TACACS+ on FreeBSD for Cisco: how-to

We have a server with FreeBSD 9.1 installed.
Task: set up a TACACS+ server and TACACS+ authentication/authorization for a Cisco 2911.

Let's go:

tacacs# cd /usr/ports/net/tac_plus4
tacacs# make install clean
tacacs# hash -r
tacacs# cat /etc/rc.conf | grep tac

tac_plus_enable="YES"

tacacs# tac_pwd
Password to be encrypted: 123
3AKrt3koAVfQA
tacacs#
tacacs# cat /usr/local/etc/tac_plus.conf

# ENCRYPTION KEY (must match the key configured on the router)

accounting file = /var/log/tac_plus.acct
key = VerySecretTacacsKey

# Groups

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = service {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
}

# Users
# All three users below share the demo password hashed with tac_pwd above.

user = adm {
    member = admin
    login = des 3AKrt3koAVfQA
}

# Read-only operator: group default permits everything, so only the
# state-changing commands are listed and denied.
user = audit {
    member = admin
    cmd = configure {
        deny .*
    }
    cmd = enable {
        deny .*
    }
    cmd = clear {
        deny .*
    }
    cmd = reload {
        deny .*
    }
    cmd = write {
        deny .*
    }
    cmd = copy {
        deny .*
    }
    cmd = erase {
        deny .*
    }
    cmd = delete {
        deny .*
    }
    cmd = archive {
        deny .*
    }
    login = des 3AKrt3koAVfQA
}

# Automation account: group default denies everything, so only the
# listed commands (and, for show, only arguments matching "version") pass.
user = event {
    member = service
    cmd = clear {
        permit .*
    }
    cmd = tclsh {
        permit .*
    }
    cmd = squeeze {
        permit .*
    }
    cmd = event {
        permit .*
    }
    cmd = more {
        permit .*
    }
    cmd = show {
        permit version
    }
    cmd = delete {
        permit .*
    }
    # The NAS sends only the first word as the command, so this clause is
    # never consulted; "delete" above already permits every argument,
    # including /force.
    cmd = "delete /force" {
        permit .*
    }
    cmd = "enable" {
        permit .*
    }
    login = des 3AKrt3koAVfQA
}
# End of tacacs file
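What the shared `key` in tac_plus.conf actually does on the wire is worth seeing once, because it is the only thing standing between a passive sniffer and every login and command sent to the server. The script below is an added example, not code from this post or from tac_plus: it builds a TACACS+ (RFC 8907) authentication START packet the way the 2911 would for user `adm`, obfuscates it with the key from the config, and decodes it again. The port (`tty194`), remote address and session id are constructed values.

```python
"""TACACS+ (RFC 8907) authentication START packet: build, obfuscate, decode.

Added example, not from the original page or from tac_plus. The body is XORed
with an MD5 pseudo-pad derived from session_id, the shared key, the version
byte and seq_no; whoever holds (or guesses) the key reads every exchange.
"""
import hashlib
import os
import struct

TAC_PLUS_VERSION_DEFAULT = 0xC0   # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in clear
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
# START fixed part: action, priv_lvl, authen_type, service, 4 length bytes
START_FIXED = struct.Struct("!8B")


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id ++ key ++ version ++ seq_no),
    pad_n = MD5(session_id ++ key ++ version ++ seq_no ++ pad_{n-1}),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login (empty data field)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    fixed = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                             TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), 0)
    return fixed + user_b + port_b + rem_b


def build_packet(body, key, session_id=None, seq_no=1, version=TAC_PLUS_VERSION_DEFAULT):
    """Header plus obfuscated body, as the NAS (the 2911 here) sends it."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_body(packet, key):
    """Split header from body and undo the obfuscation (unless the clear flag is set)."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(body):
    """Parse a START body; raises ValueError when the declared lengths do not
    fit, which is what a body decoded with the wrong key looks like."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack(body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("not a START body or wrong key")
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def try_key(packet, key):
    """True if `key` decodes `packet` into a well-formed START body
    (the check you would run against a capture to confirm a key)."""
    try:
        parse_authen_start(decode_body(packet, key))
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    key = b"VerySecretTacacsKey"                               # key from tac_plus.conf
    body = authen_start_body("adm", "tty194", "192.168.0.23")  # constructed values
    pkt = build_packet(body, key, session_id=0x1EA7BEEF)
    print(pkt.hex())
    print(parse_authen_start(decode_body(pkt, key)))
    print("wrong key decodes cleanly:", try_key(pkt, b"guess"))
```

The header, including session id and length, is always sent in the clear; only the body is hidden, and only by an MD5 keystream keyed with the shared secret. That is why the key must be long and random and why the path between the 2911 and 192.168.0.10 should be a management network, not a user VLAN.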

Now the configuration on the Cisco 2911 itself. Prompts are shown as IOS actually displays them, and `aaa new-model` is enabled first, since none of the `aaa ...` commands are accepted without it:

Cisco-GW-23#conf t
Cisco-GW-23(config)#aaa new-model
Cisco-GW-23(config)#tacacs-server timeout 2
Cisco-GW-23(config)#tacacs-server directed-request

Cisco-GW-23(config)#tacacs server AUTH
Cisco-GW-23(config-server-tacacs)#address ipv4 192.168.0.10
Cisco-GW-23(config-server-tacacs)#key VerySecretTacacsKey
Cisco-GW-23(config-server-tacacs)#exit

Cisco-GW-23(config)#aaa group server tacacs+ tac-int
Cisco-GW-23(config-sg-tacacs+)#server name AUTH
Cisco-GW-23(config-sg-tacacs+)#exit

Cisco-GW-23(config)#aaa authentication login admin group tac-int local
Cisco-GW-23(config)#aaa authorization exec admin group tac-int local
Cisco-GW-23(config)#aaa authorization commands 15 admin group tac-int local
Cisco-GW-23(config)#aaa accounting update newinfo
Cisco-GW-23(config)#aaa accounting commands 15 admin start-stop group tac-int

Cisco-GW-23(config)#line vty 0 1114
Cisco-GW-23(config-line)#authorization commands 15 admin
Cisco-GW-23(config-line)#authorization exec admin
Cisco-GW-23(config-line)#accounting commands 15 admin
Cisco-GW-23(config-line)#login authentication admin

Two things to check before closing the console session. First, the `local` method at the end of each list is consulted only when no server in `tac-int` answers, not when the server rejects the user, so keep a local user (`username ... privilege 15 secret ...`) and an `enable secret` on the box, verify the server path with `test aaa group tac-int adm 123 legacy`, and then stop tac_plus once to confirm the local fallback really lets you in. Second, IOS authorizes each command at the privilege level the command itself belongs to, so `aaa authorization commands 15` does not cover level-1 commands such as `show` or `ping`; if the `event` user's `show` restriction is meant to be enforced, add `aaa authorization commands 1 admin group tac-int local` together with `authorization commands 1 admin` on the vty lines.
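To see what the `cmd` clauses above actually allow for `audit` and `event` before touching the router, here is a small model of tac_plus's command-authorization decision, added for this post and not code from tac_plus or the original page. It follows the documented rules in simplified form: the NAS sends the first word as `cmd` and the rest, plus a trailing `<cr>`, as arguments; the user's own clauses are checked before the group's; inside a clause the first regex matching the joined arguments decides (unanchored search, as with re_exec); a listed command whose arguments match nothing is denied; an unlisted command falls back to the group's `default service`. The user and group table is transcribed from the tac_plus.conf above; the command lines fed to it are constructed.

```python
"""Model of tac_plus `cmd` clause evaluation for the users in this post.

Added example, not tac_plus code. Assumptions (simplified tac_plus rules):
user clauses before group clauses, first matching regex wins, unanchored
regex search over the joined arguments, listed-but-unmatched -> deny,
unlisted -> group's `default service`.
"""
import re

DENY_ALL = [("deny", ".*")]
PERMIT_ALL = [("permit", ".*")]

# Transcribed from tac_plus.conf above.
GROUPS = {
    "admin":   {"default": "permit", "cmds": {}},
    "service": {"default": "deny",   "cmds": {}},
}

USERS = {
    "adm":   {"member": "admin", "cmds": {}},
    "audit": {"member": "admin", "cmds": {c: DENY_ALL for c in (
        "configure", "enable", "clear", "reload", "write",
        "copy", "erase", "delete", "archive")}},
    "event": {"member": "service", "cmds": {
        **{c: PERMIT_ALL for c in (
            "clear", "tclsh", "squeeze", "event", "more", "delete", "enable")},
        "show": [("permit", "version")],
    }},
}


def match_clause(rules, args):
    """First regex that matches the joined arguments decides; none -> deny."""
    for verdict, pattern in rules:
        if re.search(pattern, args):
            return verdict
    return "deny"


def authorize(user, cmdline):
    """Return 'permit' or 'deny' for `user` typing `cmdline` on the router."""
    words = cmdline.split()
    # IOS sends cmd=<first word> and one cmd-arg per remaining word, ending with <cr>
    cmd, args = words[0], " ".join(words[1:] + ["<cr>"])
    entry = USERS[user]
    group = GROUPS[entry["member"]]
    for scope in (entry, group):            # user clauses first, then the group's
        if cmd in scope["cmds"]:
            return match_clause(scope["cmds"][cmd], args)
    return group["default"]                 # unlisted command: default service


if __name__ == "__main__":
    samples = [                              # constructed command lines
        ("audit", "show running-config"),
        ("audit", "configure terminal"),
        ("event", "show version"),
        ("event", "show running-config"),
        ("event", "show inventory | include version"),
        ("event", "delete /force flash:foo"),
        ("event", "reload"),
        ("adm",   "reload"),
    ]
    for user, line in samples:
        print(f"{user:6} {line:40} -> {authorize(user, line)}")
```

The fifth sample is the one to look at: because the regex is searched anywhere in the argument string, `permit version` also permits `show inventory | include version`. If the intent is exactly `show version` and nothing else, anchor the pattern (for example `permit "^version <cr>$"`) and keep the `deny .*` habit from the `audit` user.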
