- sudo apt-get update && sudo apt-get upgrade
- sudo apt-get install build-essential libnet-ldap-perl
- cd ~
- wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
- bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
- cd PROJECTS
- sudo make
- sudo make install
- sudo mkdir /var/log/tac_plus
- sudo mkdir /var/log/tac_plus/access
- sudo mkdir /var/log/tac_plus/accounting
- sudo mkdir /var/log/tac_plus/authentication
- stat --format '%a' /var/log/tac_plus
- /usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
- Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
- LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.
- cd /usr/local/etc
- sudo touch tac_plus.cfg
- sudo chmod 755 tac_plus.cfg
- sudo nano tac_plus.cfg
- #!/usr/local/sbin/tac_plus
- id = spawnd {
- listen = { address = 0.0.0.0 port = 49 }
- #Uncomment the line below for IPv6 support
- #listen = { address = :: port = 49 }
- spawn = {
- instances min = 1
- instances max = 10
- }
- background = yes
- }
- id = tac_plus {
- access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
- accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
- authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt
- mavis module = external {
- setenv LDAP_SERVER_TYPE = "microsoft"
- #If you are using Microsoft Global Catalog with LDAP SSL
- #setenv LDAP_HOSTS = "ldaps://10.0.0.100:3269"
- #If you are using Microsoft Global Catalog with LDAP (non-SSL)
- setenv LDAP_HOSTS = "10.0.0.100:3268"
- setenv LDAP_BASE = "DC=domain,DC=name"
- setenv LDAP_SCOPE = sub
- setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
- setenv LDAP_USER = "svc_tacplus@domain.name"
- setenv LDAP_PASSWD = "ServiceAccountPassword"
- #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group
- setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
- #I'm not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does
- setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
- #Clear default setting of tacplus for AD_GROUP_PREFIX
- setenv AD_GROUP_PREFIX = ""
- #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
- setenv REQUIRE_TACACS_GROUP_PREFIX = 0
- #Set USE_TLS to 1 if you are using port 636 or 3269, set to 0 for port 389 or 3268
- setenv USE_TLS = 0
- exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
- }
- login backend = mavis
- user backend = mavis
- pap backend = mavis
- host = world {
- #Allow any IPv4 device
- address = 0.0.0.0/0
- #Uncomment the line below for IPv6 support
- #address = ::/0
- #Uncomment the line below to inject a login prompt
- #prompt = "Put your custom welcome message here.n"
- #Change this to your own secure TACACS+ key
- key = "cisco"
- }
- #Example group that grants admin on Cisco IOS/XE/XR and NX-OS
- group = admin {
- #Permit all services by default
- default service = permit
- #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)
- enable = login
- service = shell {
- #Permit all commands
- default command = permit
- #Permit all command attributes
- default attribute = permit
- #Set privilege level to 15 on IOS/XE
- set priv-lvl = 15
- #Uncomment the line below for NX-OS support
- #set shell:roles=""network-admin vdc-admin""
- #Uncomment the line below for IOS XR support
- #set task = "#root-system"
- }
- }
- #Example AD user mapping
- user = jsmith {
- password = mavis
- member = admin
- }
- }
- /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
- /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS SomeUserName SomeUserPassword
- {mavistest debug output omitted}
- Input attribute-value-pairs:
- TYPE TACPLUS
- TIMESTAMP mavistest-2501-1509172787-0
- USER SomeUserName
- PASSWORD SomeUserPassword
- TACTYPE AUTH
- Output attribute-value-pairs:
- TYPE TACPLUS
- TIMESTAMP mavistest-2501-1509172787-0
- USER SomeUserName
- RESULT ACK
- PASSWORD SomeUserPassword
- SERIAL QrWVmlId0OZADDRU/hy/pw=
- DBPASSWORD SomeUserPassword
- TACMEMBER [List of Active Directory security groups]
- TACTYPE AUTH
- cd /etc/init.d
- sudo cp ~/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
- sudo chmod 755 /etc/init.d/tac_plus
- sudo chown root:root /etc/init.d/tac_plus
- sudo update-rc.d tac_plus defaults
- sudo service tac_plus start
- sudo netstat -tulpen
- Active Internet connections (only servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
- tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 0 25680 1911/tac_plus: 0 co
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 16105 1023/sshd
- tcp6 0 0 :::22 :::* LISTEN 0 16113 1023/sshd
- sudo nano /usr/local/etc/tac_plus.cfg
- sudo service tac_plus stop
- sudo service tac_plus start
- sudo systemctl status tac_plus.service
- sudo journalctl -xe
- /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
- LDAP_SERVER_TYPE
- One of: generic tacacs_schema microsoft
- Default: tacacs_schema
- LDAP_HOSTS
- Space-separated list of LDAP URLs or IP addresses or hostnames
- Examples: "ldap01 ldap02", "ldaps://ads01:636 ldaps://ads02:636"
- LDAP_SCOPE
- LDAP search scope (base, one, sub)
- Default: sub
- LDAP_BASE
- Base DN of your LDAP server
- Example: "dc=example,dc=com"
- LDAP_FILTER
- LDAP search filter
- Defaults depend on LDAP_SERVER_TYPE:
- - generic: "(uid=%s)"
- - tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount))"
- - microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
- LDAP_FILTER_CHPW
- LDAP search filter for password changes
- Defaults depend on LDAP_SERVER_TYPE:
- - generic: "(uid=%s)"
- - tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount)(!(tacacsFlag=staticpasswd)))"
- - microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
- LDAP_USER
- User to use for LDAP bind if server doesn't permit anonymous searches.
