Contents
1 Introduction
2 Installation
  2.1 Ubuntu installation
    1. Installation
    2. Configuration file explained
  2.2 Docker installation, building your own image
    1. Dockerfile
    2. Configuration files used by the Dockerfile
       Obtaining the .google_authenticator file
       tac_plus.conf
       supervisord.conf
       tac_plus.sql
       nginx.conf
    3. Building the image
    4. Running
    5. Checking
  2.3 Notes on each file
    1. Dockerfile
    2. supervisord.conf
    3. nginx.conf
  2.4 Extension: installing MySQL 8.0 on Ubuntu 18.04
Conclusion
1 Introduction
AAA is short for Authentication, Authorization and Accounting. It is the security management mechanism used for access control in network security and provides those three services: establishing who the user is, what the user may do, and recording what the user did.
TACACS and TACACS+: Terminal Access Controller Access-Control System. Through one or more central servers it provides access-control services for routers, network access servers and other networked devices. TACACS+, the protocol that tac_plus implements (RFC 8907), treats authentication, authorization and accounting as three independent functions, unlike the original TACACS. It runs over TCP port 49, and the packet bodies are only obfuscated with an MD5-based pad derived from the shared key rather than encrypted, so the server and the devices that talk to it belong on an isolated management network.
2 Installation
2.1 Ubuntu installation
The tacacs+ package is no longer available from apt on Ubuntu 20.04 and later, so Ubuntu 18.04 is the better choice.
1. Installation
# Download and install TACACS+
### apt cannot be used on Ubuntu 20.04 and later, where the package is no longer provided
### Install on Ubuntu 18.04 or an image of the same release
apt-get update
apt-get install tacacs+

## Configuration file
vim /etc/tacacs+/tac_plus.conf
---------------------------------------------------
key = "tacacs123"            # shared key; every device must use the same value. Use a long random secret in production
accounting syslog;
accounting file = /var/log/tacacs_accounting.log   # tail -f /var/log/tacacs_accounting.log
default authentication = file /etc/passwd

acl = network_admin {
    # allow access from all sources
    #permit = ^10\.
    permit = ^115\.
    permit = [0-9]{1,3}\.    # matches every IPv4 address, so this ACL restricts nothing; narrow it to the management networks
    # implicit deny (ie: anything else)
}

group = admin {
    default service = permit    # any command without its own cmd block is permitted
    acl = network_admin
    service = exec {
        priv-lvl = 15
    }
    cmd = display { permit .* }
}

group = operator {
    acl = network_admin
    service = exec {
        priv-lvl = 1
    }
    cmd = display { permit .* }
    cmd = show { permit .* }
}

# Note: despite its name this group is granted priv-lvl 15 and may run configure, interface and shutdown, so it is not read-only
group = ro {
    acl = network_admin
    service = exec {
        priv-lvl = 15
    }
    cmd = display { permit .* }
    cmd = show { permit .* }
    cmd = interface { permit .* }
    cmd = undo { permit shutdown }
    cmd = configure { permit .* }
    cmd = no { permit shutdown }
    cmd = exit { permit .* }
    cmd = quit { permit .* }
    cmd = screen-length { permit .* }
    cmd = terminal { permit .* }
    cmd = set { permit cli.* }
    cmd = ping { permit .* }
    cmd = tracert { permit .* }
    cmd = admin { permit show }
    cmd = shutdown { permit .* }
}

user = chen_admin {                # chen_admin: account name
    login = des aPzSgJMfBUGB2      # hash of admin@123, generated with tac_pwd below
    # expires = "Feb 20 2032"
    member = admin                 # group, i.e. permissions
}
user = chen_ro {
    login = des temjCCsjBECmU      # hash of test123
    # expires = "Feb 20 2032"
    member = ro                    # group, i.e. permissions
}

####### Generate the password hashes
tac_pwd
Password to be encrypted: admin@123
aPzSgJMfBUGB2
tac_pwd
Password to be encrypted: test123
temjCCsjBECmU

## Start the daemon
/etc/init.d/tacacs_plus restart
 * Restarting TACACS+ authentication daemon tacacs+        [ OK ]

Two cautions about this file. `login = des` stores traditional DES crypt(3) hashes, which only use the first eight characters of the password and are cheap to brute-force, and the file also holds the shared key in clear text, so keep it readable by root only and treat it as a secret. Command authorization in tac_plus works per cmd block: the entries are tried from top to bottom against the command's arguments, the first matching regex decides, a block in which nothing matches denies, and a command without any cmd block is denied unless the user or group has `default service = permit`.
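To see what the rules above actually grant before a device does, the following Python simulator parses the brace syntax of tac_plus.conf and replays the documented command-authorization and ACL matching. It is an added example, not code from the page or from the tac_plus project, and uses only the standard library. The configuration embedded in it is an abridged copy of the one above (the `operator` group and most of the `ro` commands are omitted); the command lines and the device address 192.0.2.10 are made up. Passing the text of the real file to `load()` checks the real configuration. Among other things it shows that the group named `ro` may run `configure`, and that the `network_admin` ACL permits every IPv4 source.

```python
"""Replay tac_plus command authorization and source ACLs offline (added example,
not from the page or the tac_plus project; stdlib only).  Rules applied: cmd
entries are tried top to bottom against the argument string, first matching
regex wins, a block with no match denies, a command with no cmd block is
permitted only via 'default service = permit'; ACLs: first match, implicit deny.
CONF is an abridged copy of the page's configuration."""
import re

CONF = r'''
acl = network_admin {
    permit = ^115\.
    permit = [0-9]{1,3}\.
}
group = admin {
    default service = permit
    acl = network_admin
    cmd = display { permit .* }
}
group = ro {
    acl = network_admin
    service = exec { priv-lvl = 15 }
    cmd = show { permit .* }
    cmd = undo { permit shutdown }
    cmd = configure { permit .* }
}
user = chen_admin { member = admin }
user = chen_ro { member = ro }
'''

# comments, quoted strings, newlines, stand-alone braces (whitespace on both sides), words
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\n|(?<!\S)[{}](?!\S)|\S+')

def parse(tokens, i=0):
    """Return ([(words, body), ...], index); body is a nested list or None."""
    stmts, cur = [], []
    while i < len(tokens):
        t = tokens[i]
        i += 1
        if t == "{":
            body, i = parse(tokens, i)
            stmts.append((cur, body))
            cur = []
        elif t in ("\n", "}"):
            if cur:
                stmts.append((cur, None))
            cur = []
            if t == "}":
                return stmts, i
        elif t != "=":
            cur.append(t.strip('"').rstrip(";"))
    if cur:
        stmts.append((cur, None))
    return stmts, i

def entity(body):
    """Reduce one acl/group/user block to the fields the checks below use."""
    e = {"member": None, "acl": None, "default_permit": False, "cmd": {}, "rules": []}
    for words, sub in body:
        if words[0] == "cmd" and sub is not None:
            e["cmd"][words[1]] = [(w[0], " ".join(w[1:])) for w, _ in sub]
        elif words == ["default", "service", "permit"]:
            e["default_permit"] = True
        elif words[0] in ("permit", "deny"):            # acl rule
            e["rules"].append((words[0], " ".join(words[1:])))
        elif words[0] in ("member", "acl"):
            e[words[0]] = words[1]
    return e

def load(text):
    conf = {"acl": {}, "group": {}, "user": {}}
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    for words, body in parse(tokens)[0]:
        if len(words) == 2 and words[0] in conf and body is not None:
            conf[words[0]][words[1]] = entity(body)
    return conf

def chain(conf, user):
    """User entry, then its group, that group's parent group, and so on."""
    levels, ent = [], conf["user"].get(user)
    while ent is not None:
        levels.append(ent)
        ent = conf["group"].get(ent["member"]) if ent["member"] else None
    return levels

def authorize(conf, user, command):
    cmd, _, args = command.partition(" ")
    levels = chain(conf, user)
    for ent in levels:
        if cmd in ent["cmd"]:
            for verb, regex in ent["cmd"][cmd]:
                if re.search(regex, args):
                    return verb
            return "deny"                        # block present, nothing matched
    return "permit" if any(e["default_permit"] for e in levels) else "deny"

def acl_permits(conf, user, nas_ip):
    levels = chain(conf, user)
    for ent in levels:
        if ent["acl"]:
            for verb, regex in conf["acl"][ent["acl"]]["rules"]:
                if re.search(regex, nas_ip):
                    return verb == "permit"
            return False                         # implicit deny
    return bool(levels)                          # no acl: allowed; unknown user: denied

if __name__ == "__main__":
    conf = load(CONF)
    for user, cmd in [("chen_admin", "reboot"), ("chen_ro", "configure terminal"), ("chen_ro", "reboot")]:
        print(user, cmd, "->", authorize(conf, user, cmd))
```

Python's `re.search` stands in for the POSIX regex matching tac_plus performs, which is equivalent for the patterns used here; `chen_admin reboot` is permitted only because of `default service = permit`, while `chen_ro reboot` is denied because that group has no such default.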
2. Configuration file explained
cat /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.
### TACACS+ accounting log file
accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
## TACACS+ shared key
key = testing123

# Use /etc/passwd file to do authentication
#default authentication = file /etc/passwd

# You can use feature like per host key with different enable passwords
#host = 127.0.0.1 {
#        key = test
#        type = cisco
#        enable = <des|cleartext> enablepass
#        prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}

# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#user = test1 {
#        name = "Test User"
#        member = staff
#        login = file /etc/tacacs/tacacs_passwords
#}

# We can also specify rules valid per group of users.
#group = group1 {
#        cmd = conf {
#                deny
#        }
#}

# Another example : forbid configure command for some hosts
# for a define range of clients
#group = group1 {
#        login = PAM
#        service = ppp
#        protocol = ip {
#                addr = 10.10.0.0/24
#        }
#        cmd = conf {
#                deny .*
#        }
#}

user = DEFAULT {
        login = PAM
        service = ppp
        protocol = ip {}
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Two things in the stock file deserve attention before the server goes on the network. The `user = DEFAULT` entry means that any user name not defined in the file falls through to PAM, so with this file every local Linux account on the server becomes a device login. And `testing123` is the well-known default key; replace it, because the devices' credentials are only as protected as the key is secret.
2.2 Docker installation, building your own image
Everything needed to build the tacacs image is provided for download: tacacs materials package
The web UI can be packaged into the image or left out; adjust the files to your needs.
1. Dockerfile
mkdir /opt/tacacs
cd /opt/tacacs

# 1. Dockerfile
vim Dockerfile

# Use Base Ubuntu image
FROM ubuntu:18.04
# Author of this Dockerfile (MAINTAINER is deprecated; LABEL maintainer="..." is the current form)
MAINTAINER Andrew Roderos
# Update & upgrades
RUN apt-get update && apt-get upgrade -y
# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y
# Clear local repo
RUN apt-get clean
# Create a user with home directory
RUN useradd -m -d /home/andrew -s /bin/bash andrew
# Add password to andrew account
RUN echo "andrew:test" | chpasswd
# Copy Google secret key from host's volume to tacacs+ container
COPY .google_authenticator /home/andrew
# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator
# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf
# Add tac_plus PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus
# Run tac_plus as foreground process and use /etc/tacacs+/tac_plus.conf as the config file
# (disabled here: supervisord starts it together with the other services, see the CMD at the end)
#CMD ["tac_plus", "-G", "-C", "/etc/tacacs+/tac_plus.conf"]

# Install nginx, php-fpm
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENV TZ=Asia/Shanghai
#### Setting DEBIAN_FRONTEND lets the installs below run without interactive prompts
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -y install nginx php php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf
### webui is the archive of the web front end; it needs PHP and MySQL (MySQL 5.7 by default)
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php ; chown www-data:www-data /run/php
# Install mysql
RUN apt-get update;apt-get install mysql-server -y
COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

Two things to keep in mind about this image. The Google Authenticator secret and the `andrew:test` password are baked into image layers, so anyone who can pull the image can recover them (`docker history` and extracting the layers); for anything beyond a lab, mount the secret file at run time instead of copying it in, and set the password outside the Dockerfile. Also, the `/etc/pam.d/tac_plus` stack is only consulted for users whose entry says `login = PAM`; the `tac_plus.conf` in this package authenticates `chen_admin` and `chen_ro` with `login = des` hashes, so one-time codes are not enforced for them unless their `login` line is changed to `PAM` and matching Linux accounts with their own `.google_authenticator` files exist in the container. With `forward_pass` the user types password and six-digit code as one string; the module peels off the code and hands the password on to `pam_unix`, which is why that line carries `use_first_pass`.
2. Configuration files used by the Dockerfile
All of the following files live in /opt/tacacs.
Obtaining the .google_authenticator file
# Install
apt-get install libpam-google-authenticator -y

# Generate a Google Authenticator secret
google-authenticator

##### The output follows
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@template%3Fsecret%3DB4BFA57AJCLCZT2SIQLVBWJWFY%26issuer%3Dtemplate
# (a QR code is printed here)
Your new secret key is: B4BFA57AJCLCZT2SIQLVBWJWFY
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
  22392718
  78251317
  47207995
  37394412
  76581106

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

## Move the generated file into the build directory
mv /root/.google_authenticator .

The secret and scratch codes printed above are the ones from this run and are now public; generate a fresh file for every account that will log in, and note that in the image the file is installed for the user andrew, not root. Answering y to the 17-code window means any one of 17 codes is accepted on every attempt, which weakens the second factor; keep the default of 3 and fix time synchronization unless the clocks really drift.
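What the answers above end up as in the file, and what the window and reuse options mean in practice, is easiest to see in code. The following Python is an added example, not from the page or from the google-authenticator project: it parses the `.google_authenticator` layout (base32 secret, `" OPTION` lines, scratch codes), computes TOTP codes with the standard library (RFC 6238, HMAC-SHA1, 30-second steps) and verifies a code the way pam_google_authenticator does, honouring `WINDOW_SIZE` and `DISALLOW_REUSE`. The embedded file is constructed with the RFC 6238 test secret, not the secret printed above.

```python
"""Read a pam_google_authenticator state file and verify TOTP codes the way
the module does.  Added example, not code from the page or from the
google-authenticator project; stdlib only.  SAMPLE_FILE is constructed in the
layout google-authenticator writes, using the RFC 6238 test secret rather
than the secret shown on the page."""
import base64
import hashlib
import hmac
import struct
import time

SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_state(text):
    """First line: base32 secret.  '" KEY args' lines: options.  Rest: scratch codes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0] + "=" * (-len(lines[0]) % 8))
    opts, scratch = {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):
            key, *args = ln[2:].split()
            opts[key] = args
        else:
            scratch.append(ln)
    return secret, opts, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret, at=None, step=30):
    """RFC 6238: HOTP over the 30-second step counter."""
    return hotp(secret, int(time.time() if at is None else at) // step)

def verify(secret, opts, code, at=None, step=30):
    """Accept a code from any step inside WINDOW_SIZE (3 = previous/current/next,
    17 = 8 back to 8 ahead, i.e. 4 minutes of skew).  With DISALLOW_REUSE the step
    of every accepted code is recorded in opts, as the module records it in the
    file, and a second use of the same code is refused.  Returns the step or None."""
    window = int(opts.get("WINDOW_SIZE", ["3"])[0])
    now = int(time.time() if at is None else at) // step
    used = opts.get("DISALLOW_REUSE")          # None when the option is absent
    for delta in range(-((window - 1) // 2), window // 2 + 1):
        if hmac.compare_digest(hotp(secret, now + delta), code):
            if used is not None:
                if str(now + delta) in used:
                    return None                # same code presented twice
                used.append(str(now + delta))
            return now + delta
    return None

if __name__ == "__main__":
    secret, opts, scratch = parse_state(SAMPLE_FILE)
    print("current code:", totp(secret), "window:", opts["WINDOW_SIZE"], "scratch:", scratch)
```

Rate limiting (`RATE_LIMIT 3 30`) is parsed but not enforced here; the module keeps the attempt timestamps in the same file. The scratch codes are one-time fallbacks that the module deletes from the file when used, which is why the file must stay writable by the account that authenticates.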
tac_plus.conf
Identical to the tac_plus.conf listed in 2.1 above; copy it to /opt/tacacs/tac_plus.conf.
supervisord.conf
cat > supervisord.conf << EOF
[supervisord]
nodaemon=true

[program:nginx]
; daemon off keeps nginx in the foreground; otherwise it forks and supervisor sees it exit
command=nginx -g "daemon off;"
autostart=true
autorestart=true

[program:php-fpm]
command=/usr/sbin/php-fpm7.2 --nodaemonize --fpm-config /etc/php/7.2/fpm/php-fpm.conf
autostart=true
autorestart=true

[program:tac_plus]
command=tac_plus -G -C /etc/tacacs+/tac_plus.conf
autostart=true
autorestart=true

[program:mysql]
; "service mysql start" returns as soon as mysqld has been forked, so supervisor only
; starts mysqld here and does not supervise it; startsecs=0 stops it from treating
; the quick exit as a failure and retrying
command=service mysql start
autostart=true
autorestart=false
startsecs=0

[program:mysql-import]
; one-shot job; with autorestart=true the SQL import would be re-run every time the script exits
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
autorestart=false
startsecs=0
EOF

#### After the webui archive has been unpacked, the tac_plus.sql it contains has to be imported into the database
#### Precondition: the MySQL service is already running, which the script waits for
cat start.sh
#!/bin/bash
# Wait until mysqld answers on the local socket, then load the webui schema
echo "Waiting for MySQL to be ready..."
while ! mysqladmin ping -h localhost -u root --silent; do
    sleep 1
done
echo "MySQL is ready, importing data..."
mysql -uroot < /usr/local/nginx/tac_plus.sql
tac_plus.sql
Note: the tac_plus.sql shipped in the webui archive needs to be modified; the modified content follows.
Upload it to /opt/tacacs.
nginx.conf
cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    server {
        listen 81;
        server_name localhost;

        location / {
            root /usr/local/nginx;
            index index.php index.html index.htm;
        }

        location ~ \.php$ {
            root /usr/local/nginx;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
}

The server block serves the UI over plain HTTP on port 81; the UI holds the credentials and command policy for every device, so put TLS in front of it (or on this server block) and keep it reachable from the management network only.
3. Building the image
docker build -t tacacs:v1 .
docker images
REPOSITORY   TAG   IMAGE ID       CREATED          SIZE
tacacs       v1    9d57b17b34a1   19 seconds ago   572MB
4. Running
docker run -td --name tacplus \
  -p 30080:81 \
  -p 49:49 \
  -v /opt/tacacs/tac_plus.conf:/etc/tacacs+/tac_plus.conf \
  -v /opt/tacacs/nginx.conf:/etc/nginx/nginx.conf \
  tacacs:v1

Port 49/tcp is the one the network devices talk to; publishing only the web UI port would leave tac_plus unreachable from outside the Docker host. Because tac_plus.conf is bind-mounted, edits on the host are picked up by sending tac_plus SIGUSR1 inside the container (it re-reads its configuration on that signal) or by restarting the container.
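Whether tac_plus was installed from the package or runs in the container, the quickest way to confirm that it is reachable and that the shared key matches is to perform one real login against it. The following Python probe is an added example, not code from the page or from tac_plus: using only the standard library it builds RFC 8907 TACACS+ frames and runs an ASCII login end to end (START with the user name, the server's GETPASS prompt, CONTINUE with the password, then PASS or FAIL). It assumes port 49/tcp is reachable from where it runs and uses the key and the chen_admin account from the tac_plus.conf above; a wrong key shows up as a reply status the decoder cannot interpret, or as the server closing the connection.

```python
"""ASCII-login probe for a TACACS+ server (RFC 8907), stdlib only.

Added example, not code from the page: it sends an authentication START for a
user, answers the GETPASS prompt with the password and reports the final
status, which confirms that tac_plus is reachable and that the shared key
matches.  Host, key, user and password are assumptions taken from the page's
configuration."""
import hashlib
import os
import socket
import struct

VERSION = 0xC0                      # major version 0xC, minor 0: ASCII login
TYPE_AUTHEN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 5.2: chained MD5 over session_id | key | version | seq_no [| previous digest]."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the plaintext.
    This is keyed obfuscation, not encryption, which is why TACACS+ traffic
    belongs on an isolated management network."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def authen_start(user, port="tty0", rem_addr="127.0.0.1"):
    """START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r

def authen_continue(user_msg):
    """CONTINUE body carrying the password: user_msg_len, data_len, flags, user_msg."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m

def frame(body, session_id, key, seq_no):
    """Clear 12-byte header followed by the obfuscated body."""
    hdr = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def parse_reply(body):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    # A status outside the defined set means the pad did not line up: wrong key.
    return STATUS.get(status, "UNKNOWN (key mismatch?)"), body[6:6 + msg_len].decode(errors="replace")

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection (bad key or ACL deny?)")
        buf += chunk
    return buf

def tacacs_login(host, key, user, password, port=49):
    """START(user) -> GETPASS -> CONTINUE(password) -> PASS/FAIL; returns (status, server_msg)."""
    k = key.encode()
    sid = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame(authen_start(user), sid, k, 1))          # client seq 1
        hdr = HEADER.unpack(recv_exact(s, HEADER.size))          # server seq 2
        status, msg = parse_reply(obfuscate(recv_exact(s, hdr[5]), sid, k, hdr[2]))
        if status != "GETPASS":
            return status, msg
        s.sendall(frame(authen_continue(password), sid, k, 3))   # client seq 3
        hdr = HEADER.unpack(recv_exact(s, HEADER.size))          # server seq 4
        return parse_reply(obfuscate(recv_exact(s, hdr[5]), sid, k, hdr[2]))

if __name__ == "__main__":
    # Values from the page's tac_plus.conf; adjust the host for the Docker mapping.
    print(tacacs_login("127.0.0.1", "tacacs123", "chen_admin", "admin@123"))
```

A `("PASS", "")` result means reachability, key and password are all right; `FAIL` with a correct password usually means the source address was rejected by the `acl`; a status reported as unknown means the key differs between this client and the server, since the reply body was decoded with the wrong pad.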
5. Checking
The default username/password is admin/system; it is set by statements in tac_plus.sql and can be changed there. Change it before anyone else can reach port 30080: the UI is served over plain HTTP and controls the accounts and command policy of every device.
Client ACL: which source IPs may reach the tac_plus server
NAS ACL: permissions for users and groups
Attributes: privilege-level attributes for the switches of different vendors
Commands: command categories
Nas: management IPs of the switches and routers
Nas Group: groups of switches (works like Nas)
Users: user accounts
User Group: user groups (works like Users)
Vendor: switch vendor management
Reports: AAA login audit logs and similar records
2.3 Notes on each file
1. Dockerfile
# Base image
FROM ubuntu:18.04
# Author (MAINTAINER is deprecated; LABEL maintainer="..." is the current form)
MAINTAINER Alyssa
# Update
RUN apt-get update && apt-get upgrade -y
# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y
# Clear the local package cache
RUN apt-get clean
# Create a user
RUN useradd -m -d /home/andrew -s /bin/bash andrew
# Set its password (this ends up in an image layer, readable by anyone who can pull the image)
RUN echo "andrew:test" | chpasswd
# Copy the OTP secret file into the user's home directory in the image (same caveat: it lives in a layer)
COPY .google_authenticator /home/andrew
# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator
# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf
# Add the tac_plus PAM stack: one-time code first, then the Unix password; only consulted for users with login = PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus
#### To start several services from one Dockerfile, use Supervisor; apt installs it directly
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENV TZ=Asia/Shanghai
#### Setting DEBIAN_FRONTEND lets the installs below run without prompting
ENV DEBIAN_FRONTEND=noninteractive
### The webui needs nginx, php-fpm and MySQL
RUN apt-get -y install nginx php php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf
### webui is the archive of the web front end; it needs PHP and MySQL (MySQL 5.7 by default)
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php ; chown www-data:www-data /run/php
# Install MySQL 5.7
RUN apt-get update;apt-get install mysql-server -y
COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
2. supervisord.conf
A brief note on Supervisor:
Supervisor is a client/server system that lets its users monitor and control a number of processes on UNIX-like operating systems. It is a general-purpose process manager written in Python: it turns an ordinary command-line process into a background service, monitors its state and restarts it automatically when it exits abnormally. Managed processes are started with fork/exec as child processes of supervisord, so all that is needed is to put the executable's path into the supervisor configuration; when a child dies, the parent gets accurate notice of it and can be configured to restart it or raise an alert. Supervisor can also run supervisord itself, or each child, as a non-root user who then manages the corresponding process. The entry in the file that needs explaining is:
[program:mysql-import]
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
autorestart=false
startsecs=0
### This entry imports the webui SQL into MySQL once MySQL is up, so the shell script polls until the service answers before running the import. It is a one-shot job: autorestart=false and startsecs=0 tell supervisor that a quick exit is the expected outcome, otherwise it would keep re-running the import.
3. nginx.conf
The webui runs on nginx, PHP and MySQL, which is what nginx.conf configures.
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
# Note: the second include has to be commented out. That directory defines a default server on port 80, which conflicts with the Apache2 present in the environment and makes nginx fail to start, so it is disabled here. Apache2 gets onto the image because the bare `php` metapackage on Ubuntu pulls it in through libapache2-mod-php; installing only php-fpm, php-cli and the php-* extensions avoids Apache2 altogether.
2.4 Extension: installing MySQL 8.0 on Ubuntu 18.04
# 1. Install the required packages
sudo apt install dirmngr ca-certificates software-properties-common apt-transport-https curl lsb-release -y

# 2. Import the GPG key and repository into the Ubuntu system
#    The key is fetched over plain HTTP here; compare its fingerprint with the one published in the MySQL documentation before trusting it
curl -fsSL http://repo.mysql.com/RPM-GPG-KEY-mysql-2022 | sudo gpg --dearmor | sudo tee /usr/share/keyrings/mysql.gpg > /dev/null

# 3. Add the MySQL 8.0 repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 4. (Optional) Developers or those with specific needs can also add the MySQL source repository
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 5. (Optional) Developers can also add the MySQL tools repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 6. Update. If apt complains that the key is missing, repair the keyring from step 2 rather than adding --allow-insecure-repositories:
#    that flag disables signature verification for the repository, so packages could be swapped on the way in
sudo apt update

# 7. Install MySQL 8.0
sudo apt install mysql-community-server

#### Everything else is the same as a normal MySQL 8 installation