TAC_PLUS AAA Platform and Web UI

暮雨浅夏 2024-09-15 08:33:01 Views: 88

Contents

1 Introduction
2 Installation
  2.1 Ubuntu install: 1. Install  2. Explanation of the default config file
  2.2 Docker install, building your own image: 1. Dockerfile  2. Files the Dockerfile needs (obtaining .google_authenticator, tac_plus.conf, supervisord.conf, tac_plus.sql, nginx.conf)  3. Build the image  4. Run  5. Check
  2.3 Notes on the files: 1. Dockerfile  2. supervisord.conf  3. nginx.conf
  2.4 Extra: installing MySQL 8.0 on Ubuntu 18.04
Conclusion

1 Introduction

AAA is short for Authentication, Authorization and Accounting. It is the access-control framework used in network security and provides exactly those three services.

TACACS and TACACS+: Terminal Access Controller Access-Control System. One or more central servers provide access-control services for routers, network access servers and other network equipment. TACACS+, the protocol that tac_plus speaks (specified in RFC 8907, not compatible with the original TACACS), handles authentication, authorization and accounting as three independent functions, each of which can be configured on its own.

2 Installation

2.1 Ubuntu install

The tacacs+ package is no longer available from the Ubuntu repositories from 20.04 onward, so Ubuntu 18.04 is the best choice (or build from source; see the conclusion).

1. Install

# Download and install TACACS+
### apt cannot be used on Ubuntu 20.04 or later: the package is no longer in the repositories
### Install on Ubuntu 18.04, or on an image of that release
apt-get update
apt-get install tacacs+

## Configuration file (the Debian package reads /etc/tacacs+/tac_plus.conf)
vim /etc/tacacs+/tac_plus.conf
---------------------------------------------------
key = "tacacs123"      # shared secret; every NAS that talks to this server must be configured with the same key
accounting syslog;
accounting file = /var/log/tacacs_accounting.log      # follow it with: tail -f /var/log/tacacs_accounting.log
default authentication = file /etc/passwd

acl = network_admin {
    # allow access from all sources
    #permit = ^10\.
    permit = ^115\.
    # the next pattern is unanchored and matches any dotted IPv4 address, so the ACL
    # is effectively allow-all; delete it and keep only anchored ^10\. / ^115\. lines
    # if only those NAS ranges should be able to reach the server
    permit = [0-9]{1,3}\.
    # implicit deny (ie: anything else)
}

group = admin {
    default service = permit      # any command without a cmd block below is allowed
    acl = network_admin
    service = exec {
        priv-lvl = 15
    }
    cmd = display {
        permit .*
    }
}

group = operator {
    acl = network_admin
    service = exec {
        priv-lvl = 1
    }
    cmd = display {
        permit .*
    }
    cmd = show {
        permit .*
    }
}

# Despite its name this group is not read-only: it gets priv-lvl 15 and may run
# configure, interface and shutdown. Use priv-lvl = 1 and drop those cmd blocks
# for a genuinely read-only role.
group = ro {
    acl = network_admin
    service = exec {
        priv-lvl = 15
    }
    cmd = display {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = interface {
        permit .*
    }
    cmd = undo {
        permit shutdown
    }
    cmd = configure {
        permit .*
    }
    cmd = no {
        permit shutdown
    }
    cmd = exit {
        permit .*
    }
    cmd = quit {
        permit .*
    }
    cmd = screen-length {
        permit .*
    }
    cmd = terminal {
        permit .*
    }
    cmd = set {
        permit cli.*
    }
    cmd = ping {
        permit .*
    }
    cmd = tracert {
        permit .*
    }
    cmd = admin {
        permit show
    }
    cmd = shutdown {
        permit .*
    }
}

user = chen_admin {                   # chen_admin: the account name
    login = des aPzSgJMfBUGB2         # DES crypt hash of admin@123, generated with tac_pwd (see below)
    # expires = "Feb 20 2032"
    member = admin                    # group membership sets the privileges
}

user = chen_ro {
    login = des temjCCsjBECmU         # hash of test123
    # expires = "Feb 20 2032"
    member = ro
}

####### Generating the password hashes
####### (traditional DES crypt only looks at the first 8 characters, so "admin@12" also
####### unlocks chen_admin; keep that in mind when choosing passwords)
tac_pwd
Password to be encrypted: admin@123
aPzSgJMfBUGB2

tac_pwd
Password to be encrypted: test123
temjCCsjBECmU

## Check the syntax before restarting (a broken file stops every NAS from authenticating)
tac_plus -P -C /etc/tacacs+/tac_plus.conf

## Start (or restart) the daemon
/etc/init.d/tacacs_plus restart
 * Restarting TACACS+ authentication daemon tacacs+ [ OK ]
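To see what the ACL and the command authorization in this file actually allow, here is a small Python model of how tac_plus evaluates them, run against constructed NAS addresses and command lines. It is an added example, not code from the page or from tac_plus itself: the matching rules (the regex is searched against the NAS IP for acl entries and against the command's arguments for cmd entries, the first matching permit/deny wins, and a command with no cmd block is denied unless the group has default service = permit) follow the tac_plus.conf man page, and Python's re.search is assumed to behave like the unanchored POSIX regexec that tac_plus uses for these simple patterns.

```python
import re

# Policy copied from the tac_plus.conf above. Regex matching is approximated with
# re.search (unanchored search, like POSIX regexec): an assumption for these patterns.
NETWORK_ADMIN_ACL = [
    ("permit", r"^115\."),
    ("permit", r"[0-9]{1,3}\."),  # unanchored: matches every dotted IPv4 address
]
# What the ACL looks like if only 10.x and 115.x NAS devices may connect.
RESTRICTED_ACL = [
    ("permit", r"^10\."),
    ("permit", r"^115\."),
]


def acl_permits(acl, nas_ip):
    """First permit/deny whose regex matches the NAS address wins; no match means deny."""
    for action, pattern in acl:
        if re.search(pattern, nas_ip):
            return action == "permit"
    return False


# cmd blocks of the "admin" and "ro" groups from the page (plain "permit .*" blocks
# that are not needed for the samples below are omitted).
ADMIN_GROUP = {"default_permit": True, "cmds": {"display": [("permit", r".*")]}}
RO_GROUP = {
    "default_permit": False,
    "cmds": {
        "display": [("permit", r".*")],
        "show": [("permit", r".*")],
        "interface": [("permit", r".*")],
        "undo": [("permit", r"shutdown")],
        "configure": [("permit", r".*")],
        "no": [("permit", r"shutdown")],
        "set": [("permit", r"cli.*")],
        "admin": [("permit", r"show")],
        "shutdown": [("permit", r".*")],
    },
}


def command_permitted(group, command_line):
    """Model of TACACS+ command authorization: the first word selects the cmd block,
    its permit/deny regexes are tried in order against the remaining arguments, and
    a command without a cmd block falls back to the group's default service."""
    words = command_line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default_permit"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False  # a cmd block with no matching line denies


def audit(group, commands):
    """Return {command: permitted} so a policy change can be reviewed at a glance."""
    return {c: command_permitted(group, c) for c in commands}


if __name__ == "__main__":
    for ip in ("10.1.2.3", "115.8.8.8", "203.0.113.9"):  # constructed NAS addresses
        print(f"{ip:>12}  page ACL: {acl_permits(NETWORK_ADMIN_ACL, ip)}  "
              f"restricted ACL: {acl_permits(RESTRICTED_ACL, ip)}")
    sample = ["display current-configuration", "configure terminal", "undo shutdown",
              "undo acl 2000", "set cli screen-length 0", "set system host-name evil",
              "set system clip", "reboot"]  # constructed command lines
    for name, group in (("ro", RO_GROUP), ("admin", ADMIN_GROUP)):
        for cmd, ok in audit(group, sample).items():
            print(f"{name:5} {'permit' if ok else 'deny  '}  {cmd}")
```

Running it shows the two things worth fixing in the file: every address passes the page's ACL because of the unanchored `[0-9]{1,3}\.` line, and the `ro` group passes `configure terminal`. It also shows why `permit cli.*` should be written `permit ^cli`: an unanchored search lets `set system clip` through because "clip" contains "cli".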

2. Explanation of the default config file

cat /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.
### TACACS+ accounting log file
accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
## TACACS+ shared secret: the package ships this well-known default, replace it
key = testing123

# Use /etc/passwd file to do authentication
#default authentication = file /etc/passwd

# You can use feature like per host key with different enable passwords
## a host block overrides the global key for one NAS, so a key recovered from one device does not expose the others
#host = 127.0.0.1 {
#        key = test
#        type = cisco
#        enable = <des|cleartext> enablepass
#        prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}

# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#user = test1 {
#        name = "Test User"
#        member = staff
#        login = file /etc/tacacs/tacacs_passwords
#}

# We can also specify rules valid per group of users.
#group = group1 {
#        cmd = conf {
#                deny
#        }
#}

# Another example : forbid configure command for some hosts
# for a define range of clients
#group = group1 {
#        login = PAM
#        service = ppp
#        protocol = ip {
#                addr = 10.10.0.0/24
#        }
#        cmd = conf {
#                deny .*
#        }
#}

## Users not listed in this file fall through to this entry and are authenticated by PAM,
## i.e. against the system's Unix accounts
user = DEFAULT {
        login = PAM
        service = ppp protocol = ip { }
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

2.2 Docker install: building your own image

Everything needed to build the tacacs image is provided for download (the tacacs resource pack). The web UI can either be built into the same image, as is done here, or left out; adjust the files to your own needs.

1. Dockerfile

mkdir /opt/tacacs
cd /opt/tacacs

# 1. Dockerfile
vim Dockerfile

# Use Base Ubuntu image
FROM ubuntu:18.04

# Author of this Dockerfile (MAINTAINER is deprecated; LABEL is the current form)
LABEL maintainer="Andrew Roderos"

# Update & upgrades
RUN apt-get update && apt-get upgrade -y

# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y

# Clear local repo
RUN apt-get clean

# Create a user with home directory
RUN useradd -m -d /home/andrew -s /bin/bash andrew

# Add password to andrew account
# NOTE: this password and the OTP secret copied below end up in the image layers, so anyone
# who can pull the image can read them. Outside a lab, mount them into the container at run time.
RUN echo "andrew:test" | chpasswd

# Copy Google secret key from host's volume to tacacs+ container
COPY .google_authenticator /home/andrew

# Change file owner; pam_google_authenticator also refuses a secret file that others can read
RUN chown andrew:andrew /home/andrew/.google_authenticator && chmod 0400 /home/andrew/.google_authenticator

# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf

# Add tac_plus PAM stack: the user types password+OTP as one string, pam_google_authenticator
# checks the OTP (requisite: stop on failure) and forwards the rest to pam_unix (forward_pass /
# use_first_pass). Only users with "login = PAM" in tac_plus.conf go through this stack; the
# chen_* users in the tac_plus.conf above use "login = des" and never touch PAM.
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus

# Run tac_plus as foreground process and use /etc/tacacs+/tac_plus.conf as the config file
# (replaced by supervisord below, which also runs nginx, php-fpm and MySQL)
#CMD ["tac_plus", "-G", "-C", "/etc/tacacs+/tac_plus.conf"]

# supervisord configuration (the supervisor package itself is installed in the next RUN)
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf

ENV TZ=Asia/Shanghai
#### DEBIAN_FRONTEND=noninteractive lets the following installs run without prompting
ENV DEBIAN_FRONTEND=noninteractive

# Install nginx, php-fpm and friends. The "php" metapackage is deliberately left out: it pulls in
# apache2, which is what causes the port-80 conflict mentioned under nginx.conf in section 2.3.
RUN apt-get -y install nginx php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf

### webui_v1.7b1.tar is the web UI tarball; it needs PHP and MySQL (5.7 by default). ADD unpacks it.
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php && chown www-data:www-data /run/php

# Install mysql
RUN apt-get update && apt-get install mysql-server -y

COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

2. Files the Dockerfile needs

All of the following files live in /opt/tacacs, the build context.

Obtaining the .google_authenticator file

# Install
apt-get install libpam-google-authenticator -y

# Generate the Google Authenticator secret
google-authenticator

##### The output follows
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@template%3Fsecret%3DB4BFA57AJCLCZT2SIQLVBWJWFY%26issuer%3Dtemplate
# a QR code image is printed here
Your new secret key is: B4BFA57AJCLCZT2SIQLVBWJWFY
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
  22392718
  78251317
  47207995
  37394412
  76581106

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

## Move the generated file into the build context
## (the secret and the scratch codes are live credentials: generate your own instead of
## reusing the ones printed above, and treat the build context and the image as sensitive)
mv /root/.google_authenticator .
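The secret printed above is all a verifier needs: pam_google_authenticator recomputes the 6-digit code from it with RFC 6238 TOTP (HMAC-SHA1 over 30-second steps), accepts a window of neighbouring steps, and with forward_pass splits the typed string into password and OTP before handing the password on to pam_unix. The following Python is an added example of that check, not the PAM module's code: the window and reuse logic are a simplified model of the module's WINDOW_SIZE and DISALLOW_REUSE settings, the forward_pass split assumes a 6-digit code at the end of the string (the module also accepts 8-digit scratch codes, which are not modelled), and the page's secret is used only to show the computation.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, the google-authenticator default
DIGITS = 6

# Secret printed by google-authenticator above, used for demonstration only.
PAGE_SECRET = "B4BFA57AJCLCZT2SIQLVBWJWFY"
# RFC 6238 reference secret ("12345678901234567890" in base32) for a known-answer check.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Google Authenticator stores the secret without base32 padding; restore it."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, timestamp, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the number of 30-second steps."""
    counter = int(timestamp) // step
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(secret_b32, code, timestamp, window=1, used=None):
    """Accept the code for the current step and `window` steps on either side.
    window=1 is the module default (3 codes); answering "y" to the time-skew
    question above selects the 17-code window, i.e. window=8. `used` is a set of
    already-consumed counters, modelling DISALLOW_REUSE."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    counter = int(timestamp) // STEP
    for delta in range(-window, window + 1):
        c = counter + delta
        if used is not None and c in used:
            continue
        if hmac.compare_digest(totp(secret_b32, c * STEP), code):
            if used is not None:
                used.add(c)
            return True
    return False


def split_forward_pass(typed, digits=DIGITS):
    """forward_pass: the user types password+OTP as one string. The last `digits`
    characters are the OTP; the rest is passed to pam_unix (use_first_pass)."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


def authenticate(secret_b32, typed, timestamp, unix_password, used=None):
    """The /etc/pam.d/tac_plus stack from the Dockerfile: OTP first (requisite),
    then the Unix password with the remainder. True only if both succeed."""
    parts = split_forward_pass(typed)
    if parts is None:
        return False
    password, code = parts
    if not verify_code(secret_b32, code, timestamp, window=8, used=used):
        return False
    return hmac.compare_digest(password.encode(), unix_password.encode())


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the page's secret:", totp(PAGE_SECRET, now))
    typed = "test" + totp(PAGE_SECRET, now)      # what the "andrew" user would type
    print("login:", authenticate(PAGE_SECRET, typed, now, "test", used=set()))
```

The 17-code window the page opts into means a captured code stays valid for about four minutes instead of one; DISALLOW_REUSE limits that to a single login per code, which is why it is worth answering "y" to that question as well.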

tac_plus.conf

cat tac_plus.conf
(identical to the tac_plus.conf shown in section 2.1 above; copy that file into /opt/tacacs. Note that its chen_* users use "login = des", so they are checked against the hashes in the file and never reach the PAM/Google Authenticator stack set up in the Dockerfile; a user needs "login = PAM" for the OTP to apply.)

supervisord.conf

cat > supervisord.conf << EOF
[supervisord]
nodaemon=true

[program:nginx]
; "daemon off;" keeps nginx in the foreground; a forking nginx exits at once and supervisord gives up on it
command=nginx -g "daemon off;"
autostart=true
autorestart=true

[program:php-fpm]
command=/usr/sbin/php-fpm7.2 --nodaemonize --fpm-config /etc/php/7.2/fpm/php-fpm.conf
autostart=true
autorestart=true

[program:tac_plus]
; -G: stay in the foreground, -C: configuration file
command=tac_plus -G -C /etc/tacacs+/tac_plus.conf
autostart=true
autorestart=true

[program:mysql]
; mysqld_safe stays in the foreground and creates /var/run/mysqld itself;
; "service mysql start" returns immediately, so supervisord would keep restarting it
command=/usr/bin/mysqld_safe
autostart=true
autorestart=true

[program:mysql-import]
; one-shot job: load the web UI schema once MySQL answers, and never restart it
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
autorestart=false
startsecs=0
EOF

#### After the webui tarball is unpacked, the tac_plus.sql inside it has to be imported into the database.
#### Precondition: the MySQL service is already running, which is why this is a separate job that waits for it.

cat start.sh
#!/bin/bash
# Runs under supervisord after the container starts: wait for mysqld, import once, exit.
set -e
MARKER=/var/lib/mysql/.webui_imported
if [ -f "$MARKER" ]; then
    echo "Schema already imported, nothing to do."
    exit 0
fi
echo "Waiting for MySQL to be ready..."
while ! mysqladmin ping -h localhost -u root --silent; do
    sleep 1
done
echo "MySQL is ready, importing data..."
mysql -uroot < /usr/local/nginx/tac_plus.sql
touch "$MARKER"

tac_plus.sql

Note: the tac_plus.sql shipped inside the webui tarball has to be edited before it can be imported; the author's already-edited copy is part of the download package (its contents are not reproduced on this page). Put it in /opt/tacacs so that the Dockerfile can COPY it.

nginx.conf

cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;

    server {
        listen 81;
        server_name localhost;

        location / {
            root /usr/local/nginx;
            index index.php index.html index.htm;
        }

        location ~ \.php$ {
            root /usr/local/nginx;
            # only hand real files to php-fpm, so a request such as /x.jpg/y.php cannot
            # have an uploaded file executed as PHP
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    include /etc/nginx/conf.d/*.conf;
    # the default server in sites-enabled listens on port 80 and conflicts with Apache2, so it stays commented out
    #include /etc/nginx/sites-enabled/*;
}

3. Build the image

docker build -t tacacs:v1 .
docker images
REPOSITORY   TAG   IMAGE ID       CREATED          SIZE
tacacs       v1    9d57b17b34a1   19 seconds ago   572MB

4. Run

# 49/tcp is the TACACS+ port the network devices connect to; unless it is published the daemon
# is unreachable from outside the container. 81 is the web UI, mapped to 30080 on the host.
docker run -td --name tacplus -p 49:49 -p 30080:81 \
  -v /opt/tacacs/tac_plus.conf:/etc/tacacs+/tac_plus.conf \
  -v /opt/tacacs/nginx.conf:/etc/nginx/nginx.conf \
  tacacs:v1
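Two things are worth checking once the container is up: that port 49 is really reachable, and what the shared key does and does not protect. The following Python builds a TACACS+ authentication START packet the way a NAS would (RFC 8907 header and MD5 body obfuscation), can send it to the server and decode the status of the reply, and shows that anyone holding the key can read the body of a captured packet. It is an added example, not code from the page, from tac_plus or from any NAS: the key tacacs123 is the one in the page's tac_plus.conf, the port and remote-address strings and the session id are constructed, and probe() assumes tac_plus is listening on 127.0.0.1:49 (the tests do not call it).

```python
import hashlib
import os
import socket
import struct

TAC_PLUS_MAJOR_VER = 0xC0      # version byte: major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN = 0x01         # packet type: authentication
TAC_PLUS_UNENCRYPTED = 0x01    # header flag: body sent in clear (never enable in production)
HEADER = "!BBBBII"             # version, type, seq_no, flags, session_id, length (12 bytes)
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

# constructed identifiers for the pretend NAS session
NAS_PORT = b"vty0"
NAS_REM_ADDR = b"192.0.2.10"


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: MD5(session_id, key, version, seq_no[, previous block])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_MAJOR_VER):
    """XOR the body with the pad; the same call decodes, since XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, priv_lvl=1, port=NAS_PORT, rem_addr=NAS_REM_ADDR, data=b""):
    """START for an interactive (ASCII) login: action LOGIN, authen_type ASCII, service LOGIN.
    The password is not in this packet; the server asks for it with a GETPASS reply."""
    return (struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    header = struct.pack(HEADER, TAC_PLUS_MAJOR_VER, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(raw, key):
    """Decode a packet with the given key. With the wrong key the body is noise, which is
    also why the key must stay secret: a capture plus the key reveals every credential."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, raw[:12])
    enc = raw[12:12 + length]
    body = enc if flags & TAC_PLUS_UNENCRYPTED else obfuscate(enc, session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def reply_status(raw, key):
    """Status name of an authentication REPLY (its first body byte)."""
    body = parse_packet(raw, key)["body"]
    if not body:
        return "EMPTY"
    return AUTHEN_STATUS.get(body[0], "UNKNOWN(0x%02x)" % body[0])


def probe(host, key, user=b"chen_ro", port=49, timeout=3.0):
    """Send a START and return the reply status. A live tac_plus with the right key answers
    GETPASS; a wrong key usually shows up as a closed connection or an UNKNOWN status."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_packet(authen_start_body(user), session_id, key))
        raw = b""
        while len(raw) < 12:
            chunk = sock.recv(12 - len(raw))
            if not chunk:
                return "CLOSED"
            raw += chunk
        length = struct.unpack(HEADER, raw)[5]
        while len(raw) < 12 + length:
            chunk = sock.recv(12 + length - len(raw))
            if not chunk:
                return "CLOSED"
            raw += chunk
    return reply_status(raw, key)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1", b"tacacs123"))
```

Run it with the Docker host's address as the argument: GETPASS means port 49 is published and the key matches. The only thing hiding the username and password from a network capture is the MD5 keystream derived from the key, so change the example key, use a per-host key block for each NAS, and keep the TACACS+ traffic on a management network.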

5. Check

[screenshot: web UI login page]

Default username/password: admin/system. The pair is set by the INSERT statements in tac_plus.sql; change it before anyone else can reach the UI, which is served over plain HTTP on port 81 (30080 on the host).

Client ACL: which IP addresses may talk to the tac_plus server
[screenshot]
NAS ACL: access rules for users and groups
Attributes: the privilege-level attributes for the switches of different vendors
[screenshot]
Commands: command categories used for command authorization
[screenshot]
Nas: add the management IPs of switches and routers
Nas Group: groups of switches (like Nas, for several devices at once)
Users: add users
User Group: user groups (like Users, for several accounts at once)
Vendor: switch vendor management
Reports: AAA login audit logs and similar records

2.3 Notes on the files

1. Dockerfile

# Base image
FROM ubuntu:18.04

# Author (MAINTAINER is deprecated in favour of LABEL)
LABEL maintainer="Alyssa"

# Update
RUN apt-get update && apt-get upgrade -y

# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y

# Clear the local package cache
RUN apt-get clean

# Create a user
RUN useradd -m -d /home/andrew -s /bin/bash andrew

# Set its password (baked into the image layer, so lab use only)
RUN echo "andrew:test" | chpasswd

# Copy the OTP secret file into the image, into the user's home directory
COPY .google_authenticator /home/andrew

# Change file owner; the PAM module refuses a secret file that others can read
RUN chown andrew:andrew /home/andrew/.google_authenticator && chmod 0400 /home/andrew/.google_authenticator

# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf

# Add the tac_plus PAM stack: OTP check first (requisite: stop on failure), then the Unix
# password, with the password part forwarded from the combined password+OTP string
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus

#### To start several services from one Dockerfile, use Supervisor; it installs with apt
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf

ENV TZ=Asia/Shanghai
#### DEBIAN_FRONTEND=noninteractive lets the following installs run without prompting
ENV DEBIAN_FRONTEND=noninteractive

### The web UI needs nginx, php-fpm and MySQL. The "php" metapackage is left out because it
### pulls in apache2, which is what causes the port-80 conflict described under nginx.conf below
RUN apt-get -y install nginx php-fpm net-tools supervisor curl php-mysql php-common php-gd php-cli
COPY nginx.conf /etc/nginx/nginx.conf

### webui_v1.7b1.tar is the web UI tarball; it needs PHP and MySQL (5.7 by default). ADD unpacks it.
ADD webui_v1.7b1.tar /usr/local/nginx
RUN mkdir /run/php && chown www-data:www-data /run/php

# Install MySQL 5.7 (the version Ubuntu 18.04 ships)
RUN apt-get update && apt-get install mysql-server -y

COPY tac_plus.sql /usr/local/nginx/tac_plus.sql
COPY start.sh /usr/local/nginx/start.sh

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

2. supervisord.conf

A brief note on Supervisor:

Supervisor is a client/server system that lets its users monitor and control several processes on UNIX-like operating systems. It is written in Python; it turns an ordinary command-line program into a managed background service, watches its state and restarts it automatically when it exits unexpectedly. The managed programs are started with fork/exec as child processes of supervisord, so all that is needed is to list each program's executable in the supervisor configuration. Because they are its children, supervisord learns immediately when one of them dies and can be configured to restart it and raise an alert. Supervisor can also run supervisord itself, or each child process, as a non-root user, who is then able to manage only the corresponding processes.

The entry in the file that needs explaining is:

[program:mysql-import]
command=/bin/bash /usr/local/nginx/start.sh
autostart=true
autorestart=false
startsecs=0

### This job imports the web UI's SQL into MySQL after MySQL is up: the shell script waits until the
### service answers before running the import. It is a one-shot job, so it must not be restarted when
### it exits (autorestart=false), and startsecs=0 stops supervisord from treating its quick exit as a failure.

3. nginx.conf

The web UI needs nginx, PHP and MySQL, so nginx is configured in nginx.conf:

include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;

# Note that the second include must stay commented out: that directory contains a default server on port 80, which conflicted with the Apache2 that the "php" metapackage pulls in and made nginx fail to start. Installing php-fpm and php-cli instead of "php" avoids Apache2 altogether.

2.4 Extra: installing MySQL 8.0 on Ubuntu 18.04

# 1. Install the prerequisite packages
sudo apt install dirmngr ca-certificates software-properties-common apt-transport-https curl lsb-release -y

# 2. Import the MySQL GPG key (over HTTPS, so the key itself cannot be swapped in transit)
curl -fsSL https://repo.mysql.com/RPM-GPG-KEY-mysql-2022 | sudo gpg --dearmor | sudo tee /usr/share/keyrings/mysql.gpg > /dev/null

# 3. Add the MySQL 8.0 repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 4. (optional) Developers, or anyone with a specific need, can also add the MySQL source repository
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-8.0" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 5. (optional) Developers can also add the MySQL tools repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list
echo "deb-src [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mysql.gpg] http://repo.mysql.com/apt/ubuntu $(lsb_release -cs) mysql-tools" | sudo tee -a /etc/apt/sources.list.d/mysql.list

# 6. Update. If apt complains about a missing key, the import in step 2 failed: redo it rather than
#    passing --allow-insecure-repositories, which turns off signature checking for the repository and
#    lets anyone on the path serve you arbitrary packages
sudo apt update

# 7. Install MySQL 8.0
sudo apt install mysql-community-server

#### The rest of the configuration is the same as for any normal MySQL 8 install

Conclusion

The tacacs+ package is not available on Ubuntu 20.04 and later, so install it on Ubuntu 18.04, or build from source on Ubuntu 22.04 (the author has not located a source package and welcomes addresses in the comments; the upstream tac_plus source is published by Shrubbery Networks at https://shrubbery.net/tac_plus/). When building the tacacs+ image, adapt the files to your own needs. The web UI runs on LNMP, and MySQL 5.7 is the best match. The SQL file shipped with the web UI must be edited before it is imported, and the import must not be run during the image build, since MySQL is not running then; the start.sh job loads it after the container starts.


