Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Tacacs Ad

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

Tacacs + AD + CentOS = FREE

Posted: December 12, 2012 in Linux, Security Tags: aaa, Active directory, authentication, authorization, cisco, da!, da!s, tacacs"

Install Dependencies 1. yum install gcc 2. yum install g++ 3. yum install perl-IO-Socket-SSL 4. yum install pam-devel 5. yum install ld-linux.so.2 6. wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/perl-ldap-0.39.tar.gz 7. tar xzvf perl-ldap-0.39.tar.gz 8. cd perl-ldap-0.39 9. perl Makefile.PL // say yes to everything 10. perl -e use IO::Socket::SSL 11. perl -e use Net::SSLeay 12. cpan a. > Install Net::LDAP // select yes to everything 13. Yum install perl-LDAP Install Tac_Plus 1. wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2 2. bzip2 -dc DEVEL.tar.bz2 | tar xvfp 3. cd PROJECTS 4. su 5. ./configure 6. Make

7. Make install Install tac_plus.cfg file 1. cd /usr/local/etc/ 2. vi tac_plus.cfg 3. cp /usr/local/sbin/tac_plus /etc/init.d/ 4. cd /etc/init.d/ 5. ll | grep tac_plus //make sure that permissions are set -rwxr-xr-x 6. tac_plus /usr/local/etc/tac_plus.cfg //verify the config file 7. env LDAP_HOSTS=<LDAP IP> /usr/local/lib/mavis/mavis_tacplus_ldap.pl //insert IP of LDAP server 8. vi resolve.conf a. add this line to the file: nameserver <ip of AD> Add AD to hosts file to enable LDAPS 1. vi /etc/hosts 2. add <IP Address> <Full Domain Name> Example: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.10.10.10. xxxxx.xxxx.local 3. wq id = spawnd { listen = { port = 49 } spawn = { instances min = 1

instances max = 10 } background = yes } id = tac_plus { access log = /var/log/tac_plus/access/%Y%m%d.log accounting log = /var/log/tac_plus/acct/%Y%m%d.log mavis module = external { script out = { # Require group membership: if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK # Don.t cache passwords: if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1 } setenv LDAP_SERVER_TYPE = microsoft setenv LDAP_HOSTS = ldaps://<AD domain>:636 #Insert domain name of AD server setenv LDAP_SCOPE = sub setenv LDAP_BASE = dc=lab,dc=local setenv LDAP_FILTER = (&(objectclass=user)(sAMAccountName=%s)) setenv LDAP_USER = XXXXXX@xxxxx.local # <AD Admin name>@<Domain> setenv LDAP_PASSWD = XXXXXXXX #AD Password setenv REQUIRE_TACACS_GROUP_PREFIX = 1 exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl } login backend = mavis

user backend = mavis pap backend = mavis host = labswitch4 { #Defines host or group of hosts address = ::/0 #insert address for specific host or ::/0 for all prompt = WARNING Unauthorized access prohibited Authorized access only This system is the property of Tenable Network Security. Disconnect IMMEDIATELY if you are not an authorized user! Contact ITS for help.\n failed authentication banner = NOTICE %M%D-%%c-%%C-%%u Failed authentication will be logged and reported enable 15 = clear <some password> #global enable Password key = <some key> #host tacacs key } group = admin { enable = login default service = permit

message =\n You are logged in with Admin Privs\n service = shell { default command = permit default attribute = permit set priv-lvl = 15 } } group = servicedesk { enable = login message = \n You are logged in with Service Desk Privs\n service = shell { cmd = enable {permit .*} cmd = show { permit running-config .* permit ip .* permit version .* deny .* message deny = ************************************************************* *You do not have the privilege level to execute this command* ************************************************************* } } }

group = serv { message = \n You are logged in with Server Group Privs\n enable = login service = shell { cmd = enable {permit .*} cmd = show { permit running-config .* permit ip .* permit version .* deny .* message deny = ************************************************************* *You do not have the privilege level to execute this command* ************************************************************* } } } group = security { message = \n You are logged in with Security Group Privs\n enable = login service = shell { cmd = enable {permit .*} cmd = show { permit running-config .*

permit ip .* permit version .* deny .* message deny = ************************************************************* *You do not have the privilege level to execute this command* ************************************************************* } } } } Cisco AAA configuration aaa new-model ! ! aaa authentication login CONSOLE local aaa authentication login TACSERV group tacacs+ aaa authentication enable default group tacacs+ aaa authorization config-commands aaa authorization exec TACSERV group tacacs+ if-authenticated aaa authorization commands 0 TACSERV group tacacs+ aaa authorization commands 1 TACSERV group tacacs+ aaa authorization commands 15 TACSERV group tacacs+ if-authenticated aaa authorization configuration TACSERV group tacacs+

! ! ! aaa session-id common line con 0 login authentication CONSOLE line vty 0 4 authorization commands 0 TACSERV authorization commands 1 TACSERV authorization commands 15 TACSERV authorization exec TACSERV login authentication TACSERV transport input ssh Setting up Active Directory Security Groups 1. Create 4 security groups in Active Directory named: a. tacacsadmin b. tacacssecurity c. tacacsserv d. tacacsservicedesk NOTE: Tac_Plus truncates the TACACS portion of the above groups. The tacacs portion is used as an identifier. 2. Assign users to each security group to give them access to a restricted set of commands Starting and Stopping the server NOTE: Every time a change must be made to the configuration (tac_plus.cfg) script located in /usr/local/etc the server must be restarted for changes to take effect. 1. Starting the server

a. /etc/init.d/tac_plus start 2. Stopping the server a. /etc/init.d/tac_plus stop 3. Restarting the server a. /etc/init.d/tac_plus restart Troubleshooting 1. LINUX: Netstat lp | grep tac //verify that TACACS is listening on port 49 2. LINUX: Tcpdump nn port 49 //view authentication or authorization traffic 3. LINUX: /usr/local/bin/mavistest d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS <USERNAME> <PASSWORD> Ex./usr/local/bin/mavistest d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS jsmith passW0rd NOTE: Will return output displaying active directory queries. 4. CISCO: debug aaa authentication //displays the aaa authentication attempts and successes 5. CISCO: debug aaa authorization //displays the aaa authorization attempts and successes

You might also like