本文档介绍如何配置终端访问控制器访问控制系统Plus(TACACS+)支持以访问思科缓存引擎。本文档中的说明允许您在telnet至缓存引擎时根据远程TACACS+服务器/数据库进行验证。如果服务器不包含您的用户ID的条目,它会在本地检查是否有效的访问信息。
本文档没有任何特定的要求。
本文档中的信息基于以下软件和硬件版本:
在实验室环境中的已清除配置的Cisco Cache Engine 505
思科缓存引擎软件版本2.3.1
适用于UNIX的CiscoSecure
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
关于文件规则的信息,请参见Cisco技术提示规则。
本部分提供有关如何配置本文档所述功能的信息。
注意:使用命令查找工具(仅限注册客户)可获取有关本节中使用的命令的详细信息。
本文档使用以下网络设置:
要为TACACS+支持配置缓存引擎,请完成以下步骤:
为Web缓存通信协议(WCCP)的相应版本配置缓存引擎。
对默认配置使用以下命令:
authentication login local enable authentication configuration local enable
配置TACACS+服务器IP地址。如果多台服务器指定哪个地址是主地址,则辅助服务器将留空选项。
将TACACS+服务器的身份验证配置为主服务器。如果服务器不可用,则默认为本地指定的身份验证。
根据需要配置对TACACS+密钥信息的身份验证。
注意:您必须在思科缓存引擎上启用TACACS+,因为思科缓存引擎使用PPP来向TACACS服务器进行身份验证,而不是不需要PPP的路由器。要在Cisco缓存引擎上启用TACACS+,请打开Cisco Secure ACS 2.6,单击Group Setup选项卡,然后选中TACACS+ Settings区域中的PPP IP 复选框。
您的命令行应类似于以下输出:
cepro(config)#tacacs server 172.18.124.114 cepro(config)#authentication login tacacs ena primary cepro(config)#authen configuration tacacs enab
使用本部分可确认配置能否正常运行。
命令输出解释程序(仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。
show version — 显示在缓存引擎上运行的软件以及一些其他组件作为系统正常运行时间(例如之前引导代码的位置和编译代码的日期)。
cepro#show version Cisco Cache Engine Copyright (c) 1986-2001 by Cisco Systems, Inc. Software Release: CE ver 2.31 (Build: FCS 02/16/01) Compiled: 11:20:14 Feb 22 2001 by bbalagot Image text-base 0x108000, data_base 0x437534 System restarted by Reload The system has been up for 20 hours, 42 minutes, 59 seconds. System booted from "flash"
show hardware — 显示与show version命令以及缓存引擎的硬件组件相同的信息。
cepro#show hardware Cisco Cache Engine Copyright (c) 1986-2001 by Cisco Systems, Inc. Software Release: CE ver 2.31 (Build: FCS 02/16/01) Compiled: 11:20:14 Feb 22 2001 by bbalagot Image text-base 0x108000, data_base 0x437534 System restarted by Reload The system has been up for 21 hours, 15 minutes, 16 seconds. System booted from "flash" Cisco Cache Engine CE505 with CPU AMD-K6 (model 8) (rev. 12) AuthenticAMD 2 Ethernet/IEEE 802.3 interfaces 1 Console interface. 134213632 bytes of Physical Memory 131072 bytes of ROM memory. 8388608 bytes of flash memory. List of disk drives: /c0t0d0 (scsi bus 0, unit 0, lun 0)
show running-config — 显示缓存引擎上的运行配置。
cepro#show running-config Building configuration... Current configuration: ! ! ! user add admin uid 0 password 1 "eeSdy9dcy" capability admin-access user add chbanks uid 5001 password 1 "eeSdy9dcy" capability admin-access ! ! ! hostname cepro ! interface ethernet 0 ip address 10.27.2.2 255.255.255.0 ip broadcast-address 10.27.2.255 exit ! ! interface ethernet 1 exit ! ip default-gateway 10.27.2.1 ip route 0.0.0.0 0.0.0.0 10.27.2.1 cron file /local/etc/crontab ! wccp router-list 1 10.27.2.1 wccp web-cache router-list-num 1 ! authentication login tacacs enable primary authentication login local enable !--- on by default ---! authentication configuration tacacs enable authentication configuration local enable !---- on by default ---! tacacs server 172.18.124.114 primary rule no-cache url-regex .*cgi-bin.* rule no-cache url-regex .*aw-cgi.* ! ! end cepro#
show tacacs — 显示TACACS+服务器的设置。
