linux安装tacacs+服务器

tacacs+服务器搭建

软件下载地址:http://pan.baidu.com/s/1i4x3jrJ

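# Unpack the downloaded source archive (DEVEL.tar.bz2).
# The link above is a file-sharing mirror, not the project's own site: before
# building, compare the archive against a checksum obtained from the tac_plus
# project itself so you are not compiling a tampered copy.
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
cd PROJECTS
make
make install

# Copy the sample AD/LDAP configuration into place.
cp tac_plus/doc/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
# This file will hold the LDAP bind password and the TACACS+ shared key in
# clear text, so make it readable only by the account that runs tac_plus.
chmod 600 /usr/local/etc/tac_plus.cfg

# Edit tac_plus.cfg as needed; the version used here follows.
vi /usr/local/etc/tac_plus.cfg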

#!/usr/local/bin/tac_plus

# spawnd: the connection listener/supervisor that sits in front of the
# tac_plus worker instances defined below.
id = spawnd {

        # TCP 49 is the standard TACACS+ port. No address is given, so this
        # presumably binds on all interfaces; add an address to the listen
        # block to restrict it — confirm against the spawnd documentation.
        listen = { port = 49 }

        spawn = {

                # Lower / upper bound on the number of worker instances.
                instances min = 1

                instances max = 10

        }

        # Detach from the terminal and run as a daemon.
        background = yes

}

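# tac_plus: the TACACS+ daemon itself (authentication, authorization, accounting).
id = tac_plus {
        # One log file per day (%Y%m%d is expanded in the path).
        access log = /var/log/tac_plus/access/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        # Users and groups are looked up in Active Directory through the
        # external MAVIS LDAP helper. Every quoted value below uses plain
        # ASCII double quotes: the typographic quotes (“ ” ″) that the web
        # page pasted in are not recognised as string delimiters by the
        # parser, so the values would not be read as intended.
        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                # 3268 is the AD Global Catalog port. Whether the bind is
                # protected by TLS depends on the helper's own settings,
                # which are not shown here — confirm before putting these
                # credentials on the wire.
                setenv LDAP_HOSTS = "10.10.0.3:3268 TestDC-tacacs:3268"
                setenv LDAP_BASE = "dc=test,dc=cn"
                # Bind account used only to query AD. Its password sits in
                # clear text here, so this file must stay readable only by
                # the account running tac_plus.
                setenv LDAP_USER = "tacacs@test.cn"
                setenv LDAP_PASSWD = "abcd.1234"
                # Only members of an AD group named tacacs<group> (default
                # prefix "tacacs") may log in; the part after the prefix
                # selects one of the group definitions below.
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis

        # ::/0 matches every client address, so the shared key below is the
        # only thing that identifies a device as a legitimate client.
        host = world {
                address = ::/0
                prompt = "Welcome\n"
                # Enable (privilege 15) password, stored in clear text ("clear").
                enable 15 = clear cisco
                # Shared secret; must match "tacacs-server key" on the switches.
                # "cisco" is a demo value — use a long random secret in production.
                key = cisco
        }

        # Full administrative access: every service and command permitted,
        # privilege level 15.
        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        # Restricted access: the same permit-all command policy as admin; the
        # only difference is privilege level 9, so what this group can run is
        # governed by IOS privilege levels, not by any per-command rule here.
        group = guest {
                default service = permit
        #       enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 9
                }
        }
}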

:wq

#保存退出

#(我们需要在AD中建立用户和组,上边配置文件中的 tacacs用户用来查询AD。配置文件中还设定了2个组,一个是admin,一个是guest,设置不同的权限,我们需要在AD中设置相应的组,来对应这两个组。默认的前缀为tacacs,即在AD 中建立tacacsadmin组对应tacacs+中的admin组,tacacsguest组对应tacacs+中的guest组,使用mavis中的TACACS_GROUP_PREFIX参数可以修改此前缀。setenv REQUIRE_TACACS_GROUP_PREFIX = 1 的意思是只有属于带tacacs前缀的组的用户才能登录交换机。testa属于tacacsguest,testc属于tacacsadmin)

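# Parse the configuration and exit (-P); fix any reported errors before starting.
/usr/local/bin/tac_plus -P /usr/local/etc/tac_plus.cfg

# Install the bundled SysV init script.
cp tac_plus/doc/etc_init.d_tac_plus /etc/init.d/tac_plus

# Start tac_plus through the init script ...
/etc/init.d/tac_plus start
# ... or, equivalently, run the daemon directly with the configuration file
# (only one of the two is needed):
# /usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg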

交换机配置:

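aaa new-model
! Authentication: ask TACACS+ first; the local enable secret is used only as
! a fallback when no TACACS+ server can be reached, not when TACACS+ rejects.
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
! Authorization: exec shell plus commands at levels 9 (guest) and 15 (admin),
! matching the priv-lvl values in tac_plus.cfg. if-authenticated lets an
! already-authenticated user through when the server is unavailable.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 9 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
! Accounting for sessions, commands, system events and network services.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa session-id common
! The tac_plus server; single-connection reuses one TCP session for requests.
tacacs-server host 10.10.0.1 single-connection
tacacs-server directed-request
! Enter the shared key in plain text: it must equal "key = cisco" in
! tac_plus.cfg. Do not type "key 7 cisco" — the 7 declares that the string
! which follows is already type-7 encoded, so "cisco" would be decoded into a
! different value and every request would fail the key check. With
! "service password-encryption" enabled, IOS itself rewrites this line as
! "key 7 <hex>" in the running config. Type 7 is reversible obfuscation, not
! strong encryption, and "cisco" is a weak secret — use a long random key.
tacacs-server key cisco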

#type 7 为双向(可逆)加密: 命令 service password-encryption 会自动把配置中的明文密码转换成 type 7 形式。
