最近在开发tacacs+ 客户端功能,需要安装tacacs服务器进行测试。
tacacs服务器搭建
两种方式,第一种直接执行安装命令:
apt-get install tacacs+
第二种:
1. 下载文件,最新的版本可以在这里看到(ftp://ftp.shrubbery.net/pub/tac_plus)
2. sudo tar -zxvf tacacs-F4.0.4.28.tar.gz
3. sudo ./configure
如果 configure 报错(通常是缺少依赖),先执行下面的命令安装依赖,然后重新运行 configure:
sudo apt-get install libwrap0-dev flex bison
4. sudo make install
5. 添加库路径,修改该文件如下所示:
sudo vi /etc/ld.so.conf
//改成下面这样
include /etc/ld.so.conf.d/*.conf
/usr/lib
//改完后退出,然后在命令行上执行下面这条语句
sudo ldconfig
创建配置文件 /etc/tacacs+/tac_plus.conf,内容如下:
# Shared secret between tac_plus and every network device (NAS) that talks to it.
# Make this a strong key.
# NOTE(review): 12345678 is a sample value for a lab; replace it before any other use,
# and keep this file readable only by root, since the key is stored here in clear text.
key = 12345678
# Authentication backend used for users that do not set their own.
# NOTE(review): the upstream comment called this "local PAM", but the directive reads the
# passwd file; on hosts that keep password hashes in /etc/shadow the daemon needs read
# access to it (or a PAM-enabled build) — confirm on the target system.
default authentication = file /etc/passwd
# Groups are defined below and carry the authorization policy; users only reference them.
# In this example there are three groups: Network_Engineers, Field_Techs and Managers.
#*************************
#***USERS ACCOUNTS HERE***
#*************************
#
# Every user listed here must also exist as a Linux account (see adduser below),
# because authentication is delegated to the system's own password database.
#
user = mason {
member = Network_Engineers # group membership decides the authorization policy
}
user = huangjinxin {
member = Field_Techs
}
user = shawn {
member = Managers
}
#*************************
#*** GROUPS HERE ***
#*************************
# Network_Engineers: full access. With "default service = permit" every service and
# command that is not explicitly listed is authorized, so this is the most privileged group.
group = Network_Engineers {
default service = permit # authorization default (Author phase): unlisted requests are permitted
login = file /etc/passwd # authenticate with the system's user/password database
enable = file /etc/passwd
}
# Field_Techs: default deny, only the commands below are authorized.
# Each "permit <pattern>" is matched as a regular expression against the command's
# arguments; ".*" means any arguments, a literal word restricts the command to that form.
group = Field_Techs {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = do {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit terminal
}
cmd = interface {
permit .*
}
cmd = shutdown {
permit .*
}
cmd = no {
permit shutdown
}
cmd = speed {
permit .*
}
cmd = duplex {
permit .*
}
cmd = write {
permit memory
}
cmd = copy {
permit running-config
}
}
# Managers: default deny; read-only (enable, show, exit), no configuration commands.
group = Managers {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
}
执行程序:
#重启tacacs_plus
root@m:~# sudo tac_plus -C /etc/tacacs+/tac_plus.conf -t -d 1
#查看log
root@m:~# tail -f /var/log/tac_plus.log
#添加用户
root@m:~# adduser mason
root@m:~# adduser huangjinxin
root@m:~# adduser shawn
实际测试可用。
如果运行失败,先检查是否是权限问题,或者查看 /var/log/tac_plus.log 了解失败原因。
1. 参考文档:Ubuntu installing tacacs+ server for Cisco AAA | Blog