Prerequisites
Creation of the GNETWORK group in the Active Directory directory.
Both servers must be members of the HOME domain.
Installation and configuration
Install TACACS+:
# aptitude update && aptitude install tacacs+
Back up the TACACS+ configuration file:
# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original
Edit the TACACS+ configuration file (empty it first, then edit it):
# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
key = "abcdefgh"

# Groups
group = admins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 15
        idletime = 10
    }
}

# Users
user = test1 {
    member = admins
}
user = test2 {
    member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.
Create a TACACS+ configuration file for Nortel:
# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf
Edit the TACACS+ configuration file for Nortel (same layout, but a separate accounting log and a lower privilege level):
# vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+
key = "abcdefgh"

# Groups
group = admins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 6
        idletime = 10
    }
}

# Users
user = test1 {
    member = admins
}
user = test2 {
    member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.
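As an added check (example code, not from this page or the tac_plus project): a small Python parser for the one-directive-per-line layout used by the two tac_plus.conf files above. It lets you confirm, before restarting the daemons, that the default instance hands out priv-lvl 15 and the Nortel instance priv-lvl 6, and it surfaces the shared key so the example value can be spotted. The sample configuration is constructed from the page; user test2 is left out for brevity.

```python
# Constructed sample in the page's tac_plus.conf layout (one directive per line).
DEFAULT_CONF = """
accounting file = /var/log/tac_plus.acct
key = "abcdefgh"
group = admins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 15
        idletime = 10
    }
}
user = test1 {
    member = admins
}
"""
# The Nortel instance on the page differs only in the privilege level granted at login.
NORTEL_CONF = DEFAULT_CONF.replace("priv-lvl = 15", "priv-lvl = 6")


def parse(text):
    """Parse one-directive-per-line tac_plus.conf text into nested dicts;
    a block opened by 'group = admins {' is stored under the key 'group admins'."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        scope = stack[-1] if stack else root
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            kind, name = (s.strip() for s in line[:-1].split("=", 1))
            scope[f"{kind} {name}"] = child = {}
            stack.append(child)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            scope[key] = value.strip('"')
    return root


def exec_priv_levels(conf):
    """Map each group to the priv-lvl its 'service = exec' block hands out."""
    return {k.split()[1]: int(v["service exec"]["priv-lvl"])
            for k, v in conf.items() if k.startswith("group ") and "service exec" in v}


def group_members(conf):
    """Map each user to the group it is a member of."""
    return {k.split()[1]: v.get("member") for k, v in conf.items() if k.startswith("user ")}
```

Running exec_priv_levels over both files side by side is a quick way to catch a Nortel config that was copied but not edited, which would silently grant level 15 on port 4949.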
Edit the TACACS+ default options file:
# vim /etc/default/tacacs+
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus

DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"
Create a TACACS+ default options file for Nortel:
# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel
Edit the TACACS+ default options file for Nortel (this instance listens on TCP port 4949 and logs to its own file):
# vim /etc/default/tacacs+_nortel
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus

DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"
Create an init script for the Nortel TACACS+ server and make it executable:
# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel
Edit the init script for the Nortel TACACS+ server (its own name, description, options file and PID file, so it does not collide with the default instance):
# vim /etc/init.d/tacacs_plus_nortel
#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1
DIETIME=1    # Seconds to wait for the daemon to die; assumed value, force_stop fails with it unset
PIDFILE="/var/run/tac_plus.pid.4949"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Default options, these can be overridden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"  # Additional options given to the server
LOGFILE=$LOGDIR/tac_plus_nortel.log                          # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
    . /etc/default/$NAME
fi

# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
    if getent passwd | grep -q "^$DAEMONUSER:"; then
        # Obtain the uid and gid
        DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
        DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi

set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1
    [ ! -d /proc/$pid ] && return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected server
    [ "$cmd" != "$name" ] && return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

start_server() {
# Start the process using the wrapper
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $DAEMON_OPTS
    errcode=$?
    return $errcode
}

stop_server() {
# Stop the process using the wrapper
    if [ -z "$DAEMONUSER" ] ; then
        killproc -p $PIDFILE $DAEMON
        errcode=$?
    else
        # if we are using a daemonuser then look for process that match
        start-stop-daemon --stop --quiet --pidfile $PIDFILE \
            --user $DAEMONUSER \
            --exec $DAEMON
        errcode=$?
    fi
    return $errcode
}

reload_server() {
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE` # This is the daemon's pid
    # Send a SIGHUP
    kill -1 $pid
    return $?
}

force_stop() {
# Force the process to die killing it manually
    [ ! -e "$PIDFILE" ] && return
    if running ; then
        kill -15 $pid
        # Is it really dead?
        sleep "$DIETIME"s
        if running ; then
            kill -9 $pid
            sleep "$DIETIME"s
            if running ; then
                echo "Cannot kill $NAME (pid=$pid)!"
                exit 1
            fi
        fi
    fi
    rm -f $PIDFILE
}

case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Check if it's running first
        if running ; then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # NOTE: Some servers might die some time after they start,
            # this code will detect this issue if STARTTIME is set
            # to a reasonable value
            [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
            if running ; then
                # It's ok, the server started and is running
                log_end_msg 0
            else
                # It is not running after we did start
                log_end_msg 1
            fi
        else
            # Either we could not start it
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if running ; then
            # Only stop the server if we see it running
            errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
            errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        errcode=0
        stop_server || errcode=$?
        # Wait some sensible amount, some server need this
        [ -n "$DIETIME" ] && sleep $DIETIME
        start_server || errcode=$?
        [ -n "$STARTTIME" ] && sleep $STARTTIME
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)
        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ; then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
            if running ; then
                log_end_msg 0
            else
                log_progress_msg "$NAME not running"
                log_end_msg 1
            fi
        else
            log_progress_msg "Reload failed"
            log_end_msg 1
        fi
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0
Enable the init script for the Nortel TACACS+ server:
# insserv tacacs_plus_nortel
Restart the TACACS+ server:
# /etc/init.d/tacacs_plus restart
Start the Nortel TACACS+ server:
# /etc/init.d/tacacs_plus_nortel start
Device configuration
3Com 5500G-EI
#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
domain default enable mytac
#
H3C S5500-52C-EI
#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
domain default enable mytac
#
3Com 4210G 48-Port
#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
domain default enable mytac
#
Cisco WS-CBS3020-HPQ
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!
Nortel Application Switch 2208 E
Note: a dedicated TACACS+ server instance listens on TCP port 4949 for the Nortel devices (their privilege levels differ from those of the other devices).
Note: should the TACACS+ server malfunction, the user notacacs must be used, with the password of the local admin account.
/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply
HP ProLiant BL p-Class C-GbE2 Interconnect Switch
Note: a dedicated TACACS+ server instance listens on TCP port 4949 for the Nortel devices (their privilege levels differ from those of the other devices).
Note: should the TACACS+ server malfunction, the user notacacs must be used, with the password of the local admin account.
/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply