Security

TACACS+ 配置:如何接收 priv-lvl 值?

  • June 27, 2016

我需要配置 TACACS+ 伺服器以了解給定使用者是否經過身份驗證* 以及他的 priv-lvl 是什麼。作為客戶端,我使用 tactest (tacacs.net) 和 TACACS+ 客戶端 Java 庫 (AXL)。

我試過這個:

user = admin {
   name = “Admin User”
   login = cleartext admin
   service = exec {
     priv-lvl = 10
 }
}

並且可以以管理員身份進行身份驗證,但無法獲得他的 priv-lvl。

以下是 tactest 的輸出:

C:\Program Files (x86)\TACACS.net>tactest -s x.x.x.x -k testing123 -u admin -p admin -author -service exec
Trying to open connection to x.x.x.x:49

Sending:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=1
IsEncrypted=True
IsSingleConnect=True
SessionID=494431516
DataLength=37
Authorization Method=Debug
Priv lvl=1
Auth Type=Ascii
Service=None
User=admin
Port=
Rem Addr=
Args: service=exec


Received Header:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=494431516
DataLength=6

Received Body:
Authorization Status=PassAdd
User=
Port=
Args:

Command Pass status = True, Message=,

------------------

SUMMARY STATISTICS

------------------

Total Commands  .....................  1
Successes  ..........................  1
Failures  ...........................  0
No Results  .........................  0
Time Taken for commands  ............  0,066 secs
Avg Possible Transactions/Second  ...  15
Network Time per command  ...........  0,017 secs
Total Network time  .................  0,017 secs
Sent Transactions/Second  ...........  11,1

有沒有辦法獲得該屬性值?

*我知道這不僅是身份驗證,也是一種授權

我終於找到了解決方案。我只需要將服務名稱更改為任何其他名稱:

user = admin {
   name = “Admin User”
   login = cleartext admin
   service = myservice {
     priv-lvl = 10
 }
}

然後我能夠在客戶端獲得 AV 對:

Received Header:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=952769599
DataLength=18

Received Body:
Authorization Status=PassAdd
User=
Port=
Args: priv-lvl=10

引用自:https://serverfault.com/questions/722972