AAA authorization on IOS

network-engineering cisco cisco-ios aaa tacacs authorization
2021-07-07 04:20:37

Still working on a project (not for a real-life deployment, so don't worry about seeing passwords).

I have set up a Tacacs server for centralized AAA. I am trying to set up two users, "admin" with full administrative access and "basic" with limited command access. This works fine for my ASA firewall, but I also want to enable it on an IOS-based router.

This works on the router as far as logging in as the user and being prompted for the password correctly. However, when I log in as "basic" and try to use commands that should be forbidden, they are allowed. From a Wireshark trace I can see that the router is not attempting to contact the tacacs server for command authorization. What do I need to add/change to make the router consult the server for command authorization?

Router config:


!
! Last configuration change at 20:03:48 GMT Mon Nov 29 2021 by basic
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login HQTACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ 
aaa authorization commands 15 default group tacacs+ 
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username localadmin privilege 15 secret 5 $1$mX0o$aBpVy.ik5ak8ev4wq9IRf1
!
redundancy
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 no shutdown
 description TO THE ISP-HQ NETWORK 209.165.200.224/30
 ip address 209.165.200.226 255.255.255.224
!
interface Ethernet0/1
 no shutdown
 description TO THE HQ NETWORK 192.168.10.0/24
 ip address 192.168.20.1 255.255.255.252
!
interface Ethernet0/2
 no shutdown
 no ip address
 shutdown
!
interface Ethernet0/3
 no shutdown
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.1.1.0 255.255.255.252 Ethernet0/0
ip route 10.1.10.0 255.255.255.0 Ethernet0/0
ip route 192.31.7.32 255.255.255.224 Ethernet0/0
ip route 192.168.10.10 255.255.255.255 192.168.20.2
ip route 198.133.219.0 255.255.255.252 Ethernet0/0
ip route 209.165.200.227 255.255.255.255 192.168.20.2
ip route 209.165.200.228 255.255.255.255 192.168.20.2
!
!
!
tacacs-server directed-request
tacacs server HQTACACS
 address ipv4 192.168.10.10
 key testing123
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input none
!
!
end

Tacacs server config:

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
 
# Define where to log accounting data, this is the default.
 
accounting file = /var/log/tac_plus.acct
 
# This is the key that clients have to use to access Tacacs+
 
key = testing123
 
# Use /etc/passwd file to do authentication
 
#default authentication = file /etc/passwd
 
 
# You can use feature like per host key with different enable passwords
#host = 127.0.0.1 {
#        key = test 
#        type = cisco
#        enable = <des|cleartext> enablepass
#        prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}
 
# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#user = test1 {
#    name = "Test User"
#    member = staff
#    login = file /etc/tacacs/tacacs_passwords
#}
 
# We can also specify rules valid per group of users.
#group = group1 {
#   cmd = conf {
#       deny
#   }
#}
 
# Another example : forbid configure command for some hosts
# for a define range of clients
#group = group1 {
#   login = PAM
#   service = ppp
#   protocol = ip {
#       addr = 10.10.0.0/24
#   }
#   cmd = conf {
#       deny .*
#   }
#}
 
user = admin {
    default service = permit
    member = admingroup
    login = cleartext Cisco
    enable = cleartext Cisco
}
 
user = basic {
    login = cleartext Cisco
    member = readonly
    enable = cleartext Cisco
}
 
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
 
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 0
    }
 
 
    cmd = show {
        permit .*
    }
 
    cmd = traceroute {
        permit .*
    }
 
    cmd = ping {
        permit .*
    }
 
    cmd = exit {
        permit .*
    }
}
 
# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

The config, edited according to the answer, now contains the following lines:

aaa authentication login default group tacacs+ local
aaa authentication login HQTACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 HQTACACS group tacacs+ 
aaa authorization commands 15 HQTACACS group tacacs+

But it still gives the same behaviour?

Update 2:

I did not define a server group; HQTACACS is the server name. The lines in my config that use it that way look like my mistake. Login authentication and enable-mode authentication use this structure

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

However, when I use the same structure (corrected to use level 0 instead of 1, thanks Ricky), I can see in Wireshark that attempts are being made using the priv level 15 "admin" and priv level 0 "basic" accounts.

aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+

Do I need to define a server group in order to use Tacacs for authorization?

1 Answer

Edit:

You use group tacacs+ for authentication, but you have not configured a server group for it. Here is a corrected configuration:

aaa authentication login default group HQTACACS local
aaa authentication enable default group HQTACACS enable
aaa authorization commands 0 default group HQTACACS if-authenticated
aaa authorization commands 15 default group HQTACACS if-authenticated

Additionally:

aaa group server tacacs+ HQTACACS
 server name HQTACACS

Update 2:

If you connect via the console (not a vty), this additional line is needed:

aaa authorization console
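The three configuration pitfalls that come up in this thread (a named method list that is never applied to a line, a `group` keyword that names a server instead of a defined `aaa group server`, and console sessions that bypass command authorization until `aaa authorization console` is set) are easy to catch mechanically before a config is pushed. The following script is an added example written for this page, not code from the question, the answer or Cisco; it audits an IOS running-config for exactly those conditions. The two configs embedded in it are constructed, trimmed imitations of the ones in the thread (the asker's first attempted fix and the answer's corrected version); the checks encode the IOS rule that only a list named `default` applies automatically, while any other list name must be referenced under a `line` section.

```python
import re

# Constructed sample: the asker's first attempt, with "HQTACACS" in the
# list-name position of the authorization lines and never applied to a line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 HQTACACS group tacacs+
aaa authorization commands 15 HQTACACS group tacacs+
tacacs server HQTACACS
 address ipv4 192.168.10.10
line con 0
 logging synchronous
line vty 0 4
 transport input none
"""

# Constructed sample: the shape of the corrected configuration from the answer.
FIXED_CONFIG = """\
aaa new-model
aaa group server tacacs+ HQTACACS
 server name HQTACACS
aaa authentication login default group HQTACACS local
aaa authentication enable default group HQTACACS enable
aaa authorization console
aaa authorization commands 0 default group HQTACACS if-authenticated
aaa authorization commands 15 default group HQTACACS if-authenticated
line con 0
line vty 0 4
"""

BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups: every globally defined server
LIST_RE = re.compile(r"^aaa (authentication login|authorization commands \d+|authorization exec) (\S+) (.+)$")
LINE_APPLY_RE = re.compile(r"^(login authentication|authorization commands \d+|authorization exec) (\S+)$")


def parse_config(text):
    """Collect server groups, method lists, lists applied under 'line', and global flags."""
    server_groups, method_lists, applied = set(), [], set()
    flags = {"new_model": False, "authz_console": False, "line_con": False, "authz_commands": False}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command: closes any 'line' section
            section = None
            if line == "aaa new-model":
                flags["new_model"] = True
            elif line == "aaa authorization console":
                flags["authz_console"] = True
            elif line.startswith("line "):
                section = "line"
                flags["line_con"] |= line.startswith("line con ")
            else:
                m = re.match(r"^aaa group server (tacacs\+|radius) (\S+)$", line)
                if m:
                    server_groups.add(m.group(2))
                    continue
                m = LIST_RE.match(line)
                if m:
                    kind, name, methods = m.groups()
                    flags["authz_commands"] |= kind.startswith("authorization commands")
                    tokens = methods.split()
                    groups = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "group"]
                    method_lists.append((kind, name, groups))
            continue
        if section == "line":                  # indented sub-command of a line section
            m = LINE_APPLY_RE.match(line.strip())
            if m:
                kind = "authentication login" if m.group(1) == "login authentication" else m.group(1)
                applied.add((kind, m.group(2)))
    return server_groups, method_lists, applied, flags


def audit(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    server_groups, method_lists, applied, flags = parse_config(text)
    findings = []
    if not flags["new_model"]:
        findings.append("missing 'aaa new-model': AAA method lists are ignored without it")
    for kind, name, groups in method_lists:
        for g in groups:
            if g not in BUILTIN_GROUPS and g not in server_groups:
                findings.append(f"{kind} list '{name}' references undefined server group '{g}'")
        if name != "default" and (kind, name) not in applied:
            findings.append(f"{kind} list '{name}' is not applied to any line; only 'default' applies automatically")
    if flags["authz_commands"] and flags["line_con"] and not flags["authz_console"]:
        findings.append("command authorization is configured but 'aaa authorization console' is absent: console sessions are not authorized")
    return findings


if __name__ == "__main__":
    for label, cfg in (("asker's attempt", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the asker's attempt the script reports that both `HQTACACS` authorization lists are defined but never applied to a line (which is why "still gives the same behaviour" is the expected result of that edit) and that console sessions are unprotected; the corrected configuration produces no findings. Feed it a config where `group HQTACACS` is used without the `aaa group server tacacs+ HQTACACS` block and it flags the undefined server group instead.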