分类: LINUX
2008-04-13 10:59:38
Under the installation is particularly straight forward. The following command will install the tac-plus service:
#apt-get install tac-plus
/usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d 16
The following command shows debugging information of the tac-plus service
tail -f /var/tmp/tac-plus.log
to kill....
kill -USR1 `cat /etc/tac-plus.pid`
To restart...
/etc/init.d/tac-plus restart
Files
/var/log/tac-plus/account.log (must make this file writable)
/var/tmp/tac_plus.log (service logfile)
/etc/init.d/tac-plus (startup script)
/etc/tac-plus/tacacs.conf (users and )
/usr/sbin/tac_plus (executable)
create des encrypted password: htpasswd -n debianhelp
Config file
/etc/tac-plus/tacacs.conf
#This user can do anything
user = admins {
default service = permit
login = des 70e4lCVGyWSKM
}
#this user can only run 'show ip' and ‘show interface’ commands
user = users {
default service = deny
login = cleartext test
cmd = show
{
permit ip
permit interface
deny .*
}
}
Each AAA command specified in the describes the authentication and authorization and the order in which these methods are attempted.
Config for
aaa new-model
#Authentication order
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
#For connections (until tested with TACAcs+ will get to stage where use TACACS then local if unavailable)....
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated
#Must have the following 2 lines to explicitly authorize commands
#User level commands will be allowed even if tacacs server unavailable assuming user has been authenticated
aaa authorization commands 1 tacacs+ if-authenticated
{#If TACACS server is unavailable Enable level commands can only be run from a console (e.g. configire terminal, copy cmd etc) }
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization tacacs+
#Enable passwd if tacacs server unavailable
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
enable password tester
If the tacacs server is unavailable you will be prompted with the standard login however instead of using a VTY password and an enable password you would use the 'enable' password for both login and to enable to router.
For example:
Verification
Password:
As apposed to :
User Access Verification
Username:
NOTE: Username and password are case-sensitive
The following cmd allows any commands if TACACS unavailable
aaa authorization exec tacacs+ none
Building configuration...
Current configuration:
!
version 11.1
service config
no service udp-small-servers
no service tcp-small-servers
!
hostname tacacstest
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated
aaa authorization commands 1 tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
enable secret 5 $1$y1cB$sSAl.2azaTPo9GoPO3fp0.
!
!
interface Ethernet0
192.168.100.58 255.255.255.0
no cdp enable
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no cdp enable
!
interface BRI0
no ip address
shutdown
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.5
logging buffered
tacacs-server host 172.18.1.2
tacacs-server host 192.168.100.59
!
line con 0
exec-timeout 0 0
password whatever
login authentication conmethod
line aux 0
line vty 0 4
exec-timeout 0 0
!
end
