网络设备AAA认证

1. 交换机配置（以华三交换机为例，v7版本）
   hwtacacs scheme tacacs
   primary authentication 172.18.34.45
   primary authorization 172.18.34.45
   primary accounting 172.18.34.45
   key authentication cipher $c$3$GVL2qE1HsQSyRlEI5UiDXl7Se/giCmx7fXzy
   key authorization cipher $c$3$SQRKlqv25kY6zvoAtPfqkKyr42LdnT57kh7V
   key accounting cipher $c$3$gklXXuVEMVLUcHFL0WX1t33g7BDhXciJRcb2
   user-name-format without-domain
   #
   domain hwtacacs
   authorization command hwtacacs-scheme tacacs
   accounting command hwtacacs-scheme tacacs
   authentication default hwtacacs-scheme tacacs local
   authorization default hwtacacs-scheme tacacs local
   accounting default hwtacacs-scheme tacacs local
   #
   domain default enable hwtacacs
   #
   line vty 0 15
   command authorization
   command accounting
   !
2. 用户管理平台FreeIPA安装
   系统版本 CentOS Linux release 7.3.1611 (Core)，关闭防火墙
   yum install ipa-server bind bind-dyndb-ldap
   echo "172.18.34.45 ipa.test.org ipa" >>/etc/hosts
   ipa-server-install 会自动安装全部默认回车
   https://ipa.test.org/ 安装过程中会提示用户名和输入密码，默认用户admin
   可能会遇到的报错
   如遇到messagebus服务报错，执行以下命令，然后卸载重装。
   https://bugzilla.redhat.com/show_bug.cgi?id=636876
   systemctl restart messagebus
   systemctl start certmonger
   ipa-server-install —uninstall
   ipa-server-install
   日志目录
   tail -f /var/log/dirsrv/slapd-TEST-ORG/access
   tail -f /var/log/dirsrv/slapd-TEST-ORG/errors
   设置IPA：
   
   添加用户
   

添加用户到用户组

3. TACACS 安装配置
   yum install gcc perl-LDAP wget
   wget http://www.pro-bono-publico.de/projects/src/DEVEL.201706241310.tar.bz2
   tar xvfj DEVEL.201706241310.tar.bz2
   cd /PROJECTS
   ./configure
   make && make install
   mkdir /var/log/tac_plus
   mkdir /var/log/tac_plus/access
   mkdir /var/log/tac_plus/acct
   mkdir /var/log/tac_plus/authen
   mkdir /var/log/tac_plus/author
   chmod 760 -R /var/log/tac_plus/
   cp ~/PROJECTS/tac_plus/extra/tac_plus.service /etc/systemd/system/
   systemctl daemon-reload
   cp ~/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
   chmod 660 /usr/local/etc/tac_plus.cfg
   TACACS 配置文件
   #!/usr/local/sbin/tac_plus
   id = spawnd {
   listen = { port = 49 }
   spawn = {
   instances min = 1
   instances max = 10
   }
   background = yes
   }

id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
authentication log = /var/log/tac_plus/authen/%Y%m%d.log
authorization log = /var/log/tac_plus/author/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log

mavis module = external {
    setenv LDAP_SERVER_TYPE = "microsoft"
    setenv LDAP_HOSTS = "ldap://ipa.test.org:389"
    setenv LDAP_SCOPE = "sub"
    setenv LDAP_BASE = "cn=users,cn=accounts,dc=test,dc=org"
    setenv LDAP_FILTER= "(uid=%s)"
    setenv REQUIRE_TACACS_GROUP_PREFIX = 1
    setenv FLAG_USE_MEMBEROF = 1
    exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}

login backend = mavis
user backend = mavis
pap backend = mavis
      skip missing groups = yes
        cache timeout = 21600

host = world {
    address = ::/0
    prompt = "Welcome\n"
    enable 15 = clear secret
    key = XXXX (与交换机key一致)
}

group = admin {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}

group = guest {
    default service = deny
    enable = deny
    service = shell {
        default command = deny
        default attribute = permit
        set priv-lvl = 1
        cmd = display {
              deny diagnostic-information
              permit .*
        }
        cmd = ping { permit .* }
    }
}

}
tacacs服务管理：
systemctl enable tac_plus
systemctl restart tac_plus
systemctl status tac_plus
tacacs日志管理：
access log = /var/log/tac_plus/access/%Y%m%d.log
authentication log = /var/log/tac_plus/authen/%Y%m%d.log
authorization log = /var/log/tac_plus/author/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log