Installing and Configuring TACACS+ with a Cisco Router on Debian 8 Jessie


Technology today relies heavily on networking devices and on the correct configuration of those devices. Administrators are responsible for ensuring not only that configuration changes are tested before they are implemented, but also that any change to a device is made by a person who is authorized to make it, and that the change is logged.

This security principle is known as AAA (Triple-A): Authentication, Authorization, and Accounting. There are two prominent systems that provide AAA functions so that administrators can secure access to devices and to the networks those devices operate on.

RADIUS (Remote Access Dial In User Service) and TACACS+ (Terminal Access Controller Access Control System).

RADIUS is traditionally used to authenticate users for access to the network, whereas TACACS is traditionally used for device administration. One of the big differences between the two protocols is the ability of TACACS to separate the AAA functions into independent functions.

The benefit of the way TACACS separates the AAA functions is that a user's ability to execute particular commands can be controlled. This is very useful for organizations that want to give networking staff or other IT administrators different command privileges at a more granular level.

This article will walk through setting up a Debian system to act as a TACACS+ server. It assumes the following:

  1. Debian 8 installed and configured with network connectivity. Please read this article on how to install Debian 8.
  2. A Cisco 2940 network switch (most other Cisco devices will also work, but the commands on the switch/router may vary).

Installing the TACACS+ software on Debian 8

The first step in setting up this new TACACS server is obtaining the software from the repository. This is easily accomplished with the 'apt' command.

# apt-get install tacacs+

The above command will install the server and start the service on port 49. This can be verified with a number of tools.

# lsof -i :49
# netstat -ltp | grep tac

Both of these commands should return a line showing TACACS listening on port 49 on this system.

At this point TACACS is listening for connections on this machine. Now it is time to configure the TACACS service and its users.

Configuring the TACACS Service and Users

It is generally a good idea to bind a service to a specific IP address if the server has several addresses. To accomplish this, the default daemon options can be changed to specify an IP address.

# nano /etc/default/tacacs+

This file specifies all of the daemon settings the TACACS system should start with. The default entry only specifies the configuration file. By adding the '-B' argument to this file, a specific IP address can be given for TACACS to listen on.

DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf " - Original Line
DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -B X.X.X.X " - New line, where X.X.X.X is the IP address to listen on

Special note on Debian: for some reason, attempting to restart the TACACS+ service so that it reads the new daemon options did not work (via service tacacs_plus restart).

The issue here appears to be that when TACACS is started via the init script, the PID file is hard-coded as PIDFILE=/var/run/tac_plus.pid, yet when -B X.X.X.X is declared as a daemon option, the daemon changes the name of its pid file to /var/run/tac_plus.pid.X.X.X.X.

I am not sure whether this is a bug or not, but to work around the issue for the time being, one can manually set PIDFILE in the init script by changing the line to PIDFILE=/var/run/tac_plus.pid.X.X.X.X, where X.X.X.X is the IP address TACACS should listen on, and then start the service with:

# service tacacs_plus start
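The mismatch described above is easy to check for before restarting the service. The following shell script is an added example, not part of the original article: it derives the pid file name that tac_plus will use from the DAEMON_OPTS line in /etc/default/tacacs+ and compares it with the PIDFILE= line in the init script (assumed to live at /etc/init.d/tacacs_plus; the file contents used in the test are constructed, not taken from a real system).

```shell
#!/bin/sh
# Added example (not from the original article). Derives the pid file that
# tac_plus writes for a given DAEMON_OPTS value and compares it with the
# PIDFILE= line of the init script, so the restart failure described in the
# article is caught before "service tacacs_plus restart" is attempted.
# Paths are assumptions taken from the article; /etc/init.d/tacacs_plus is
# an assumed location for the init script.

# Print the pid file tac_plus uses: the base name, with ".X.X.X.X" appended
# when "-B X.X.X.X" is present in the daemon options.
expected_pidfile() {
    opts="$1"
    base="/var/run/tac_plus.pid"
    bind_addr=$(printf '%s\n' "$opts" | sed -n 's/.*-B[[:space:]]*\([0-9.]*\).*/\1/p')
    if [ -n "$bind_addr" ]; then
        printf '%s.%s\n' "$base" "$bind_addr"
    else
        printf '%s\n' "$base"
    fi
}

# Read the DAEMON_OPTS value (double-quoted) from a /etc/default/tacacs+ style file.
read_daemon_opts() {
    sed -n 's/^DAEMON_OPTS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Read the PIDFILE= value from an init script.
read_init_pidfile() {
    sed -n 's/^PIDFILE=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Return 0 when the init script's PIDFILE matches what the daemon will write,
# 1 otherwise; both values are printed so the operator can see the mismatch.
check_pidfile_consistency() {
    defaults_file="$1"
    init_script="$2"
    want=$(expected_pidfile "$(read_daemon_opts "$defaults_file")")
    have=$(read_init_pidfile "$init_script")
    if [ "$want" = "$have" ]; then
        echo "OK: init script PIDFILE=$have matches the daemon"
        return 0
    fi
    echo "MISMATCH: daemon will write $want but the init script uses $have"
    return 1
}

# Usage on a real system (assumed paths):
#   check_pidfile_consistency /etc/default/tacacs+ /etc/init.d/tacacs_plus
```

Run the check after editing /etc/default/tacacs+ and again after adjusting the init script; a non-zero exit status means the init script would still look for the wrong pid file.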

After restarting the service, the lsof command can be used again to confirm that the TACACS service is listening on the correct IP address.

# lsof -i :49

As seen above, TACACS is now listening on the specific IP address configured in the TACACS defaults file. At this point, users with specific command sets need to be created.

This information is handled by another file: '/etc/tacacs+/tac_plus.conf'. Open this file with a text editor to make the appropriate changes.

# nano /etc/tacacs+/tac_plus.conf

This file is where all of the TACACS specifications should reside (user permissions, access control lists, host keys, and so on). The first thing that needs to be created is a key for the network devices.

There is a lot of flexibility in this step. A single key can be configured for all network devices, or multiple keys can be configured on a per-device basis. The choice is up to the user, but this guide will use a single key for simplicity.

key = "super_secret_TACACS+_key"

Once a key has been set, groups should be built that specify the permissions users will later be assigned. Creating groups makes delegating permissions easier. Below is an example that grants full administrative rights.

group = admins {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

  1. The group name is specified by the line 'group = admins', with admins being the name of the group.
  2. The line 'default service = permit' indicates that if a command is not explicitly denied, it is implicitly allowed.
  3. 'service = exec { priv-lvl = 15 }' allows privilege level 15 in exec mode on the Cisco device (privilege level 15 is the highest on Cisco equipment).

Now a user needs to be assigned to the admins group.

user = rob {
       member = admins
       login = des mjth124WPZapY
}

  1. The 'user = rob' stanza allows the username rob to access certain resources.
  2. 'member = admins' tells TACACS+ to refer back to the group called admins for the list of things this user is allowed to do.
  3. The last line, 'login = des mjth124WPZapY', is the encrypted password this user authenticates with (feel free to run a cracker against this great example of a complex password)!

Important: it is generally best practice to put encrypted passwords in this file rather than clear text, as it adds a little more security should someone who should not have access read the file.

A good preventative measure for this is to at least remove world read access on the configuration file as well. This can be done with the following commands:

# chmod o-r /etc/tacacs+/tac_plus.conf
# service tacacs_plus reload
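The two points just made, no clear-text passwords and no world-readable configuration file, are worth checking mechanically. The shell script below is an added example and not part of the original article or of the tacacs+ package: it writes a constructed sample tac_plus.conf (the admins group from above plus a hypothetical netops group that shows the per-command authorization the article mentions as the strength of TACACS+, and a hypothetical user alice with a clear-text password so the check has something to find), then audits a configuration file for clear-text 'login = cleartext' entries, world read permission, and a missing shared key. The netops group syntax ('default service = deny' and 'cmd = show { permit .* }') is standard tac_plus.conf syntax but is not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original article). A small audit of a
# tac_plus.conf file for the weaknesses discussed in the text: clear-text
# passwords and a world-readable file, plus a check that a shared key exists.
# The sample configuration is constructed for this demonstration.

# Write a constructed sample configuration to the given path (demo data only).
# "netops" is a hypothetical group restricted to "show" commands at privilege
# level 1; "alice" is a hypothetical user with a clear-text password.
write_sample_config() {
    cat > "$1" <<'EOF'
key = "super_secret_TACACS+_key"

group = admins {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

# Operators who may only run "show" commands at privilege level 1.
group = netops {
        default service = deny
        service = exec {
                priv-lvl = 1
        }
        cmd = show {
                permit .*
        }
}

user = rob {
        member = admins
        login = des mjth124WPZapY
}

user = alice {
        member = netops
        login = cleartext notsosecret
}
EOF
}

# Print the number of users whose password is stored in clear text.
count_cleartext_logins() {
    grep -c '^[[:space:]]*login[[:space:]]*=[[:space:]]*cleartext' "$1" || true
}

# Return 0 when "others" have no read permission on the file, 1 otherwise.
# Column 8 of "ls -l" output is the other-read bit, which is portable sh.
not_world_readable() {
    other_read=$(ls -ld "$1" | cut -c8)
    [ "$other_read" != "r" ]
}

# Return 0 when a shared key statement is present, 1 otherwise.
has_key() {
    grep -q '^[[:space:]]*key[[:space:]]*=' "$1"
}

# Run all checks; the return value is the number of findings (0 means clean).
audit_tac_plus_conf() {
    conf="$1"
    findings=0
    n=$(count_cleartext_logins "$conf")
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n user(s) with clear-text passwords in $conf"
        findings=$((findings + 1))
    fi
    if ! not_world_readable "$conf"; then
        echo "FINDING: $conf is world-readable (fix: chmod o-r $conf)"
        findings=$((findings + 1))
    fi
    if ! has_key "$conf"; then
        echo "FINDING: no shared key defined in $conf"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on a real system: audit_tac_plus_conf /etc/tacacs+/tac_plus.conf
```

The audit only reads the file, so it can be run from cron or a configuration-management check; a non-zero exit status is the number of findings. Note that 'login = des' entries are the classic crypt(3) DES format, which is what the article's example uses.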

At this point the server side is ready for connections from the network devices. Let's head over to the Cisco switch now and configure it to communicate with this Debian TACACS+ server.