
TACACS

TACACS+ is a protocol that provides access control for routers, network access servers and other networked computing devices through one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services. TACACS lets a client accept a user name and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD, which is a program running on a host. The server decides whether to accept or reject the request and sends back a response. The TIP then permits or denies access based on that response. In this way the decision process is "opened up": the algorithms and data used to make the decision are entirely under the control of whoever runs the TACACS daemon. Extensions to the protocol provide more kinds of authentication requests and more response codes than the original specification. There are three versions of TACACS; the third is called TACACS+ and is not compatible with the earlier versions.

TACACS+ is a method of exchanging information between a device that provides network access to users (the "TACACS+ client") and a device that holds the authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting. A TACACS-based remote access environment has three main components: the Access Client, the Network Access Server and the TACACS+ Server. The Access Client may be a person dialing into a network that provides connectivity to various sites on the internet (the traditional user role). The Access Client may also be a device, for example an ISDN or dial-on-demand router that connects several users in a small office / home office.

The Network Access Server (NAS) is a device that can recognize and process connection requests coming from outside the "network". When the NAS receives a user's connection request, it may first perform an initial access negotiation with the user (PPP or SLIP). This negotiation establishes some data (user name, password, NAS port number, etc.). The NAS then forwards this data to the TACACS+ authentication server and asks for authentication. The TACACS+ server validates the request and permits the services on the connection. It does so by matching the data in the NAS's request against entries in a well-known, trusted database.

The AAA security model, on which the TACACS+ protocol is based, makes a precise distinction between three separate phases of a user's network access: Authentication, Authorization and Accounting. Each phase can be enabled independently on the NAS, so what the NAS sends to the TACACS+ server depends on the NAS's own configuration. The TACACS+ server may accept the user's authentication or authorization, or reject the user. Based on the TACACS+ server's response, the NAS decides either to establish the connection to the user ("accept user" or "accept packets") or to terminate the user's connection attempt ("reject user" or "reject packets"). Finally, the NAS sends accounting data to the TACACS+ server to document the transaction. This behaviour, together with the basic components described above, is very similar to the RADIUS concept.

TACACS+ packets

A TACACS+ client and a TACACS+ server communicate with TACACS+ packets sent over a TCP/IP network. TACACS+ packets are formatted as specified in The TACACS+ Protocol, version 1.78. To configure Clear Box Server, the essential facts about TACACS+ packets are:

- They carry messages between the TACACS+ client and the TACACS+ server.
- They follow a request/response model: the client sends a request and expects a response from the server. In some cases a "TACACS session" may consist of several requests and replies initiated by a single user.
- Each packet serves one specific purpose: authentication, authorization or accounting.
- Authorization and accounting packets may carry values called "attribute-value pairs". Which attributes may appear in a packet depends on the packet type (authorization or accounting).

TACACS+ defines seven packet types (or "messages"):

- Authentication START: describes the type of authentication to be performed and may contain the user name and some authentication data. The START packet is only ever the first message of a TACACS+ authentication session.
- Authentication REPLY: indicates whether authentication has finished or should continue. If the REPLY says authentication should continue, it also indicates what new information is requested.
- Authentication CONTINUE: sent from the NAS to the server after a REPLY packet has been received; it may contain the requested information.
- Authorization REQUEST: contains a fixed set of fields describing the authenticity of the user or process, and a variable set of arguments describing the services and options for which authorization is requested.
- Authorization RESPONSE: contains a variable set of response arguments (attribute-value pairs) that may restrict or modify the client's actions.
- Accounting REQUEST: conveys the information used to provide the accounting service for the user.
- Accounting REPLY: indicates whether the accounting function on the server was secured or not.

TACACS+ secrets

The TACACS+ "shared secret" is used to encrypt and decrypt TACACS+ packets in the communication between the two devices. The shared secret may be any string of letters and digits. Each shared secret must be configured on both the client and the server. Clear Box Server can be configured to use a default shared secret, which is used when no specific secret is known for a particular client (the Default client secret key setting; change Require client secret key accordingly).
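To make the packet types and the shared-secret handling above concrete, here is an added worked example in Python; it is not code from this report, from Cisco ACS or from Clear Box Server. It builds the Authentication START packet (seq_no 1) and the server's GETPASS REPLY (seq_no 2) of one session, applies the MD5 pseudo-pad that the TACACS+ specification (draft version 1.78, later RFC 8907) derives from the session id, the shared secret, the version and the sequence number, and shows that a peer holding a different secret cannot make sense of the body even though the header stays readable. The session id, user name, port and remote address are constructed values; the key 123456 is the one the report configures.

```python
"""TACACS+ packet framing and shared-secret body obfuscation (added example)."""
import hashlib
import struct

VERSION = 0xC0                    # major 0xC, minor 0 (default)
TAC_PLUS_AUTHEN = 0x01            # authentication START / REPLY / CONTINUE
TAC_PLUS_AUTHOR = 0x02            # authorization REQUEST / RESPONSE
TAC_PLUS_ACCT = 0x03              # accounting REQUEST / REPLY
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear; never set it in production

# Authentication REPLY status codes from the specification
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR"}

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of the specification: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """Prefix an obfuscated body with the header (the header itself is never obfuscated)."""
    enc = obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(enc)) + enc


def build_authen_start(user, port, rem_addr, session_id, key, priv_lvl=1):
    """Authentication START: action LOGIN(1), priv_lvl, authen_type ASCII(1), service LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    return build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)  # seq_no 1 opens the session


def build_authen_reply(status, server_msg, session_id, key, seq_no=2):
    """Authentication REPLY: status, flags, server_msg_len, data_len, server_msg, data."""
    m = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(m), 0) + m
    return build_packet(TAC_PLUS_AUTHEN, seq_no, session_id, body, key)


def parse_packet(pkt, key):
    """Split header and body and remove the obfuscation with the given key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body (wrong key or corrupted packet)")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr = body[off:off + rl]
    return {"action": action, "priv_lvl": priv_lvl, "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"), "rem_addr": rem_addr.decode(errors="replace")}


def parse_authen_reply(body):
    status, flags, ml, dl = struct.unpack("!BBHH", body[:6])
    if 6 + ml + dl != len(body):
        raise ValueError("length fields do not match body (wrong key or corrupted packet)")
    return {"status": AUTHEN_STATUS.get(status, "UNKNOWN"),
            "server_msg": body[6:6 + ml].decode(errors="replace")}


def decode_start_user(pkt, key):
    """Return the user name carried in a START packet, or None if the key does not fit."""
    try:
        return parse_authen_start(parse_packet(pkt, key)["body"])["user"]
    except ValueError:
        return None


def demo():
    key = b"123456"            # the shared secret configured in the report
    session_id = 0x1A2B3C4D    # constructed; a real client picks a random value per session
    start = build_authen_start("cisco", "tty0", "192.168.1.2", session_id, key, priv_lvl=15)
    reply = build_authen_reply(5, "Password: ", session_id, key)   # GETPASS, seq_no 2
    return {
        "header_hex": start[:HEADER.size].hex(),
        "user_right_key": decode_start_user(start, key),
        "user_wrong_key": decode_start_user(start, b"wrong-secret"),
        "reply": parse_authen_reply(parse_packet(reply, key)["body"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the decoded fields of both packets. The pseudo-pad is an MD5 keystream XORed onto the body, not authenticated encryption: it gives no integrity protection, and the header (including the packet type and sequence number) is always in the clear, which is why the specification expects TACACS+ to run only on a protected management network.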
II. Demo setup

PC 2 runs ACS 4.2; its startup screen is as follows:

b. Configuring the TACACS+ server

Step 1: Create the groups. Here we create two groups: the Administrator group with privilege level 15 and the Guest group with privilege level 0. Go to the Group Setup menu.

In the Group Setup window that follows, do the following in order:

- Choose TACACS+ in Jump to
- Check Shell (exec)
- Check Privilege Level and enter the value 15
- Click Submit + Restart

As a result, any user in the Administrator group who connects to the router through the TACACS+ server is granted privilege level 15. The Guest group is configured the same way with privilege level 0.

Step 2: Create the users and add them to the groups. We will create a user named balcony in the Administrator group and a user named Guest in the Guest group. Go to the User menu, enter the name cisco and choose Add/Edit.

In the User Setup screen that follows, enter the following:

- Password Authentication: ACS Internal Database
- Password for the user cisco
- Group for this user: Administrator

The user Guest and the group Guest are created and configured the same way.

Step 3: Configure the AAA server and client. Go to the Network Configuration menu. First configure the AAA client: click Add Entry in the AAA Clients section.

In the next window, enter the following:

- AAA Client Hostname: the router's hostname (router)
- AAA Client IP Address: the router's address, 192.168.1.2
- Key: the key shared between the router and the server (chosen freely, but it must match the value entered later when configuring the router)
- Authentication Using: TACACS+, of course
- Then click Submit + Apply

Next, configure the AAA server: click Add Entry in the AAA Servers section and enter the following values:

- AAA Server Name: any name
- AAA Server IP: the IP address of the machine running TACACS+
- Key: the key agreed on earlier (the same as above, 123456)
- AAA Server Type: TACACS+
- Click Submit + Apply

2. Configuring the router


The main configuration commands are listed below. Note that these commands apply to Cisco IOS 12.05 and later. The tacacs-server host line gives the IP address of the TACACS+ server, and tacacs-server key the key entered above on the server.

router(config)#aaa new-model
router(config)#aaa authentication login default group tacacs+
router(config)#aaa authorization exec default group tacacs+
router(config)#tacacs-server host 20.0.0.2
router(config)#tacacs-server key 123456

3. show run output of the routers

On router R0
r0#sho run
Building configuration...

Current configuration : 2647 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r0
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-0
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-0
 revocation-check none
 rsakeypair TP-self-signed-0
!
crypto pki certificate chain TP-self-signed-0
 certificate self-signed 01
  3082022D 30820196 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  28312630 24060355 0403131D 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 30301E17 0D303230 33303130 30323035 315A170D 32303031
  30313030 30303030 5A302831 26302406 03550403 131D494F 532D5365 6C662D53
  69676E65 642D4365 72746966 69636174 652D3030 819F300D 06092A86 4886F70D
  01010105 0003818D 00308189 02818100 9B73C6A4 1411E43C 99D317DB A81CBAC9
  15AF4F87 79E63D84 10D278FF E981C889 27C7FFE1 8976E54F 92A6E263 9DA630DA
  11308FA4 94357FE3 7A5A7EDD E8E133C8 6E2B7EFE 2D9086FF 6C0B34C3 25BB48D0
  62E3DC8C 39A5E997 D3492978 DC953389 984D7617 56B7A2C8 F12F88AF B8824C9E
  3BECB354 65D7CA4F A825B82B 538FC9FF 02030100 01A36730 65300F06 03551D13
  0101FF04 05300301 01FF3012 0603551D 11040B30 09820752 6F757465 722E301F
  0603551D 23041830 168014FE 02605F6F E7FCDCF6 F4846E26 1078110C A9893530
  1D060355 1D0E0416 0414FE02 605F6FE7 FCDCF6F4 846E2610 78110CA9 8935300D
  06092A86 4886F70D 01010405 00038181 0028F314 56D354C8 770A8806 B61FF97B
  76D088BD 6DFACFB1 6C677F9B 5B8D4213 2E3225C2 71B8ABF9 3EE87B3B A4EB8FEF
  2B0EB139 5167D3B3 5C8CE5B3 1E9BC13F CFA59E6C 6A2C6A42 84C9D681 BBB2C372
  DD1A18BE 984CFBE7 E7936FD1 F434E490 534C031F D0B8EFE7 B92A8FC1 8A46C9D4
  16387070 569E09D9 B5D1066E 478DC8D9 18
  quit
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
router rip
 network 10.0.0.0
 network 172.16.0.0
!
ip http server
ip http authentication local
ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end

r0#

On router r1

r1#sho run
Building configuration...

Current configuration : 2922 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication login telnet_lines group tacacs+
aaa authorization exec default group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-0
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-0
 revocation-check none
 rsakeypair TP-self-signed-0
!
crypto pki certificate chain TP-self-signed-0
 certificate self-signed 01
  3082022D 30820196 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  28312630 24060355 0403131D 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 30301E17 0D303230 33303130 30323333 345A170D 32303031
  30313030 30303030 5A302831 26302406 03550403 131D494F 532D5365 6C662D53
  69676E65 642D4365 72746966 69636174 652D3030 819F300D 06092A86 4886F70D
  01010105 0003818D 00308189 02818100 BBF4F42A 21F79213 392052A3 3F1F9101
  2669763D C5586A14 F67411DF 4FAE17BC C31EC017 6EABAE02 29E54888 2DEA8788
  08556592 2252C2DE 0B149491 ABA7E5AB 97B54024 5EC7EB4B 90FABDB5 A4E65367
  75CB3A88 075BDF60 6228F1A6 711E7F51 A209147E 89D44E04 335B17A7 4A5D5F99
  DD55EF47 2E444812 27E2BFAD 385A653D 02030100 01A36730 65300F06 03551D13
  0101FF04 05300301 01FF3012 0603551D 11040B30 09820752 6F757465 722E301F
  0603551D 23041830 168014FD 0A7BBA83 55C45E3E 77563771 C595465B D4F66130
  1D060355 1D0E0416 0414FD0A 7BBA8355 C45E3E77 563771C5 95465BD4 F661300D
  06092A86 4886F70D 01010405 00038181 00B94FBA 42754584 67BDDE31 E87615D9
  A8D58F30 D52DC630 6994C0B5 D8473E9A 37D6F232 E4624BD3 675191CE 438D3B62
  4D860692 277BE8AB 4DF862CD B6E379A5 A14B65EF 26FFF925 82E1F8A0 E648B421
  BBA4ACC0 B93005A6 F78BF0F2 351A06BD E4DF959A 3CB3FAD1 ABEB1E4D 7675C140
  480D5FFC D91733C9 F40F582E 84A9EE86 D9
  quit
!
username aloblack privilege 15 secret 5 $1$i/fL$Ks8PRsh46nqc3ptqLFmfb0
username cisco privilege 15 password 0 cisco
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/1
 ip address 192.168.1.2 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
router rip
 network 172.16.0.0
 network 192.168.1.0
!
ip http server
ip http authentication local
ip http secure-server
!
tacacs-server host 20.0.0.2 key cisco
tacacs-server directed-request
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
end

r1#

On router r3

Router#sho run
Building configuration...

Current configuration : 986 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
!
interface FastEthernet0/0
 ip address 20.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
router rip
 network 20.0.0.0
 network 192.168.1.0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

Router#

Verification

After the configuration is finished, we test it by telnet.
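The router commands in section 2 and the show run outputs in section 3 can be checked automatically. The following Python script is an added example and not part of the report: it parses a show running-config text into commands and their indented sub-commands and reports the AAA and TACACS+ settings a reviewer would flag. Its sample input consists of abridged, constructed copies of the report's r0 and r1 configurations (certificate block and unused interfaces dropped). The finding texts and the list of checks are my own and are not output of any Cisco tool.

```python
"""Audit of the AAA / TACACS+ settings in a Cisco IOS running-config (added example)."""
import re

# Constructed sample: abridged from the report's r1 output
R1_CONFIG = """\
version 12.4
no service password-encryption
hostname r1
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login telnet_lines group tacacs+
aaa authorization exec default group tacacs+
tacacs-server host 20.0.0.2 key cisco
tacacs-server directed-request
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
end
"""

# Constructed sample: abridged from the report's r0 output (no AAA at all)
R0_CONFIG = """\
version 12.4
hostname r0
no aaa new-model
ip http server
ip http authentication local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
end
"""


def parse_ios(text):
    """Return a list of (command, [sub-commands]) from a show running-config text.
    IOS indents sub-commands by one space; '!' lines are separators and are skipped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_aaa(text):
    """Return a list of finding strings; an empty list means no weak setting was seen."""
    blocks = parse_ios(text)
    top = [cmd for cmd, _ in blocks]
    findings = []

    if "aaa new-model" not in top:
        findings.append("aaa new-model is not enabled: TACACS+ authentication and authorization are not in effect")

    # Method lists: the last method is the fallback used when TACACS+ does not answer
    login_lists = {}
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    for name, methods in login_lists.items():
        if methods and methods[-1] == "none":
            findings.append(f"login list '{name}' falls back to 'none': no authentication if TACACS+ is unreachable")

    has_exec_authz = any(cmd.startswith("aaa authorization exec") for cmd in top)
    if "aaa new-model" in top and not has_exec_authz:
        findings.append("no 'aaa authorization exec': the per-group privilege level from the server is not applied")

    if any(cmd.startswith("tacacs-server") for cmd in top) and "no service password-encryption" in top:
        findings.append("tacacs-server key is stored in clear text (no service password-encryption)")

    # Line sections: which named lists are actually applied, and how sessions are admitted
    applied_lists = set()
    for cmd, children in blocks:
        if not cmd.startswith("line "):
            continue
        for child in children:
            m = re.match(r"login authentication (\S+)", child)
            if m:
                applied_lists.add(m.group(1))
            if child.startswith("transport input") and "telnet" in child.split():
                findings.append(f"{cmd}: telnet allowed; the login exchange crosses the network in clear text")
            if child == "privilege level 15" and not has_exec_authz:
                findings.append(f"{cmd}: every session gets privilege 15 without exec authorization")
    for name in login_lists:
        if name != "default" and name not in applied_lists:
            findings.append(f"login list '{name}' is defined but applied to no line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("r1", R1_CONFIG), ("r0", R0_CONFIG)):
        print(label)
        for f in audit_aaa(cfg):
            print("  -", f)
```

On the r1 sample it reports the none fallback of the default login list, the clear-text tacacs-server key, telnet on the vty lines and the unused telnet_lines list; on r0 it reports the missing aaa new-model and the unconditional privilege level 15 on the vty lines. The usual corrections are a local fallback method (group tacacs+ local) backed by a local emergency account instead of none, service password-encryption so the key is not shown in clear text, and transport input ssh on the vty lines.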

Wireshark capture of the TACACS+ packets: