How to achieve AAA Authentication through TACACS + server on the switch
TACACS + encrypts the whole message, and the authentication and authorization can be separated. The username and password can be verified respectively, which is better than the security of radius. It is suitable for scenarios requiring high security.
Note: At present, 802.1X authentication of switch only supports the use with radius server. The functional configuration of TACACS + server only includes authentication and authorization, and the billing function can not be used.
Part 1. Build a simple TACACS + server on a Linux system
Step 1. TACACS+ installation
TACACS+ package is available in the Ubuntu repositories, enter the following command in root mode to install
apt-get install tacacs+
Step 2. TACACS+ configuration
Once that is installed, we proceed to configure the TACACS+ server to our needs. On a default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf Open the file with your favorite editor and make changes as below.
vi /etc/tacacs+/tac_plus.conf
#Make this a strong key
key = tplink2021
# Using local PAM which allows us to use local Linux users
default authentication = file /etc/passwd
#Define groups that we shall add users to later
#In this example I have defined 3 groups and assign them respective privileges. Test1 is administrator privilege, test2 and test3 are user privilege, but test3 can obtain administrator privilege according to the set additional password. The password is automatically generated according to the command tac_pwd as below.
group = test1 {
default service = permit
service = exec {
priv-lvl = 15
}
}
group = test2 {
default service = deny
service = exec {
priv-lvl = 1
}
}
group = test3 {
default service = permit
login = file/etc/passwd
enable = Gbptgx46GpgrA
service = exec {
priv-lvl = 2
}
}
#Defining my users and assigning them to groups above
user = manager {
member = test1
}
user = user1 {
member = test2
}
user = user2 {
member = test3
}
Priv-lvl has 15 levels and four different management permissions on the switch:
1~4:User permissions, which can only be viewed and set, cannot be edited and modified, and L3 features cannot be viewed
5~9: Super user permission, you can view, edit, and modify some functions, such as VLAN, HTTPS config, Ping, etc
10~14: Operator permissions. On the basis of super user permissions, you can also perform lag, MAC address, access control, SSH config and other functions
15: Administrator privileges, you can view, edit, and modify all functions
#Save and exit the edited file of tac_plus.conf, create relevant users and set passwords on Linux system.
adduser manager
adduser user1
adduser user2
Step 3. TACACS+ start
# Start listening to port 49, indicating that the startup is successful.
/etc/init.d/tacacs_plus start
Note: After each modification of the configuration file, restart the TACACS + server.
Part 2. Configurations on the switch
Taking the topology in the following figure as an example, the management interface of the login switch needs to be authenticated by TACACS + server to ensure the security of the network.
Step 1. Choose the menu SECURITY > AAA > TACACS+ Config and click Add to load the following page. Configure the Server IP as 192.168.0.100, the Shared Key as tplink2021, the Server Port as 49.
Step 2. Choose the menu SECURITY > AAA > Method Config and click in the Authentication Login Method Config section. Specify the Method List Name as default and select the Pri1 as tacacs.
Step 3. On the same page, click in the Authentication Enable Method Config. Specify the Method List Name as default and select the Pri1 as tacacs. Click Create to set the method list for the Enable password authentication
Case 1. All login switch management methods need to be authenticated by TACACS + server
Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application Config section, select all Modules the Login Method and Enable Method as default.
At this point, the configuration of the switch is completed. Neither HTTP nor TELNET can log in to the management interface with the default admin account through client.
Case 2. Except Telnet, all login switch management methods need to be authenticated by TACACS + server.
Choose the menu SECURITY > AAA > Method Config and click in both the Authentication Login Method Config section and Authentication Enable Method Config section. Specify the Method List Name as telnet and select the Pri1 as local in the both sections.
Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application Config, select the Module of telnet the Login Method and Enable Method as telnet.
At this point, you can use the default admin account to log in to the switch through telnet.
Case 3. When logging in with user authority, set an additional administrator password on the TACACS + server, and enter the set password in the interface below to upgrade from user authority to administrator authority.
A fost util acest FAQ?
Părerea ta ne ajută să îmbunătățim acest site.