Other articles in this series:
TACACS+ Protocol Principles
TACACS+ Server Setup and Configuration in Detail
TACACS+ Switch Configuration by Vendor
TACACS+ Protocol Packet Capture Examples
Below is a compilation of TACACS+ authentication configurations for switches from common vendors.
Switch TACACS+ authentication: configuration approach
1. Enable TACACS+ globally on the switch.
2. Configure the TACACS+ template (Huawei template, H3C scheme, or tacacs-server host on Cisco/Arista/Ruijie), mainly the server address, port (TCP 49) and shared key.
3. Configure the TACACS+ authentication, authorization and accounting lists (schemes).
4. Apply the TACACS+ methods globally (default domain or default method list).
5. Apply them under the VTY and console lines.
Two points apply to every vendor below. First, the trailing local method in a list such as "group tacacs+ local" or "hwtacacs local" is consulted only when the TACACS+ server does not answer within the timeout; a server that answers and rejects the credentials does not fall through to the local database. Second, the examples show keys and passwords in plaintext (simple, key 0) for readability; production configurations should use the vendor's cipher or hashed forms so they are not readable in the running configuration.
Huawei switch TACACS+ authentication configuration
[Huawei]
hwtacacs enable
hwtacacs server template acs
hwtacacs server authentication 192.168.147.135 49 shared-key tacacs@123
hwtacacs server authorization 192.168.147.135 49 shared-key tacacs@123
hwtacacs server accounting 192.168.147.135 49 shared-key tacacs@123
hwtacacs server user-name domain-excluded
hwtacacs server source-ip 192.168.147.136
hwtacacs server timer response-timeout 3
aaa
domain system
quit
local-user admin password
local-user admin service-type terminal telnet ssh
local-user admin level 3
authentication-scheme acs
authentication-mode hwtacacs local
authorization-scheme acs
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs local
authorization-cmd 1 hwtacacs local
authorization-cmd 2 hwtacacs local
authorization-cmd 3 hwtacacs local
authorization-cmd 4 hwtacacs local
authorization-cmd 5 hwtacacs local
authorization-cmd 6 hwtacacs local
authorization-cmd 7 hwtacacs local
authorization-cmd 8 hwtacacs local
authorization-cmd 9 hwtacacs local
authorization-cmd 10 hwtacacs local
authorization-cmd 11 hwtacacs local
authorization-cmd 12 hwtacacs local
authorization-cmd 13 hwtacacs local
authorization-cmd 14 hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme acs
accounting-mode hwtacacs
domain acs
authentication-scheme acs
authorization-scheme acs
accounting-scheme acs
hwtacacs server acs
recording-scheme acs
system recording-scheme acs
outbound recording-scheme acs
cmd recording-scheme acs
default-domain admin acs
user-interface con 0
authentication-mode aaa
idle-timeout 10 0
user-interface vty 0 4
acl 3900 inbound
authentication-mode aaa
user privilege level 3
H3C switch TACACS+ authentication configuration
[H3C]
ssh server enable
hwtacacs scheme acs
primary authentication 192.168.147.135 49 single-connection key simple tacacs@123
primary authorization 192.168.147.135 49 single-connection key simple tacacs@123
primary accounting 192.168.147.135 49 single-connection key simple tacacs@123
user-name-format without-domain
timer response-timeout 3
nas-ip 192.168.147.134
domain acs
authentication default hwtacacs-scheme acs local
authorization default hwtacacs-scheme acs local
accounting default hwtacacs-scheme acs local
domain system
domain default enable acs
local-user admin class manage
password simple Admin@123
service-type ssh terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
line vty 0 63
authentication-mode scheme
user-role network-admin
protocol inbound ssh
command authorization
command accounting
Ruijie switch TACACS+ authentication configuration
Ruijie
! Create a local user
username admin privilege 15 password Admin@123
! Enable AAA
aaa new-model
! Configure the TACACS+ server
ip tacacs source-interface loopback 0
tacacs-server host 192.168.147.135 port 49 key tacacs@123
! Configure the authentication, authorization and accounting lists
aaa authentication login vty group tacacs+ local
aaa authorization exec execauth group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec execaccount start-stop group tacacs+
aaa accounting commands 0 commaccout start-stop group tacacs+
aaa accounting commands 1 commaccout start-stop group tacacs+
aaa accounting commands 2 commaccout start-stop group tacacs+
aaa accounting commands 3 commaccout start-stop group tacacs+
aaa accounting commands 4 commaccout start-stop group tacacs+
aaa accounting commands 5 commaccout start-stop group tacacs+
aaa accounting commands 6 commaccout start-stop group tacacs+
aaa accounting commands 7 commaccout start-stop group tacacs+
aaa accounting commands 8 commaccout start-stop group tacacs+
aaa accounting commands 9 commaccout start-stop group tacacs+
aaa accounting commands 10 commaccout start-stop group tacacs+
aaa accounting commands 11 commaccout start-stop group tacacs+
aaa accounting commands 12 commaccout start-stop group tacacs+
aaa accounting commands 13 commaccout start-stop group tacacs+
aaa accounting commands 14 commaccout start-stop group tacacs+
aaa accounting commands 15 commaccout start-stop group tacacs+
aaa authorization config-commands
! Apply TACACS+ authentication, authorization and accounting on the VTY lines
line vty 0 15
exec-timeout 60 0
accounting exec execaccount
accounting commands 0 commaccout
accounting commands 1 commaccout
accounting commands 2 commaccout
accounting commands 3 commaccout
accounting commands 4 commaccout
accounting commands 5 commaccout
accounting commands 6 commaccout
accounting commands 7 commaccout
accounting commands 8 commaccout
accounting commands 9 commaccout
accounting commands 10 commaccout
accounting commands 11 commaccout
accounting commands 12 commaccout
accounting commands 13 commaccout
accounting commands 14 commaccout
accounting commands 15 commaccout
authorization exec execauth
login authentication vty
Cisco switch TACACS+ authentication configuration (NX-OS syntax: feature tacacs+ and role are NX-OS commands)
Cisco
! Enable the TACACS+ feature
feature tacacs+
! Configure a local user
username admin password 0 Admin@123 role network-admin
!
ip domain-lookup
ip tacacs source-interface loopback0
tacacs-server timeout 3
tacacs-server host 192.168.147.135 key 0 tacacs@123 port 49
aaa group server tacacs+ tacacs-server
server 192.168.147.135
! Apply TACACS+ authentication globally (the console keeps local authentication)
aaa authentication login default group tacacs-server local
aaa authentication login console local
aaa authorization config-commands default group tacacs-server local
aaa authorization commands default group tacacs-server local
aaa accounting default group tacacs-server
Arista switch TACACS+ authentication configuration
Arista
! Configure the TACACS+ server
tacacs-server timeout 3
tacacs-server host 192.168.147.135 port 49 key tacacs@123
! Use TACACS+ for authentication, authorization and accounting
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication login console local
aaa authorization commands all default group tacacs+ local
aaa accounting commands all default start-stop group tacacs+
!
no aaa root
! Configure a local user
username admin123 privilege 15 role network-admin secret 0 Admin@123
!
ip tacacs source-interface Loopback0
!
How to bypass TACACS+ authentication and use local authentication?
H3C switches:
H3C switches have a built-in system domain. As long as that domain is left on local authentication, you can log in with a local user and an explicit domain name to be authenticated locally.
Example: the switch's local user is admin, so log in as
ssh admin@system@x.x.x.x
and enter the local user's password; the login is handled by the system domain and bypasses TACACS+ authentication.
If the H3C switch also applies TACACS+ authentication under the system domain, this cannot be bypassed.
Huawei switches:
Huawei switches have no system domain by default. Once a TACACS+ server is configured in the default domain, authentication goes through the TACACS+ server. To be able to bypass TACACS+, create a domain that uses local authentication in advance.
Example: create a system domain on the Huawei switch; when local authentication is needed, log in with the local username admin plus the domain name, which bypasses TACACS+ authentication:
domain system
ssh admin@system@x.x.x.x
Remember that both domain-based bypasses are reachable by anyone who knows a local username and the domain name, so the local account needs a password as strong as any other and the VTY ACL still has to apply.
Ruijie switches:
Ruijie switches need an authentication source interface; a switch generally authenticates either in-band or out-of-band. If the chosen source interface cannot reach the TACACS+ server, the TACACS+ method times out and the switch's local account can be used: enter the local user's password and local authentication succeeds.
ssh admin@x.x.x.x
Newer Ruijie releases generally support AAA server health detection with automatic in-band/out-of-band switching:
no ip tacacs source-interface mgmt 0 // the fixed source interface must be removed
tacacs-server host oob 192.168.147.135 port 49 key XXX // try out-of-band (management port) first
tacacs-server host 192.168.147.135 port 49 key XXX // when the out-of-band path times out, switch to in-band
tacacs-server timeout 3 // required: 3-second AAA server timeout; the switch-over happens after the timeout
tacacs-server deadtime 5 // required: a dead AAA server is retried after 5 minutes
Arista switches:
Arista switch authentication behaves the same as Ruijie's.
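Because every method list above falls back to local only when the server times out, a wrong shared key on the switch is not a "bypass"; it just produces failed logins while the server is up. The probe below, added here as an example that is not part of the original article or of any vendor's tooling, sends a TACACS+ ASCII-login START (RFC 8907 framing and MD5 pseudo-pad obfuscation) to the server the switches point at and checks that the REPLY deobfuscates consistently with the shared key. A GETPASS or GETUSER reply proves reachability on TCP 49 and key agreement; a body that does not decode is the signature of a key mismatch. The host, port, key and username are the article's lab values and are assumptions of this example; the sample reply used for offline checking is constructed.

```python
"""TACACS+ reachability / shared-key probe (RFC 8907 framing).

Added example, not code from the original article or from any vendor.
Host, port, key and user are the article's lab values (assumptions).
"""
import hashlib
import os
import socket
import struct

HEADER_LEN = 12
TAC_PLUS_VERSION = 0xC0            # major 0xc, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
ACTION_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
# Authentication REPLY status codes (RFC 8907 section 5.2)
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no|prev."""
    seed = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype, seq_no, flags, session_id, body_len):
    return struct.pack("!BBBB4sI", TAC_PLUS_VERSION, ptype, seq_no, flags,
                       session_id, body_len)


def build_authen_start(user, key, session_id, port="vty0", rem_addr="192.168.147.200"):
    """Authentication START for an ASCII login (seq_no 1, priv_lvl 1, no data)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    hdr = build_header(TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def build_authen_reply(status, server_msg, key, session_id, seq_no=2):
    """Encode a REPLY the way a server would (used to construct the offline sample)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    hdr = build_header(TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_reply(packet, key):
    """Return (status_name, server_msg). Raises ValueError when the body does not
    decode consistently, which is what a shared-key mismatch looks like."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBB4sI", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        raise ValueError("unexpected packet type or length")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:      # a cleartext reply is a misconfigured server
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("short body")
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != len(body):
        raise ValueError("body does not decode: shared key mismatch?")
    return REPLY_STATUS[status], body[6:6 + msg_len].decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed by server")
        buf += chunk
    return buf


def probe(host, key, port=49, user="admin", timeout=3.0):
    """Live check (needs network): GETPASS/GETUSER proves the server is reachable
    on port 49 and agrees on the shared key; ValueError means key mismatch."""
    session_id = os.urandom(4)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_authen_start(user, key, session_id))
        hdr = _recv_exact(s, HEADER_LEN)
        body_len = struct.unpack("!I", hdr[8:12])[0]
        packet = hdr + _recv_exact(s, body_len)
    return parse_authen_reply(packet, key)


if __name__ == "__main__":
    # Lab values from the article; the server itself is an assumption here.
    print(probe("192.168.147.135", b"tacacs@123"))
```

Run it from the same network path the switches use (the loopback or management address configured as the TACACS+ source), because a server that is reachable from a laptop but not from the switch's source interface is exactly the situation in which the local fallback silently takes over.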
References:
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101225&lang=zh&idPath=24030814%7C21782165%7C21782236%7C22318638%7C7542409
http://www.h3c.com/cn/d_202004/1280734_30005_0.htm
https://www.arista.com/en/um-eos/eos-section-4-6-tacacs-configuration-examples
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16/sec-usr-tacacs-xe-16-book/sec-cfg-tacacs.html