Wednesday, 7 September 2016

TACACS+ on Linux (Cisco/Active Directory)

This note is about running a TACACS+ service on Linux with Active Directory authentication for Cisco devices.
It is not exclusive material, just yet another set of instructions.

Assume that you have Ubuntu Server installed; in my case it was 16.04.1.
Download the non-standard (pro-bono-publico) version of tac_plus rather than the distribution package:

wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2

Installation is simple enough: decompress, configure, make and install. My own suggestion: use checkinstall, and never use a bare make install!
Here are the original instructions:
http://www.pro-bono-publico.de/projects/howto-tac_plus-ads.html

When the installation is finished, install the Perl packages required by the MAVIS module; on Ubuntu the package is called libnet-ldap-perl.

The archive ships a sample configuration; copy it into place as a starting point:

cp /usr/local/etc/mavis/sample/tac_plus.cfg /usr/local/etc/

or just use mine:

#!/usr/local/sbin/tac_plus

id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        # logging
        access log = ">/var/log/tac_plus/access/%Y%m%d.log"
        accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"

        # Active Directory
        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "10.1.110.155:3268" # IP address of the AD server
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=domain,dc=name" # domain.name
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "user@domain.name" # user which can read the AD tree
                setenv LDAP_PASSWD = "user_password"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = ::/0
                welcome banner = "Welcome\n"
                enable 15 = clear secret
                key = "TACACSSECRET"
        }

        # ADMIN GROUP
        group = admin {
                message = "[Admin privileges]"
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }
}


Because REQUIRE_TACACS_GROUP_PREFIX = 1 is set, the MAVIS LDAP backend maps the AD group tacacsadmin to the tac_plus group admin, so make sure that group exists in Active Directory and that your admin users are members of it.

Check that the LDAP connection works before pointing any devices at the server (the last two arguments are the name and password of a user from that group):

/usr/local/bin/mavistest /usr/local/etc/tac_plus.cfg tac_plus TACPLUS user_from_group users_password
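As an added example (my own script, not part of the original post or of tac_plus), here is a small audit that flags the weak settings in a configuration like the one above: a plain LDAP or global-catalog port in LDAP_HOSTS, the bind password kept inline, a host block that matches every address, a clear-text enable password and a short or placeholder shared key. The embedded sample is constructed from the fragment above and the check names are my own.

```python
import re

# Constructed sample: the lines from the tac_plus.cfg above that the checks look at.
SAMPLE_CFG = """id = tac_plus {
        mavis module = external {
                setenv LDAP_HOSTS = "10.1.110.155:3268" # ipaddress of AD server
                setenv LDAP_USER = "user@domain.name"
                setenv LDAP_PASSWD ="user_password"
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        host = world {
                address = ::/0
                enable 15 = clear secret
                key = "TACACSSECRET"
        }
}
"""

PLAINTEXT_LDAP_PORTS = {"389", "3268"}  # LDAP and global catalog without TLS


def audit_tac_plus_cfg(text):
    """Return (check, detail) tuples for weak settings found in a tac_plus config."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r'setenv\s+LDAP_HOSTS\s*=\s*"?([^"]+)"?', line)
        if m:  # bind credentials cross the wire unprotected on plain LDAP ports
            for host in m.group(1).split():
                port = host.rsplit(":", 1)[1] if ":" in host else "389"
                if not host.startswith("ldaps://") and port in PLAINTEXT_LDAP_PORTS:
                    findings.append(("ldap-plaintext", host))
        if re.match(r"setenv\s+LDAP_PASSWD\s*=", line):  # secret lives in the config file
            findings.append(("ldap-password-inline", "LDAP_PASSWD"))
        if re.match(r"address\s*=\s*(::/0|0\.0\.0\.0/0)$", line):  # host block matches everyone
            findings.append(("host-any-address", line))
        m = re.match(r"(enable(?:\s+\d+)?|password)\s*=\s*clear\s+\S+", line)
        if m:  # clear-text password; tac_plus also accepts crypt hashes here
            findings.append(("clear-text-password", m.group(1)))
        m = re.match(r'key\s*=\s*"?([^"]*)"?$', line)
        if m and (len(m.group(1)) < 16 or m.group(1).isalpha()):  # short or placeholder key
            findings.append(("weak-key", m.group(1)))
    return findings


if __name__ == "__main__":
    for check, detail in audit_tac_plus_cfg(SAMPLE_CFG):
        print(f"{check}: {detail}")
```

Run it against your real /usr/local/etc/tac_plus.cfg; an empty result means none of these five patterns were found, not that the configuration is otherwise sound.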
