How do you configure a TACACS+ tac_plus server on Ubuntu 16.04 to authenticate against Microsoft Active Directory?
Update 01/10/2018: Added the missing library needed for Perl regular expression support (libpcre3-dev).
Update July 11, 2017: There is a bug in MAVIS. If you run into problems using LDAPS on port 636 or 3269, remove the USE_TLS configuration variable from tac_plus.cfg entirely. This will resolve the issue. I have emailed my findings to the author.
This guide walks you through setting up a TACACS+ server (using the free version of tac_plus) on Ubuntu Server 16.04 that authenticates against Active Directory. It assumes you are comfortable installing and configuring Ubuntu Server and can deploy a new Ubuntu server on a LAN with Internet access.
Start by deploying a fresh Ubuntu 16.04 server with only the standard system utilities and the OpenSSH server package. Once the installation is complete and you have verified network connectivity to the LAN and the Internet, you are ready to proceed.
SSH to the new server and enter the commands listed below (follow the instructions when prompted):
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install build-essential libnet-ldap-perl libpcre3-dev
cd ~
wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
cd PROJECTS
sudo make
sudo make install
sudo mkdir /var/log/tac_plus
sudo mkdir /var/log/tac_plus/access
sudo mkdir /var/log/tac_plus/accounting
sudo mkdir /var/log/tac_plus/authentication
Note: /var/log/tac_plus (and its subfolders) need chmod 755 permissions. On Ubuntu these permissions should be inherited from /var/log whenever you create the tac_plus folders. If tac_plus is not writing logs, verify the permissions on the /var/log/tac_plus folders and adjust them if necessary. You can verify the permissions by running:
stat --format '%a' /var/log/tac_plus
At this point you have installed all the packages needed to run tac_plus and the mavis authentication backend. To make sure everything installed correctly, run the following command and compare your output:
/usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.
If you get an error message such as "Can't locate Net/LDAP.pm in @INC", double-check the commands at the beginning of the guide and make sure they all completed without errors. If your output matches the above, go ahead and enter the following commands:
cd /usr/local/etc
sudo touch tac_plus.cfg
sudo chmod 755 tac_plus.cfg
sudo nano tac_plus.cfg
After entering the commands above you will find yourself in nano editing an empty tac_plus.cfg. Now it is time to configure tac_plus to talk to your Active Directory environment. My sample configuration is shown below. Modify it to suit your needs and save it to /usr/local/etc/tac_plus.cfg (needs chmod 755).
You will also need to create an Active Directory service account for tac_plus to use when querying Active Directory. I recommend creating an account named "svc_tacplus" and making it a member of "Domain Users" only. I also recommend disabling password expiration (standard practice for AD service accounts).
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { address = 0.0.0.0 port = 49 }
#Uncomment the line below for IPv6 support
#listen = { address = :: port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
#If you are using Microsoft Global Catalog with secure LDAP (SSL)
#setenv LDAP_HOSTS = "ldaps://10.0.0.100:3269"
#If you are using Microsoft Global Catalog with regular LDAP (non-SSL)
setenv LDAP_HOSTS = "10.0.0.100:3268"
setenv LDAP_BASE = "DC=domain,DC=name"
setenv LDAP_SCOPE = sub
setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
setenv LDAP_USER = "svc_tacplus@domain.name"
setenv LDAP_PASSWD = "ServiceAccountPassword"
#Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
#I'm not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does
setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
#Clear default setting of tacplus for AD_GROUP_PREFIX
setenv AD_GROUP_PREFIX = ""
#Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
setenv REQUIRE_TACACS_GROUP_PREFIX = 0
#DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE
#TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED
#FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED
#setenv USE_TLS = 0
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host = world {
#Allow any IPv4 device
address = 0.0.0.0/0
#Uncomment the line below for IPv6 support
#address = ::/0
#Uncomment the line below to inject a login prompt
#prompt = "Put your custom welcome message here.\n"
#Change this to your own secure TACACS+ key
key = "cisco"
}
#Example group that grants admin on Cisco IOS/XE/XR and NX-OS
group = admin {
#Permit all services by default
default service = permit
#Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)
enable = login
service = shell {
#Permit all commands
default command = permit
#Permit all command attributes
default attribute = permit
#Set privilege level to 15 on IOS/XE
set priv-lvl = 15
#Uncomment the line below for NX-OS support
#set shell:roles="\"network-admin vdc-admin\""
#Uncomment the line below for IOS XR support
#set task = "#root-system"
}
}
#Example AD user mapping
user = jsmith {
password = mavis
member = admin
}
}
Cisco AAA TACACS+ note: do not uncomment the NX-OS/IOS XR custom attributes unless you need them. This gives your tac_plus server the widest possible compatibility. Many older IOS releases (especially anything below 12.2) will not work with a TACACS+ server that sends the additional attributes. For example, a Cisco 2950 switch can only run IOS 12.1 and will not work with tac_plus if tac_plus is configured to send the NX-OS / IOS XR attributes. If everything appears to be configured correctly but you are still having problems, try upgrading your Cisco device to the latest IOS image it can run. Cisco's support site lists the recommended release for any device that is not end-of-life.
After saving the tac_plus.cfg file, it is time to test it. Run the following command and make sure there are no errors:
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
If tac_plus reports any errors, edit the tac_plus.cfg file again and correct them. Do not continue with this guide until you have corrected all errors. For the complete configuration reference see http://www.pro-bono-publico.de/projects/tac_plus.html. You may also want to look at the file /usr/local/lib/mavis/mavis_tacplus_ldap.pl for a detailed description of the LDAP variables.
Once your tac_plus.cfg file is free of errors, you need to verify that your Active Directory configuration is correct. Run the following command to test it (replace SomeUserName / SomeUserPassword with the username and password of the Active Directory account you want to test):
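The -P check above only validates syntax. As an added example (not part of the original guide or of the tac_plus project), the following Python helper audits a tac_plus.cfg written in the syntax used above for the points this guide calls out: a USE_TLS variable still set (see the July 11, 2017 update), the placeholder key "cisco" left in place, the NX-OS/IOS XR attributes uncommented, and the LDAP_PASSWD bind password sitting in a file that chmod 755 leaves readable by every local account. The finding names and the sample excerpt are constructed for the example.

```python
import re
import stat

# Constructed excerpt in the tac_plus.cfg syntax from this guide; it deliberately
# carries every condition the audit looks for so each finding can be exercised.
SAMPLE_CFG = """\
id = tac_plus {
    mavis module = external {
        setenv LDAP_HOSTS = "10.0.0.100:3268"
        setenv LDAP_PASSWD = "ServiceAccountPassword"
        #setenv USE_TLS = 0
        setenv USE_TLS = 1
    }
    host = world {
        key = "cisco"
    }
    group = admin {
        service = shell {
            set shell:roles="\\"network-admin vdc-admin\\""
        }
    }
}
"""

SETENV_RE = re.compile(r'^\s*setenv\s+(\w+)\s*=\s*"?([^"]*)"?\s*$')
KEY_RE = re.compile(r'^\s*key\s*=\s*"([^"]*)"')
VENDOR_ATTR_RE = re.compile(r'^\s*set\s+(shell:roles|task)\b')

def audit_tac_plus_cfg(text, file_mode):
    """Return finding names for a tac_plus.cfg body and the file's st_mode bits."""
    findings = []
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):      # tac_plus treats these as comments
            continue
        m = SETENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
        k = KEY_RE.match(line)
        if k and k.group(1) == "cisco":        # placeholder key from the sample config
            findings.append("default-key")
        if VENDOR_ATTR_RE.match(line):         # breaks older IOS, see the note above
            findings.append("vendor-attrs-enabled")
    if "USE_TLS" in env:                       # MAVIS bug: leave USE_TLS unset
        findings.append("use-tls-set")
    if "LDAP_PASSWD" in env and file_mode & stat.S_IROTH:
        findings.append("world-readable-bind-password")
    return findings
```

To audit the live file, call audit_tac_plus_cfg(open(path).read(), os.stat(path).st_mode) with path set to /usr/local/etc/tac_plus.cfg.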
/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS SomeUserName SomeUserPassword
{mavistest debug output omitted}
Input attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-2501-1509172787-0
USER SomeUserName
PASSWORD SomeUserPassword
TACTYPE AUTH
Output attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-2501-1509172787-0
USER SomeUserName
RESULT ACK
PASSWORD SomeUserPassword
SERIAL QrWVmlId0OZADDRU/hy/pw=
DBPASSWORD SomeUserPassword
TACMEMBER [List of Active Directory security groups]
TACTYPE AUTH
Look specifically at the RESULT value. If you get ACK, your Active Directory query succeeded. If you get NACK, BFD or ERR... something went wrong, and you need to double-check the Active Directory environment variables in the tac_plus.cfg file. A handy tool for getting the environment variables right is an LDAP browser: http://www.ldapbrowser.com/download.htm. Do not continue until you can run mavistest and get an ACK result for one or more Active Directory accounts.
The last step is the easiest. We just need to set the tac_plus daemon to start at boot and start the tac_plus service itself. Run the following commands:
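As an added example (not from the original guide), here is a small Python helper that parses the attribute-value-pair output mavistest prints, checks that RESULT is ACK (and optionally that a given AD group appears in TACMEMBER), and blanks the PASSWORD and DBPASSWORD lines, which the output above echoes in clear, before the output is pasted into a ticket or log. The sample output and group names are constructed; the quoted, comma-separated TACMEMBER layout is an assumption about mavis.

```python
# Constructed mavistest output in the format shown above (debug lines trimmed);
# the quoted comma-separated TACMEMBER layout is an assumption about mavis.
SAMPLE_OUTPUT = """\
Input attribute-value-pairs:
USER SomeUserName
PASSWORD SomeUserPassword
Output attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-2501-1509172787-0
USER SomeUserName
RESULT ACK
PASSWORD SomeUserPassword
SERIAL QrWVmlId0OZADDRU/hy/pw=
DBPASSWORD SomeUserPassword
TACMEMBER "Domain Users","Network Admins"
TACTYPE AUTH
"""

SECRET_KEYS = ("PASSWORD", "DBPASSWORD")

def parse_output_avpairs(text):
    """Return {attribute: value} for the lines after 'Output attribute-value-pairs:'."""
    pairs, in_output = {}, False
    for line in text.splitlines():
        if line.startswith("Output attribute-value-pairs:"):
            in_output = True
        elif in_output and line.strip():
            key, _, value = line.partition(" ")   # attribute, then the rest verbatim
            pairs[key] = value
    return pairs

def check_ad_auth(text, required_group=None):
    """Return (ok, result, groups); ok needs RESULT ACK and, if given, the group."""
    pairs = parse_output_avpairs(text)
    result = pairs.get("RESULT", "ERR")          # a missing RESULT counts as failure
    # Split the group list; a group name containing a comma would need a real parser.
    groups = [g.strip().strip('"') for g in pairs.get("TACMEMBER", "").split(",") if g.strip()]
    ok = result == "ACK" and (required_group is None or required_group in groups)
    return ok, result, groups

def redact_secrets(text):
    """Blank the cleartext PASSWORD/DBPASSWORD values before sharing the output."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition(" ")
        out.append(key + sep + "<redacted>" if key in SECRET_KEYS else line)
    return "\n".join(out)
```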
cd /etc/init.d
sudo cp ~/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo chown root:root /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults
sudo service tac_plus start
The commands above install the tac_plus init.d script so that the tac_plus service starts at boot. They also start the tac_plus service manually, so you can begin using your new TACACS+ server without rebooting. To verify that the tac_plus service started successfully, run:
sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 0 25680 1911/tac_plus: 0 co
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 16105 1023/sshd
tcp6 0 0 :::22 :::* LISTEN 0 16113 1023/sshd
If you see tac_plus listening on TCP port 49, the tac_plus service is running and you are ready to point all of your TACACS+-enabled devices at the new TACACS+ server. If you do not see output similar to the above, go back over everything to locate and correct the problem.
Any change to /usr/local/etc/tac_plus.cfg requires a restart of the tac_plus service to take effect. See the example below:
sudo nano /usr/local/etc/tac_plus.cfg
sudo service tac_plus stop
sudo service tac_plus start
If tac_plus fails to start, there are errors in your tac_plus.cfg file, and you need to correct them before the service will start again. The following commands can help you identify errors in the tac_plus.cfg file:
sudo systemctl status tac_plus.service
sudo journalctl -xe
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
Hopefully this guide has been helpful. If you find anything wrong or hard to understand, let me know. I sat down and wrote this guide because I had to go through several other guides/blogs to find all the information needed to configure tac_plus for my environment.
The environment variables from mavis_tacplus_ldap.pl and some Cisco AAA configuration examples are listed below for reference:
Environment variables from mavis_tacplus_ldap.pl:
LDAP_SERVER_TYPE
One of: generic tacacs_schema microsoft
Default: tacacs_schema
LDAP_HOSTS
Space-separated list of LDAP URLs or IP addresses or hostnames
Examples: "ldap01 ldap02", "ldaps://ads01:636 ldaps://ads02:636"
LDAP_SCOPE
LDAP search scope (base, one, sub)
Default: sub
LDAP_BASE
Base DN of your LDAP server
Example: "dc=example,dc=com"
LDAP_FILTER
LDAP search filter
Defaults depend on LDAP_SERVER_TYPE:
- generic: "(uid=%s)"
- tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount))"
- microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
LDAP_FILTER_CHPW
LDAP search filter for password changes
Defaults depend on LDAP_SERVER_TYPE:
- generic: "(uid=%s)"
- tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount)(!(tacacsFlag=staticpasswd))"
- microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
LDAP_USER
User to use for LDAP bind if server doesn't permit anonymous searches.
Default: unset
LDAP_PASSWD
Password for LDAP_USER
Default: unset
AD_GROUP_PREFIX
An AD group starting with this prefix will be used for tacacs group membership.
Default: tacacs
REQUIRE_AD_GROUP_PREFIX
If set, user needs to be in one of the AD_GROUP_PREFIX groups.
Default: unset
UNLIMIT_AD_GROUP_MEMBERSHIP
If unset, the number of groups a user can be member of is limited to one.
Default: unset
EXPAND_AD_GROUP_MEMBERSHIP
If set, AD group memberships will be expanded.
Default: unset
USE_TLS (DO NOT SET THIS VARIABLE!!!)
If set, the server is required to support start_tls.
Default: unset
FLAG_CHPW
Permit password changes via this backend.
Default: unset
FLAG_PWPOLICY
Enforce a simplicistic password policy.
Default: unset
FLAG_CACHE_CONNECTION
Keep connection to LDAP server open.
Default: unset
FLAG_FALLTHROUGH
If LDAP search fails, try next module (if any).
Default: unset
FLAG_USE_MEMBEROF
Use the memberof attribute for determining group membership.
Default: unset
FLAG_AUTHORIZE_ONLY
Don't attempt to authenticate users.
Sample Cisco IOS TACACS+ AAA configuration:
! Example Cisco IOS TACACS+ AAA configuration
!
! Don't forget to change Vlan1 to either the VLAN or physical interface that can
! reach your tacplus server
!
! Run "show aaa user all" to verify privilege level after you login
!
! NOTE: It is highly recommended that you turn on service password encryption!
! Some IOS images contain bugs that prevent TACACS+ from working unless service
! password encryption is enabled!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
service password-encryption
ip tacacs source-interface Vlan1
tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco
tacacs-server directed-request
Sample Cisco ASA TACACS+ AAA configuration:
! Sample Cisco ASA TACACS+ AAA configuration
! Don't forget to change (inside) to the interface that can reach your tacplus server
! Run "show curpriv" to verify privilege level after you login
!
! NOTE: Please make sure the ASA IOS image you are running isn't exploitable
!
! See Cisco Advisory ID: cisco-sa-20160210-asa-ike for more information
! See Cisco Bug IDs: CSCux29978, CSCux42019 for more information
!
! Cisco TAC will provide a patched image to you free of charge even if you don't have a
! service contact! Open a Cisco TAC case with your ASA's serial number and include the
! advisory ID as proof of entitlement and they will provide the image file to you!
aaa-server tacplus protocol tacacs+
aaa-server tacplus (inside) host IP_OF_TACPLUS_SERVER
key cisco
aaa authentication ssh console tacplus LOCAL
aaa authentication serial console tacplus LOCAL
aaa authentication enable console tacplus LOCAL
aaa authentication http console tacplus LOCAL
aaa accounting command tacplus
aaa accounting ssh console tacplus
aaa accounting enable console tacplus
Sample Cisco NX-OS TACACS+ AAA configuration:
! Sample NX-OS aaa tac_plus configuration
! Don't forget to change the VRF to one that can reach your tacplus server
! Run "show user-account" to verify roles after you login successfully
tacacs-server directed-request
tacacs-server host IP_OF_TACPLUS_SERVER key 0 "cisco"
aaa group server tacacs+ tacplus
server IP_OF_TACPLUS_SERVER
use-vrf default
aaa authentication login default group tacplus local
aaa authentication login console group tacplus local
aaa authorization config-commands default group tacplus local
aaa authorization commands default group tacplus local
aaa accounting default group tacplus
Sample Cisco IOS XR TACACS+ AAA configuration:
! Example Cisco IOS XR TACACS+ AAA configuration (IOS XR formal syntax)
! Don't forget to change the interface/vrf to a pair that can reach your tacplus server
! Run "show user tasks" to verify task levels after you login
tacacs source-interface TenGigE0/0/2/0 vrf default
tacacs-server host IP_OF_TACPLUS_SERVER port 49
tacacs-server host IP_OF_TACPLUS_SERVER port 49 key 0 cisco
tacacs-server host IP_OF_TACPLUS_SERVER port 49 single-connection
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands default group tacacs+
aaa authentication login default group tacacs+ local