Linux（centos7.9）搭建TACACS+服务器

一、TACACS+是什么

• TACACS+(Terminal Access Controller Access Control System)，终端访问控制器控制系统协议，与Radius协议相近，为网络设备和访问服务器提供身份验证，授权和计费服务。

• TACACS+和RADIUS的比较

  

• 更多细节，自行查看 https://www.h3c.com/cn/d_201309/922099_30005_0.htm

二、linux搭建Radius服务器

以下服务器信息为该文档安装Radius服务环境

服务器信息：CentOS7 

内核版本：3.10.0-1160.el7.x86_64

注意：搭建该服务器单纯为了工作中测试此功能的认证

1.具体安装步骤

wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
sudo yum install rpm-build redhat-rpm-config gcc bison flex m4 pam-devel tcp_wrappers tcp_wrappers-devel
yum -y install perl-Digest-MD5
yum install perl-LDAP
cd PROJECTS
make
make install
mkdir /var/log/tac_plus
mkdir /var/log/tac_plus/access
mkdir /var/log/tac_plus/accounting
mkdir /var/log/tac_plus/authentication
mkdir /var/log/tac_plus/authorization
chmod 755 /var/log/tac_plus
cp tac_plus/extra/tac_plus.service  /etc/systemd/system/

2.创建配置文件

cd /usr/local/etc
touch tac_plus.cfg
chmod 755 tac_plus.cfg
sudo vim tac_plus.cfg

3.编辑配置文件内容

[root@localhost etc]# more tac_plus.cfg 
#!../../../sbin/tac_plus

id = spawnd {
                # tacacs+默认端口为49，wireshark可将目的端口为49的tcp解析为tacacs+报文
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 100
        }
        background = no
}

id = tac_plus {
        #debug = PACKET AUTHEN AUTHOR

        access log = /var/log/tac_plus/access/access.log
        authorization log = /var/log/tac_plus/authorization/authorization.log
        authentication log = /var/log/tac_plus/authentication/authentication.l
og
        accounting log = /var/log/tac_plus/accounting/accounting.log

        host = world {
                address = ::/0
                prompt = "Welcome\n"
                key = "tacacs@123"
        }

        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }

        user = tacacsuser {
                        #使用明文密码
                password = clear tacacs123
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = user1 {
                        #使用密文密码，密文可通过如下命令生成
                #openssl passwd -crypt user123
                password = crypt Ljk4p8tGXkuVw 
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = readonly {
                password = clear readonly
                member = guest
        }
}

4.启动服务

systemctl restart tac_plus
systemctl status tac_plus

 至此，一个简易的TACACS+服务器就部署完成了。