Configuring TACACS authentication on an HPE switch (using CPPM)
CPPM version: 6.7.7.109065
HPE switch version: 7.1.045 3113P05
A. HPE switch configuration
1. Enable SSH login on the HPE switch
2. Configure TACACS server authentication on the HPE switch
B. CPPM configuration
1. Add a write account and a read account under local users
Add the account read and assign it the TACACS Read-only Admin role
Add the account write and assign it the TACACS Network Admin role
2. Network -> Device
Add the switch as a device, set the shared key and specify the Vendor Name
3. Add Enforcement profiles
HPE-write and HPE-read
When an account matches the condition, the corresponding value is returned to the switch
4. Add an Enforcement policy
When the authenticated account's Role = Read-only Admin, use the HPE-read Enforcement profile to return the value
When the authenticated account's Role = Network Admin, use the HPE-write Enforcement profile to return the value
5. Add a service. The match condition used here is loose: any authentication request arriving Monday through Sunday matches. It can be tightened to match only requests from specific IP addresses or from specific vendor devices.
Authentication source: local SQL DB
Enforcement policy: select the HPE policy configured above
C. Verification
1. Connect to the switch via SSH and enable TACACS-related debugging
2. The successful authentication process can be followed in the debug log on the switch
<HPE>*Jan 3 00:31:26:008 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jan 3 00:31:26:009 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jan 3 00:31:26:009 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan 3 00:31:26:016 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan 3 00:31:26:016 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan 3 00:31:26:017 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan 3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan 3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan 3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jan 3 00:31:26:019 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 49
action: LOGIN priv_lvl: 0 authen_type: ASCII service: LOGIN
user_len: 5 port_len: 16 rem_len: 15 data_len: 5
user: write
port: Vlan-interface13
rem_addr: 192.168.170.169
data: ******
*Jan 3 00:31:26:036 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 3 00:31:26:037 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 16
status: STATUS_GETPASS flags: NOECHO
server_msg len: 10 data len: 0
server_msg: Password:
data:
*Jan 3 00:31:26:037 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jan 3 00:31:26:038 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 3 00:31:26:038 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 2.
*Jan 3 00:31:26:040 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: CONTINUE
*Jan 3 00:31:26:040 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication continue request packet.
*Jan 3 00:31:26:041 2013 HPE TACACS/7/EVENT: PAM_TACACS: Sending authentication continue request packet.
*Jan 3 00:31:26:041 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_CONTINUE seq_no: 3 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 10
user_msg len: ****** data_len: 0 flags: CONTINUE AUTHEN
user_msg: ******
data:
*Jan 3 00:31:26:096 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 3 00:31:26:097 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 4 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 6
status: STATUS_PASS flags: ECHO
server_msg len: 0 data len: 0
server_msg:
data:
*Jan 3 00:31:26:097 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jan 3 00:31:26:097 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 3 00:31:26:098 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jan 3 00:31:26:099 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded. (authentication succeeded)
*Jan 3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jan 3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jan 3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan 3 00:31:26:110 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan 3 00:31:26:110 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan 3 00:31:26:113 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan 3 00:31:26:114 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan 3 00:31:26:115 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan 3 00:31:26:115 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jan 3 00:31:26:116 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xd714f859
length of payload: 63
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 5 port_len: 16 rem_len: 15 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: write
port: Vlan-interface13
rem_addr: 192.168.170.169
arg0: service=shell arg1: cmd*
*Jan 3 00:31:26:120 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 3 00:31:26:120 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xd714f859
length of payload: 18
Status: STATUS_PASS_ADD arg_cnt: 1 server_msg len: 0 data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15 (the returned value 15 is visible here)
*Jan 3 00:31:26:127 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jan 3 00:31:26:127 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jan 3 00:31:26:129 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded. (authorization succeeded)
*Jan 3 00:31:26:132 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
%Jan 3 00:31:26:150 2013 HPE SSHS/6/SSHS_LOG: Accepted password for write from 192.168.170.169 port 52002 ssh2.
%Jan 3 00:31:26:257 2013 HPE SSHS/6/SSHS_CONNECT: SSH user write (IP: 192.168.170.169) connected to the server successfully.
*Jan 3 00:31:26:622 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS start-accounting.
*Jan 3 00:31:26:623 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: accounting-start.
*Jan 3 00:31:26:623 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan 3 00:31:26:624 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan 3 00:31:26:624 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan 3 00:31:26:625 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan 3 00:31:26:635 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan 3 00:31:26:635 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan 3 00:31:26:636 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan 3 00:31:26:636 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: ACCOUNT_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xffd71dbe
length of payload: 68
flags: START
authen_method: NONE authen_service: LOGIN
user_len: 5 port_len: 4 rem_len: 15 arg_cnt: 3
arg0_len: 9 arg1_len: 10 arg2_len: 13
user: write
port: vty0
rem_addr: 192.168.170.169
arg0: task_id=0 arg1: timezone=0
arg2: service=shell
*Jan 3 00:31:26:641 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 3 00:31:26:641 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: ACCOUNT_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xffd71dbe
length of payload: 5
server_msg len: 0 data len: 0 status: STATUS_SUCCESS
server_msg:
data:
*Jan 3 00:31:26:642 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan 3 00:31:26:642 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 3 00:31:26:643 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
*Jan 3 00:31:26:644 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS start-accounting succeeded. (accounting succeeded)
%Jan 3 00:31:28:046 2013 HPE SHELL/5/SHELL_LOGIN: write logged in from 192.168.170.169.
3. Use display users to view the user status
4. Check the success message in Access Tracker on CPPM
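As an added example (not part of the original post), a small Python checker that reads Comware TACACS debug output of the form shown above and confirms the three things worth verifying in it: every packet carries ENCRYPTED_FLAG (the body is obfuscated with the shared key rather than sent in the clear), the authentication exchange ended in STATUS_PASS, and the authorization reply returned a priv-lvl that the switch maps to the user's role. The sample log is a constructed excerpt modelled on the page's output.

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the Comware TACACS debug output above (not a real capture)
SAMPLE_LOG = """\
*Jan 3 00:31:26:097 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 4 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
status: STATUS_PASS flags: ECHO
*Jan 3 00:31:26:120 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xd714f859
Status: STATUS_PASS_ADD arg_cnt: 1 server_msg len: 0 data len: 0
arg0: priv-lvl=15
"""

HEADER_RE = re.compile(r"version: (0x[0-9a-f]+) type: (\w+) seq_no: (\d+) flag: (\w+)")
SESSION_RE = re.compile(r"session-id: (0x[0-9a-f]+)")
STATUS_RE = re.compile(r"[Ss]tatus: (STATUS_\w+)")
PRIV_RE = re.compile(r"priv-lvl=(\d+)")

def parse_sessions(log):
    """Group the decoded packet dumps by TACACS+ session-id, in log order."""
    sessions, pkt = OrderedDict(), None
    for line in log.splitlines():
        if m := HEADER_RE.search(line):          # first line of a send_packet/recv_packet dump
            pkt = {"type": m[2], "seq": int(m[3]), "flag": m[4], "status": None, "priv_lvl": None}
        elif pkt is None:
            continue
        elif m := SESSION_RE.search(line):       # session-id line follows the header line
            sessions.setdefault(m[1], []).append(pkt)
        else:                                    # remaining body fields belong to the current packet
            if m := STATUS_RE.search(line):
                pkt["status"] = m[1]
            if m := PRIV_RE.search(line):
                pkt["priv_lvl"] = int(m[1])
    return sessions

def check_login(sessions):
    """Encrypted bodies throughout, authentication STATUS_PASS, and a priv-lvl from authorization."""
    result = {"all_encrypted": True, "authen_pass": False, "priv_lvl": None}
    for pkts in sessions.values():
        for p in pkts:
            if p["flag"] != "ENCRYPTED_FLAG":
                result["all_encrypted"] = False
            if p["type"] == "AUTHEN_REPLY" and p["status"] == "STATUS_PASS":
                result["authen_pass"] = True
            if p["type"] == "AUTHOR_REPLY" and p["status"] in ("STATUS_PASS_ADD", "STATUS_PASS_REPL"):
                result["priv_lvl"] = p["priv_lvl"]
    return result
```

Feed it the full debug output captured in step 1 and a priv_lvl of 15 confirms the HPE-write profile was applied, while a read login should show the lower level returned by HPE-read.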