Authentification centralisée avec TACACS+ (tac_plus) sous GNU/Linux Debian

Pré-requis

Création du groupe GNETWORK dans l’annuaire Active Directory. (La configuration PAM qui vérifie l’appartenance à ce groupe — tac_plus délègue la vérification des mots de passe à PAM via « login = PAM » — n’est pas décrite dans cette page.)

Les deux serveurs TACACS+ (10.20.30.1 et 10.20.30.2 dans les configurations d’équipements ci-dessous) doivent être membres du domaine HOME.

Installation et configuration

Installer TACACS+ :

# aptitude update && aptitude install tacacs+

Sauvegarder le fichier de configuration de TACACS+ :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original

Vider puis éditer le fichier de configuration de TACACS+ (la clé « abcdefgh » ci-dessous n’est qu’un exemple : utiliser un secret long et aléatoire, identique sur tous les équipements, et restreindre la lecture du fichier à root puisque la clé y est en clair) :

# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
#
# Main tac_plus instance (default TACACS+ port, TCP/49) used by the
# 3Com/H3C/Cisco switches. The Nortel/HP switches talk to a second instance
# started from tac_plus_nortel.conf on TCP/4949 with a lower privilege level.

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
#
# SECURITY: this shared secret is the only protection of the TACACS+ exchange
# (user passwords included) on the wire. The TACACS+ packet "encryption" is an
# MD5-based obfuscation keyed on this value — RFC 8907 says explicitly that it
# is not to be considered encryption — so a short, guessable key such as
# "abcdefgh" is not acceptable in production. Use a long random secret, keep
# the devices and servers on an isolated management network, make this file
# readable by root only, and configure the same value on every device.

key = "abcdefgh"

# Groups

group = admins {
        # Any service not explicitly configured below is authorized for
        # members of this group. Acceptable for a full-admin group; do not
        # copy it into groups that are meant to be restricted.
        default service = permit
        # Password checks are delegated to the system PAM stack (see
        # /etc/pam.d). Presumably this is where the GNETWORK domain group
        # from the prerequisites is enforced — the PAM side is not shown
        # here, confirm it.
        login = PAM
        # Attributes returned for the exec (shell) service.
        service = exec {
                # Full privilege on IOS-style devices.
                priv-lvl = 15
                # Idle timeout handed to the device (IOS interprets it in
                # minutes).
                idletime = 10
        }
}

# Users

# Each user inherits login/service settings from its group. Users not listed
# here are rejected unless a catch-all "user = DEFAULT" entry is added (see
# tac_plus.conf(5)) — verify on the installed version.

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Créer un fichier de configuration TACACS+ pour Nortel :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf

Editer le fichier de configuration de TACACS+ pour Nortel :

# vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
#
# Second tac_plus instance, dedicated to the Nortel/HP switches. It is run
# by /etc/init.d/tacacs_plus_nortel on TCP/4949 with its own log and
# accounting files; the only functional difference from tac_plus.conf is
# the privilege level returned for the exec service.

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+
#
# SECURITY: same shared secret caveat as for the main instance — the TACACS+
# obfuscation (RFC 8907) is not encryption; "abcdefgh" is a placeholder to be
# replaced by a long random secret, configured identically on the Nortel/HP
# devices ("secret" prompt in their /cfg/sys/tacacs menu). Keep this file
# readable by root only. Nothing requires the two instances to share a key.

key = "abcdefgh"

# Groups

group = admins {
        # Any service not explicitly configured below is authorized for
        # members of this group.
        default service = permit
        # Password checks delegated to the system PAM stack (see /etc/pam.d);
        # the PAM configuration itself is not shown here.
        login = PAM
        service = exec {
                # Lower level than the main instance (15). How the Alteon-based
                # Nortel/HP switches map a TACACS+ privilege level to their
                # own user classes is not shown here — check the device manual.
                priv-lvl = 6
                # Idle timeout handed to the device.
                idletime = 10
        }
}

# Users

# Same user list as the main instance; both files must be kept in sync by
# hand, since nothing shares them.

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Editer le fichier de configuration des options par défaut de TACACS+ :

# vim /etc/default/tacacs+
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus
#
# -C   configuration file for this (main, TCP/49) instance.
# -d   debug bitmask; 16 is the authentication debugging bit according to
#      tac_plus(8) — verify on the installed version. Debug output can record
#      details of authentication exchanges in the daemon's log, so keep it on
#      only while testing and drop "-d16" once the setup works.
# Restrict TCP/49 with a host firewall to the network devices: the shared key
# is otherwise the only thing protecting the service.


DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"

Créer un fichier de configuration des options par défaut de TACACS+ pour Nortel :

# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel

Editer le fichier de configuration des options par défaut de TACACS+ pour Nortel :

# vim /etc/default/tacacs+_nortel
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus
#
# Options for the second (Nortel/HP) instance, read by
# /etc/init.d/tacacs_plus_nortel because its NAME is "tacacs+_nortel":
# -C   dedicated configuration file (priv-lvl 6 instead of 15).
# -p   listen on TCP/4949 instead of the default 49 so that both instances
#      can run side by side; must match the port configured on the devices
#      and the PIDFILE used by the init script.
# -d   debug bitmask (16 = authentication debugging per tac_plus(8) — verify);
#      can expose authentication details in the log, remove once working.
# -l   separate log file so that this instance does not mix its output with
#      the main one.


DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"

Créer un script d’init pour le serveur TACACS+ pour Nortel et le rendre exécutable :

# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel

Modifier le script d’init pour le serveur TACACS+ pour Nortel :

# vim /etc/init.d/tacacs_plus_nortel
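#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO
#
# Init script for a second tac_plus instance that serves the Nortel/HP
# switches on TCP/4949 from its own configuration file. It is a copy of the
# stock tacacs+ init script with the name, config path, port and pidfile
# changed, so that it can run next to /etc/init.d/tacacs_plus.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
# NAME selects the defaults file (/etc/default/tacacs+_nortel); it is NOT the
# script's file name.
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log
STARTTIME=1   # seconds to wait after a start before checking the daemon is up
DIETIME=10    # seconds to wait for the daemon to die (force-stop, restart);
              # may be overridden from /etc/default/$NAME

# The pidfile name carries the port so it cannot collide with the default
# instance's pidfile; it must match the -p value in DAEMON_OPTS (check
# /var/run after the first start to confirm the daemon writes this name).
PIDFILE="/var/run/tac_plus.pid.4949"

test -x "$DAEMON" || exit 0

. /lib/lsb/init-functions

# Default options, these can be overriden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"          # Additional options given to the server


# Informational only: the daemon logs wherever the -l option in DAEMON_OPTS
# points; this script never reads LOGFILE itself.
LOGFILE=$LOGDIR/tac_plus_nortel.log  # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
        . /etc/default/$NAME
fi

# Check that the user exists (if we set a user).
# NOTE: DAEMONUID/DAEMONGID are only looked up here; start_server never passes
# --chuid, so the daemon always runs as root. Setting DAEMONUSER only changes
# how stop_server matches the process.
if [ -n "$DAEMONUSER" ] ; then
    # Look the account up by name and keep the exact-name match only
    # (getent alone would also accept a numeric uid).
    entry=$(getent passwd "$DAEMONUSER" | grep "^$DAEMONUSER:")
    if [ -n "$entry" ]; then
        # Obtain the uid and gid
        DAEMONUID=$(printf '%s\n' "$entry" | cut -d : -f 3)
        DAEMONGID=$(printf '%s\n' "$entry" | cut -d : -f 4)
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi


set -e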

running_pid() {
# Return 0 when the process $1 exists and its argv[0] (from /proc/<pid>/cmdline)
# equals $2; return 1 for an empty pid, a missing process or another program.
# $pid is deliberately left global: force_stop() signals it afterwards.
    pid=$1
    name=$2
    if [ -z "$pid" ] || [ ! -d "/proc/$pid" ]; then
        return 1
    fi
    # argv[0] only: cmdline is NUL-separated, keep the first field and strip
    # anything after a ':' (some daemons rewrite their title that way).
    cmd=$(tr "\000" "\n" < "/proc/$pid/cmdline" | head -n 1 | cut -d : -f 1)
    [ "$cmd" = "$name" ] || return 1
    return 0
}

running() {
# Return 0 when the pidfile exists and the pid it holds is our daemon
# (verified through /proc by running_pid), 1 otherwise. Works for any user
# because only /proc is consulted. Leaves the pid in the global $pid for the
# callers that need to signal the process.
    if [ ! -f "$PIDFILE" ]; then
        # No pidfile, probably no daemon present
        return 1
    fi
    pid=$(cat "$PIDFILE")
    running_pid "$pid" "$DAEMON" || return 1
    return 0
}

start_server() {
# Launch the daemon through start-stop-daemon; its exit status is the
# function's result (0 when started, non-zero when it could not be started
# or start-stop-daemon believes it already runs).
# $DAEMON_OPTS is intentionally unquoted: it is a list of separate arguments.
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
               --exec "$DAEMON" -- $DAEMON_OPTS
}

stop_server() {
# Stop the daemon and return the stopper's exit status. Without DAEMONUSER the
# LSB killproc helper signals the pid recorded in the pidfile; with DAEMONUSER
# start-stop-daemon is used so that the process is matched on owner as well.
        if [ -n "$DAEMONUSER" ] ; then
            start-stop-daemon --stop --quiet --pidfile "$PIDFILE" \
                        --user "$DAEMONUSER" \
                        --exec "$DAEMON"
        else
            killproc -p "$PIDFILE" "$DAEMON"
        fi
}

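reload_server() {
# Ask the daemon to re-read its configuration by sending SIGHUP.
# Returns 1 when there is no pidfile or the pid it holds is not our daemon.
    # running() checks /proc/<pid>/cmdline against $DAEMON before anything is
    # signalled, so a stale pidfile (pid reused by another process) cannot
    # make us SIGHUP an unrelated program. It leaves the pid in $pid.
    running || return 1
    kill -1 "$pid"
}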

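force_stop() {
# Kill the daemon by hand: TERM first, KILL if it is still alive, then remove
# the pidfile. Exits 1 when the process survives both signals.
# Relies on running() to validate the pidfile and set the global $pid.
        [ ! -e "$PIDFILE" ] && return
        # DIETIME is expected from the script defaults or /etc/default/$NAME;
        # fall back to a value so that "sleep ${DIETIME}s" never degrades to
        # "sleep s", which fails and, under set -e, aborts the script.
        dietime=${DIETIME:-5}
        if running ; then
                kill -15 "$pid"
                # Is it really dead?
                sleep "${dietime}s"
                if running ; then
                        kill -9 "$pid"
                        sleep "${dietime}s"
                        if running ; then
                                echo "Cannot kill $NAME (pid=$pid)!" >&2
                                exit 1
                        fi
                fi
        fi
        rm -f "$PIDFILE"
}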


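# Command dispatch. Every arm reports through the LSB log_* helpers and
# relies on running()/start_server()/stop_server()/force_stop()/reload_server()
# defined above.
case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Nothing to do when a live daemon already owns the pidfile.
        if running ; then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # Some daemons exit shortly after forking (bad config, port in
            # use); wait STARTTIME seconds and re-check so that such a failure
            # is reported instead of a false "ok".
            [ -n "$STARTTIME" ] && sleep "$STARTTIME"
            if running ; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        else
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        # Only stop the server if we see it running
        if running ; then
            errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # Graceful stop first; TERM/KILL through force_stop only if it survived.
        "$0" stop
        if running ; then
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
            errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        errcode=0
        stop_server || errcode=$?
        # Give the old process time to exit and release the port.
        [ -n "$DIETIME" ] && sleep "$DIETIME"
        start_server || errcode=$?
        [ -n "$STARTTIME" ] && sleep "$STARTTIME"
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)
        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ; then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  reload)
        # reload_server sends SIGHUP to make the daemon re-read its config.
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
            if running ; then
                log_end_msg 0
            else
                log_progress_msg "$NAME not running"
                log_end_msg 1
            fi
        else
            log_progress_msg "Reload failed"
            log_end_msg 1
        fi
        ;;
  *)
        # $0 is the real script path (/etc/init.d/tacacs_plus_nortel); $NAME
        # ("tacacs+_nortel") only names the defaults file and is not a valid
        # script path, so it must not be shown here.
        echo "Usage: $0 {start|stop|force-stop|restart|force-reload|reload|status}" >&2
        exit 1
        ;;
esac

exit 0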

Activer le script d’init pour le serveur TACACS+ pour Nortel :

# insserv tacacs_plus_nortel

Relancer le serveur TACACS+ :

# /etc/init.d/tacacs_plus restart

Lancer le serveur TACACS+ pour Nortel :

# /etc/init.d/tacacs_plus_nortel start

Configuration des équipements

3Com 5500G-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
 domain default enable mytac
#

H3C S5500-52C-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

3Com 4210G 48-Port

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

Cisco WS-CBS3020-HPQ

!
! Logins and exec authorization go to the TACACS+ server group; the trailing
! "local" method is used only when no server answers (timeout/error), not
! when a server rejects the user, so a failed password does not fall back to
! the local database.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Both servers are tried in order with a 5 s timeout each.
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
! directed-request lets a user pick one of the servers above by logging in as
! user@<server-ip>; only hosts configured here can be chosen. Remove it with
! "no tacacs-server directed-request" if that is not wanted.
tacacs-server directed-request
! Shared secret; must match the "key" in tac_plus.conf. It is stored in
! cleartext in the running config (service password-encryption only applies
! reversible type-7 obfuscation), so treat the config as sensitive and
! replace the example value "abcdefgh" with a long random secret.
tacacs-server key abcdefgh
!

Nortel Application Switch 2208 E

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (elle renvoie priv-lvl 6 au lieu de 15, via tac_plus_nortel.conf). Remarque : en cas de dysfonctionnement du serveur TACACS+, se connecter avec l’utilisateur notacacs et le mot de passe du compte admin local ; cet accès de secours (vraisemblablement activé ici par « secbd e », à confirmer dans la documentation de l’équipement) contourne TACACS+, le mot de passe admin local doit donc être robuste et conservé en lieu sûr.

/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply

HP ProLiant BL p-Class C-GbE2 Interconnect Switch

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (elle renvoie priv-lvl 6 au lieu de 15, via tac_plus_nortel.conf). Remarque : en cas de dysfonctionnement du serveur TACACS+, se connecter avec l’utilisateur notacacs et le mot de passe du compte admin local ; cet accès de secours (vraisemblablement activé ici par « telnet e », à confirmer dans la documentation de l’équipement) contourne TACACS+, le mot de passe admin local doit donc être robuste et conservé en lieu sûr.

/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply
