User Tools
использование_протоколов_связанных_с_aaa
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
использование_протоколов_связанных_с_aaa [2012/08/29 12:50] val |
использование_протоколов_связанных_с_aaa [2014/04/03 15:45] (current) val [Протокол 802.1x] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| ==== Настройка сервера (FreeBSD/Ubuntu) ==== | ==== Настройка сервера (FreeBSD/Ubuntu) ==== | ||
| - | [[Сервис FreeRADIUS]] | + | * [[Сервис FreeRADIUS#Инсталяция сервера]] |
| - | + | * [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]] | |
| - | <code> | + | * [[Сервис FreeRADIUS#Регистрация клиентов]] |
| - | server# cat clients.conf | + | * [[Сервис FreeRADIUS#Создание базы данных пользователей]] |
| - | </code><code> | + | |
| - | ... | + | |
| - | client switch { | + | |
| - | secret = testing123 | + | |
| - | shortname = switch | + | |
| - | } | + | |
| - | </code><code> | + | |
| - | root@server# cat users | + | |
| - | </code><code> | + | |
| - | user1 Cleartext-Password := "rpassword1" | + | |
| - | + | ||
| - | user2 Cleartext-Password := "rpassword2" | + | |
| - | Service-Type = NAS-Prompt-User, | + | |
| - | cisco-avpair = "shell:priv-lvl=14" | + | |
| - | </code> | + | |
| ==== Настройка клиента Cisco ==== | ==== Настройка клиента Cisco ==== | ||
| Line 41: | Line 26: | ||
| * [[AAA#Использование RADIUS для протокола 802.1x]] | * [[AAA#Использование RADIUS для протокола 802.1x]] | ||
| * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] | * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] | ||
| - | * Настройка Windows (http://open1x.sourceforge.net/) | + | * Настройка Windows ([[http://sourceforge.net/projects/open1x/]]) |
| - | * Учет ресурсов | + | * [[Сервис FreeRADIUS#Учет ресурсов потребляемых пользователями]] |
| - | + | ||
| - | <code> | + | |
| - | root@server:~# tail -f /var/log/freeradius/radacct/192.168... | + | |
| - | + | ||
| - | [server:~] # tail -f /var/log/radacct/192.168... | + | |
| - | </code> | + | |
| ===== Использование протокола TACACS+ ===== | ===== Использование протокола TACACS+ ===== | ||
| - | ==== Установка TACACS+ сервера ==== | + | * [[Сервис TACACS+]] |
| - | + | * [[AAA#Настройка клиента TACACS+]] | |
| - | === FreeBSD === | + | * [[AAA#Использование TACACS+ для аутентификации telnet подключений]] |
| - | <code> | + | |
| - | [server:~] # pkg_add -r tac_plus | + | |
| - | + | ||
| - | [server:~] # cd /usr/local/etc/ | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu/Debian/CentOS/SL === | + | |
| - | + | ||
| - | Необходимые пакеты: flex bison libwrap0-dev | + | |
| - | + | ||
| - | [[Управление ПО в Linux]] | + | |
| - | + | ||
| - | Работа с исходными текстами | + | |
| - | <code> | + | |
| - | root@server:~# apt-get install flex bison libwrap0-dev | + | |
| - | + | ||
| - | root@server:~# cd /usr/src | + | |
| - | + | ||
| - | root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz | + | |
| - | root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz | + | |
| - | root@server:/usr/src# cd tacacs+-F4.0.4.26 | + | |
| - | + | ||
| - | root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus | + | |
| - | root@server:/usr/src/tacacs+-F4.0.4.26# make install clean | + | |
| - | + | ||
| - | root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Настройка ==== | + | |
| - | + | ||
| - | === FreeBSD/Ubuntu === | + | |
| - | <code> | + | |
| - | # htpasswd -n -d user1 | + | |
| - | New password: tpassword1 | + | |
| - | ... | + | |
| - | + | ||
| - | # cat tac_plus.conf | + | |
| - | </code><code> | + | |
| - | key = tackey123 | + | |
| - | + | ||
| - | user=user1 { | + | |
| - | default service = permit | + | |
| - | login = des "DWRr6OSzYvMH." | + | |
| - | service = exec { | + | |
| - | priv-lvl = 15 | + | |
| - | } | + | |
| - | } | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Запуск ==== | + | |
| - | + | ||
| - | === FreeBSD === | + | |
| - | <code> | + | |
| - | # /usr/local/etc/rc.d/tac_plus rcvar | + | |
| - | + | ||
| - | # /usr/local/etc/rc.d/tac_plus start | + | |
| - | Starting tac_plus. | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu/Debian/CentOS/SL === | + | |
| - | <code> | + | |
| - | root@server:~# cat /etc/rc.local | + | |
| - | </code><code> | + | |
| - | ... | + | |
| - | /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
| - | + | ||
| - | exit 0 | + | |
| - | </code><code> | + | |
| - | root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Настройка Cisco на использование TACACS+ сервера ==== | + | |
| - | <code> | + | |
| - | tacacs-server host server | + | |
| - | + | ||
| - | tacacs-server key tackey123 | + | |