cepro#show tacacs Login Authentication for Console/Telnet Session: enabled (primary) Configuration Authentication for Console/Telnet Session: enabled TACACS Configuration: --------------------- Key = Timeout = 5 seconds Retransmit = 2 times Server Status ---------------------------- ------ 172.18.124.114 primary
show statistics tacacs — 显示TACACS+统计信息。
cepro#show statistics tacacs TACACS+ Statistics ----------------- Number of access requests: 13 Number of access deny responses: 7 Number of access allow responses: 0
show authentication — 显示当前TACACS+当前身份验证和授权配置。
cepro#show authentication Login Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled (primary) Configuration Authentication: Console/Telnet Session ----------------------------- ----------------------- local enabled tacacs enabled cepro#
本部分提供的信息可用于对配置进行故障排除。
命令输出解释程序(仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。
注意:在使用debug命令之前,请参阅有关Debug命令的重要信息。
show debug — 显示已启用的debug命令。
cepro#show debug Authentication debugging is on Tacacs debugging is on
terminal monitor — 将调试输出显示到屏幕。此输出显示debug authentication和debug tacacs命令的结果。
cepro#terminal monitor cepro#authenticateUser(): Begin setRemoteIPAddress(): pRemoteAddress 172.18.124.193 bAuthentication(): Begin bAuthenticationIntersection(): Begin bAuthenticationIntersection(): telnet_access 1 setAuthenticatedService(): nServiceToAuthenticate 6 getAuthenticatedService(): Begin getAuthenticatedService(): nServiceToAuthenticate = 6 bAuthenticationIntersection() getAuthenticatedService 6 setErrorDisplayed(): Begin bStatus 0 getLocalLoginAuthEnable(): Begin getLocalLoginAuthEnable(): uiState = 1 getTacacsLoginAuthEnable(): Begin getTacacsLoginAuthEnable(): uiState = 1 getTacacsLoginAuthPrimary(): Begin getTacacsLoginAuthPrimary(): uiState = 1 IncrementTacacsStatRequest(): Begin tacacs_plus_login() Begin isConsole() Begin getAuthenticatedService(): Begin getAuthenticatedService(): nServiceToAuthenticate = 6 isConsole() nReturn 0 telnet tacacs_plus_login() sWhatService() tty = telnet getRemoteIPAddress(): Begin getRemoteIPAddress(): pRemoteAddress = 172.18.124.193 tacacs_plus_login() getRemoteIPAddress sHostIp 172.18.124.193 tacacs_malloc() Begin 164 tacacs_malloc() PSkmalloc ptr getUserStruct() malloc_named ustr tacacs_plus_login() allocated memory for ustruct aaa_update_user() Begin debug_authen_svc() Begin aaa_update_user(): user='admin' ruser='system' port='telnet' rem_addr='172.18.124.193' authen_type=1 tacacs_plus_login() updated user getNumTacacsLoginAttempts(): Begin getNumTacacsLoginAttempts(): ulRetransmit = 2 ####### tacacs_plus_login() num_tries 1 aaa_start_login() Begin debug_start_login() Begin debug_start_login()/AUTHEN/START (0): port='telnet' list='(null)' action=LOGIN service=LOGIN aaa_randomize_id() Begin tacacs_plus_start_login() Begin tacacs_parse_server() Begin user_str admin getTacacsDirectRequestEnable(): Begin getTacacsDirectRequestEnable(): cDirectRequestEnable = 0 printIpAddr() Begin printIpAddr() 0.0.0.0 tacacs_plus_start_login() server.ip_addr 0.0.0.0 server.type 0 server.length 0 choose_version() Begin create_authen_start() Begin create_authen_start() len 45 tacacs_malloc() Begin 45 tacacs_malloc() PSkmalloc ptr create_authen_start() malloc_named tac_pak fill_tacacs_plus_hdr() Begin encrypt 1 fill_tacacs_plus_hdr() len 33, tac_pak->length 33 #### fill_tacacs_plus_hdr() tac_pak->encrypted 