老僆 posted on 2023-5-24 14:20:00

Setting up a TACACS+ server on Linux (CentOS 7.9)

<p><span style="font-size: 18px"><strong>1. What is TACACS+</strong></span></p>
<ul>
<li><span style="font-size: 14px">TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS that provides authentication, authorization and accounting (AAA) services for network devices and access servers.</span></li>
</ul>
<ul>
<li><strong><span style="font-size: 16px">Comparison of TACACS+ and RADIUS</span></strong>
<p><img src="https://img2023.cnblogs.com/blog/2992980/202305/2992980-20230524135003006-1683203893.png" alt="" loading="lazy"></p>
</li>
<li>
<p>For more detail, see https://www.h3c.com/cn/d_201309/922099_30005_0.htm</p>
</li>
</ul>
<p><span style="font-size: 18px"><strong>2. Setting up a TACACS+ server on Linux</strong></span></p>
<p><em>The server below is the environment on which the TACACS+ service was installed for this document.</em></p>
<p><em>Server: CentOS 7</em></p>
<p><em>Kernel version: 3.10.0-1160.el7.x86_64</em></p>
<p><em>Note: this server was set up purely to test this authentication feature at work.</em></p>
<p>1. Installation steps</p>
<div class="cnblogs_code">
<pre># fetch and unpack the tac_plus source snapshot, then install the build dependencies
wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
sudo yum install rpm-build redhat-rpm-config gcc bison flex m4 pam-devel tcp_wrappers tcp_wrappers-devel
yum -y install perl-Digest-MD5
yum install perl-LDAP
# build and install
cd PROJECTS
make
make install
# log directories referenced later by tac_plus.cfg
mkdir /var/log/tac_plus
mkdir /var/log/tac_plus/access
mkdir /var/log/tac_plus/accounting
mkdir /var/log/tac_plus/authentication
mkdir /var/log/tac_plus/authorization
chmod 755 /var/log/tac_plus
# install the systemd unit shipped with the source
cp tac_plus/extra/tac_plus.service /etc/systemd/system/</pre>
</div>
<p>2. Create the configuration file</p>
<div class="cnblogs_code">
<pre>cd /usr/local/etc
touch tac_plus.cfg
# note: this file will hold the shared key and user passwords; 755 leaves it world-readable
chmod 755 tac_plus.cfg
sudo vim tac_plus.cfg</pre>
</div>
<p>3. Edit the configuration file</p>
<div class="cnblogs_code">
<pre># more tac_plus.cfg
#!../../../sbin/tac_plus

id = spawnd {
        # TACACS+ listens on port 49 by default; Wireshark decodes TCP with destination port 49 as TACACS+
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 100
        }
        background = no
}

id = tac_plus {
        #debug = PACKET AUTHEN AUTHOR

        access log = /var/log/tac_plus/access/access.log
        authorization log = /var/log/tac_plus/authorization/authorization.log
        authentication log = /var/log/tac_plus/authentication/authentication.log
        accounting log = /var/log/tac_plus/accounting/accounting.log

        host = world {
                # ::/0 matches every client address; the shared key is the only per-device check
                address = ::/0
                prompt = "Welcome\n"
                key = "tacacs@123"
        }

        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }

        user = tacacsuser {
                # clear-text password
                password = clear tacacs123
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = user1 {
                # hashed password; the hash can be generated with:
                #openssl passwd -crypt user123
                password = crypt Ljk4p8tGXkuVw
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = readonly {
                password = clear readonly
                member = guest
        }
}</pre>
</div>
<p>4. Start the service</p>
<div class="cnblogs_code">
<pre>systemctl restart tac_plus
systemctl status tac_plus</pre>
</div>
<p><img src="https://img2023.cnblogs.com/blog/2992980/202305/2992980-20230524141416427-71563907.png" alt="" loading="lazy"></p>
<p>At this point, a simple TACACS+ server is deployed.</p>
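<p>The configuration above contains several settings a reviewer would question before using it outside a lab: a host entry that matches every client (::/0), a short shared key, clear-text and legacy DES-crypt passwords, and priv-lvl 15 combined with every command permitted. The Python script below is an added example, not part of the original post or of tac_plus itself; it parses the brace-structured tac_plus.cfg format and reports those settings. The embedded config is a constructed sample that mirrors the one above, and the 16-character key threshold is an assumed policy.</p>

```python
SAMPLE_CFG = """# constructed sample mirroring the post's tac_plus.cfg (not the file itself)
id = tac_plus {
    host = world {
        address = ::/0
        key = "tacacs@123"
    }
    group = admin {
        service = shell {
            default command = permit
            set priv-lvl = 15
        }
    }
    user = tacacsuser { password = clear tacacs123 }
    user = user1 { password = crypt Ljk4p8tGXkuVw }
}
"""

def parse(text):
    stack = [{}]  # nested dicts: blocks keyed 'kind name' (e.g. 'host world'), leaves lhs -> rhs
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):  # comments dropped
        if line == "}":
            stack.pop()
        elif line:
            lhs, _, rhs = (s.strip() for s in line.partition("="))
            name, brace, inner = rhs.partition("{")
            if not brace:                        # leaf, e.g. 'address = ::/0'
                stack[-1][lhs] = rhs.strip('"')
            else:                                # block, e.g. 'host = world {'
                stack.append(stack[-1].setdefault(f"{lhs} {name.strip()}".strip(), {}))
                if inner.strip().endswith("}"):  # one-line block, e.g. '{ port = 49 }'
                    k, _, v = (s.strip() for s in inner.strip()[:-1].partition("="))
                    stack.pop()[k] = v           # fill the block and close it immediately
    return stack[0]

def audit(cfg):
    out = []  # findings a reviewer would raise on the 'id = tac_plus' section
    for key, block in cfg.get("id tac_plus", {}).items():
        block = block if isinstance(block, dict) else {}   # leaves such as 'access log' have no checks
        kind, _, name = key.partition(" ")
        if block.get("address") in ("::/0", "0.0.0.0/0"):
            out.append(f"{kind} {name}: accepts every client address")
        if kind == "host" and len(block.get("key", "")) < 16:   # 16 chars is an assumed policy
            out.append(f"{kind} {name}: shared key shorter than 16 characters")
        scheme, _, secret = block.get("password", "").partition(" ")
        if scheme == "clear" or (scheme == "crypt" and not secret.startswith("$")):
            out.append(f"{kind} {name}: password is {scheme} (plain text or legacy DES crypt)")
        shell = block.get("service shell", {})
        if shell.get("set priv-lvl") == "15" and shell.get("default command") == "permit":
            out.append(f"{kind} {name}: priv-lvl 15 with every command permitted")
    return out
```

<p>A crypt value without a <code>$</code> prefix is a traditional DES hash, which truncates the password to 8 characters and is cheap to brute-force; run <code>audit(parse(open("/usr/local/etc/tac_plus.cfg").read()))</code> against the real file to check it.</p>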
Source: https://www.cnblogs.com/Mourinkun/p/17428184.html