| - | + | ||
| - | aaa authentication login default group tacacs+ enable | + | |
| - | + | ||
| - | aaa authorization exec default group tacacs+ none | + | |
| - | </code> | + | |
| - | + | ||
| - | ===== Дополнительные материалы ===== | + | |
| - | <code> | + | |
| - | # cat /usr/local/etc/tac_plus.conf.example | + | |
| - | # /usr/local/etc/tac_plus.conf | + | |
| - | + | ||
| - | # This is example from old version of tac_plus. It will work | + | |
| - | # but config file have new features. I recomend to read | + | |
| - | # /usr/local/share/doc/tac_plus/users_guide | + | |
| - | + | ||
| - | user=fred { | + | |
| - | name = "Fred Flintstone" | + | |
| - | login = des mEX027bHtzTlQ | + | |
| - | + | ||
| - | # Remember that authorization is also recursive over groups, in | + | |
| - | # the same way that password lookups are recursive. Thus, if you | + | |
| - | # place a user in a group, the daemon will look in the group for | + | |
| - | # authorization parameters if it cannot find them in the user | + | |
| - | # declaration. | + | |
| - | member = admin | + | |
| - | + | ||
| - | expires = "May 23 2010" | + | |
| - | + | ||
| - | service = exec { | + | |
| - | # When Fred starts an exec, his connection access list is 5 | + | |
| - | acl = 5 | + | |
| - | + | ||
| - | # We require this autocmd to be done at startup | + | |
| - | autocmd = "telnet foo" | + | |
| - | } | + | |
| - | + | ||
| - | # All commands except telnet 131.108.13.* are denied for Fred | + | |
| - | cmd = telnet { | + | |
| - | # Fred can run the following telnet command | + | |
| - | permit 131\.108\.13\.[0-9]+ | + | |
| - | + | ||
| - | deny .* | + | |
| - | } | + | |
| - | + | ||
| - | service = ppp protocol = ip { | + | |
| - | # Fred can run ip over ppp only if he uses one | + | |
| - | # of the following mandatory addresses If he supplies no | + | |
| - | # address, the first one here will be mandated | + | |
| - | addr=131.108.12.11 | + | |
| - | addr=131.108.12.12 | + | |
| - | addr=131.108.12.13 | + | |
| - | addr=131.108.12.14 | + | |
| - | + | ||
| - | # Fred's mandatory input access list number is 101 | + | |
| - | inacl=101 | + | |
| - | + | ||
| - | # We will suggest an output access list of 102, but Fred may | + | |
| - | # choose to ignore or override it | + | |
| - | optional outacl=102 | + | |
| - | } | + | |
| - | + | ||
| - | service = slip { | + | |
| - | # Fred can run slip. When he does, he will have to use | + | |
| - | # these mandatory access lists | + | |
| - | inacl=101 | + | |
| - | outacl=102 | + | |
| - | } | + | |
| - | + | ||
| - | # set a timeout in the lcp layer of ppp | + | |
| - | service = ppp protocol = lcp { | + | |
| - | timeout = 10 | + | |
| - | } | + | |
| - | } | + | |
| - | + | ||
| - | user = wilma { | + | |
| - | # Wilma has no password of her own, but she's a group member so | + | |
| - | # she'll use the group password if there is one. Same for her | + | |
| - | # password expiry date | + | |
| - | member = admin | + | |
| - | } | + | |
| - | + | ||
| - | group = admin { | + | |
| - | # group members who don't have their own password will be looked | + | |
| - | # up in /etc/passwd | + | |
| - | login = file /etc/passwd | + | |
| - | + | ||
| - | # group members who have no expiry date set will use this one | + | |
| - | expires = "Jan 1 2038" | + | |
| - | } | + | |
| - | + | ||
| - | ----------------------------------------------- | + | |
| - | # cat /usr/local/etc/tac_plus.conf | + | |
| - | ... | + | |
| - | user=user1 { | + | |
| - | default service = permit | + | |
| - | login = des "xxxxxxxxx" | + | |
| - | service = exec { | + | |
| - | priv-lvl = 15 | + | |
| - | } | + | |
| - | member=level15 | + | |
| - | } | + | |
| - | + | ||
| - | group=level15 { | + | |
| - | cmd=enable { permit .* } | + | |
| - | cmd=configure { permit terminal } | + | |
| - | # cmd=cli { permit terminal } | + | |
| - | cmd=radius-server { permit .* } | + | |
| - | cmd=vlan { permit .* } | + | |
| - | cmd=interface { permit .* } | + | |
| - | cmd=ip { permit .* } | + | |
| - | cmd=router { permit .* } | + | |
| - | cmd=network { permit .* } | + | |
| - | cmd=eapol { permit .* } | + | |
| - | cmd=show { permit .* } | + | |
| - | cmd=copy { permit .* } | + | |
| - | cmd=reload { permit .* } | + | |
| - | cmd=end { permit .* } | + | |
| - | cmd=exit { permit .* } | + | |
| - | cmd=logout { permit .* } | + | |
| - | cmd=* { permit .* } | + | |
| - | } | + | |
| - | </code> | + | |
использование_протоколов_связанных_с_aaa.1346230244.txt.gz · Last modified: 2013/05/22 13:50 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