1 #### fill_tacacs_plus_hdr() TEST nTestLen 33 create_authen_start() len 33, tac_pak->length 33 create_authen_start() u->priv_lvl 15 start->priv_lvl 15 create_authen_start() start->action 1 create_authen_start() start->authen_type 1 create_authen_start() start->service 1 create_authen_start() user_len 5 create_authen_start() port_len 6 create_authen_start() addr_len 14 create_authen_start() out_len 33 tacacs_plus_start_login() TACACS+: send AUTHEN/START packet ver=192 id=1541646967 tacacs_plus_start_login() login to TACACS+ server: printIpAddr() Begin printIpAddr() 0.0.0.0 tacacs_plus_get_conn() Begin server(0) printIpAddr() Begin printIpAddr() 0.0.0.0 tacacs_plus_get_conn() **pSocketHandleIndex 89434348 tacacs_plus_get_conn() Look at server in the TACACS+ server list tacacs_plus_get_conn() TACACS+: This is a loop through server list tacacs_plus_openconn() Begin printIpAddr() Begin printIpAddr() 172.18.124.114 open_handle() Begin tacacs_plus_socket() Begin tacacs_plus_socket Socket: return nSocket 784 nSockFdTbl[28] = 784 printIpAddr() Begin printIpAddr() 172.18.124.114 open_handle() TACACS+: Opening TCP/IP connection to 172.18.124.114 open_handle() nSockFdTbl[28]= 784 setCurrentServer() Begin SaveCurrentServer->ip_addr 172.18.124.114 IncrementTacacsStatPerServerRequest(): Begin ##### IncrementTacacsStatPerServerRequest Server->ip_addr 1920733868 tacacs_root.ulTacacsServerAddr open_handle() socket(28) 784 tacacs_plus_connect() Begin tacacs_plus_connect() socket(28) 784 tacacs_plus_connect() End open_handle() is connected open_handle() *connection_handle 28 open_handle() **pSocketHandleIndex 28 tacacs_plus_openconn() **pSocketHandleIndex 28 get_server() Begin tacacs_plus_openconn() server->opens++ tacacs_plus_get_conn() **pSocketHandleIndex 28 tacacs_plus_get_conn() oldServerCount: 0, count:0 tacacs_plus_start_login() **pHandleIndex 28 tacacs_plus_send_receive() Begin tacacs_plus_proc_send_receive() Begin tacacs_plus_proc_send_receive() length 33 copy_tac_plus_packet() Begin tacacs_malloc() Begin 45 tacacs_malloc() PSkmalloc ptr copy_tac_plus_packet() malloc_named copy tacacs_plus_encrypt() Begin getTacacsKey(): Begin getTacacsKey(): sKey = tacacs_plus_encrypt() key tacacs_plus_encrypt() sizeof(tacacs_plus_pkt_hdr) 12 tacacs_plus_encrypt() sizeof(uchar) 1 tacacs_plus_encrypt() tac_pak->encrypted 1 tacacs_plus_encrypt() tac_pak->encrypted = TAC_PLUS_CLEAR && key is empty tacacs_plus_proc_send_receive() out_pak->encrypted 1 tacacs_plus_proc_send_receive() out_pak->encrypted 1 tacacs_plus_proc_send_receive() PSkfree dump_pak tacacs_plus_proc_send_receive() ntohl(out_pak->length) 33 dump_start_session() Begin ntohl(out_pak->length) 33 getTacacsKey(): Begin getTacacsKey(): sKey = 0xc0 0x1 0x1 0x1 0x77 0xaa 0xe3 0x5b 0x0 0x0 0x0 0x21 0x1 0xf 0x1 0x1 0x5 0x6 0xe 0x0 0x61 0x64 0x6d encrypt_md5_xor() Begin encrypt_md5_xor() no key dump_summarise_incoming_packet_type() Begin Read AUTHEN/START size=45 dump_nas_pak() Begin dump_header() Begin PACKET: key= version 192 (0xc0), type 1, seq no 1, encrypted 1 session_id 2007688027 (0x77aae35b), Data length 33 (0x21) End header type=AUTHEN/START, priv_lvl = 15action=login authen_type=ascii service=login