====== Сервис TACACS+ ======
* [[http://www.shrubbery.net/tac_plus/|TACACS+ daemon]]
* [[https://habrahabr.ru/post/194750/|Другой tacacs+]]
===== Установка TACACS+ сервера =====
==== Ubuntu<11/Debian<20 ====
root@server:~# apt install tacacs+
==== Docker ====
* [[https://www.nixcraft.com/t/ubuntu-server-20-04-installing-tacacs/3452|Ubuntu Server 20.04 Installing TACACS+]]
* [[Технология Docker]]
* [[https://hub.docker.com/r/lfkeitel/tacacs_plus|TACACS+ Docker Image]]
# mkdir tacacs_server
# cd tacacs_server/
# cat Dockerfile
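# The upstream image is referenced without a tag/digest, so each rebuild may
# pick up a different version. Pass a pinned reference for reproducible builds:
#   docker build --build-arg TACACS_IMAGE=openswitch/tacacs_server:<TAG-OR-DIGEST> ...
# The default keeps the original (unpinned) behaviour.
ARG TACACS_IMAGE=openswitch/tacacs_server
FROM ${TACACS_IMAGE}
# Wrapper that starts tac_plus in the foreground (-G) with the configuration
# that is bind-mounted into /etc/tacacs/ at run time (see the docker run line
# on this page). `exec` replaces the shell, so tac_plus becomes PID 1 and
# receives SIGTERM from `docker stop` directly instead of being left behind
# when the shell is killed. printf is used rather than `echo -e` because
# `echo -e` is not portable across /bin/sh implementations.
RUN printf '%s\n%s\n' '#!/bin/sh' 'exec /usr/local/bin/tac_plus -G -C /etc/tacacs/tac_plus.conf' > /start.sh \
    && chmod +x /start.sh
# Exec form: no intermediate `sh -c`, arguments can be appended at run time.
ENTRYPOINT ["/start.sh"]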
# docker build -t corp/tacacs_server .
# mkdir /etc/tacacs+/
===== Настройка =====
==== FreeBSD/Ubuntu ====
# htpasswd -n -d user1
New password: tpassword1
...
# cat /etc/tacacs+/tac_plus.conf
# Shared secret that protects the TACACS+ packet body; every device that
# talks to this server must be configured with the same key. Keep this file
# readable by root only, since the key and the password hashes are in it.
key = tackey123
# Accounting records are appended here; the file is created on the first
# accounted CLI action. In the Docker variant the path must be writable
# through the volume mounted at /var/log/.
accounting file = /var/log/tac_plus.acct
user=root {
# Any service without an explicit clause below is authorized.
default service = permit
# crypt(3)-style hash as produced by `htpasswd -n -d`. Classic DES crypt only
# uses the first 8 characters of the password, so prefer a stronger hash
# where the tac_plus build supports it.
login = des "hPkKtADs9JXn2"
service = exec {
# Privilege level 15 (full/enable level on Cisco-style CLIs) at login.
priv-lvl = 15
}
}
user=user1 {
default service = permit
login = des "DWRr6OSzYvMH."
service = exec {
# Unprivileged level; user1 has to raise it explicitly on the device.
priv-lvl = 1
}
}
===== Запуск =====
==== Ubuntu/Debian ====
# service tacacs_plus restart
==== Docker ====
# docker run --name tacacs_server -d -p 49:49 -v /etc/tacacs+/:/etc/tacacs/ -v /var/log/:/var/log/ --restart=always corp/tacacs_server
===== Мониторинг =====
!!! Файл появится в результате действий пользователя в CLI
# tail -f /var/log/tac_plus.acct
===== Дополнительные материалы =====
# cat tac_plus.conf
# Shared secret; must match the key configured on every client device.
key = tackey123
user=user1 {
default service = permit
login = des "DWRr6OSzYvMH."
service = exec {
priv-lvl = 15
}
}
user=user2 {
default service = permit
login = des "QMN3UmwtTO/GU"
service = exec {
priv-lvl = 15
}
# user2 inherits acl_restrict through group_restrict, so unlike user1 it
# can only authenticate from the addresses listed in that acl.
member = group_restrict
}
# Source-address restriction for members of group_restrict. NOTE(review): an
# address that matches no permit entry should be rejected by the daemon —
# confirm against the tac_plus users_guide for the installed version.
acl = acl_restrict {
permit = 172.16.1.3
permit = 172.16.1.4
permit = 172.16.1.5
}
group = group_restrict {
acl = acl_restrict
}
# cat /usr/local/etc/tac_plus.conf
...
user=user1 {
# Services (and commands) with no matching clause are authorized.
default service = permit
# Placeholder hash; replace with a real crypt(3) hash before use.
login = des "xxxxxxxxx"
service = exec {
priv-lvl = 15
}
member=level15
}
group=level15 {
# Per-command authorization. NOTE(review): the closing `cmd=* { permit .* }`
# together with `default service = permit` on the user means every command
# is allowed, so the explicit entries above it only document intent. If this
# group is meant to be restricted, drop the wildcard entry and add deny rules
# (see the `cmd = telnet` example further down on this page) — confirm the
# matching order against the users_guide.
cmd=enable { permit .* }
cmd=configure { permit terminal }
# cmd=cli { permit terminal }
cmd=radius-server { permit .* }
cmd=vlan { permit .* }
cmd=interface { permit .* }
cmd=ip { permit .* }
cmd=router { permit .* }
cmd=network { permit .* }
cmd=eapol { permit .* }
cmd=show { permit .* }
cmd=copy { permit .* }
cmd=reload { permit .* }
cmd=end { permit .* }
cmd=exit { permit .* }
cmd=logout { permit .* }
cmd=* { permit .* }
}
# cat /usr/local/etc/tac_plus.conf.example
# This is an example from an old version of tac_plus. It will still work,
# but the current config file format has new features. I recommend reading
# /usr/local/share/doc/tac_plus/users_guide
user=fred {
name = "Fred Flintstone"
# crypt(3) hash; same caveats as for the other users on this page (classic
# DES crypt uses only the first 8 password characters).
login = des mEX027bHtzTlQ
# Remember that authorization is also recursive over groups, in
# the same way that password lookups are recursive. Thus, if you
# place a user in a group, the daemon will look in the group for
# authorization parameters if it cannot find them in the user
# declaration.
member = admin
# NOTE(review): this date is already in the past, so the account is expired
# as written — adjust before reusing the example.
expires = "May 23 2010"
service = exec {
# When Fred starts an exec, his connection access list is 5
acl = 5
# We require this autocmd to be done at startup
autocmd = "telnet foo"
}
# All commands except telnet 131.108.13.* are denied for Fred
cmd = telnet {
# Fred can run the following telnet command
permit 131\.108\.13\.[0-9]+
deny .*
}
service = ppp protocol = ip {
# Fred can run ip over ppp only if he uses one
# of the following mandatory addresses If he supplies no
# address, the first one here will be mandated
addr=131.108.12.11
addr=131.108.12.12
addr=131.108.12.13
addr=131.108.12.14
# Fred's mandatory input access list number is 101
inacl=101
# We will suggest an output access list of 102, but Fred may
# choose to ignore or override it
optional outacl=102
}
service = slip {
# Fred can run slip. When he does, he will have to use
# these mandatory access lists
inacl=101
outacl=102
}
# set a timeout in the lcp layer of ppp
service = ppp protocol = lcp {
timeout = 10
}
}
user = wilma {
# Wilma has no password of her own, but she's a group member so
# she'll use the group password if there is one. Same for her
# password expiry date
member = admin
}
group = admin {
# group members who don't have their own password will be looked
# up in /etc/passwd
# NOTE(review): on systems with shadow passwords the hashes are not in
# /etc/passwd, so the daemon needs access to the shadow database for this
# to work — confirm for the target OS.
login = file /etc/passwd
# group members who have no expiry date set will use this one
expires = "Jan 1 2038"
}