tacacs+服務器搭建
軟件下載地址:http://pan.baidu.com/s/1i4x3jrJ
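# Unpack the downloaded source archive.
# NOTE(review): the page gives no checksum or signature for DEVEL.tar.bz2;
# compare the archive against a value published by the upstream project
# (placeholder: <EXPECTED_SHA256>) before building anything from it.
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
# Build and install only if each preceding step succeeded; the original
# ran "make install" even after a failed build or a failed cd.
cd PROJECTS && make && make install
# Copy the sample Active Directory config into place. The edited file will
# hold the LDAP bind password and the TACACS+ shared key, so make it readable
# only by its owner (the account that starts the daemon, root here).
cp tac_plus/doc/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
chmod 600 /usr/local/etc/tac_plus.cfg
# Edit tac_plus.cfg as needed; the intended contents follow below.
vi /usr/local/etc/tac_plus.cfg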
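#!/usr/local/bin/tac_plus
# tac_plus.cfg: spawnd listener plus the tac_plus daemon configuration.
# This file contains an LDAP bind password (LDAP_PASSWD), a clear-text
# enable password and the TACACS+ shared key; keep it mode 600 and owned
# by the account the daemon runs as.
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    # External MAVIS backend: users and groups are looked up in Active
    # Directory through mavis_tacplus_ldap.pl. The values below use plain
    # ASCII double quotes; the curly quotes on the original page are not
    # valid config syntax and would break parsing.
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # NOTE(review): the LDAP bind credential is sent to these hosts;
        # confirm whether this port carries TLS and prefer an encrypted
        # transport if the helper script supports it.
        setenv LDAP_HOSTS = "10.10.0.3:3268 TestDC-tacacs:3268"
        setenv LDAP_BASE = "dc=test,dc=cn"
        setenv LDAP_USER = "tacacs@test.cn"
        setenv LDAP_PASSWD = "abcd.1234"
        # Only users that belong to an AD group carrying the tacacs prefix
        # (tacacsadmin, tacacsguest) are allowed to log in.
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis
    # ::/0 accepts every client address; narrow this to the management
    # network of the switches where possible.
    host = world {
        address = ::/0
        prompt = "Welcome\n"
        # "clear" stores the switch enable password unencrypted: cisco.
        enable 15 = clear cisco
        # Shared secret; must match the tacacs-server key on the switch.
        # "cisco" is a well-known default value -- change it for production.
        key = cisco
    }
    # Maps to the AD group tacacsadmin: full shell access at privilege 15.
    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    # Maps to the AD group tacacsguest: shell access at privilege 9.
    group = guest {
        default service = permit
        # enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 9
        }
    }
}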
:wq
#保存退出
#(我們需要在AD中建立用戶和組,上邊配置文件中的 tacacs用戶用來查詢AD。配置文件中還設定了2個組,一個是admin,一個是guest,設置不同的權限,我們需要在AD中設置相應的組,來對應這兩個組。默認的前綴為tacacs,即在AD 中建立tacacsadmin組對應tacacs+中的admin組,tacacsguest組對應tacacs+中的guest組,使用mavis中的TACACS_GROUP_PREFIX參數可以修改此前綴。setenv REQUIRE_TACACS_GROUP_PREFIX = 1 的意思是只有屬於有tacacs前綴的組的用戶才能登錄交換機。testa屬於tacacsguest,testc屬於tacacsadmin)
/usr/local/bin/tac_plus -P /usr/local/etc/tac_plus.cfg
# Check tac_plus.cfg for errors before starting the daemon.
cp tac_plus/doc/etc_init.d_tac_plus /etc/init.d/tac_plus
# Install the tac_plus init script shipped in the source tree into /etc/init.d.
# Start tac_plus through the init script.
/etc/init.d/tac_plus start
or
/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg
# Start tac_plus directly with the config file (alternative to the init script).
交換機配置:
! Switch-side AAA: login and enable authentication go to the TACACS+ server
! group first, with the local "enable" method listed as the second choice.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
! Command authorization for the two privilege levels the server assigns
! (guest -> priv-lvl 9, admin -> priv-lvl 15 in tac_plus.cfg).
aaa authorization commands 9 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
! Accounting for exec sessions, level 9/15 commands, system and network
! events is sent to the server (these feed the accounting log in tac_plus.cfg).
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa session-id common
! 10.10.0.1 is the host running tac_plus.
tacacs-server host 10.10.0.1 single-connection
tacacs-server directed-request
! Shared secret; must equal "key = cisco" in tac_plus.cfg.
! NOTE(review): the "7" keyword tells IOS that the string following it is
! already type-7 encoded; to enter the plain key use "tacacs-server key cisco"
! and let service password-encryption obfuscate it on display -- confirm on
! the platform in use. Type 7 is reversible, so the saved config still
! exposes the key; protect config backups accordingly.
tacacs-server key 7 cisco
#雙向加密(type 7) : 命令service password-encryption自動對配置中的密碼加密。
