использование_протоколов_связанных_с_aaa [2012/08/22 08:51] val |
использование_протоколов_связанных_с_aaa [2013/10/07 15:24] val [Настройка сервера (FreeBSD/Ubuntu)] |
Line 3: | Line 3: | ||
===== Использование протокола RADIUS ===== | ===== Использование протокола RADIUS ===== | ||
- | ==== FreeBSD/Ubuntu ==== | + | ==== Настройка сервера (FreeBSD/Ubuntu) ==== |
- | [[Сервис FreeRADIUS]] | + | * [[Сервис FreeRADIUS#Инсталяция сервера]] |
+ | * [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]] | ||
+ | * [[Сервис FreeRADIUS#Регистрация клиентов]] | ||
+ | * [[Сервис FreeRADIUS#Создание базы данных пользователей]] | ||
- | <code> | + | ==== Настройка клиента Cisco ==== |
- | server# cat clients.conf | + | |
- | </code><code> | + | |
- | ... | + | |
- | client switch { | + | |
- | secret = testing123 | + | |
- | shortname = switch | + | |
- | } | + | |
- | </code><code> | + | |
- | root@server# cat users | + | |
- | </code><code> | + | |
- | user1 Cleartext-Password := "rpassword1" | + | |
- | user2 Cleartext-Password := "rpassword2" | + | * [[AAA#Настройка клиента RADIUS]] |
- | Service-Type = NAS-Prompt-User, | + | |
- | cisco-avpair = "shell:priv-lvl=14" | + | |
- | </code> | + | |
- | ==== Cisco ==== | + | ==== Аутентификации telnet подключений ==== |
- | === Настройка клиента RADIUS === | ||
<code> | <code> | ||
- | radius-server host server auth-port 1812 acct-port 1813 | + | switch(config)#no username user1 |
- | radius-server key testing123 | + | |
</code> | </code> | ||
- | === Использование RADIUS для аутентификации telnet подключений ===== | + | * [[AAA#Использование RADIUS для аутентификации telnet подключений]] |
- | <code> | + | |
- | aaa authentication login default group radius enable | + | |
- | aaa authorization exec default local none | + | |
- | </code> | + | |
- | === Использование RADIUS для протокола 802.1x ===== | + | ==== Протокол 802.1x ==== |
- | <code> | + | |
- | !!! may not be in some ealer ios !!! | + | |
- | dot1x system-auth-control | + | |
- | aaa authentication dot1x default group radius | + | * [[AAA#Использование RADIUS для протокола 802.1x]] |
+ | * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] | ||
+ | * Настройка Windows (http://open1x.sourceforge.net/) | ||
+ | * Учет ресурсов | ||
- | aaa accounting dot1x default start-stop group radius | ||
- | |||
- | interface FastEthernet0/2 | ||
- | switchport mode access | ||
- | spanning-tree portfast | ||
- | dot1x port-control auto | ||
- | </code><code> | ||
- | switch#show dot1x interface f0/2 | ||
- | </code> | ||
- | |||
- | === Настройка Windows === | ||
- | |||
- | http://open1x.sourceforge.net/ | ||
- | |||
- | === Testing === | ||
<code> | <code> | ||
root@server:~# tail -f /var/log/freeradius/radacct/192.168... | root@server:~# tail -f /var/log/freeradius/radacct/192.168... | ||
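Review bot: The new step `switch(config)#no username user1` under «Аутентификации telnet подключений» deletes the local account before the RADIUS login method (now only reachable through the AAA link below it) is applied, and nothing on the new side tells the reader to confirm a RADIUS login from a second session first; with the previous inline config the only fallback after `group radius` was `enable`, so following this order from a single session risks a lockout if the server is unreachable. Consider a one-line note above the code block, e.g. `Удаляйте локального пользователя только после успешной проверки входа через RADIUS из второй сессии (резервный метод — enable).` The bullet `* Учет ресурсов` under «Протокол 802.1x» is the only item in the rewritten list without a link or text, so it reads as an unfinished placeholder; either link it to the accounting section or drop it.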
Line 69: | Line 37: | ||
===== Использование протокола TACACS+ ===== | ===== Использование протокола TACACS+ ===== | ||
- | ==== Установка TACACS+ сервера ==== | + | * [[Сервис TACACS+]] |
+ | * [[AAA#Настройка клиента TACACS+]] | ||
+ | * [[AAA#Использование TACACS+ для аутентификации telnet подключений]] | ||
- | === FreeBSD === | ||
- | <code> | ||
- | [server:~] # pkg_add -r tac_plus | ||
- | |||
- | [server:~] # cd /usr/local/etc/ | ||
- | </code> | ||
- | |||
- | === Ubuntu/Debian/CentOS/SL === | ||
- | |||
- | Необходимые пакеты: flex bison libwrap0-dev | ||
- | |||
- | [[Управление ПО в Linux]] | ||
- | |||
- | Работа с исходными текстами | ||
- | <code> | ||
- | root@server:~# apt-get install flex bison libwrap0-dev | ||
- | |||
- | root@server:~# cd /usr/src | ||
- | |||
- | root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz | ||
- | root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz | ||
- | root@server:/usr/src# cd tacacs+-F4.0.4.26 | ||
- | |||
- | root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# make install clean | ||
- | |||
- | root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc | ||
- | </code> | ||
- | |||
- | ==== Настройка ==== | ||
- | |||
- | === FreeBSD/Ubuntu === | ||
- | <code> | ||
- | # htpasswd -n user1 | ||
- | New password: tpassword1 | ||
- | ... | ||
- | |||
- | # cat tac_plus.conf | ||
- | </code><code> | ||
- | key = tackey123 | ||
- | |||
- | user=user1 { | ||
- | default service = permit | ||
- | login = des "DWRr6OSzYvMH." | ||
- | service = exec { | ||
- | priv-lvl = 15 | ||
- | } | ||
- | } | ||
- | </code> | ||
- | |||
- | ==== Запуск ==== | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | # /usr/local/etc/rc.d/tac_plus rcvar | ||
- | |||
- | # /usr/local/etc/rc.d/tac_plus start | ||
- | Starting tac_plus. | ||
- | </code> | ||
- | |||
- | === Ubuntu/Debian/CentOS/SL === | ||
- | <code> | ||
- | root@server:~# cat /etc/rc.local | ||
- | </code><code> | ||
- | ... | ||
- | /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | ||
- | |||
- | exit 0 | ||
- | </code><code> | ||
- | root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | ||
- | </code> | ||
- | ==== Настройка Cisco на использование TACACS+ сервера ==== | ||
- | <code> | ||
- | tacacs-server host server | ||
- | tacacs-server key tackey123 | ||
- | |||
- | aaa authentication login default group tacacs+ enable | ||
- | |||
- | aaa authorization exec default group tacacs+ none | ||
- | </code> | ||
- | |||
- | ===== Дополнительные материалы ===== | ||
- | <code> | ||
- | # cat /usr/local/etc/tac_plus.conf.example | ||
- | # /usr/local/etc/tac_plus.conf | ||
- | |||
- | # This is example from old version of tac_plus. It will work | ||
- | # but config file have new features. I recomend to read | ||
- | # /usr/local/share/doc/tac_plus/users_guide | ||
- | |||
- | user=fred { | ||
- | name = "Fred Flintstone" | ||
- | login = des mEX027bHtzTlQ | ||
- | |||
- | # Remember that authorization is also recursive over groups, in | ||
- | # the same way that password lookups are recursive. Thus, if you | ||
- | # place a user in a group, the daemon will look in the group for | ||
- | # authorization parameters if it cannot find them in the user | ||
- | # declaration. | ||
- | member = admin | ||
- | |||
- | expires = "May 23 2010" | ||
- | |||
- | service = exec { | ||
- | # When Fred starts an exec, his connection access list is 5 | ||
- | acl = 5 | ||
- | |||
- | # We require this autocmd to be done at startup | ||
- | autocmd = "telnet foo" | ||
- | } | ||
- | |||
- | # All commands except telnet 131.108.13.* are denied for Fred | ||
- | cmd = telnet { | ||
- | # Fred can run the following telnet command | ||
- | permit 131\.108\.13\.[0-9]+ | ||
- | |||
- | deny .* | ||
- | } | ||
- | |||
- | service = ppp protocol = ip { | ||
- | # Fred can run ip over ppp only if he uses one | ||
- | # of the following mandatory addresses If he supplies no | ||
- | # address, the first one here will be mandated | ||
- | addr=131.108.12.11 | ||
- | addr=131.108.12.12 | ||
- | addr=131.108.12.13 | ||
- | addr=131.108.12.14 | ||
- | |||
- | # Fred's mandatory input access list number is 101 | ||
- | inacl=101 | ||
- | |||
- | # We will suggest an output access list of 102, but Fred may | ||
- | # choose to ignore or override it | ||
- | optional outacl=102 | ||
- | } | ||
- | |||
- | service = slip { | ||
- | # Fred can run slip. When he does, he will have to use | ||
- | # these mandatory access lists | ||
- | inacl=101 | ||
- | outacl=102 | ||
- | } | ||
- | |||
- | # set a timeout in the lcp layer of ppp | ||
- | service = ppp protocol = lcp { | ||
- | timeout = 10 | ||
- | } | ||
- | } | ||
- | |||
- | user = wilma { | ||
- | # Wilma has no password of her own, but she's a group member so | ||
- | # she'll use the group password if there is one. Same for her | ||
- | # password expiry date | ||
- | member = admin | ||
- | } | ||
- | |||
- | group = admin { | ||
- | # group members who don't have their own password will be looked | ||
- | # up in /etc/passwd | ||
- | login = file /etc/passwd | ||
- | |||
- | # group members who have no expiry date set will use this one | ||
- | expires = "Jan 1 2038" | ||
- | } | ||
- | |||
- | ----------------------------------------------- | ||
- | # cat /usr/local/etc/tac_plus.conf | ||
- | ... | ||
- | user=user1 { | ||
- | default service = permit | ||
- | login = des "xxxxxxxxx" | ||
- | service = exec { | ||
- | priv-lvl = 15 | ||
- | } | ||
- | member=level15 | ||
- | } | ||
- | |||
- | group=level15 { | ||
- | cmd=enable { permit .* } | ||
- | cmd=configure { permit terminal } | ||
- | # cmd=cli { permit terminal } | ||
- | cmd=radius-server { permit .* } | ||
- | cmd=vlan { permit .* } | ||
- | cmd=interface { permit .* } | ||
- | cmd=ip { permit .* } | ||
- | cmd=router { permit .* } | ||
- | cmd=network { permit .* } | ||
- | cmd=eapol { permit .* } | ||
- | cmd=show { permit .* } | ||
- | cmd=copy { permit .* } | ||
- | cmd=reload { permit .* } | ||
- | cmd=end { permit .* } | ||
- | cmd=exit { permit .* } | ||
- | cmd=logout { permit .* } | ||
- | cmd=* { permit .* } | ||
- | } | ||
- | </code> |