April 24, 2006 (Mon)

ACS and TACACS+

I did a quick test of how ACS, over TACACS+, authenticates users and assigns them a privilege level. The behaviour is quite involved, and these results show only one slice of it, so try various things for yourself.

<Summary of the ACS settings>
Address: 10.1.1.1
User "aaa" created
In TACACS+ Settings:
Shell checked
Privilege Level => 15
Shell Command Authorization Set => none
       (nothing entered under command either)

<Summary of the router config>
Address: 192.168.1.1
!
aaa new-model
aaa authentication login CON none
aaa authentication login VTY group tacacs+
aaa authorization exec CON none
aaa authorization exec VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
!
line con 0
authorization exec CON
login authentication CON
line vty 0 4
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY

1. Log in

Router#192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: aaa
Password:

Router#
Router#sh privilege
Current privilege level is 15  => confirms the user's privilege level is 15

====================== debug tacacs at login ===================

Router#
19:04:01: TAC+: send AUTHEN/START packet ver=192 id=1566429115
19:04:01: TAC+: Using default tacacs server-group "tacacs+" list.
19:04:01: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:04:01: TAC+: Opened TCP/IP handle 0x7AA79C to 10.1.1.1/49
19:04:01: TAC+: 10.1.1.1 (1566429115) AUTHEN/START/LOGIN/ASCII queued
19:04:01: TAC+: (1566429115) AUTHEN/START/LOGIN/ASCII processed
19:04:01: TAC+: ver=192 id=1566429115 received AUTHEN status = GETUSER
19:04:03: TAC+: send AUTHEN/CONT packet id=1566429115
19:04:03: TAC+: 10.1.1.1 (1566429115) AUTHEN/CONT queued
19:04:03: TAC+: (1566429115) AUTHEN/CONT processed
19:04:03: TAC+: ver=192 id=1566429115 received AUTHEN status = GETPASS
19:04:06: TAC+: send AUTHEN/CONT packet id=1566429115
19:04:06: TAC+: 10.1.1.1 (1566429115) AUTHEN/CONT queued
19:04:06: TAC+: (1566429115) AUTHEN/CONT processed
19:04:06: TAC+: ver=192 id=1566429115 received AUTHEN status = PASS
19:04:06: TAC+: Closing TCP/IP 0x7AA79C connection to 10.1.1.1/49
19:04:06: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:04:06: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:04:06: TAC+: Opened TCP/IP handle 0x7A6BEC to 10.1.1.1/49
19:04:06: TAC+: Opened 10.1.1.1 index=1
19:04:06: TAC+: 10.1.1.1 (1009671158) AUTHOR/START queued
19:04:06: TAC+: (1009671158) AUTHOR/START processed
19:04:06: TAC+: (1009671158): received author response status = PASS_ADD
19:04:06: TAC+: Closing TCP/IP 0x7A6BEC connection to 10.1.1.1/49
19:04:06: TAC+: Received Attribute "priv-lvl=15"
19:04:06: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:04:06: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:04:06: TAC+: Opened TCP/IP handle 0x7AB074 to 10.1.1.1/49
19:04:06: TAC+: Opened 10.1.1.1 index=1
19:04:06: TAC+: 10.1.1.1 (1387140194) ACCT/REQUEST/START queued
19:04:06: TAC+: (1387140194) ACCT/REQUEST/START processed
19:04:06: TAC+: (1387140194): received acct response status = SUCCESS
19:04:06: TAC+: Closing TCP/IP 0x7AB074 connection to 10.1.1.1/49
Router#
====================== debug tacacs at login ===================

2. Run conf t

Router#conf t
Command authorization failed.

Router#

====================== debug tacacs during "conf t" ===================
19:09:05: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:09:05: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:09:05: TAC+: Opened TCP/IP handle 0x7A6BEC to 10.1.1.1/49
19:09:05: TAC+: Opened 10.1.1.1 index=1
19:09:05: TAC+: 10.1.1.1 (2491982009) AUTHOR/START queued
19:09:05: TAC+: (2491982009) AUTHOR/START processed
19:09:05: TAC+: (2491982009): received author response status = FAIL => note this!!!
19:09:05: TAC+: Closing TCP/IP 0x7A6BEC connection to 10.1.1.1/49
====================== debug tacacs during "conf t" ===================

As shown above, the command fails authorization.

So, change the config:

aaa new-model
aaa authentication login CON none
aaa authentication login VTY group tacacs+
aaa authorization exec CON none
aaa authorization exec VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
!
line con 0
authorization exec CON
login authentication CON
line vty 0 4
(authorization commands 15 VTY)  => delete this!
authorization exec VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY

3. Log in

Router#192.168.1.1
Trying 192.168.1.1 ... Open

Username: aaa
Password:

Router#

====================== debug tacacs at login ===================
Router#
19:14:35: TAC+: send AUTHEN/START packet ver=192 id=2077960542
19:14:35: TAC+: Using default tacacs server-group "tacacs+" list.
19:14:35: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:14:35: TAC+: Opened TCP/IP handle 0x7A659C to 10.1.1.1/49
19:14:35: TAC+: 10.1.1.1 (2077960542) AUTHEN/START/LOGIN/ASCII queued
19:14:35: TAC+: (2077960542) AUTHEN/START/LOGIN/ASCII processed
19:14:35: TAC+: ver=192 id=2077960542 received AUTHEN status = GETUSER
19:14:37: TAC+: send AUTHEN/CONT packet id=2077960542
19:14:37: TAC+: 10.1.1.1 (2077960542) AUTHEN/CONT queued
19:14:37: TAC+: (2077960542) AUTHEN/CONT processed
19:14:37: TAC+: ver=192 id=2077960542 received AUTHEN status = GETPASS
19:14:39: TAC+: send AUTHEN/CONT packet id=2077960542
19:14:39: TAC+: 10.1.1.1 (2077960542) AUTHEN/CONT queued
19:14:39: TAC+: (2077960542) AUTHEN/CONT processed
19:14:39: TAC+: ver=192 id=2077960542 received AUTHEN status = PASS
19:14:39: TAC+: Closing TCP/IP 0x7A659C connection to 10.1.1.1/49
19:14:39: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:14:39: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:14:40: TAC+: Opened TCP/IP handle 0x7AB768 to 10.1.1.1/49
19:14:40: TAC+: Opened 10.1.1.1 index=1
19:14:40: TAC+: 10.1.1.1 (2444438463) AUTHOR/START queued
19:14:40: TAC+: (2444438463) AUTHOR/START processed
19:14:40: TAC+: (2444438463): received author response status = PASS_ADD
19:14:40: TAC+: Closing TCP/IP 0x7AB768 connection to 10.1.1.1/49
19:14:40: TAC+: Received Attribute "priv-lvl=15"
19:14:40: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:14:40: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:14:40: TAC+: Opened TCP/IP handle 0x7AC040 to 10.1.1.1/49
19:14:40: TAC+: Opened 10.1.1.1 index=1
19:14:40: TAC+: 10.1.1.1 (3194209579) ACCT/REQUEST/START queued
19:14:40: TAC+: (3194209579) ACCT/REQUEST/START processed
19:14:40: TAC+: (3194209579): received acct response status = SUCCESS
19:14:40: TAC+: Closing TCP/IP 0x7AC040 connection to 10.1.1.1/49
Router#
====================== debug tacacs at login ===================

4. Run conf t

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#  => conf t now works

====================== debug tacacs during "conf t" ===================
Router#
19:14:48: TAC+: using previously set server 10.1.1.1 from group tacacs+
19:14:48: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
19:14:48: TAC+: Opened TCP/IP handle 0x7AC918 to 10.1.1.1/49
19:14:48: TAC+: Opened 10.1.1.1 index=1
19:14:48: TAC+: 10.1.1.1 (3849432849) ACCT/REQUEST/STOP queued
19:14:48: TAC+: (3849432849) ACCT/REQUEST/STOP processed
19:14:48: TAC+: (3849432849): received acct response status = SUCCESS => no FAIL (note this is the accounting record; with "authorization commands 15 VTY" removed from the line, no AUTHOR request is sent for the command at all)
19:14:48: TAC+: Closing TCP/IP 0x7AC918 connection to 10.1.1.1/49
====================== debug tacacs during "conf t" ===================
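Comparing the four captures above by eye works for a handful of lines, but it is easy to miss that the last "conf t" capture contains an accounting record and no authorization exchange. The following Python script is an added example (not from the original post) that parses `debug tacacs` output session by session and reports each session's phase (AUTHEN/AUTHOR/ACCT), final status and any returned attributes. It assumes the message formats seen in the post's captures; other IOS releases may print slightly different text. The sample input is made of excerpts from the captures in this post.

```python
"""Walk Cisco IOS `debug tacacs` output session by session.

Added example, not from the original post. It parses the message shapes that
appear in the post's captures (AUTHEN/START|CONT, AUTHOR/START,
ACCT/REQUEST/START|STOP, 'received ... status = X', 'Received Attribute')
and reports each TACACS+ session's phase and final status, so an AUTHOR FAIL,
or a command that produced only accounting and no authorization request,
is visible at a glance.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}): TAC\+: (?P<msg>.*)$")
# Session id: "id=NNN" on authentication lines, "(NNN)" on author/acct lines.
ID_RE = re.compile(r"(?:\bid=|\()(?P<id>\d+)\)?")
PHASE_RE = re.compile(r"\b(?P<phase>AUTHEN|AUTHOR|ACCT)/(?P<sub>[A-Z/]+)\b")
STATUS_RE = re.compile(
    r"received (?P<kind>AUTHEN|author|acct)(?: response)? status = (?P<status>\w+)"
)
ATTR_RE = re.compile(r'Received Attribute "(?P<attr>[^"]+)"')
KIND_TO_PHASE = {"AUTHEN": "AUTHEN", "author": "AUTHOR", "acct": "ACCT"}


def parse_sessions(lines):
    """Map session id -> dict(phase, sub, statuses, attrs, first_ts), in order seen."""
    sessions = OrderedDict()
    last_id = None  # attribute lines carry no id; they belong to the session just closed
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, non-TACACS output
        ts, msg = m.group("ts"), m.group("msg")
        am = ATTR_RE.search(msg)
        if am and last_id in sessions:
            sessions[last_id]["attrs"].append(am.group("attr"))
            continue
        im = ID_RE.search(msg)
        if not im:
            continue  # TCP open/close housekeeping, no session id
        sid = im.group("id")
        last_id = sid
        s = sessions.setdefault(
            sid, {"phase": None, "sub": None, "statuses": [], "attrs": [], "first_ts": ts}
        )
        pm = PHASE_RE.search(msg)
        if pm and s["phase"] is None:
            s["phase"], s["sub"] = pm.group("phase"), pm.group("sub")
        sm = STATUS_RE.search(msg)
        if sm:
            s["phase"] = s["phase"] or KIND_TO_PHASE[sm.group("kind")]
            s["statuses"].append(sm.group("status"))
    return sessions


def final_status(session):
    return session["statuses"][-1] if session["statuses"] else None


def authorization_failures(sessions):
    """Ids of AUTHOR sessions the server answered with FAIL (exec or command denied)."""
    return [sid for sid, s in sessions.items()
            if s["phase"] == "AUTHOR" and final_status(s) == "FAIL"]


def phases_seen(sessions):
    """Which of AUTHEN/AUTHOR/ACCT the capture contains. A command capture with
    no AUTHOR means the line never asked the server before running the command."""
    return {s["phase"] for s in sessions.values()}


def summarize(lines):
    """One human-readable row per session."""
    rows = []
    for sid, s in parse_sessions(lines).items():
        row = f"{s['first_ts']} id={sid} {s['phase']}/{s['sub']} -> {final_status(s)}"
        if s["attrs"]:
            row += " attrs=" + ",".join(s["attrs"])
        rows.append(row)
    return rows


# Sample input: excerpts of the captures in the post (login AUTHOR exchange,
# "conf t" before the config change, "conf t" after it).
LOGIN_AUTHOR = """\
19:04:06: TAC+: Opened 10.1.1.1 index=1
19:04:06: TAC+: 10.1.1.1 (1009671158) AUTHOR/START queued
19:04:06: TAC+: (1009671158) AUTHOR/START processed
19:04:06: TAC+: (1009671158): received author response status = PASS_ADD
19:04:06: TAC+: Closing TCP/IP 0x7A6BEC connection to 10.1.1.1/49
19:04:06: TAC+: Received Attribute "priv-lvl=15"
""".splitlines()

CONF_T_BEFORE = """\
19:09:05: TAC+: 10.1.1.1 (2491982009) AUTHOR/START queued
19:09:05: TAC+: (2491982009) AUTHOR/START processed
19:09:05: TAC+: (2491982009): received author response status = FAIL
19:09:05: TAC+: Closing TCP/IP 0x7A6BEC connection to 10.1.1.1/49
""".splitlines()

CONF_T_AFTER = """\
19:14:48: TAC+: 10.1.1.1 (3849432849) ACCT/REQUEST/STOP queued
19:14:48: TAC+: (3849432849) ACCT/REQUEST/STOP processed
19:14:48: TAC+: (3849432849): received acct response status = SUCCESS
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("login", LOGIN_AUTHOR), ("conf t before", CONF_T_BEFORE),
                      ("conf t after", CONF_T_AFTER)):
        sessions = parse_sessions(cap)
        print(name, summarize(cap), "failures:", authorization_failures(sessions),
              "phases:", sorted(phases_seen(sessions)))
```

Run against the "conf t" captures, the script reports the AUTHOR FAIL in the first and only an ACCT phase in the second, which is the difference between the server denying the command and the router no longer asking.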
