Replacing FreeRADIUS: TACACS+ AAA configuration

Time: 2021-7-13

I recently finished configuring our enterprise network devices to authenticate against Windows Network Policy Server over RADIUS, but two things were still missing:
1. RADIUS authorization is troublesome: it cannot be configured simply and needs extra work such as adding devices and AVPair attributes.
2. The accounting function works well for end-user billing, but it is not detailed enough to audit what operations and maintenance staff actually do.
If you want a full record of what users run on a router or switch, TACACS+ is a good open-source option that fills the gaps RADIUS cannot cover, and it is very simple to set up. Let's start the configuration!

Install

Software download address: http://pan.baidu.com/s/1i4x3jrJ
# bzip2 -dc DEVEL.tar.bz2 | tar xvfp -    # unpack the downloaded package
# cd PROJECTS
# make
# make install
# cp tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg    # copy the sample AD configuration to the directory tac_plus reads it from

Edit the tac_plus.cfg configuration file:
vim /usr/local/etc/tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
            instances min = 1
            instances max = 10
    }
background = no
}      
id = tac_plus {
   access log = /var/log/tac_plus/access/%Y%m%d.log
   accounting log = /var/log/tac_plus/acct/%Y%m%d.log

mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "<AD server IP>:3268 ads02:3268"
        setenv LDAP_BASE = "dc=my-domain,dc=com"
        setenv LDAP_USER = "<bind account>@my-domain.com"    # placeholder: the AD account tac_plus binds with to query users and groups
        setenv LDAP_PASSWD = "xxxxx"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
# Optional: if you need specific permissions for a specific set of devices, see the tac_plus documentation for host-specific configuration.
login backend = mavis
user backend = mavis
#pap backend = mavis

host = world {
        address = ::/0
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = XXXX
}
# Here we define the administrator group admin: every service and command is permitted and the login privilege level is 15
group = admin {   
        message= "[Admin privileges]"
        default service = permit
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
# Here we define the normal user group guest with login privilege level 1: "show version" and "show interface ..." are permitted, "show ip interface" and every other show command are denied (rules are matched in order, so the deny // catch-all comes last), and "enable" is denied
group = guest {
        enable = deny
        service = shell {
                default cmd = deny
                message deny="Command Denied by tacacs server"
                default attribute = deny
                cmd = show {
                        deny /ip interface/
                        permit /version/
                        permit /interface */
                        deny //
                        message deny="Access Deny"
                }
                cmd = quit {
                             permit //
                      }
                set priv-lvl = 1
        }
}
user = 111 {
        password = clear 111
        member = guest
}
# Here we create two accounts for the operations and maintenance engineers, both members of the admin group
user = cisco {
        password = clear cisco
        member = admin
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
user = atomlqws {
        password = clear "xxxxx"
        member = admin
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
group = medium {
        default service = permit
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
                cmd = configure { deny .* }
                cmd = enable { deny .* }
        }
}
user = readonly {
        password = clear readonly
        member = guest
}

}
# Note: users and groups must also be created in AD; the LDAP_USER account in the configuration above is only used to query AD. The configuration defines two groups, admin and guest, with different permissions, and a matching group must exist in AD for each of them. The default prefix is "tacacs", so the tacacsadmin group in AD corresponds to the admin group in TACACS+ and the tacacsguest group to the guest group; the TACACS_GROUP_PREFIX parameter of the mavis module changes this prefix. setenv REQUIRE_TACACS_GROUP_PREFIX = 1 means that only users belonging to a group with the tacacs prefix can log in to the switch. In the test setup testa belongs to tacacsguest and testc belongs to tacacsadmin.
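As an added example that is not part of the original post or of tac_plus itself, the following Python script models two decisions the configuration above drives: how the mavis group prefix maps an AD group such as tacacsguest to a tac_plus group, and how the ordered permit/deny rules in the guest group's show block decide a command. It assumes the default prefix "tacacs" and first-match evaluation of cmd rules against the command's arguments; the AD distinguished names are constructed samples.

```python
# Added example, not from the post or from tac_plus: an offline model of the
# AD-group mapping and command authorization the tac_plus.cfg above drives.
# Assumes mavis maps AD group "<prefix><group>" to the tac_plus group, and that
# cmd rules are tried in order against the arguments, first match winning.
import re

PREFIX = "tacacs"  # default TACACS_GROUP_PREFIX of mavis_tacplus_ldap.pl

def groups_from_memberof(member_of):
    """Map AD memberOf DNs to tac_plus groups: CN=tacacsadmin,... -> admin.
    With REQUIRE_TACACS_GROUP_PREFIX = 1, no prefixed group means no login."""
    groups = []
    for dn in member_of:
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        if cn.lower().startswith(PREFIX):
            groups.append(cn[len(PREFIX):].lower())
    return groups

# Per group: verdict for unmatched command words, the enable verdict, and per
# command word an ordered rule list. The empty regex (deny //) matches every
# argument string and so is the catch-all at the end of the show block.
POLICY = {
    "admin": {"default": "permit", "enable": "permit", "cmd": {}},  # enable via host 'enable 15'
    "guest": {
        "default": "deny", "enable": "deny",
        "cmd": {
            "show": [("deny", "ip interface"), ("permit", "version"),
                     ("permit", "interface *"), ("deny", "")],
            "quit": [("permit", "")],
        },
    },
}

def authorize(group, command):
    """Return 'permit' or 'deny' for one command line under a group's policy."""
    policy = POLICY[group]
    word, _, args = command.strip().partition(" ")
    if word == "enable":
        return policy["enable"]
    for verdict, pattern in policy["cmd"].get(word, []):
        if re.search(pattern, args):
            return verdict
    return policy["default"]

def decide(member_of, command):
    """Login plus command decision for a user with the given AD memberOf list."""
    groups = groups_from_memberof(member_of)
    if not groups:
        return "login denied"
    return authorize(groups[0], command)
```

Running a candidate command list through decide() for each AD group is a quick way to confirm that a guest really cannot reach "show ip interface" or "enable" before the policy goes live.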

/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
# Parse tac_plus.cfg and report any errors before starting the daemon
cp tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
chmod +x /etc/init.d/tac_plus
# Copy the tac_plus init script to /etc/init.d
/etc/init.d/tac_plus start
or
/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg
# Start tac_plus

TACACS+ configuration of network equipment

Our production network equipment includes Cisco and H3C devices of different models:
H3C HWTACACS configuration

hwtacacs scheme XXXX(key)
primary authentication 192.168.1.100(TACACS server IP)
primary authorization 192.168.1.100
primary accounting 192.168.1.100
key authentication cipher $c$3$a2e4q/H2M6r4Pw0T/jPldYtCqJppuQiZe6g=
key authorization cipher $c$3$axYZ0PzHI5l9+QVsTOcbfl+0PlVy7d0SoVw=
key accounting cipher $c$3$VEdNEyM+HH7ybBW8yAhk9l0Puo2R5siPDx4=
user-name-format without-domain
nas-ip 10.2.254.101

domain sinobbd-domain
authentication login hwtacacs-scheme XXXX local
authorization login hwtacacs-scheme XXXX local
accounting login hwtacacs-scheme XXXX local

line vty 0 10
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 30 0

Nexus series equipment configuration
feature tacacs+

tacacs-server host 192.168.1.100 key 7 "VertTBY"
aaa group server tacacs+ XXXX(key)
server 192.168.1.100
source-interface loopback0

aaa authentication login default group XXXX local
aaa authentication login console local
aaa authorization commands default group XXXX local
aaa accounting default group SinoBBD

IOS series configuration (ASR 1K, 3650, 2960, etc.)
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.100
tacacs-server key 7 113A100B18302928

ASR 9K configuration
tacacs source-interface Loopback0 vrf default
tacacs-server host 192.168.1.100 port 49
!
tacacs-server key 7 113A100B18302928
!
aaa accounting commands default start-stop group tacacs+
aaa authorization commands default group tacacs+
aaa authentication login console local
aaa authentication login default group tacacs+ local
aaa default-taskgroup root-system

line template T_vty
accounting commands default