TACACS+: Difference between revisions

From ICO wiki
Revision as of 21:26, 15 December 2012

Author

Margus Kurnikov AK21

Introduction

TACACS+ (Terminal Access Controller Access-Control System Plus) is an access-control protocol for network devices that covers authentication, authorization and accounting services. It uses TCP port 49 for its communication.
Unlike RADIUS, which is the alternative to TACACS+, it separates the authorization function, which allows more flexible access control: who may run commands, which commands, and on which device. Every command a user enters is sent to the central TACACS+ server for authorization, where it is checked whether that specific user or group is allowed to run the command. In TACACS+ it is possible to create, for example, user-, device- or time-based rules for command execution.
TACACS+ protocol support is available in the network devices of the major vendors: Cisco, Juniper/Netscreen, HP, Alcatel/Lucent, Ericsson and others.

Installation

The TACACS+ service was installed on Ubuntu 12.04.
A Cisco 1812 was used as the test router.


Installing the TACACS+ service:

apt-get install tacacs+

Configuring the service

Configuration file manual:

man tac_plus.conf


Accounting log file:

/var/log/tac_plus.acct


Location of the TACACS+ configuration file:

/etc/tacacs+/tac_plus.conf


Original configuration file:

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = testing123

# Use /etc/passwd file to do authentication
#default authentication = file /etc/passwd

# You can use feature like per host key with different enable passwords
#host = 127.0.0.1 {
#        key = test 
#        type = cisco
#        enable = <des|cleartext> enablepass
#        prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}

# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#user = test1 {
#    name = "Test User"
#    member = staff
#    login = file /etc/tacacs/tacacs_passwords
#}

# We can also specify rules valid per group of users.
#group = group1 {
#       cmd = conf {
#               deny
#       }
#}

# Another example: forbid the configure command for some hosts
# for a defined range of clients
#group = group1 {
#       login = PAM
#       service = ppp
#       protocol = ip {
#               addr = 10.10.0.0/24
#       }
#       cmd = conf {
#               deny .*
#       }
#}

user = DEFAULT {
        login = PAM
        service = ppp protocol = ip {}
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization and scripting authorization.
# See the man page for those features.
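The default file above ships with a shared key of testing123 and a catch-all DEFAULT user, so every client that knows the published key can authenticate any PAM account. The following is an added example, not the wiki's or the tac_plus project's own file: it reuses the host, group, user and cmd directives shown in the default file to give each device its own key and to enforce the per-group command authorization described in the introduction. All addresses, secrets, group and user names are constructed placeholders.

```text
# Hardened tac_plus.conf (constructed example, not the distribution default)

accounting file = /var/log/tac_plus.acct

# Weak default to replace:  key = testing123
# Per-device keys: each network device gets its own long random secret,
# so a key leaked from one device does not authenticate clients for another.
host = 192.0.2.10 {
        key = "PLACEHOLDER-LONG-RANDOM-SECRET-router1"
        type = cisco
}
host = 192.0.2.11 {
        key = "PLACEHOLDER-LONG-RANDOM-SECRET-router2"
        type = cisco
}

# Operators: authenticate via PAM, land at privilege level 1,
# may run show commands, and are explicitly denied configuration.
group = netops {
        login = PAM
        service = exec {
                priv-lvl = 1
        }
        cmd = show {
                permit .*
        }
        cmd = conf {
                deny .*
        }
}

# Administrators: every service permitted, every command still accounted.
group = netadmin {
        login = PAM
        default service = permit
}

user = alice {
        member = netops
}
user = bob {
        member = netadmin
}

# No "user = DEFAULT" block: accounts not listed here are rejected
# instead of falling through to PAM with full ppp access.
```

Commands that match no cmd clause of the user's group are denied by tac_plus, so the explicit conf deny documents intent rather than adding a new restriction.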


User authentication can be configured in tac_plus in three ways:

  • Authentication against the local passwd file - /etc/passwd
  • Authentication with passwords configured in the /etc/tac_plus/tac_plus.conf file
  • Authentication with PAM against an LDAP server


I will cover the first two options:

Authentication with the passwd file