Pré-requis
Création du groupe GNETWORK dans l’annuaire Active Directory.
Les deux serveurs doivent être membres du domaine HOME.
Installation et configuration
Installer TACACS+ :
# aptitude update && aptitude install tacacs+
Sauvegarder le fichier de configuration de TACACS+ :
# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original
Editer le fichier de configuration de TACACS+ :
# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct
# This is the shared secret that clients must present to talk to TACACS+
key = "abcdefgh"
# Groups
group = admins {
default service = permit
login = PAM
service = exec {
priv-lvl = 15
idletime = 10
}
}
# Users
user = test1 {
member = admins
}
user = test2 {
member = admins
}
# Many more features are available, such as ACLs, more service compatibilities,
# command authorization and scripting authorization.
# See the man page for those features.
Créer un fichier de configuration TACACS+ pour Nortel :
# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf
Editer le fichier de configuration de TACACS+ pour Nortel :
# vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus_nortel.acct
# This is the shared secret that clients must present to talk to TACACS+
key = "abcdefgh"
# Groups
group = admins {
default service = permit
login = PAM
service = exec {
priv-lvl = 6
idletime = 10
}
}
# Users
user = test1 {
member = admins
}
user = test2 {
member = admins
}
# Many more features are available, such as ACLs, more service compatibilities,
# command authorization and scripting authorization.
# See the man page for those features.
Editer le fichier de configuration des options par défaut de TACACS+ :
# vim /etc/default/tacacs+
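# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus
# The page had this file collapsed onto one line, which left the assignment
# inside the comment; restored as the sourced shell file it is.
DAEMON_OPTS='-C /etc/tacacs+/tac_plus.conf -d16'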
Créer un fichier de configuration des options par défaut de TACACS+ pour Nortel :
# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel
Editer le fichier de configuration des options par défaut de TACACS+ pour Nortel :
# vim /etc/default/tacacs+_nortel
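# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus
# The page had this file collapsed onto one line, which left the assignment
# inside the comment; restored as the sourced shell file it is.
# This instance listens on TCP/4949 and uses its own config and log file.
DAEMON_OPTS='-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log'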
Créer un script d’init pour le serveur TACACS+ pour Nortel et le rendre exécutable :
# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel
Modifier le script d’init pour le serveur TACACS+ pour Nortel :
# vim /etc/init.d/tacacs_plus_nortel
#!/bin/sh
### BEGIN INIT INFO
# Provides: tacacs+_nortel
# Required-Start: $network $local_fs $syslog $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO
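PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1
# NOTE(review): the pidfile name carries the listening port, presumably
# because tac_plus appends "-p" port to its pidfile when one is given —
# confirm against the daemon; this keeps it apart from the default instance.
PIDFILE="/var/run/tac_plus.pid.4949"
test -x "$DAEMON" || exit 0
. /lib/lsb/init-functions
# Default options, these can be overridden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949" # Additional options given to the server
LOGFILE=$LOGDIR/tac_plus_nortel.log # Server logfile
# Include defaults if available
if [ -f "/etc/default/$NAME" ] ; then
  . "/etc/default/$NAME"
fi
# Check that the user exists (if we set a user) and obtain its uid and gid.
# getent is asked for that single account instead of grepping the whole
# passwd stream, so $DAEMONUSER is never interpreted as a regex.
if [ -n "$DAEMONUSER" ] ; then
  if passwd_entry=$(getent passwd "$DAEMONUSER"); then
    DAEMONUID=$(printf '%s\n' "$passwd_entry" | cut -d : -f 3)
    DAEMONGID=$(printf '%s\n' "$passwd_entry" | cut -d : -f 4)
  else
    log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
    exit 1
  fi
fi
set -e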
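running_pid() {
  # Check that the process with pid $1 exists and that the first word of
  # its /proc cmdline matches $2 (the expected daemon path).
  # Returns 0 on a match, 1 otherwise.
  # An empty or non-numeric pid is rejected up front: the value normally
  # comes from the pidfile, and only a plain integer should be looked up
  # under /proc or later handed to kill.
  rp_pid=$1
  rp_name=$2
  case $rp_pid in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ -d "/proc/$rp_pid" ] || return 1
  # cmdline is NUL-separated: keep the first argument only, and as the
  # original did, only the part before any ':'.
  rp_cmd=$(tr '\000' '\n' < "/proc/$rp_pid/cmdline" | head -n 1 | cut -d : -f 1)
  # Is this the expected server?
  [ "$rp_cmd" = "$rp_name" ] || return 1
  return 0
}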
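running() {
  # Check if the daemon is running by looking at /proc (works for all
  # users).  The pid read from $PIDFILE is deliberately left in the global
  # $pid: force_stop() signals that variable after calling running().
  # No pidfile, probably no daemon present
  [ -f "$PIDFILE" ] || return 1
  # An unreadable pidfile is reported as "not running" rather than
  # aborting the script under set -e.
  pid=$(cat "$PIDFILE") || return 1
  # running_pid compares the /proc cmdline of that pid with the daemon path
  running_pid "$pid" "$DAEMON" || return 1
  return 0
}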
start_server() {
  # Launch the daemon through start-stop-daemon.  $DAEMON_OPTS is left
  # unquoted on purpose so the options split into separate arguments.
  # errcode is a global, as everywhere else in this /bin/sh script, and the
  # wrapper's exit status is returned.
  start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
    --exec "$DAEMON" -- $DAEMON_OPTS
  errcode=$?
  return $errcode
}
stop_server() {
  # Stop the process using the wrapper.  Without a DAEMONUSER the LSB
  # killproc helper is used; with one, start-stop-daemon only considers
  # processes owned by that user.  errcode stays global, as elsewhere.
  if [ -n "$DAEMONUSER" ] ; then
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" \
      --user "$DAEMONUSER" \
      --exec "$DAEMON"
  else
    killproc -p "$PIDFILE" "$DAEMON"
  fi
  errcode=$?
  return $errcode
}
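reload_server() {
  # Ask the daemon to re-read its configuration by sending SIGHUP to the
  # pid recorded in $PIDFILE.
  # Returns 1 when there is no pidfile or its content is not a plain
  # integer (a stale or tampered pidfile must not turn into a signal sent
  # to an arbitrary process); otherwise the exit status of kill.
  [ -f "$PIDFILE" ] || return 1
  rl_pid=$(cat "$PIDFILE") || return 1 # This is the daemon's pid
  case $rl_pid in
    ''|*[!0-9]*) return 1 ;;
  esac
  # Send a SIGHUP (signal 1, spelled by name for portability)
  kill -HUP "$rl_pid"
}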
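force_stop() {
  # Force the process to die by signalling it directly: TERM first, then
  # KILL, re-checking with running() in between.  running() stores the pid
  # it read from $PIDFILE in the global $pid, which is what is signalled.
  # Nothing to do without a pidfile
  [ -e "$PIDFILE" ] || return 0
  # DIETIME is only set if /etc/default/$NAME provides it; the previous
  # `sleep "$DIETIME"s` broke when it was unset, so fall back to a short wait.
  fs_wait=${DIETIME:-5}
  if running ; then
    kill -TERM "$pid"
    # Is it really dead?
    sleep "$fs_wait"
    if running ; then
      kill -KILL "$pid"
      sleep "$fs_wait"
      if running ; then
        echo "Cannot kill $NAME (pid=$pid)!" >&2
        exit 1
      fi
    fi
  fi
  rm -f "$PIDFILE"
}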
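# Dispatch on the init action.  Every arm reports through the LSB log_*
# helpers sourced above; a non-zero log_end_msg ends the script under set -e.
case "$1" in
  start)
    log_daemon_msg "Starting $DESC " "$NAME"
    # Check if it's running first
    if running ; then
      log_progress_msg "apparently already running"
      log_end_msg 0
      exit 0
    fi
    if start_server ; then
      # NOTE: Some servers might die some time after they start,
      # this code will detect this issue if STARTTIME is set
      # to a reasonable value
      [ -n "$STARTTIME" ] && sleep "$STARTTIME" # Wait some time
      if running ; then
        # It's ok, the server started and is running
        log_end_msg 0
      else
        # It is not running after we did start
        log_end_msg 1
      fi
    else
      # Either we could not start it
      log_end_msg 1
    fi
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    if running ; then
      # Only stop the server if we see it running
      errcode=0
      stop_server || errcode=$?
      log_end_msg "$errcode"
    else
      # If it's not running don't do anything
      log_progress_msg "apparently not running"
      log_end_msg 0
      exit 0
    fi
    ;;
  force-stop)
    # First try to stop gracefully the program
    "$0" stop
    if running; then
      # If it's still running try to kill it more forcefully
      log_daemon_msg "Stopping (force) $DESC" "$NAME"
      errcode=0
      force_stop || errcode=$?
      log_end_msg "$errcode"
    fi
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    errcode=0
    stop_server || errcode=$?
    # Wait some sensible amount, some server need this
    [ -n "$DIETIME" ] && sleep "$DIETIME"
    start_server || errcode=$?
    [ -n "$STARTTIME" ] && sleep "$STARTTIME"
    running || errcode=$?
    log_end_msg "$errcode"
    ;;
  status)
    log_daemon_msg "Checking status of $DESC" "$NAME"
    if running ; then
      log_progress_msg "running"
      log_end_msg 0
    else
      log_progress_msg "apparently not running"
      log_end_msg 1
      exit 1
    fi
    ;;
  reload)
    # reload_server() sends SIGHUP, which is expected to make the daemon
    # re-read its configuration without a restart
    log_daemon_msg "Reloading $DESC configuration files" "$NAME"
    if reload_server ; then
      if running ; then
        log_end_msg 0
      else
        log_progress_msg "$NAME not running"
        log_end_msg 1
      fi
    else
      log_progress_msg "Reload failed"
      log_end_msg 1
    fi
    ;;
  *)
    N="/etc/init.d/$NAME"
    # reload is implemented above, so the usage line advertises it too
    echo "Usage: $N {start|stop|force-stop|restart|force-reload|reload|status}" >&2
    exit 1
    ;;
esac
exit 0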
Activer le script d’init pour le serveur TACACS+ pour Nortel :
# insserv tacacs_plus_nortel
Relancer le serveur TACACS+ :
# /etc/init.d/tacacs_plus restart
Lancer le serveur TACACS+ pour Nortel :
# /etc/init.d/tacacs_plus_nortel start
Configuration des équipements
3Com 5500G-EI
#
hwtacacs scheme mytac
primary authentication 10.20.30.1
secondary authentication 10.20.30.2
primary authorization 10.20.30.1
secondary authorization 10.20.30.2
primary accounting 10.20.30.1
secondary accounting 10.20.30.2
key authentication abcdefgh
key authorization abcdefgh
key accounting abcdefgh
user-name-format without-domain
#
domain mytac
scheme hwtacacs-scheme mytac local
access-limit enable 10
#
domain default enable mytac
#
H3C S5500-52C-EI
#
hwtacacs scheme mytac
primary authentication 10.20.30.1
secondary authentication 10.20.30.2
primary authorization 10.20.30.1
secondary authorization 10.20.30.2
primary accounting 10.20.30.1
secondary accounting 10.20.30.2
key authentication abcdefgh
key authorization abcdefgh
user-name-format without-domain
#
domain mytac
authentication login hwtacacs-scheme mytac local
authorization login hwtacacs-scheme mytac local
access-limit enable 10
state active
idle-cut disable
self-service-url disable
#
domain default enable mytac
#
3Com 4210G 48-Port
#
hwtacacs scheme mytac
primary authentication 10.20.30.1
secondary authentication 10.20.30.2
primary authorization 10.20.30.1
secondary authorization 10.20.30.2
primary accounting 10.20.30.1
secondary accounting 10.20.30.2
key authentication abcdefgh
key authorization abcdefgh
user-name-format without-domain
#
domain mytac
authentication login hwtacacs-scheme mytac local
authorization login hwtacacs-scheme mytac local
access-limit enable 10
state active
idle-cut disable
self-service-url disable
#
domain default enable mytac
#
Cisco WS-CBS3020-HPQ
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!
Nortel Application Switch 2208 E
Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent de ceux des autres équipements).
Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, en cas de dysfonctionnement du serveur TACACS+.
/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret secret2
secbd e
on
apply
HP ProLiant BL p-Class C-GbE2 Interconnect Switch
Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent de ceux des autres équipements).
Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, en cas de dysfonctionnement du serveur TACACS+.
/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret secret2
telnet e
on
apply