This shows you the differences between two versions of the page.
использование_протоколов_связанных_с_aaa [2012/08/30 09:37] val |
использование_протоколов_связанных_с_aaa [2013/10/07 16:19] val [Протокол 802.1x] |
Line 7: | Line 7: | ||
* [[Сервис FreeRADIUS#Инсталяция сервера]] | * [[Сервис FreeRADIUS#Инсталяция сервера]] | ||
* [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]] | * [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]] | ||
- | * Регистрация клиентов сервиса | + | * [[Сервис FreeRADIUS#Регистрация клиентов]] |
- | + | * [[Сервис FreeRADIUS#Создание базы данных пользователей]] | |
- | <code> | + | |
- | server# cat clients.conf | + | |
- | </code><code> | + | |
- | ... | + | |
- | client switch { | + | |
- | secret = testing123 | + | |
- | shortname = switch | + | |
- | } | + | |
- | </code> | + | |
- | + | ||
- | * Создание базы данных пользователей | + | |
- | + | ||
- | <code> | + | |
- | root@server# cat users | + | |
- | </code><code> | + | |
- | user1 Cleartext-Password := "rpassword1" | + | |
- | + | ||
- | user2 Cleartext-Password := "rpassword2" | + | |
- | Service-Type = NAS-Prompt-User, | + | |
- | cisco-avpair = "shell:priv-lvl=14" | + | |
- | </code> | + | |
==== Настройка клиента Cisco ==== | ==== Настройка клиента Cisco ==== | ||
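Review bot: the removed `client switch { ... }` block carries no `ipaddr`, so FreeRADIUS resolves the section name `switch` itself as the NAS address; whichever page now holds this block (the new `[[Сервис FreeRADIUS#Регистрация клиентов]]` link) should say so or add an explicit `ipaddr`. In the same hunk, `secret = testing123` is the sample secret shipped in FreeRADIUS's own stock clients.conf, and the `users` entries use `Cleartext-Password` with the plain values in the page; since this revision replaces the inline text with links, confirm the target sections exist and do not carry the sample secret over unchanged.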
Line 47: | Line 26: | ||
* [[AAA#Использование RADIUS для протокола 802.1x]] | * [[AAA#Использование RADIUS для протокола 802.1x]] | ||
* [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] | * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]] | ||
- | * Настройка Windows (http://open1x.sourceforge.net/) | + | * Настройка Windows ([[http://open1x.sourceforge.net/]]) |
- | * Учет ресурсов | + | * [[Сервис FreeRADIUS#Учет ресурсов потребляемых пользователями]] |
- | + | ||
- | <code> | + | |
- | root@server:~# tail -f /var/log/freeradius/radacct/192.168... | + | |
- | + | ||
- | [server:~] # tail -f /var/log/radacct/192.168... | + | |
- | </code> | + | |
===== Использование протокола TACACS+ ===== | ===== Использование протокола TACACS+ ===== | ||
- | ==== Установка TACACS+ сервера ==== | + | * [[Сервис TACACS+]] |
- | + | * [[AAA#Настройка клиента TACACS+]] | |
- | === FreeBSD === | + | * [[AAA#Использование TACACS+ для аутентификации telnet подключений]] |
- | <code> | + | |
- | [server:~] # pkg_add -r tac_plus | + | |
- | + | ||
- | [server:~] # cd /usr/local/etc/ | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu/Debian/CentOS/SL === | + | |
- | + | ||
- | Необходимые пакеты: flex bison libwrap0-dev | + | |
- | + | ||
- | [[Управление ПО в Linux]] | + | |
- | + | ||
- | Работа с исходными текстами | + | |
- | <code> | + | |
- | root@server:~# apt-get install flex bison libwrap0-dev | + | |
- | + | ||
- | root@server:~# cd /usr/src | + | |
- | + | ||
- | root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz | + | |
- | root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz | + | |
- | root@server:/usr/src# cd tacacs+-F4.0.4.26 | + | |
- | + | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus | + | |
- | root@server:/usr/src/tacacs+-F4.0.4.26# make install clean | + | |
- | + | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc | + | |
- | </code> | + | |
- | + | ||
- | ==== Настройка ==== | + | |
- | + | ||
- | === FreeBSD/Ubuntu === | + | |
- | <code> | + | |
- | # htpasswd -n -d user1 | + | |
- | New password: tpassword1 | + | |
- | ... | + | |
- | + | ||
- | # cat tac_plus.conf | + | |
- | </code><code> | + | |
- | key = tackey123 | + | |
- | + | ||
- | user=user1 { | + | |
- | default service = permit | + | |
- | login = des "DWRr6OSzYvMH." | + | |
- | service = exec { | + | |
- | priv-lvl = 15 | + | |
- | } | + | |
- | } | + | |
- | </code> | + | |
- | + | ||
- | ==== Запуск ==== | + | |
- | + | ||
- | === FreeBSD === | + | |
- | <code> | + | |
- | # /usr/local/etc/rc.d/tac_plus rcvar | + | |
- | + | ||
- | # /usr/local/etc/rc.d/tac_plus start | + | |
- | Starting tac_plus. | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu/Debian/CentOS/SL === | + | |
- | <code> | + | |
- | root@server:~# cat /etc/rc.local | + | |
- | </code><code> | + | |
- | ... | + | |
- | /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
- | + | ||
- | exit 0 | + | |
- | </code><code> | + | |
- | root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
- | </code> | + | |
- | + | ||
- | ==== Настройка Cisco на использование TACACS+ сервера ==== | + | |
- | <code> | + | |
- | tacacs-server host server | + | |
- | + | ||
- | tacacs-server key tackey123 | + | |
- | + | ||
- | aaa authentication login default group tacacs+ enable | + | |
- | + | ||
- | aaa authorization exec default group tacacs+ none | + | |
- | </code> | + | |
- | + | ||
- | ===== Дополнительные материалы ===== | + | |
- | <code> | + | |
- | # cat /usr/local/etc/tac_plus.conf.example | + | |
- | # /usr/local/etc/tac_plus.conf | + | |
- | + | ||
- | # This is example from old version of tac_plus. It will work | + | |
- | # but config file have new features. I recomend to read | + | |
- | # /usr/local/share/doc/tac_plus/users_guide | + | |
- | + | ||
- | user=fred { | + | |
- | name = "Fred Flintstone" | + | |
- | login = des mEX027bHtzTlQ | + | |
- | + | ||
- | # Remember that authorization is also recursive over groups, in | + | |
- | # the same way that password lookups are recursive. Thus, if you | + | |
- | # place a user in a group, the daemon will look in the group for | + | |
- | # authorization parameters if it cannot find them in the user | + | |
- | # declaration. | + | |
- | member = admin | + | |
- | + | ||
- | expires = "May 23 2010" | + | |
- | + | ||
- | service = exec { | + | |
- | # When Fred starts an exec, his connection access list is 5 | + | |
- | acl = 5 | + | |
- | + | ||
- | # We require this autocmd to be done at startup | + | |
- | autocmd = "telnet foo" | + | |
- | } | + | |
- | + | ||
- | # All commands except telnet 131.108.13.* are denied for Fred | + | |
- | cmd = telnet { | + | |
- | # Fred can run the following telnet command | + | |
- | permit 131\.108\.13\.[0-9]+ | + | |
- | + | ||
- | deny .* | + | |
- | } | + | |
- | + | ||
- | service = ppp protocol = ip { | + | |
- | # Fred can run ip over ppp only if he uses one | + | |
- | # of the following mandatory addresses If he supplies no | + | |
- | # address, the first one here will be mandated | + | |
- | addr=131.108.12.11 | + | |
- | addr=131.108.12.12 | + | |
- | addr=131.108.12.13 | + | |
- | addr=131.108.12.14 | + | |
- | + | ||
- | # Fred's mandatory input access list number is 101 | + | |
- | inacl=101 | + | |
- | + | ||
- | # We will suggest an output access list of 102, but Fred may | + | |
- | # choose to ignore or override it | + | |
- | optional outacl=102 | + | |
- | } | + | |
- | + | ||
- | service = slip { | + | |
- | # Fred can run slip. When he does, he will have to use | + | |
- | # these mandatory access lists | + | |
- | inacl=101 | + | |
- | outacl=102 | + | |
- | } | + | |
- | + | ||
- | # set a timeout in the lcp layer of ppp | + | |
- | service = ppp protocol = lcp { | + | |
- | timeout = 10 | + | |
- | } | + | |
- | } | + | |
- | + | ||
- | user = wilma { | + | |
- | # Wilma has no password of her own, but she's a group member so | + | |
- | # she'll use the group password if there is one. Same for her | + | |
- | # password expiry date | + | |
- | member = admin | + | |
- | } | + | |
- | + | ||
- | group = admin { | + | |
- | # group members who don't have their own password will be looked | + | |
- | # up in /etc/passwd | + | |
- | login = file /etc/passwd | + | |
- | + | ||
- | # group members who have no expiry date set will use this one | + | |
- | expires = "Jan 1 2038" | + | |
- | } | + | |
- | + | ||
- | ----------------------------------------------- | + | |
- | # cat /usr/local/etc/tac_plus.conf | + | |
- | ... | + | |
- | user=user1 { | + | |
- | default service = permit | + | |
- | login = des "xxxxxxxxx" | + | |
- | service = exec { | + | |
- | priv-lvl = 15 | + | |
- | } | + | |
- | member=level15 | + | |
- | } | + | |
- | + | ||
- | group=level15 { | + | |
- | cmd=enable { permit .* } | + | |
- | cmd=configure { permit terminal } | + | |
- | # cmd=cli { permit terminal } | + | |
- | cmd=radius-server { permit .* } | + | |
- | cmd=vlan { permit .* } | + | |
- | cmd=interface { permit .* } | + | |
- | cmd=ip { permit .* } | + | |
- | cmd=router { permit .* } | + | |
- | cmd=network { permit .* } | + | |
- | cmd=eapol { permit .* } | + | |
- | cmd=show { permit .* } | + | |
- | cmd=copy { permit .* } | + | |
- | cmd=reload { permit .* } | + | |
- | cmd=end { permit .* } | + | |
- | cmd=exit { permit .* } | + | |
- | cmd=logout { permit .* } | + | |
- | cmd=* { permit .* } | + | |
- | } | + | |
- | </code> | + |
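Review bot: `aaa authorization exec default group tacacs+ none` in the removed Cisco block fails open: when the TACACS+ server is unreachable, the `none` method grants the exec session with no authorization at all, and the matching `aaa authentication login default group tacacs+ enable` then falls back to the local enable password. That is a deliberate anti-lockout trade-off, but nothing in the block says so; if this material now lives under the new `[[Сервис TACACS+]]` link, the fallback deserves one sentence there. Two smaller points in the same hunk: `htpasswd -n -d` produces a traditional DES crypt hash (the 13-character `login = des "DWRr6OSzYvMH."`), which uses only the first eight characters of the password, so `tpassword1` is effectively `tpassword`; and in `group=level15` every listed command is `permit .*`, so the only real restriction is `cmd=configure { permit terminal }` while the rest merely restates the user's `default service = permit`.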