AAA Authentication for Network Devices

  1. Switch configuration (H3C switch as the example, v7 release)
    hwtacacs scheme tacacs
    primary authentication 172.18.34.45
    primary authorization 172.18.34.45
    primary accounting 172.18.34.45
    key authentication cipher $c$3$GVL2qE1HsQSyRlEI5UiDXl7Se/giCmx7fXzy
    key authorization cipher $c$3$SQRKlqv25kY6zvoAtPfqkKyr42LdnT57kh7V
    key accounting cipher $c$3$gklXXuVEMVLUcHFL0WX1t33g7BDhXciJRcb2
    user-name-format without-domain
    #
    domain hwtacacs
    authorization command hwtacacs-scheme tacacs
    accounting command hwtacacs-scheme tacacs
    authentication default hwtacacs-scheme tacacs local
    authorization default hwtacacs-scheme tacacs local
    accounting default hwtacacs-scheme tacacs local
    #
    domain default enable hwtacacs
    #
    line vty 0 15
    command authorization
    command accounting
    !
  2. Installing the FreeIPA user management platform
    System version: CentOS Linux release 7.3.1611 (Core), firewall disabled
    yum install ipa-server bind bind-dyndb-ldap
    echo "172.18.34.45 ipa.test.org ipa" >>/etc/hosts
    ipa-server-install    # runs the automated install; press Enter to accept every default
    https://ipa.test.org/ (the installation prompts for a user name and password; the default user is admin)
    Errors you may run into
    If the messagebus service reports an error, run the following commands, then uninstall and reinstall.
    https://bugzilla.redhat.com/show_bug.cgi?id=636876
    systemctl restart messagebus
    systemctl start certmonger
    ipa-server-install --uninstall
    ipa-server-install
    Log directory
    tail -f /var/log/dirsrv/slapd-TEST-ORG/access
    tail -f /var/log/dirsrv/slapd-TEST-ORG/errors
    Configure IPA:
    Add a user
    Add the user to a user group

  3. TACACS installation and configuration
    yum install gcc perl-LDAP wget
    wget http://www.pro-bono-publico.de/projects/src/DEVEL.201706241310.tar.bz2
    tar xvfj DEVEL.201706241310.tar.bz2
    cd PROJECTS
    ./configure
    make && make install
    mkdir /var/log/tac_plus
    mkdir /var/log/tac_plus/access
    mkdir /var/log/tac_plus/acct
    mkdir /var/log/tac_plus/authen
    mkdir /var/log/tac_plus/author
    chmod 760 -R /var/log/tac_plus/
    cp ~/PROJECTS/tac_plus/extra/tac_plus.service /etc/systemd/system/
    systemctl daemon-reload
    cp ~/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
    chmod 660 /usr/local/etc/tac_plus.cfg
    TACACS configuration file
    #!/usr/local/sbin/tac_plus
    id = spawnd {
        listen = { port = 49 }
        spawn = {
            instances min = 1
            instances max = 10
        }
        background = yes
    }

    id = tac_plus {
        access log = /var/log/tac_plus/access/%Y%m%d.log
        authentication log = /var/log/tac_plus/authen/%Y%m%d.log
        authorization log = /var/log/tac_plus/author/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        mavis module = external {
            setenv LDAP_SERVER_TYPE = "microsoft"
            setenv LDAP_HOSTS = "ldap://ipa.test.org:389"
            setenv LDAP_SCOPE = "sub"
            setenv LDAP_BASE = "cn=users,cn=accounts,dc=test,dc=org"
            setenv LDAP_FILTER = "(uid=%s)"
            setenv REQUIRE_TACACS_GROUP_PREFIX = 1
            setenv FLAG_USE_MEMBEROF = 1
            exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis
        skip missing groups = yes
        cache timeout = 21600

        host = world {
            address = ::/0
            prompt = "Welcome\n"
            enable 15 = clear secret
            key = XXXX    # must match the key configured on the switch
        }

        group = admin {
            default service = permit
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
            }
        }

        group = guest {
            default service = deny
            enable = deny
            service = shell {
                default command = deny
                default attribute = permit
                set priv-lvl = 1
                cmd = display {
                    deny diagnostic-information
                    permit .*
                }
                cmd = ping { permit .* }
            }
        }
    }
    tacacs service management:
    systemctl enable tac_plus
    systemctl restart tac_plus
    systemctl status tac_plus
    tacacs log management:
    access log = /var/log/tac_plus/access/%Y%m%d.log
    authentication log = /var/log/tac_plus/authen/%Y%m%d.log
    authorization log = /var/log/tac_plus/author/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
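
A pre-deployment check for the tac_plus.cfg above, added here as an example (it is not part of the original article or of the tac_plus project): it flags the settings in that file that a reviewer would want tightened before production. The rule names and the sample text are constructed for this example; the patterns only cover the directives that appear on this page.

```python
import re

# Constructed sample: the lines of interest from the tac_plus.cfg shown above.
SAMPLE_CFG = '''
mavis module = external {
    setenv LDAP_HOSTS = "ldap://ipa.test.org:389"
}
host = world {
    address = ::/0
    enable 15 = clear secret
    key = XXXX
}
'''

# (rule id, pattern, explanation). Rule ids are names made up for this example.
RULES = [
    ("ldap-cleartext", re.compile(r'LDAP_HOSTS\s*=\s*"[^"]*\bldap://', re.I),
     "LDAP URL is ldap://, so binds carry user passwords unencrypted "
     "unless StartTLS is configured separately"),
    ("any-client", re.compile(r'^\s*address\s*=\s*(::/0|0\.0\.0\.0/0)\s*$'),
     "host block accepts TACACS+ clients from any address; "
     "list the management subnets instead"),
    ("clear-enable", re.compile(r'^\s*enable(\s+\d+)?\s*=\s*clear\s+\S+'),
     "enable password is stored in clear text in the config file"),
    ("placeholder-key", re.compile(r'^\s*key\s*=\s*"?(X+|secret|changeme)"?\s*$', re.I),
     "shared key is a placeholder or trivial value"),
]

def audit(cfg_text):
    """Return a list of (line_number, rule_id, message) findings."""
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for rule_id, pattern, message in RULES:
            if pattern.search(code):
                findings.append((lineno, rule_id, message))
    return findings

if __name__ == "__main__":
    for lineno, rule_id, message in audit(SAMPLE_CFG):
        print(f"line {lineno}: [{rule_id}] {message}")
```
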
