Download file จาก site shrubbery.net (ควรตรวจสอบ checksum/signature ของ tarball หลัง download ด้วย เพราะ FTP ไม่มีการรับรองความถูกต้องของไฟล์ที่ได้มา)
root@ubuntu10:~# wget -q ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz
แตก file tacacs ที download มา
root@ubuntu10:~# tar zxvf tacacs+-F4.0.4.19.tar.gz
...
root@ubuntu10:~# cd tacacs+-F4.0.4.19
install package ที่จำเป็นสำหรับ compile และ install tacacs
root@ubuntu10:~/tacacs+-F4.0.4.19#apt-get install flex bison libwrap0-dev gcc make libc6-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
config tacacs ก่อนติดตั้ง
root@ubuntu10:~/tacacs+-F4.0.4.19# ./configure --prefix /opt/tac-plus --with-acctfile=/var/log/tac_acc.log --with-logfile=/var/log/tac_plus.log --quiet
root@ubuntu10:~/tacacs+-F4.0.4.19# make install
...
ตรวจสอบ file หลัง install
root@ubuntu10:~/tacacs+-F4.0.4.19# ls -al /opt/tac-plus/bin/
total 276
drwxr-xr-x 2 root root 4096 2010-06-02 18:22 .
drwxr-xr-x 6 root root 4096 2010-06-02 18:22 ..
-rwxr-xr-x 1 root root 261484 2010-06-02 18:22 tac_plus
-rwxr-xr-x 1 root root 12264 2010-06-02 18:22 tac_pwd
root@ubuntu10:~/tacacs+-F4.0.4.19#
หลังจากติดตั้งอย่าลืม ldconfig
root@ubuntu10:~/tacacs+-F4.0.4.19#ldconfig
root@ubuntu10:~/tacacs+-F4.0.4.19# netstat -l 2>&1 | grep tac
tcp 0 0 *:tacacs *:* LISTEN
root@ubuntu10:~/tacacs+-F4.0.4.19#
สร้าง script file สำหรับ run tacacs
root@ubuntu10:~/tacacs+-F4.0.4.19#vi /opt/tac-plus/bin/tac_plus.sh
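#!/bin/sh
# Wrapper used by /etc/init.d/tac_plus to launch the TACACS+ daemon.
#
# exec replaces this shell with tac_plus, so no stray /bin/sh parent is
# left behind and the daemon's PID is the one the init script tracks.
# -C selects the configuration file; it holds the shared secret and user
# passwords, so it must stay root-only (chmod 600 /etc/tac_plus.conf).
# NOTE(review): consider adding -s (refuse SENDPASS, see `tac_plus -h`) so
# a NAS cannot ask the daemon to hand out a user's password.
exec /opt/tac-plus/bin/tac_plus -C /etc/tac_plus.conf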
กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19#chmod 755 /opt/tac-plus/bin/tac_plus.sh
สร้าง script สำหรับ start/stop program
root@ubuntu10:~/tacacs+-F4.0.4.19# vi /etc/init.d/tac_plus
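#!/bin/sh
# Start/stop the TACACS+ daemon (tac_plus).
#
# The daemon is launched through the wrapper /opt/tac-plus/bin/tac_plus.sh,
# but the running process is /opt/tac-plus/bin/tac_plus, so every
# start-stop-daemon call matches on that binary (--exec). Matching on the
# wrapper, as the original did for "start", never finds a running instance
# (the executable of a shell script is /bin/sh), so a second "start" would
# silently launch a duplicate daemon.
#
# Usage: /etc/init.d/tac_plus start|stop|restart|reload

DAEMON=/opt/tac-plus/bin/tac_plus
WRAPPER=/opt/tac-plus/bin/tac_plus.sh
NAME=tac_plus

# Nothing to do when tac_plus is not installed.
test -f "$DAEMON" || exit 0

case "$1" in
  start)
    echo -n "Starting TACACS+ Daemon: $NAME"
    # --exec: refuse to start if tac_plus is already running;
    # --startas: the program actually launched is the wrapper script.
    start-stop-daemon --start --quiet --exec "$DAEMON" --startas "$WRAPPER"
    echo "."
    ;;
  stop)
    echo -n "Stopping TACACS+ Daemon: $NAME"
    start-stop-daemon --stop --quiet --exec "$DAEMON"
    echo "."
    ;;
  restart)
    echo -n "Restarting TACACS+ Daemon: $NAME"
    # --retry waits (up to 5s, then KILL) for the old process to go away;
    # without it the immediate --start may still see it and refuse to run.
    start-stop-daemon --stop --quiet --retry 5 --exec "$DAEMON"
    start-stop-daemon --start --quiet --exec "$DAEMON" --startas "$WRAPPER"
    echo "."
    ;;
  reload)
    echo -n "Reloading TACACS+ Configuration: $NAME"
    # SIGUSR1 is the signal this script has always used to make tac_plus
    # re-read /etc/tac_plus.conf without restarting.
    start-stop-daemon --stop --signal USR1 --quiet --exec "$DAEMON"
    echo "."
    ;;
  *)
    # The original usage text named a non-existent /etc/init.d/tacacs.
    echo "Usage: /etc/init.d/$NAME start|stop|restart|reload"
    exit 1
    ;;
esac

exit 0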
กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19# chmod 755 /etc/init.d/tac_plus
สร้าง link สำหรับ auto start program
root@ubuntu10:~/tacacs+-F4.0.4.19# ln -s ../init.d/tac_plus /etc/rc2.d/S92tac_plus
root@ubuntu10:~/tacacs+-F4.0.4.19# ln -s ../init.d/tac_plus /etc/rc3.d/S92tac_plus
สร้าง file config ของ tacacs
root@ubuntu10:~/tacacs+-F4.0.4.19# touch /etc/tac_plus.conf
กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19# chmod 600 /etc/tac_plus.conf
แก้ไข config file สำหรับ tacacs ตามตัวอย่างด้านล่าง (อย่า copy ไปใช้งานตรง ๆ: ต้องเปลี่ยน key, password ของ $enable$ และ password/hash ของ user ทุกคนก่อน เพราะค่าในตัวอย่างนี้ถูกเผยแพร่สาธารณะแล้ว และต้องให้ไฟล์เป็น mode 600 ของ root เท่านั้น)
root@ubuntu10:~/tacacs+-F4.0.4.19# vi /etc/tac_plus.conf
# /etc/tac_plus.conf -- example tac_plus configuration.
# NOTE(review): every secret in this file is a published example value and
# must be replaced before use; keep the file mode 0600, owner root.
#
# Shared secret that protects the TACACS+ session with every NAS. It must
# match "tacacs-server key" (IOS), "set tacacs key" (CatOS) and the
# tacplus-server "secret" (Junos). A dictionary word like this one is
# guessable -- use a long random value.
key = telnethost
# Daemon-Log --> /var/log/tac_plus.log (path fixed at ./configure time)
# Accounting records (session start/stop, per-command records) go here;
# path fixed at ./configure time with --with-acctfile.
accounting file = /var/log/tac_acc.log
# Default enable password: presumably used for any user that has no
# "enable =" line of their own (the IOS example sends enable requests here
# via "aaa authentication enable default group tacacs+"). Stored cleartext;
# prefer a des hash generated with /opt/tac-plus/bin/tac_pwd, and change it.
user = $enable$ {
login = cleartext "cisco"
}
# Group Account
# Administrators: any service or command not listed is permitted.
group = admin {
default service = permit
# Shell sessions start at privilege 1; admindes below carries an enable
# password for moving to a higher level.
service = exec {
priv-lvl = 1
}
# Junos: unrestricted command set for this group.
service = junos-exec {
allow-commands = "all"
}
}
# Restricted operators: anything not explicitly permitted below is denied.
# NOTE(review): the permit/deny strings look like regular expressions (see
# the ".*" entries) and carry no ^/$ anchors, so e.g. "nat" under "clear"
# matches any argument string containing that substring. Anchor the
# patterns if a tighter match is intended.
group = user {
default service = deny
service = exec {
priv-lvl = 1
}
# NOTE(review): "show .*" also permits "show running-config" /
# "show startup-config", which reveal the TACACS+ key and other secrets
# present in the device configuration; deny those explicitly if operators
# should not see them.
cmd = show {
permit .*
}
cmd = ping {
permit .*
}
cmd = traceroute {
permit .*
}
cmd = logout {
permit .*
}
# Only "configure terminal" is allowed; everything else under configure is denied.
cmd = configure {
permit "terminal"
deny .*
}
# Operators may toggle NetFlow on interfaces (ip / no ip below) ...
cmd = ip {
permit "route-cache flow |flow ingress |flow egress "
}
# ... and enter interface configuration for these interface types.
cmd = interface {
permit "FastEthernet|Multilink|BVI|Serial|GigabitEthernet|Vlan"
}
cmd = no {
permit "route-cache flow |flow ingress |flow egress "
}
# NOTE(review): "telnet .*" lets operators open sessions from the router to
# any reachable host -- a pivot path into the management network. Restrict
# the destination pattern if that is not intended.
cmd = telnet {
permit .*
}
cmd = clear {
permit "arp|counter|nat"
deny .*
}
# NOTE(review): "couter" is probably a typo (cf. "counter" under "clear");
# confirm the intended command before fixing it.
cmd = do {
permit "run|sh|couter"
}
}
# Administrator account. Hashes are crypt/DES values produced with tac_pwd;
# NOTE(review): these hashes are public (they appear in this example) --
# regenerate them.
user = admindes {
login = des J6bHZh48sXJ3E
enable = des VC8o2ox/i5xMY
member = admin
}
# user group user
# Operator account; cleartext password equal to the username -- example only.
user = user {
login = cleartext "user"
member = user
}
ในส่วนของการสั่ง start/stop/restart program ทำได้ดังนี้
root@ubuntu10:~# /etc/init.d/tac_plus start
root@ubuntu10:~# /etc/init.d/tac_plus stop
root@ubuntu10:~# /etc/init.d/tac_plus restart
ตัวอย่าง config สำหรับ router
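aaa new-model
!
! Named login list "TACACS": ask the TACACS+ server first, then the local
! user database. NOTE(review): IOS normally falls through to "local" only
! when no server responds, not when the server rejects the user -- confirm
! for your release. A local user (username ... privilege 15 secret ...)
! must exist or the fallback is useless once the server is unreachable.
aaa authentication login TACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Send configuration-mode commands for authorization too, not only exec-mode ones.
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Replace the placeholders (the original page had them blanked out);
! the key must match "key = ..." in /etc/tac_plus.conf.
tacacs-server host *TACACS server IP*
tacacs-server directed-request
tacacs-server key *TACACS server key*
!
line con 0
exec-timeout 15 0
login authentication TACACS
! The original left the aux line on the default login list, so a session
! on the aux port bypassed TACACS+ and had no idle timeout; apply the same
! list and timeout here.
line aux 0
exec-timeout 15 0
login authentication TACACS
line vty 0 4
exec-timeout 15 0
login authentication TACACS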
Template for CatOS
#authentication
# Login and enable authentication go to TACACS+ on the console and telnet;
# HTTP management is explicitly excluded from TACACS+ here, so disable the
# HTTP server entirely if it is not needed.
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs disable http
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs disable http
!
#tacacs+
# Replace the placeholders; the key must match "key = ..." in /etc/tac_plus.conf.
set tacacs server *TACACS server IP* primary
# NOTE(review): "attempts" and "timeout" are left at the page's values;
# check the CatOS documentation for their exact meaning before tuning them.
set tacacs attempts 2
set tacacs directedrequest enable
set tacacs key *TACACS server key*
set tacacs timeout 5
Juniper set statements:
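# Try TACACS+ first, then the local password database.
set system authentication-order [ tacplus password ]
# Replace the placeholders (the original page had the server address blanked
# out); "secret" must match "key = ..." in /etc/tac_plus.conf. The two lines
# correspond to the secret and source-address statements of the
# hierarchical form below.
set system tacplus-server *TACACS server IP* secret "*TACACS server key*"
set system tacplus-server *TACACS server IP* source-address *router source IP*
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus
# local user, when TACACS+ fails. The built-in class is "super-user";
# the original "superuser" would only work if a custom class of that name exists.
set system login user fallback_user uid 2000
set system login user fallback_user class super-user
set system login user fallback_user authentication encrypted-password "*hash*"
# user remote must exist. Otherwise tacacs auth won't work.
# NOTE(review): Junos maps every TACACS+-authenticated user that carries no
# local-user-name attribute onto this template user, so its class applies
# to everyone the server accepts -- including the restricted "user" group
# from tac_plus.conf. Use a less privileged class here, or return
# local-user-name per user, if that is not intended (confirm for your release).
set system login user remote full-name tacacs_user
set system login user remote uid 9999
set system login user remote class super-user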
Hierarchical:
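system {
    authentication-order [ tacplus password ];
    tacplus-server {
        /* Replace the placeholders (the original page had the server address
           blanked out); secret must match "key = ..." in /etc/tac_plus.conf. */
        *TACACS server IP* {
            secret "*TACACS server key*";
            source-address *router source IP*;
        }
    }
    /* The original had a stray closing brace after tacplus-server, which put
       accounting and login outside system; both belong under system, as the
       "set system accounting ..." / "set system login ..." statements show. */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
    login {
        /* Local fallback account, used when TACACS+ fails. The built-in class
           is super-user; "superuser" would require a custom login class. */
        user fallback_user {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*hash*";
            }
        }
        /* Template user for TACACS+ logins; must exist or tacacs auth will not
           work. NOTE(review): users without a local-user-name attribute are
           mapped onto it, so super-user here applies to every user the server
           accepts -- confirm this is intended. */
        user remote {
            full-name tacacs_user;
            uid 9999;
            class super-user;
        }
    }
}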
========================
#ตัวอย่าง log file ใน /var/log/tac_plus.log
Thu Mar 5 23:27:35 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:35 2009 [11912]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:40 2009 [11912]: login query for 'net_adm' tty0 from gate rejected
Thu Mar 5 23:27:40 2009 [11912]: login failure: net_adm gate (192.168.222.250) tty0
Thu Mar 5 23:27:42 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:42 2009 [11913]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:49 2009 [11913]: login query for 'net_admin' tty0 from gate accepted
Thu Mar 5 23:27:49 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:49 2009 [11914]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:52 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:52 2009 [11915]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:53 2009 [11915]: enable query for 'net_admin' tty0 from gate accepted
#ตัวอย่าง log account /var/log/tac_acc.log
Thu Mar 5 23:36:18 2009 gate net_admin tty0 async start task_id=24 timezone=UTC service=shell
Thu Mar 5 23:36:41 2009 gate net_admin tty0 async stop task_id=24 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal
Thu Mar 5 23:36:54 2009 gate net_admin tty0 async stop task_id=25 timezone=UTC service=shell priv-lvl=15 cmd=logging buffered
Thu Mar 5 23:37:07 2009 gate net_admin tty0 async stop task_id=24 timezone=UTC service=shell disc-cause=1 disc-cause-ext=9 pre-session-time=19 elapsed_time=49 stop_time=1014975481
Command line parameters
debian:/opt/tac-plus/bin# /opt/tac-plus/bin/tac_plus
Usage: tac_plus -C <config file> [-d <debug level>] [-GghiLPstv]   (the <config file> argument was lost in the original page; -d takes the debug values listed below)
-G stay in foreground; do not detach from the tty
-g single thread mode
-h display this message
-i inetd mode
-L lookup peer addresses for logs
-P parse the configuration file and exit
-s refuse SENDPASS
-t also log to /dev/console
-v display version information
Debug values
8 authorisation debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
--> 248 = 128 + 64 + 32 + 16 + 8
Please leave a comment if you have any suggestions.