千家信息网

网络设备AAA认证

发表于:2024-04-13 作者:千家信息网编辑
千家信息网最后更新 2024年04月13日,交换机配置(以华三交换机为例,v7版本)hwtacacs scheme tacacsprimary authentication 172.18.34.45primary authorization 1
千家信息网最后更新 2024年04月13日网络设备AAA认证
  1. 交换机配置(以华三交换机为例,v7版本)
    hwtacacs scheme tacacs
    primary authentication 172.18.34.45
    primary authorization 172.18.34.45
    primary accounting 172.18.34.45
    key authentication cipher $c$3$GVL2qE1HsQSyRlEI5UiDXl7Se/giCmx7fXzy
    key authorization cipher $c$3$SQRKlqv25kY6zvoAtPfqkKyr42LdnT57kh7V
    key accounting cipher $c$3$gklXXuVEMVLUcHFL0WX1t33g7BDhXciJRcb2
    user-name-format without-domain
    #
    domain hwtacacs
    authorization command hwtacacs-scheme tacacs
    accounting command hwtacacs-scheme tacacs
    authentication default hwtacacs-scheme tacacs local
    authorization default hwtacacs-scheme tacacs local
    accounting default hwtacacs-scheme tacacs local
    #
    domain default enable hwtacacs
    #
    line vty 0 15
    command authorization
    command accounting
    !
  2. 用户管理平台FreeIPA安装
    系统版本 CentOS Linux release 7.3.1611 (Core),关闭防火墙
    yum install ipa-server bind bind-dyndb-ldap
    echo "172.18.34.45 ipa.test.org ipa" >>/etc/hosts
    ipa-server-install 会自动安装全部默认回车
    https://ipa.test.org/ 安装过程中会提示用户名和输入密码,默认用户admin
    可能会遇到的报错
    如遇到messagebus服务报错,执行以下命令,然后卸载重装。
    https://bugzilla.redhat.com/show_bug.cgi?id=636876
    systemctl restart messagebus
    systemctl start certmonger
    ipa-server-install -uninstall
    ipa-server-install
    日志目录
    tail -f /var/log/dirsrv/slapd-TEST-ORG/access
    tail -f /var/log/dirsrv/slapd-TEST-ORG/errors
    设置IPA:

    添加用户

添加用户到用户组

  1. TACACS 安装配置
    yum install gcc perl-LDAP wget
    wget http://www.pro-bono-publico.de/projects/src/DEVEL.201706241310.tar.bz2
    tar xvfj DEVEL.201706241310.tar.bz2
    cd /PROJECTS
    ./configure
    make && make install
    mkdir /var/log/tac_plus
    mkdir /var/log/tac_plus/access
    mkdir /var/log/tac_plus/acct
    mkdir /var/log/tac_plus/authen
    mkdir /var/log/tac_plus/author
    chmod 760 -R /var/log/tac_plus/
    cp ~/PROJECTS/tac_plus/extra/tac_plus.service /etc/systemd/system/
    systemctl daemon-reload
    cp ~/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
    chmod 660 /usr/local/etc/tac_plus.cfg
    TACACS 配置文件
    #!/usr/local/sbin/tac_plus
    id = spawnd {
    listen = { port = 49 }
    spawn = {
    instances min = 1
    instances max = 10
    }
    background = yes
    }

id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
authentication log = /var/log/tac_plus/authen/%Y%m%d.log
authorization log = /var/log/tac_plus/author/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log

mavis module = external {    setenv LDAP_SERVER_TYPE = "microsoft"    setenv LDAP_HOSTS = "ldap://ipa.test.org:389"    setenv LDAP_SCOPE = "sub"    setenv LDAP_BASE = "cn=users,cn=accounts,dc=test,dc=org"    setenv LDAP_FILTER= "(uid=%s)"    setenv REQUIRE_TACACS_GROUP_PREFIX = 1    setenv FLAG_USE_MEMBEROF = 1    exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl}login backend = mavisuser backend = mavispap backend = mavis      skip missing groups = yes        cache timeout = 21600host = world {    address = ::/0    prompt = "Welcome\n"    enable 15 = clear secret    key = XXXX (与交换机key一致)}group = admin {    default service = permit    service = shell {        default command = permit        default attribute = permit        set priv-lvl = 15    }}group = guest {    default service = deny    enable = deny    service = shell {        default command = deny        default attribute = permit        set priv-lvl = 1        cmd = display {              deny diagnostic-information              permit .*        }        cmd = ping { permit .* }    }}

}
tacacs服务管理:
systemctl enable tac_plus
systemctl restart tac_plus
systemctl status tac_plus
tacacs日志管理:
access log = /var/log/tac_plus/access/%Y%m%d.log
authentication log = /var/log/tac_plus/authen/%Y%m%d.log
authorization log = /var/log/tac_plus/author/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log

0