TACACS+ switch configuration by vendor


The following is a collection of TACACS+ authentication configurations for switches from common vendors.

Approach to configuring TACACS+ authentication on a switch

  1. Enable TACACS+ authentication globally on the switch
  2. Configure the TACACS+ template: mainly the server address, port, and shared key
  3. Configure the TACACS+ authentication, authorization, and accounting lists
  4. Apply the TACACS+ authentication method globally
  5. Apply the TACACS+ authentication method under the vty and console lines
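
The five steps above are also what an audit of an exported configuration should verify. As an added example that is not part of the original post, the Python script below parses an IOS-style (Cisco, Ruijie or Arista dialect) configuration and reports which steps are missing; it does not understand the Huawei/H3C syntax. The embedded sample configuration is constructed for this example with two deliberate gaps (the named list "vty" is never applied under the vty lines, and there is no local-only list for console access), and the FIXED_CONFIG variant shows a clean run. The function names parse_config and audit are this example's own.

```python
"""Audit an IOS-style (Cisco/Ruijie/Arista) TACACS+ AAA configuration against
the five-step checklist: global enable, server template with key, AAA lists,
TACACS+ with local fallback, and application on vty/console lines."""
import re

# Constructed sample (not taken from a real device). Two deliberate gaps:
#   * the named login list 'vty' is never applied under 'line vty 0 15'
#   * there is no local-only login list for the console
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.147.135 port 49 key tacacs@123
tacacs-server timeout 3
aaa authentication login vty group tacacs+ local
aaa authorization exec execauth group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 commaccout start-stop group tacacs+
line vty 0 15
 exec-timeout 60 0
 authorization exec execauth
 accounting commands 15 commaccout
"""

# Same configuration with both gaps closed.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " exec-timeout 60 0\n", " login authentication vty\n exec-timeout 60 0\n"
) + "aaa authentication login console local\n"


def parse_config(text):
    """Split config text into (command, parent) pairs; parent is the enclosing
    top-level mode line (e.g. 'line vty 0 15') or None for global commands."""
    entries, parent = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and '!' comments
        if raw[0] in " \t":
            entries.append((raw.strip(), parent))
        else:
            parent = raw.strip()
            entries.append((parent, None))
    return entries


def audit(text):
    """Return a list of findings; an empty list means every step is satisfied."""
    entries = parse_config(text)
    top = [cmd for cmd, parent in entries if parent is None]
    findings = []

    # Step 1: AAA / TACACS+ enabled globally
    if not any(c in ("aaa new-model", "feature tacacs+") for c in top):
        findings.append("step1: AAA not globally enabled")

    # Step 2: server template must name a server and carry a shared key
    hosts = [c for c in top if c.startswith("tacacs-server host ")]
    if not hosts:
        findings.append("step2: no tacacs-server host configured")
    for h in hosts:
        if not re.search(r"\bkey\s+(?:[07]\s+)?\S+", h):
            findings.append(f"step2: server without shared key: '{h}'")

    # Step 3: authentication, authorization and accounting lists exist
    auth_lists = {}
    for c in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", c)
        if m:
            auth_lists[m.group(1)] = m.group(2).split()
    if not auth_lists:
        findings.append("step3: no login authentication list")
    if not any(c.startswith("aaa authorization commands") for c in top):
        findings.append("step3: no command authorization list")
    if not any(c.startswith("aaa accounting") for c in top):
        findings.append("step3: no accounting list")

    # Step 4: lists that use a TACACS+ server group must end with 'local',
    # otherwise an unreachable server locks every administrator out
    tacacs_lists = [n for n, m in auth_lists.items() if "group" in m]
    for name in tacacs_lists:
        if auth_lists[name][-1] != "local":
            findings.append(f"step4: list '{name}' has no local fallback")
    if not tacacs_lists:
        findings.append("step4: no login list uses a TACACS+ server group")

    # Step 5: every vty line must apply a TACACS+ list (explicitly or via the
    # 'default' list); the console keeps a local-only list for recovery
    for vty in (c for c in top if c.startswith("line vty")):
        applied = [cmd.split()[-1] for cmd, p in entries
                   if p == vty and cmd.startswith("login authentication ")]
        used = applied[0] if applied else "default"
        if used not in tacacs_lists:
            findings.append(f"step5: '{vty}' uses list '{used}', which does not use TACACS+")
    if not any(m == ["local"] for m in auth_lists.values()):
        findings.append("step5: no local-only list for console access")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The audit treats a missing `login authentication` under a vty line as use of the `default` list, which is what IOS-style platforms do; if no TACACS+-backed `default` list exists, the named list is silently unused, which is exactly the kind of gap that leaves a device on local passwords without anyone noticing.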

Huawei switch TACACS+ authentication configuration

[Huawei]
# Enable TACACS+ authentication
hwtacacs enable
# Configure the TACACS+ server template
hwtacacs server template acs
hwtacacs server authentication 192.168.147.135 49 shared-key tacacs@123
hwtacacs server authorization 192.168.147.135 49 shared-key tacacs@123
hwtacacs server accounting 192.168.147.135 49 shared-key tacacs@123
hwtacacs server user-name domain-excluded
hwtacacs server source-ip 192.168.147.136
hwtacacs server timer response-timeout 3
# Configure local users
aaa
domain system # configure the system domain
quit
# Create a local user
local-user admin password
local-user admin service-type terminal telnet ssh
local-user admin level 3
#
authentication-scheme acs
authentication-mode hwtacacs local
#
authorization-scheme acs
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs local
authorization-cmd 1 hwtacacs local
authorization-cmd 2 hwtacacs local
authorization-cmd 3 hwtacacs local
authorization-cmd 4 hwtacacs local
authorization-cmd 5 hwtacacs local
authorization-cmd 6 hwtacacs local
authorization-cmd 7 hwtacacs local
authorization-cmd 8 hwtacacs local
authorization-cmd 9 hwtacacs local
authorization-cmd 10 hwtacacs local
authorization-cmd 11 hwtacacs local
authorization-cmd 12 hwtacacs local
authorization-cmd 13 hwtacacs local
authorization-cmd 14 hwtacacs local
authorization-cmd 15 hwtacacs local
#
accounting-scheme acs
accounting-mode hwtacacs
#
domain acs
authentication-scheme acs
authorization-scheme acs
accounting-scheme acs
hwtacacs server acs
#
recording-scheme acs
#
system recording-scheme acs
#
outbound recording-scheme acs
#
cmd recording-scheme acs
default-domain admin acs
#
# Apply AAA authentication on the console line
user-interface con 0
authentication-mode aaa
idle-timeout 10 0
# Apply TACACS+ authentication on the vty lines
user-interface vty 0 4
acl 3900 inbound
authentication-mode aaa
user privilege level 3

H3C switch TACACS+ authentication configuration

[H3C]
# Enable the SSH server
ssh server enable
# Configure the TACACS+ scheme
hwtacacs scheme acs
primary authentication 192.168.147.135 49 single-connection key simple tacacs@123
primary authorization 192.168.147.135 49 single-connection key simple tacacs@123
primary accounting 192.168.147.135 49 single-connection key simple tacacs@123
user-name-format without-domain
timer response-timeout 3
nas-ip 192.168.147.134
#
domain acs
authentication default hwtacacs-scheme acs local
authorization default hwtacacs-scheme acs local
accounting default hwtacacs-scheme acs local
#
domain system
# Use the TACACS+ domain as the global default
domain default enable acs
# Configure a local user
local-user admin class manage
password simple Admin@123
service-type ssh terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
# Apply TACACS+ authentication on the vty lines
line vty 0 63
authentication-mode scheme
user-role network-admin
protocol inbound ssh
command authorization
command accounting

Ruijie switch TACACS+ authentication configuration

Ruijie#
! Create a local user
username admin privilege 15 password Admin@123
! Enable AAA
aaa new-model
! Configure the TACACS+ server
ip tacacs source-interface loopback 0
tacacs-server host 192.168.147.135 port 49 key tacacs@123
! Configure the authentication, authorization and accounting lists
aaa authentication login vty group tacacs+ local
aaa authorization exec execauth group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec execaccount start-stop group tacacs+
aaa accounting commands 0 commaccout start-stop group tacacs+
aaa accounting commands 1 commaccout start-stop group tacacs+
aaa accounting commands 2 commaccout start-stop group tacacs+
aaa accounting commands 3 commaccout start-stop group tacacs+
aaa accounting commands 4 commaccout start-stop group tacacs+
aaa accounting commands 5 commaccout start-stop group tacacs+
aaa accounting commands 6 commaccout start-stop group tacacs+
aaa accounting commands 7 commaccout start-stop group tacacs+
aaa accounting commands 8 commaccout start-stop group tacacs+
aaa accounting commands 9 commaccout start-stop group tacacs+
aaa accounting commands 10 commaccout start-stop group tacacs+
aaa accounting commands 11 commaccout start-stop group tacacs+
aaa accounting commands 12 commaccout start-stop group tacacs+
aaa accounting commands 13 commaccout start-stop group tacacs+
aaa accounting commands 14 commaccout start-stop group tacacs+
aaa accounting commands 15 commaccout start-stop group tacacs+
aaa authorization config-commands
! Apply TACACS+ authentication on the vty lines
line vty 0 15
exec-timeout 60 0
accounting exec execaccount
accounting commands 0 commaccout
accounting commands 1 commaccout
accounting commands 2 commaccout
accounting commands 3 commaccout
accounting commands 4 commaccout
accounting commands 5 commaccout
accounting commands 6 commaccout
accounting commands 7 commaccout
accounting commands 8 commaccout
accounting commands 9 commaccout
accounting commands 10 commaccout
accounting commands 11 commaccout
accounting commands 12 commaccout
accounting commands 13 commaccout
accounting commands 14 commaccout
accounting commands 15 commaccout
authorization exec execauth
login authentication vty

Cisco switch TACACS+ authentication configuration

Cisco#
! Enable TACACS+
feature tacacs+
! Configure a local user
username admin password 0 Admin@123 role network-admin

ip domain-lookup
ip tacacs source-interface loopback0
tacacs-server timeout 3
tacacs-server host 192.168.147.135 key 0 tacacs@123 port 49
aaa group server tacacs+ tacacs-server
server 192.168.147.135
! Apply TACACS+ authentication globally
aaa authentication login default group tacacs-server local
aaa authentication login console local
aaa authorization config-commands default group tacacs-server local
aaa authorization commands default group tacacs-server local
aaa accounting default group tacacs-server

Arista switch TACACS+ authentication configuration

Arista#
! Configure the TACACS+ server
tacacs-server timeout 3
tacacs-server host 192.168.147.135 port 49 key tacacs@123
! Use TACACS+ for authentication, authorization and accounting
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication login console local
aaa authorization commands all default group tacacs+ local
aaa accounting commands all default start-stop group tacacs+
!
no aaa root
! Configure a local user
username admin privilege 15 role network-admin secret 0 Admin@123
!
ip tacacs source-interface Loopback0

How to bypass TACACS+ authentication and use local authentication?

H3C switches:

H3C switches have a system domain by default, so you can authenticate locally by logging in with a local switch user and an explicit domain name.

For example, with local user admin on the switch:

ssh admin@system@x.x.x.x, then enter the local user's password to bypass TACACS+ authentication.

Huawei switches:

Huawei switches have no system domain by default; once a TACACS+ server is configured, authentication can only go through the TACACS+ server. To bypass TACACS+ authentication, a domain for local authentication has to be configured on the switch in advance.

For example, create a system domain on the Huawei switch; when local authentication is needed, log in with the local username admin plus the domain name to authenticate locally and bypass TACACS+.

domain system # create the system domain
ssh admin@system@x.x.x.x # enter the local user's password to bypass TACACS+ authentication

Ruijie switches:

Ruijie switches require an authentication source interface; switches generally authenticate in-band or out-of-band. If the interface used as the authentication source cannot reach the TACACS+ server, the switch's local account can be used for authentication: enter the local user's password and local authentication succeeds while TACACS+ authentication is unavailable.

ssh admin@x.x.x.x # enter the local user's password; local authentication succeeds while TACACS+ authentication is unavailable

Newer Ruijie software generally supports AAA server reachability detection with automatic in-band/out-of-band switching.

no ip tacacs source-interface mgmt 0 (the authentication source interface has to be removed).

> tacacs-server host oob 192.168.147.135 port 49 key XXX // use out-of-band communication first
> tacacs-server host 192.168.147.135 port 49 key XXX // switch to in-band once out-of-band has timed out
> tacacs-server timeout 3 // required: AAA server timeout of 3 seconds; switch over after the timeout
> tacacs-server deadtime 5 // required: recovery time for a dead AAA server is 5 minutes

Arista switches:

Arista switch authentication behaves the same as on Ruijie switches.

