Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

AAA authentication of network equipment

2024-10-06 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

Switch configuration (take Huasan switch as an example, v7 version)

hwtacacs scheme tacacs

primary authentication 172.18.34.45

primary authorization 172.18.34.45

primary accounting 172.18.34.45

key authentication cipher $c$3$GVL2qE1HsQSyRlEI5UiDXl7Se/giCmx7fXzy

key authorization cipher $c$3$SQRKlqv25kY6zvoAtPfqkKyr42LdnT57kh7V

key accounting cipher $c$3$gklXXuVEMVLUcHFL0WX1t33g7BDhXciJRcb2

user-name-format without-domain

#

domain hwtacacs

authorization command hwtacacs-scheme tacacs

accounting command hwtacacs-scheme tacacs

authentication default hwtacacs-scheme tacacs local

authorization default hwtacacs-scheme tacacs local

accounting default hwtacacs-scheme tacacs local

#

domain default enable hwtacacs

#

line vty 0 15

command authorization

command accounting

! User Management Platform FreeIPA Installation

CentOS Linux release 7.3.1611 (Core), firewall turned off

yum install ipa-server bind bind-dyndb-ldap

echo "172.18.34.45 ipa.test.org ipa" >>/etc/hosts

ipa-server-install will automatically install all default carriage returns

https://ipa.test.org/ installation process will prompt for user name and password, default user admin

You may encounter errors.

If you encounter messagebus service error, execute the following command, and then uninstall reload.

https://bugzilla.redhat.com/show_bug.cgi? id=636876

systemctl restart messagebus

systemctl start certmonger

ipa-server-install -uninstall

ipa-server-install

log directory

tail -f /var/log/dirsrv/slapd-TEST-ORG/access

tail -f /var/log/dirsrv/slapd-TEST-ORG/errors

Set IPA:

add users

添加用户到用户组

TACACS 安装配置

yum install gcc perl-LDAP wget

wget http://www.pro-bono-publico.de/projects/src/DEVEL.201706241310.tar.bz2

tar xvfj DEVEL.201706241310.tar.bz2

cd /PROJECTS

./configure

make && make install

mkdir /var/log/tac_plus

mkdir /var/log/tac_plus/access

mkdir /var/log/tac_plus/acct

mkdir /var/log/tac_plus/authen

mkdir /var/log/tac_plus/author

chmod 760 -R /var/log/tac_plus/

cp ~/PROJECTS/tac_plus/extra/tac_plus.service /etc/systemd/system/

systemctl daemon-reload

cp ~/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg

chmod 660 /usr/local/etc/tac_plus.cfg

TACACS 配置文件

#!/usr/local/sbin/tac_plus

id = spawnd {

listen = { port = 49 }

spawn = {

instances min = 1

instances max = 10

}

background = yes

}

id = tac_plus {

access log = /var/log/tac_plus/access/%Y%m%d.log

authentication log = /var/log/tac_plus/authen/%Y%m%d.log

authorization log = /var/log/tac_plus/author/%Y%m%d.log

accounting log = /var/log/tac_plus/acct/%Y%m%d.log

mavis module = external { setenv LDAP_SERVER_TYPE = "microsoft" setenv LDAP_HOSTS = "ldap://ipa.test.org:389" setenv LDAP_SCOPE = "sub" setenv LDAP_BASE = "cn=users,cn=accounts,dc=test,dc=org" setenv LDAP_FILTER= "(uid=%s)" setenv REQUIRE_TACACS_GROUP_PREFIX = 1 setenv FLAG_USE_MEMBEROF = 1 exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl}login backend = mavisuser backend = mavispap backend = mavis skip missing groups = yes cache timeout = 21600host = world { address = ::/0 prompt = "Welcome\n" enable 15 = clear secret key = XXXX (与交换机key一致)}group = admin { default service = permit service = shell { default command = permit default attribute = permit set priv-lvl = 15 }}group = guest { default service = deny enable = deny service = shell { default command = deny default attribute = permit set priv-lvl = 1 cmd = display { deny diagnostic-information permit .* } cmd = ping { permit .* } }}

}

tacacs服务管理:

systemctl enable tac_plus

systemctl restart tac_plus

systemctl status tac_plus

tacacs日志管理:

access log = /var/log/tac_plus/access/%Y%m%d.log

authentication log = /var/log/tac_plus/authen/%Y%m%d.log

authorization log = /var/log/tac_plus/author/%Y%m%d.log

accounting log = /var/log/tac_plus/acct/%Y%m%d.log

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report