Monday, August 12, 2019

.::: Installing & Configuring Free TACACS+ with Linux System User Authentication on RHEL/CentOS 7, 8, 9 :::.

TACACS+ is an identity management solution built on a protocol for AAA services: authentication, authorization and accounting. It is used for centralized authentication and identity/access management for network devices. It is a security protocol that can grant specific authorizations and centralized access to particular users who work with network devices.

1. Download free TACACS+ (tac_plus) packages

wget http://li.nux.ro/download/nux/misc/el7/x86_64/tac_plus-4.0.4.26-1.el7.nux.x86_64.rpm
wget http://li.nux.ro/download/nux/misc/el7/x86_64/tac_plus-debuginfo-4.0.4.26-1.el7.nux.x86_64.rpm
wget http://li.nux.ro/download/nux/misc/el7/x86_64/tac_plus-devel-4.0.4.26-1.el7.nux.x86_64.rpm


2. Install tac_plus on Linux (the NOKEY warning below means rpm could not verify the package signature because signing key 85c6cd8a is not imported; import the repository's key first so the signature is actually checked)
[root@radius-teguht tacacs]# ls
tac_plus-4.0.4.26-1.el7.nux.x86_64.rpm  tac_plus-debuginfo-4.0.4.26-1.el7.nux.x86_64.rpm  tac_plus-devel-4.0.4.26-1.el7.nux.x86_64.rpm
[root@radius-teguht tacacs]# rpm -ivh tac_plus-*
warning: tac_plus-4.0.4.26-1.el7.nux.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 85c6cd8a: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:tac_plus-4.0.4.26-1.el7.nux      ################################# [ 33%]
   2:tac_plus-devel-4.0.4.26-1.el7.nux################################# [ 67%]
   3:tac_plus-debuginfo-4.0.4.26-1.el7################################# [100%]
[root@radius-teguht tacacs]#

3. Create users and passwords on Linux (these local accounts are what the tac_plus configuration authenticates against via PAM)
[root@radius-teguht tacacs]# useradd teguht
[root@radius-teguht tacacs]# useradd tom
[root@radius-teguht tacacs]# useradd jerry
[root@radius-teguht tacacs]# useradd noc
[root@radius-teguht tacacs]# passwd teguht
[root@radius-teguht tacacs]# passwd tom
[root@radius-teguht tacacs]# passwd jerry
[root@radius-teguht tacacs]# passwd noc

4. Configure TACACS+ (/etc/tac_plus.conf)

[root@radius-teguht tacacs]# more /etc/tac_plus.conf
# Shared secret used by the TACACS+ clients (network devices and the test
# scripts' -k / SECRET value); it is stored in plaintext, so keep this file
# readable by root only.
key = "TGH@123"
# Accounting records are written to this file.
accounting file = /var/log/tac.acct
# authentication users not appearing elsewhere via
.........
## Groups Definition ##
# Administrators: every service is permitted by default; members are
# authenticated through PAM, i.e. against the local Linux accounts created
# in step 3 (no passwords are kept in this file).
group = netadmins {

default service = permit
login = PAM
service = exec {
priv-lvl = 15
}

}
# Restricted users: anything not listed below is denied ("default service = deny").
group = guestusers {

default service = deny
login = PAM

service = exec {
# NOTE(review): this is the same exec privilege level as netadmins; the cmd
# rules below only limit a guest if the network device asks this server to
# authorize each command — confirm that on the device, or lower the level.
priv-lvl = 15
}
# Allowed commands; "permit .*" accepts any argument string for the command.
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = quit {
permit .*
}
cmd = end {
permit .*
}

}
## Users Definition ##
# Each user inherits its group's policy; with "login = PAM" the user name has
# to match a Linux account on this host.

user = teguht {
member = netadmins
}

user = tom {
member = netadmins
}
user = jerry {
member = netadmins
}

user = noc {
member = guestusers
}
.......

[root@radius-teguht tacacs]#

5. Start and enable tac_plus
[root@radius-teguht tacacs]# /etc/init.d/tac_plus start
[root@radius-teguht tacacs]# systemctl status tac_plus
[root@radius-teguht tacacs]# systemctl enable tac_plus

6. Testing login 
 
 
Using a TACACS+ client
 
1. Install the tacacs-plus Python client
 pip install tacacs-plus
 
[root@teguhth-all ~]# pip install tacacs-plus
Collecting tacacs-plus
  Downloading tacacs_plus-2.6-py2.py3-none-any.whl (17 kB)
Requirement already satisfied: six in /usr/lib/python3.9/site-packages (from tacacs-plus) (1.15.0)
Installing collected packages: tacacs-plus
Successfully installed tacacs-plus-2.6
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
[root@teguhth-all ~]#
 
2. Create a test script
 
[root@teguhth-all tacacs]# cat test_tacacs.sh
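#!/bin/bash
# test_tacacs.sh
# Test a TACACS+ login against the server with the tacacs-plus Python client.
#
# Requires python3 with the tacacs-plus package (pip install tacacs-plus).
# Exit status: 0 when the server accepts the credentials, 1 when it rejects
# them or the client fails (unreachable server, wrong shared secret, ...).

set -euo pipefail

# Connection settings. Each one can be overridden from the environment, e.g.
#   TACACS_PASS=... ./test_tacacs.sh
# so a real password does not have to be edited into this file; the defaults
# below are the lab values from the tutorial.
TACACS_SERVER="${TACACS_SERVER:-10.10.10.8}"
TACACS_SECRET="${TACACS_SECRET:-TGH@123}"
TACACS_USER="${TACACS_USER:-teguht}"
TACACS_PASS="${TACACS_PASS:-teguht}"

# Hand the values to Python through the environment and quote the heredoc
# delimiter: interpolating them into Python string literals would let a quote
# or backslash in a value break (or alter) the generated code.
export TACACS_SERVER TACACS_SECRET TACACS_USER TACACS_PASS
python3 <<'EOF'
import os
import sys

from tacacs_plus.client import TACACSClient

# 49 is the standard TACACS+ TCP port.
client = TACACSClient(os.environ["TACACS_SERVER"], 49, os.environ["TACACS_SECRET"])

try:
    reply = client.authenticate(os.environ["TACACS_USER"], os.environ["TACACS_PASS"])
except Exception as exc:
    # Report transport/protocol problems instead of a traceback; still a failure.
    print("Authentication ERROR: %s" % exc)
    sys.exit(1)

if reply.valid:
    print("Authentication OK")
else:
    print("Authentication FAILED")
    sys.exit(1)
EOF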
[root@teguhth-all tacacs]#
 
3. Run the test
 
[root@teguhth-all tacacs]# sh test_tacacs.sh
Authentication OK
[root@teguhth-all tacacs]#
 
4. Alternative script that takes command-line arguments
 
[root@teguhth-all tacacs]# cat tacacs_linux.sh
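#!/bin/bash
# tacacs_linux.sh
# Test a TACACS+ login with a tacacstest-like command line:
#   ./tacacs_linux.sh -h <server> -k <secret> -u <user> [-p <password>]
#
# The shared secret and the password may also come from the environment
# (TACACS_SECRET, TACACS_PASS); when -p is omitted on a terminal the password
# is prompted for. Both keep the credentials out of `ps` output and shell
# history, which is why this script no longer echoes an example command line.
# Requires python3 with the tacacs-plus package (pip install tacacs-plus).
# Exit status: 0 when the server accepts the credentials, 1 on rejection,
# client error or bad usage.

set -euo pipefail

# Print usage on stderr and exit non-zero.
usage() {
  printf 'Usage: %s -h <server> -k <secret> -u <user> [-p <password>]\n' "$0" >&2
  exit 1
}

# Defaults; the environment may pre-fill the two secrets.
SERVER=""
SECRET="${TACACS_SECRET:-}"
TAC_USER=""
PASS="${TACACS_PASS:-}"

# Parse command line arguments (every flag takes a value).
while getopts "h:k:u:p:" opt; do
  case "$opt" in
    h) SERVER="$OPTARG" ;;
    k) SECRET="$OPTARG" ;;
    u) TAC_USER="$OPTARG" ;;
    p) PASS="$OPTARG" ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

# Validate input; only the password may still be prompted for.
if [[ -z "$SERVER" || -z "$SECRET" || -z "$TAC_USER" ]]; then
  usage
fi
if [[ -z "$PASS" && -t 0 ]]; then
  # -s: do not echo the password; -r: keep backslashes literal.
  read -rs -p "Password for ${TAC_USER}: " PASS || usage
  printf '\n' >&2
fi
[[ -n "$PASS" ]] || usage

# Hand the values to Python through the environment and quote the heredoc
# delimiter: interpolating them into Python string literals would let a quote
# or backslash in a value break (or alter) the generated code.
export TACACS_SERVER="$SERVER" TACACS_SECRET="$SECRET" TACACS_USER="$TAC_USER" TACACS_PASS="$PASS"
python3 <<'EOF'
import os
import sys

from tacacs_plus.client import TACACSClient

# 49 is the standard TACACS+ TCP port.
client = TACACSClient(os.environ["TACACS_SERVER"], 49, os.environ["TACACS_SECRET"])

try:
    reply = client.authenticate(os.environ["TACACS_USER"], os.environ["TACACS_PASS"])
except Exception as exc:
    # Report transport/protocol problems instead of a traceback; still a failure.
    print("Authentication ERROR: %s" % exc)
    sys.exit(1)

if reply.valid:
    print("Authentication OK")
else:
    print("Authentication FAILED")
    sys.exit(1)
EOF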
[root@teguhth-all tacacs]#

 
 
5. Run it (a secret and password given on the command line are visible to other users on the host and are saved in shell history)
 sh tacacs_linux.sh -h 10.10.10.8 -k TGH@123 -u teguht -p teguht
 
[root@teguhth-all tacacs]# sh tacacs_linux.sh -h 10.10.10.8 -k TGH@123 -u teguht -p teguht
sh tacacs_linux.sh -h 10.10.10.8 -k TGH@123 -u teguht -p teguht
Authentication OK
[root@teguhth-all tacacs]#
 
