?????? : 思科 500 系列内容引擎

如何在 Cache Engine 中配置 TACACS+ 支持

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 22 日) | 反馈


目录


简介

本文描述如何配置终端访问控制器访问控制系统加上(TACACS+)支持为了访问Cisco缓存引擎。当您远程登录到Cache Engine时,在本文的说明允许您验证远程TACACS+服务器/数据库。如果服务器不包括您的用户ID的一个条目,检查本地有效访问信息。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • 在实验室环境中的已清除配置的Cisco Cache Engine 505

  • Cisco缓存引擎软件版本2.3.1

  • UNIX的CiscoSecure

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

关于文件规则的信息,请参见Cisco技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/12571/tacacs_ce500-01.gif

配置支持TACACS+的Cache Engine

完成这些步骤为了配置支持TACACS+的Cache Engine :

  1. 配置WEB缓存通信协议(WCCP)各自版本的Cache Engine。

  2. 请使用这些命令默认配置:

    authentication login local enable
    authentication configuration local enable
    
  3. 配置TACACS+服务器IP地址。如果地址主要的多个服务器指定,则辅助服务器被留下作为空白的选项。

  4. 配置验证到TACACS+服务器如主要的。如果服务器不是可用的,则默认将是本地指定的验证。

  5. 配置验证对TACACS+关键信息在必要时。

注意: 您必须启用在Cisco缓存引擎的TACACS+,因为Cisco Cache引擎使用PPP为了用TACACS服务器验证,不同于不需要PPP的路由器。为了启用在Cisco Cache引擎的TACACS+,开放Cisco Secure ACS 2.6,点击GROUP SETUP选项,并且检查在TACACS+设置地区查找的PPP IP复选框。

您的命令行应该看起来与此输出相似:

cepro(config)#tacacs server 172.18.124.114
cepro(config)#authentication login tacacs ena primary
cepro(config)#authen configuration tacacs enab

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show version —显示在Cache Engine运行的软件,以及一些其他组件作为系统持续运行(例如代码以前启动的地方和日期,被编译了)。

    cepro#show version
    Cisco Cache Engine
    Copyright (c) 1986-2001 by Cisco Systems, Inc.
    Software Release: CE ver 2.31 (Build: FCS  02/16/01)
    Compiled: 11:20:14 Feb 22 2001 by bbalagot
    Image text-base 0x108000, data_base 0x437534
    
    System restarted by Reload
    The system has been up for 20 hours, 42 minutes, 59 seconds.
    System booted from "flash"
  • show hardware —显示信息和show version命令一样,以及Cache Engine的硬件组件。

    cepro#show hardware
    Cisco Cache Engine
    Copyright (c) 1986-2001 by Cisco Systems, Inc.
    Software Release: CE ver 2.31 (Build: FCS  02/16/01)
    Compiled: 11:20:14 Feb 22 2001 by bbalagot
    Image text-base 0x108000, data_base 0x437534
    
    System restarted by Reload
    The system has been up for 21 hours, 15 minutes, 16 seconds.
    System booted from "flash"
    
    Cisco Cache Engine CE505 with CPU AMD-K6 (model 8) (rev. 12) AuthenticAMD
    2 Ethernet/IEEE 802.3 interfaces
    1 Console interface.
    134213632 bytes of Physical Memory
    131072 bytes of ROM memory.
    8388608 bytes of flash memory.
    
    List of disk drives:
         /c0t0d0  (scsi bus 0, unit 0, lun 0)
  • show running-config —显示在Cache Engine的运行的配置。

    cepro#show running-config
    
    Building configuration...
    Current configuration:
    !
    !
    !
    user add admin uid 0  password 1 "eeSdy9dcy"  capability admin-access
    user add chbanks uid 5001  password 1 "eeSdy9dcy"  capability admin-access
    !
    !
    !
    hostname cepro
    !
    interface ethernet 0
     ip address 10.27.2.2 255.255.255.0
     ip broadcast-address 10.27.2.255
    exit
    !
    !
    interface ethernet 1
    exit
    !
    ip default-gateway 10.27.2.1
    ip route 0.0.0.0 0.0.0.0 10.27.2.1
    cron file /local/etc/crontab
    !
    wccp router-list 1 10.27.2.1
    wccp web-cache router-list-num 1
    !
    authentication login tacacs enable primary
    authentication login local enable !--- on by default ---!
    authentication configuration tacacs enable
    authentication configuration local enable  !---- on by default ---!
    tacacs server 172.18.124.114 primary
    rule no-cache url-regex .*cgi-bin.*
    rule no-cache url-regex .*aw-cgi.*
    !
    !
    end
    cepro#
    