- Default: unset
- LDAP_PASSWD
- Password for LDAP_USER
- Default: unset
- AD_GROUP_PREFIX
- An AD group starting with this prefix will be used for tacacs group membership.
- Default: tacacs
- REQUIRE_AD_GROUP_PREFIX
- If set, user needs to be in one of the AD_GROUP_PREFIX groups.
- Default: unset
- UNLIMIT_AD_GROUP_MEMBERSHIP
- If unset, the number of groups a user can be a member of is limited to one.
- Default: unset
- EXPAND_AD_GROUP_MEMBERSHIP
- If set, AD group memberships will be expanded.
- Default: unset
- USE_TLS
- If set, the server is required to support start_tls.
- Default: unset
- FLAG_CHPW
- Permit password changes via this backend.
- Default: unset
- FLAG_PWPOLICY
- Enforce a simplistic password policy.
- Default: unset
- FLAG_CACHE_CONNECTION
- Keep connection to LDAP server open.
- Default: unset
- FLAG_FALLTHROUGH
- If LDAP search fails, try next module (if any).
- Default: unset
- FLAG_USE_MEMBEROF
- Use the memberof attribute for determining group membership.
- Default: unset
- FLAG_AUTHORIZE_ONLY
- Don't attempt to authenticate users.
- ! Example Cisco IOS TACACS+ AAA configuration
- !
- ! Don't forget to change Vlan1 to either the VLAN or physical interface that can
- ! reach your tacplus server
- !
- ! Run "show aaa user all" to verify privilege level after you login
- !
- ! NOTE: It is highly recommended that you turn on service password encryption!
- ! Some IOS images contain bugs that prevent TACACS+ from working unless service
- ! password encryption is enabled!
- aaa new-model
- aaa authentication login default group tacacs+ local
- aaa authentication enable default group tacacs+ enable
- aaa authorization config-commands
- aaa authorization commands 1 default group tacacs+ local if-authenticated
- aaa authorization commands 15 default group tacacs+ local if-authenticated
- aaa authorization exec default group tacacs+ local if-authenticated
- aaa accounting exec default start-stop group tacacs+
- aaa accounting commands 1 default start-stop group tacacs+
- aaa accounting commands 15 default start-stop group tacacs+
- service password-encryption
- ip tacacs source-interface Vlan1
- tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco
- tacacs-server directed-request
- ! Sample Cisco ASA TACACS+ AAA configuration
- ! Don't forget to change (inside) to the interface that can reach your tacplus server
- ! Run "show curpriv" to verify privilege level after you login
- !
- ! NOTE: Please make sure the ASA software image you are running isn't exploitable
- !
- ! See Cisco Advisory ID: cisco-sa-20160210-asa-ike for more information
- ! See Cisco Bug IDs: CSCux29978, CSCux42019 for more information
- !
- ! Cisco TAC will provide a patched image to you free of charge even if you don't have a
- ! service contract! Open a Cisco TAC case with your ASA's serial number and include the
- ! advisory ID as proof of entitlement and they will provide the image file to you!
- aaa-server tacplus protocol tacacs+
- aaa-server tacplus (inside) host IP_OF_TACPLUS_SERVER
- key cisco
- aaa authentication ssh console tacplus LOCAL
- aaa authentication serial console tacplus LOCAL
- aaa authentication enable console tacplus LOCAL
- aaa authentication http console tacplus LOCAL
- aaa accounting command tacplus
- aaa accounting ssh console tacplus
- aaa accounting enable console tacplus
- ! Sample NX-OS aaa tac_plus configuration
- ! Don't forget to change the VRF to one that can reach your tacplus server
- ! Run "show user-account" to verify roles after you login successfully
- tacacs-server directed-request
- tacacs-server host IP_OF_TACPLUS_SERVER key 0 "cisco"
- aaa group server tacacs+ tacplus
- server IP_OF_TACPLUS_SERVER
- use-vrf default
- aaa authentication login default group tacplus local
- aaa authentication login console group tacplus local
- aaa authorization config-commands default group tacplus local
- aaa authorization commands default group tacplus local
- aaa accounting default group tacplus
- ! Example Cisco IOS XR TACACS+ AAA configuration (IOS XR formal syntax)
- ! Don't forget to change the interface/vrf to a pair that can reach your tacplus server
- ! Run "show user tasks" to verify task levels after you login
- tacacs source-interface TenGigE0/0/2/0 vrf default
- tacacs-server host IP_OF_TACPLUS_SERVER port 49
- tacacs-server host IP_OF_TACPLUS_SERVER port 49 key 0 cisco
- tacacs-server host IP_OF_TACPLUS_SERVER port 49 single-connection
- aaa accounting exec default start-stop group tacacs+
- aaa accounting system default start-stop group tacacs+
- aaa accounting commands default start-stop group tacacs+
- aaa authorization exec default group tacacs+ local
- aaa authorization commands default group tacacs+
- aaa authentication login default group tacacs+ local