Installing the Necessary Packages:
Packages required: epel-release, gcc, perl-LDAP, bind-utils, telnet.x86_64, atop, nload, iftop, htop, perl-IO-Socket-SSL, pam-devel, ld-linux.so.2.
root@blr-tac-1:~# yum -y install epel-release
The perl-ldap distribution is a collection of perl modules which provide an object orientated interface to LDAP servers.
By using the perl object interface the perl-ldap modules provide programmers with an interface that allows complex searches of LDAP directories.
root@blr-tac-1:~# mkdir /root/tacacs
root@blr-tac-1:~# cd /root/tacacs/
root@blr-tac-1:~# wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
root@blr-tac-1:~# bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
root@blr-tac-1:~# cd PROJECTS        # the tarball unpacks into PROJECTS/ (the init script is copied from there later)
root@blr-tac-1:~# ./configure
root@blr-tac-1:~# make
root@blr-tac-1:~# make install       # puts tac_plus in /usr/local/sbin and the MAVIS scripts in /usr/local/lib/mavis
root@blr-tac-1:~# mkdir -p /var/log/tac_plus
root@blr-tac-1:~# chmod 755 /var/log/tac_plus
At this point you've installed all the necessary packages to run tac_plus and the mavis authentication backend. To make sure everything was installed correctly, run the following command and compare your output:
root@blr-tac-1:~# /usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.
root@blr-tac-1:~#
If there is an error message saying "Can't locate Net/LDAP.pm in @INC", you'll need to double-check the commands at the beginning of the SOP; otherwise continue.
Editing the Configuration File:
Create the configuration file and modify the permissions.

root@blr-tac-1:~# cd /usr/local/etc

Edit the configuration and make the changes below.
You'll also need to create an Active Directory service account for tacacs to use to query Active Directory.
The following spawnd configuration stanza accepts connections on TCP port 49 and forwards them to one of the tac_plus processes. The tac_plus configuration configures a couple of user groups, has one single user defined, and relies on the MAVIS backend for additional users.
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

# Mapping the access logs and accounting logs to a particular location
id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/accounting/%Y%m%d.log

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "Domain Controller IP's"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE =
        setenv LDAP_USER = "domain Admin"
        setenv LDAP_PASSWD = "*PASSWORD*"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv EXPAND_AD_GROUP_MEMBERSHIP = 1
        # the prefix value was cut off in the original; *GroupPrefix* is a placeholder like *PASSWORD* above
        setenv TACACS_GROUP_PREFIX = "*GroupPrefix*"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = tacacstestrouter {
        address = ::/0
        prompt =
        failed authentication banner = "
_____________________
NOTICE
%M%D-%%c-%%C-%%u Failed authentication will be logged and reported
_____________________
"
        enable 15 = clear Password
        key = *Key*
    }

    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    group = guest {
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
    }

    group = readonly {
        default service = permit
        enable = login
        service = shell {
            cmd = enable { permit ".*" }
            cmd = show {
                permit "running-config .*"
                permit "ip .*"
                permit "version .*"
                deny ".*"
                message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************
"
            }
        }
    }

    user = readonly {
        password = clear readonly
        member = guest
    }
}
After saving the configuration file, run the test below to confirm that it parses without any error.
If the file is error free, you will get no output, as shown below.

root@blr-tac-1:~# /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
root@blr-tac-1:~#
If tac_plus reports any errors, you'll need to edit the tac_plus.cfg file again and correct the errors.
You may also want to view the file /usr/local/lib/mavis/mavis_tacplus_ldap.pl for a detailed explanation of the LDAP variables.
Verifying the AD Authentication in Tacacs Server:
Run the command below to check the authentication:

root@blr-tac-1:~# /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS username Password

Expected Output:

Input attribute-value-pairs:
TYPE        TACPLUS
TIMESTAMP   mavistest-18364-1596020930-0
USER        username
PASSWORD    ********
TACTYPE     AUTH

Output attribute-value-pairs:
TYPE        TACPLUS
TIMESTAMP   mavistest-18364-1596020930-0
USER        username
RESULT      ACK
PASSWORD    *******
SERIAL      oAqqUj7jA1TqcFQDk8o82A=
DBPASSWORD  ********
TACMEMBER   "admin"
TACTYPE     AUTH
If you got ACK, that means your Active Directory query was successful. If you got NACK, BFD, or ERR, that means something went wrong. You'll want to double-check your Active Directory environment variables in the tac_plus.cfg file.
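As an added example (not part of the SOP), a small shell helper that turns the mavistest transcript above into a scripted pass/fail check on the RESULT and TACMEMBER pairs. It assumes mavistest prints one attribute-value pair per line under the two headings, and uses the same /usr/local/bin/mavistest command line as the step above; the sample transcript is constructed.

```shell
#!/bin/sh
# Added example, not part of the SOP: decide from a mavistest transcript whether
# the AD lookup worked. Assumes one "KEY VALUE" pair per line under the
# "Input/Output attribute-value-pairs" headings, as in the expected output above.

# mavis_result FILE
#   Exit 0 and print "ACK member=<TACMEMBER>" on ACK; exit 1 and print the
#   result on NACK/BFD/ERR; exit 2 if the Output section has no RESULT line.
mavis_result() {
    awk '
        /^Output attribute-value-pairs/ { out = 1; next }
        out && $1 == "RESULT"    { result = $2 }
        out && $1 == "TACMEMBER" { member = $2 }
        END {
            if (result == "")    { print "no RESULT line (backend did not answer)"; exit 2 }
            if (result == "ACK") { print "ACK member=" member; exit 0 }
            print result; exit 1
        }' "$1"
}

# check_ad_auth USER PASSWORD
#   Runs the SOP's mavistest command and feeds its output to mavis_result.
#   Like the SOP command, the password is visible in the process list while it runs.
check_ad_auth() {
    out=$(mktemp)
    /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS "$1" "$2" > "$out" 2>&1
    rc=0
    mavis_result "$out" || rc=$?
    rm -f "$out"
    return "$rc"
}

# Constructed sample transcript in the shape of the SOP's expected output
SAMPLE_ACK=$(mktemp)
cat > "$SAMPLE_ACK" <<'EOF'
Input attribute-value-pairs:
TYPE TACPLUS
USER username
PASSWORD ********
TACTYPE AUTH
Output attribute-value-pairs:
TYPE TACPLUS
USER username
RESULT ACK
PASSWORD *******
TACMEMBER "admin"
TACTYPE AUTH
EOF
mavis_result "$SAMPLE_ACK"   # prints: ACK member="admin"
```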
Mavis Environmental Variables:
mavis_tacplus_ldap.pl is an authentication/authorization backend for the external module. It interfaces to various kinds of LDAP servers, e.g. OpenLDAP, Fedora DS and Active Directory. Its behaviour is controlled by a list of environmental variables:

LDAP_SERVER_TYPE
Initiating tac_plus service:
We need to set the tac_plus daemon to start on boot, so that the tac_plus service starts by itself during boot. Run the following commands:

root@blr-tac-1:~# cd /etc/init.d/
root@blr-tac-1:/etc/init.d# cp /root/tacacs/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
root@blr-tac-1:/etc/init.d# chmod 755 /etc/init.d/tac_plus
root@blr-tac-1:/etc/init.d# chmod 660 /usr/local/etc/tac_plus.cfg
root@blr-tac-1:/etc/init.d# chown root:root /etc/init.d/tac_plus
root@blr-tac-1:/etc/init.d# sudo service tac_plus start
Turn off SELinux and reboot the machine.

root@blr-tac-1:# vi /etc/selinux/config

Set SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Add the firewall rule to permit/allow port 49:

root@blr-tac-1:# firewall-cmd --zone=public --permanent --add-port=49/tcp
root@blr-tac-1:# firewall-cmd --reload
To verify the service, check that port 49 is listening:

root@blr-tac-1:# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:43917         0.0.0.0:*               LISTEN      0          32270      2481/clientidentifi
tcp        0      0 127.0.0.1:40561         0.0.0.0:*               LISTEN      0          31395      2433/konea
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        19104      1002/systemd-resolv
tcp        0      0 127.0.0.1:49558         0.0.0.0:*               LISTEN      0          32267      2481/clientidentifi
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          26414      1796/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          275667     30987/cupsd
tcp        0      0 127.0.0.1:49565         0.0.0.0:*               LISTEN      0          32256      2481/clientidentifi
tcp6       0      0 :::49                   :::*                    LISTEN      0          395514     15518/tac_plus: 0 c
tcp6       0      0 :::22                   :::*                    LISTEN      0          26416      1796/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          275666     30987/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           116        22040      1285/avahi-daemon:
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        19103      1002/systemd-resolv
udp        0      0 0.0.0.0:39074           0.0.0.0:*                           116        22042      1285/avahi-daemon:
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          275704     30992/cups-browsed
udp6       0      0 :::5353                 :::*                                116        22041      1285/avahi-daemon:
udp6       0      0 :::35157                :::*                                116        22043      1285/avahi-daemon:
Add the tacacs service:

root@blr-tac-1:# chkconfig --add tac_plus
root@blr-tac-1:# chkconfig --level 2345 tac_plus on
Is there a build that will compile on centos/rhel 8, or is centos/rhel 7 still the version of centos to build on?
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/533c914f-2ca8-4225-b841-2d012c2bc5aan%40googlegroups.com.