This shows you the differences between two versions of the page.
использование_протоколов_связанных_с_aaa [2012/08/24 12:17] val |
использование_протоколов_связанных_с_aaa [2013/10/07 16:19] val [Протокол 802.1x] |
Line 3: | Line 3: | ||
===== Использование протокола RADIUS ===== | ===== Использование протокола RADIUS ===== | ||
- | ==== FreeBSD/Ubuntu ==== | + | ==== Настройка сервера (FreeBSD/Ubuntu) ==== |
- | [[Сервис FreeRADIUS]] | + | * [[Сервис FreeRADIUS#Инсталяция сервера]] |
+ | * [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]] | ||
+ | * [[Сервис FreeRADIUS#Регистрация клиентов]] | ||
+ | * [[Сервис FreeRADIUS#Создание базы данных пользователей]] | ||
- | <code> | + | ==== Настройка клиента Cisco ==== |
- | server# cat clients.conf | + | |
- | </code><code> | + | |
- | ... | + | |
- | client switch { | + | |
- | secret = testing123 | + | |
- | shortname = switch | + | |
- | } | + | |
- | </code><code> | + | |
- | root@server# cat users | + | |
- | </code><code> | + | |
- | user1 Cleartext-Password := "rpassword1" | + | |
- | user2 Cleartext-Password := "rpassword2" | + | * [[AAA#Настройка клиента RADIUS]] |
- | Service-Type = NAS-Prompt-User, | + | |
- | cisco-avpair = "shell:priv-lvl=14" | + | |
- | </code> | + | |
- | ==== Cisco ==== | + | ==== Аутентификации telnet подключений ==== |
- | [[AAA#Аутентификация с использованием RADIUS]] | ||
- | |||
- | === Использование RADIUS для протокола 802.1x ===== | ||
<code> | <code> | ||
- | !!! may not be in some ealer ios !!! | + | switch(config)#no username user1 |
- | dot1x system-auth-control | + | |
- | + | ||
- | aaa authentication dot1x default group radius | + | |
- | + | ||
- | aaa accounting dot1x default start-stop group radius | + | |
- | + | ||
- | interface FastEthernet0/2 | + | |
- | switchport mode access | + | |
- | spanning-tree portfast | + | |
- | dot1x port-control auto | + | |
- | </code><code> | + | |
- | switch#show dot1x interface f0/2 | + | |
</code> | </code> | ||
- | === Настройка Windows === | + | * [[AAA#Использование RADIUS для аутентификации telnet подключений]] |
- | http://open1x.sourceforge.net/ | + | ==== Протокол 802.1x ==== |
- | === Testing === | + | * [[AAA#Использование RADIUS для протокола 802.1x]] |
- | <code> | + | * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] |
- | root@server:~# tail -f /var/log/freeradius/radacct/192.168... | + | * Настройка Windows ([[http://open1x.sourceforge.net/]]) |
- | + | * [[Сервис FreeRADIUS#Учет ресурсов потребляемых пользователями]] | |
- | [server:~] # tail -f /var/log/radacct/192.168... | + | |
- | </code> | + | |
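Review bot: the anchor in `[[Сервис FreeRADIUS#Инсталяция сервера]]` (first bullet under "Настройка сервера") spells "Инсталяция" with a single "л"; DokuWiki derives `#` anchors from the exact heading text, so this link resolves only if the heading on the target page is spelled the same way, and it should be checked and brought in line with the target heading (normally "Инсталляция"). The new heading "Аутентификации telnet подключений" is in the genitive while its neighbours ("Настройка клиента Cisco", "Протокол 802.1x") are nominative; suggest "Аутентификация telnet подключений". The code block kept in that section now holds a single command, `switch(config)#no username user1`, with the rest of the procedure behind `[[AAA#Использование RADIUS для аутентификации telnet подключений]]`; because deleting the local account is the step that makes the switch depend on the RADIUS server, a one-line note to run it only after a RADIUS login has been verified, and only when the AAA configuration keeps a local or console fallback, would spare readers a lockout. Finally, the removed `clients.conf` fragment used `secret = testing123`, which is the well-known example secret shipped in FreeRADIUS's default `clients.conf`; if that fragment now lives on the linked page, it should be marked as a placeholder to be replaced rather than copied as-is.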
===== Использование протокола TACACS+ ===== | ===== Использование протокола TACACS+ ===== | ||
- | ==== Установка TACACS+ сервера ==== | + | * [[Сервис TACACS+]] |
- | + | * [[AAA#Настройка клиента TACACS+]] | |
- | === FreeBSD === | + | * [[AAA#Использование TACACS+ для аутентификации telnet подключений]] |
- | <code> | + | |
- | [server:~] # pkg_add -r tac_plus | + | |
- | + | ||
- | [server:~] # cd /usr/local/etc/ | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu/Debian/CentOS/SL === | + | |
- | + | ||
- | Необходимые пакеты: flex bison libwrap0-dev | + | |
- | + | ||
- | [[Управление ПО в Linux]] | + | |
- | + | ||
- | Работа с исходными текстами | + | |
- | <code> | + | |
- | root@server:~# apt-get install flex bison libwrap0-dev | + | |
- | + | ||
- | root@server:~# cd /usr/src | + | |
- | + | ||
- | root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz | + | |
- | root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz | + | |
- | root@server:/usr/src# cd tacacs+-F4.0.4.26 | + | |
- | + | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus | + | |
- | root@server:/usr/src/tacacs+-F4.0.4.26# make install clean | + | |
- | + | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc | + | |
- | </code> | + | |
- | + | ||
- | ==== Настройка ==== | + | |
- | + | ||
- | === FreeBSD/Ubuntu === | + | |
- | <code> | + | |
- | # htpasswd -n user1 | + | |
- | New password: tpassword1 | + | |
- | ... | + | |
- | + | ||
- | # cat tac_plus.conf | + | |
- | </code><code> | + | |
- | key = tackey123 | + | |
- | + | ||
- | user=user1 { | + | |
- | default service = permit | + | |
- | login = des "DWRr6OSzYvMH." | + | |
- | service = exec { | + | |
- | priv-lvl = 15 | + | |
- | } | + | |
- | } | + | |
- | </code> | + | |
- | + | ||
- | ==== Запуск ==== | + | |
- | + | ||
- | === FreeBSD === | + | |
- | <code> | + | |
- | # /usr/local/etc/rc.d/tac_plus rcvar | + | |
- | + | ||
- | # /usr/local/etc/rc.d/tac_plus start | + | |
- | Starting tac_plus. | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu/Debian/CentOS/SL === | + | |
- | <code> | + | |
- | root@server:~# cat /etc/rc.local | + | |
- | </code><code> | + | |
- | ... | + | |
- | /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
- | + | ||
- | exit 0 | + | |
- | </code><code> | + | |
- | root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
- | </code> | + | |
- | ==== Настройка Cisco на использование TACACS+ сервера ==== | + | |
- | <code> | + | |
- | tacacs-server host server | + | |
- | tacacs-server key tackey123 | + | |
- | + | ||
- | aaa authentication login default group tacacs+ enable | + | |
- | + | ||
- | aaa authorization exec default group tacacs+ none | + | |
- | </code> | + | |
- | + | ||
- | ===== Дополнительные материалы ===== | + | |
- | <code> | + | |
- | # cat /usr/local/etc/tac_plus.conf.example | + | |
- | # /usr/local/etc/tac_plus.conf | + | |
- | + | ||
- | # This is example from old version of tac_plus. It will work | + | |
- | # but config file have new features. I recomend to read | + | |
- | # /usr/local/share/doc/tac_plus/users_guide | + | |
- | + | ||
- | user=fred { | + | |
- | name = "Fred Flintstone" | + | |
- | login = des mEX027bHtzTlQ | + | |
- | + | ||
- | # Remember that authorization is also recursive over groups, in | + | |
- | # the same way that password lookups are recursive. Thus, if you | + | |
- | # place a user in a group, the daemon will look in the group for | + | |
- | # authorization parameters if it cannot find them in the user | + | |
- | # declaration. | + | |
- | member = admin | + | |
- | + | ||
- | expires = "May 23 2010" | + | |
- | + | ||
- | service = exec { | + | |
- | # When Fred starts an exec, his connection access list is 5 | + | |
- | acl = 5 | + | |
- | + | ||
- | # We require this autocmd to be done at startup | + | |
- | autocmd = "telnet foo" | + | |
- | } | + | |
- | + | ||
- | # All commands except telnet 131.108.13.* are denied for Fred | + | |
- | cmd = telnet { | + | |
- | # Fred can run the following telnet command | + | |
- | permit 131\.108\.13\.[0-9]+ | + | |
- | + | ||
- | deny .* | + | |
- | } | + | |
- | + | ||
- | service = ppp protocol = ip { | + | |
- | # Fred can run ip over ppp only if he uses one | + | |
- | # of the following mandatory addresses If he supplies no | + | |
- | # address, the first one here will be mandated | + | |
- | addr=131.108.12.11 | + | |
- | addr=131.108.12.12 | + | |
- | addr=131.108.12.13 | + | |
- | addr=131.108.12.14 | + | |
- | + | ||
- | # Fred's mandatory input access list number is 101 | + | |
- | inacl=101 | + | |
- | + | ||
- | # We will suggest an output access list of 102, but Fred may | + | |
- | # choose to ignore or override it | + | |
- | optional outacl=102 | + | |
- | } | + | |
- | + | ||
- | service = slip { | + | |
- | # Fred can run slip. When he does, he will have to use | + | |
- | # these mandatory access lists | + | |
- | inacl=101 | + | |
- | outacl=102 | + | |
- | } | + | |
- | + | ||
- | # set a timeout in the lcp layer of ppp | + | |
- | service = ppp protocol = lcp { | + | |
- | timeout = 10 | + | |
- | } | + | |
- | } | + | |
- | + | ||
- | user = wilma { | + | |
- | # Wilma has no password of her own, but she's a group member so | + | |
- | # she'll use the group password if there is one. Same for her | + | |
- | # password expiry date | + | |
- | member = admin | + | |
- | } | + | |
- | + | ||
- | group = admin { | + | |
- | # group members who don't have their own password will be looked | + | |
- | # up in /etc/passwd | + | |
- | login = file /etc/passwd | + | |
- | + | ||
- | # group members who have no expiry date set will use this one | + | |
- | expires = "Jan 1 2038" | + | |
- | } | + | |
- | + | ||
- | ----------------------------------------------- | + | |
- | # cat /usr/local/etc/tac_plus.conf | + | |
- | ... | + | |
- | user=user1 { | + | |
- | default service = permit | + | |
- | login = des "xxxxxxxxx" | + | |
- | service = exec { | + | |
- | priv-lvl = 15 | + | |
- | } | + | |
- | member=level15 | + | |
- | } | + | |
- | + | ||
- | group=level15 { | + | |
- | cmd=enable { permit .* } | + | |
- | cmd=configure { permit terminal } | + | |
- | # cmd=cli { permit terminal } | + | |
- | cmd=radius-server { permit .* } | + | |
- | cmd=vlan { permit .* } | + | |
- | cmd=interface { permit .* } | + | |
- | cmd=ip { permit .* } | + | |
- | cmd=router { permit .* } | + | |
- | cmd=network { permit .* } | + | |
- | cmd=eapol { permit .* } | + | |
- | cmd=show { permit .* } | + | |
- | cmd=copy { permit .* } | + | |
- | cmd=reload { permit .* } | + | |
- | cmd=end { permit .* } | + | |
- | cmd=exit { permit .* } | + | |
- | cmd=logout { permit .* } | + | |
- | cmd=* { permit .* } | + | |
- | } | + | |
- | </code> | + |
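Review bot: the new TACACS+ section lists three links (`[[Сервис TACACS+]]`, `[[AAA#Настройка клиента TACACS+]]`, `[[AAA#Использование TACACS+ для аутентификации telnet подключений]]`), but the removed "Дополнительные материалы" block, with the `tac_plus.conf.example` walkthrough and the `group=level15` per-command authorization example, has no link pointing at wherever it went; either add a fourth bullet for it or state that it was dropped deliberately. Two points worth carrying into the linked pages rather than losing with the removal: the old configuration shows the cleartext `tpassword1` at the `htpasswd -n` prompt directly above its DES hash `login = des "DWRr6OSzYvMH."`, so that hash is a label for a published password and should be shown as an obvious placeholder (the later copy already does this with `login = des "xxxxxxxxx"`), and `aaa authorization exec default group tacacs+ none` grants exec authorization without any check whenever the TACACS+ server cannot be reached, which the text never explains; a one-line description of that fallback belongs next to the command.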