user_len=5 port_len=6 (0x6), rem_addr_len=14 (0xe) data_len=0 User: port: rem_addr: data: End packet dump_start_session() PSkfree test getTacacsTimeout(): Begin getTacacsTimeout(): ulTimeout = 5 tacacs_plus_sockwrite() Begin tacacs_plus_proc_send_receive() PSkfree out_pak getTacacsTimeout(): Begin getTacacsTimeout(): ulTimeout = 5 sockread() Begin tacacs_plus_proc_send_receive() read tacacs_malloc() Begin 18 tacacs_malloc() PSkmalloc ptr tacacs_plus_proc_send_receive() malloc_named *in tacacs_plus_proc_send_receive() allocated memory getTacacsTimeout(): Begin getTacacsTimeout(): ulTimeout = 5 sockread() Begin tacacs_plus_proc_send_receive() OK tacacs_plus_decrypt() Begin getTacacsKey(): Begin getTacacsKey(): sKey = tacacs_plus_decrypt() key tacacs_plus_decrypt() tac_pak->encrypted = TAC_PLUS_CLEAR && key is empty authen_resp_sanity_check() Begin tacacs_plus_hdr_sanity_check() Begin authen_debug_response() Begin authen_debug_response() TACACS+: ver=192 id=1541646967 received AUTHEN status = FAIL tacacs_plus_start_login() PSkfree out_tac_pak unload_authen_resp() Begin tacacs_plus_start_login() PSkfree in_tac_pak debug_authen_status() Begin TACACS+/AUTHEN (2007688027): status = FAIL tacacs_plus_login() Authentication failed. tacacs_plus_login() label1 aaa_cleanup_login() Begin aaa_close_connection() Begin tacacs_plus_closeconn() Begin get_server() Begin close_handle() Begin close_handle() nHandleIndex 28 nSockFdTbl[**handle] 784 aaa_set_password() Begin aaa_free_user() Begin debug_authen_svc() Begin aaa_close_connection() Begin TACACS+/AUTHEN: free user admin system telnet 172.18.124.193 authen_type=ASCII service=LOGIN priv_lv aaa_free_user() PSkfree ustr ####### tacacs_plus_login() num_tries 2 aaa_start_login() Begin debug_start_login() Begin debug_start_login()/AUTHEN/START (0): port='unknown' list='(null)' action=LOGIN service=LOGIN TACACS+/AUTHEN/START aaa_start_login() (0): ERROR (no ustruct) tacacs_plus_login() TACACS+: aaa_start aaa_free_user() Begin tacacs_plus_login() try_local_login AUTHENTICATION_INTERNAL_ERROR IncrementTacacsStatDenyAccess(): Begin localAuthentication(): Begin localAuthentication() usrName admin localAuthentication() passwd system localAuthentication() pUid 89435294 localAuthentication() telnet_access localAuthentication() rc == TRUE AuthenticationIntersection(): bTacacsLogin 0 IncrementLocalLoginStat(): Begin getLocalConfigAuthEnable(): Begin getLocalConfigAuthEnable(): uiState = 1 getTacacsConfigAuthEnable(): Begin getTacacsConfigAuthEnable(): uiState = 1 getTacacsConfigAuthPrimary(): Begin getTacacsConfigAuthPrimary(): uiState = 0 localAuthentication(): Begin localAuthentication() usrName admin localAuthentication() passwd system localAuthentication() pUid 89435294 localAuthentication() telnet_access localAuthentication() rc == TRUE AuthenticationIntersection(): bTacacsConfig 0 AuthenticationIntersection():== Local Database Authentication == IncrementLocalConfigStat(): Begin AuthenticationIntersection(): user has been found AuthenticationIntersection(): bTacacsLogin pUid 89435294 AuthenticationIntersection(): GOT ACCESS capab 0 Admin 0 Ftp 0 Http 0 Telnet 0 authenticateUser() AUTHENTICATION IS OK authenticateUser() AUTHENTICATION #2