  • show tacacs —显示TACACS+服务器的设置。

    cepro#show tacacs
        Login Authentication for Console/Telnet Session: enabled (primary)
        Configuration Authentication for Console/Telnet Session: enabled
    
        TACACS Configuration:
        ---------------------
        Key        =
        Timeout    = 5 seconds
        Retransmit = 2 times
    
        Server                         Status
        ----------------------------   ------
        172.18.124.114                 primary
    
  • show statistics tacacs —显示TACACS+统计信息。

    cepro#show statistics tacacs
        TACACS+ Statistics
        -----------------
        Number of access requests: 13
        Number of access deny responses: 7
        Number of access allow responses: 0
    
  • show authentication —显示当前TACACS+当前认证和授权配置。

    cepro#show authentication
    Login Authentication:         Console/Telnet Session
    ----------------------------- -----------------------
    local                         enabled
    tacacs                        enabled (primary)
    
    Configuration Authentication: Console/Telnet Session
    ----------------------------- -----------------------
    local                         enabled
    tacacs                        enabled
    
    cepro#

故障排除命令

本部分提供的信息可用于对配置进行故障排除。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

  • show debug —显示启用的调试指令。

    cepro#show debug
    Authentication debugging is on
    Tacacs debugging is on
    
  • 终端监视器—显示调试输出对屏幕。此输出显示debug authenticationdebug tacacs命令的结果。

    cepro#terminal monitor
    cepro#authenticateUser(): Begin
    setRemoteIPAddress(): pRemoteAddress 172.18.124.193
    bAuthentication(): Begin
    bAuthenticationIntersection(): Begin
    bAuthenticationIntersection(): telnet_access 1
    setAuthenticatedService(): nServiceToAuthenticate 6
    getAuthenticatedService(): Begin
    getAuthenticatedService(): nServiceToAuthenticate = 6
    bAuthenticationIntersection() getAuthenticatedService 6
    setErrorDisplayed(): Begin bStatus 0
    getLocalLoginAuthEnable(): Begin
    getLocalLoginAuthEnable(): uiState = 1
    getTacacsLoginAuthEnable(): Begin
    getTacacsLoginAuthEnable(): uiState = 1
    getTacacsLoginAuthPrimary(): Begin
    getTacacsLoginAuthPrimary(): uiState = 1
    IncrementTacacsStatRequest(): Begin
    tacacs_plus_login() Begin
    isConsole() Begin
    getAuthenticatedService(): Begin
    getAuthenticatedService(): nServiceToAuthenticate = 6
    isConsole() nReturn 0 telnet
    tacacs_plus_login() sWhatService() tty = telnet
    getRemoteIPAddress(): Begin
    getRemoteIPAddress(): pRemoteAddress = 172.18.124.193
    tacacs_plus_login() getRemoteIPAddress sHostIp 172.18.124.193
    tacacs_malloc() Begin 164
    tacacs_malloc() PSkmalloc ptr
    getUserStruct() malloc_named ustr
    tacacs_plus_login() allocated memory for ustruct
    aaa_update_user() Begin
    debug_authen_svc() Begin
    
    aaa_update_user(): user='admin' ruser='system' port='telnet' 
        rem_addr='172.18.124.193' authen_type=1
    tacacs_plus_login() updated user
    getNumTacacsLoginAttempts(): Begin
    getNumTacacsLoginAttempts(): ulRetransmit = 2
    ####### tacacs_plus_login() num_tries 1
    aaa_start_login() Begin
    debug_start_login() Begin
    
    debug_start_login()/AUTHEN/START (0): port='telnet' list='(null)' 
        action=LOGIN service=LOGIN
    aaa_randomize_id() Begin
    tacacs_plus_start_login() Begin
    tacacs_parse_server() Begin user_str admin
    getTacacsDirectRequestEnable(): Begin
    getTacacsDirectRequestEnable(): cDirectRequestEnable = 0
    printIpAddr() Begin
    printIpAddr() 0.0.0.0
    tacacs_plus_start_login() server.ip_addr 0.0.0.0          server.type 
        0 server.length 0
    choose_version() Begin
    create_authen_start() Begin
    create_authen_start() len 45
    tacacs_malloc() Begin 45
    tacacs_malloc() PSkmalloc ptr
    create_authen_start() malloc_named tac_pak
    fill_tacacs_plus_hdr() Begin encrypt 1
    fill_tacacs_plus_hdr() len 33, tac_pak->length 33
    #### fill_tacacs_plus_hdr() tac_pak->encrypted 1
    #### fill_tacacs_plus_hdr() TEST nTestLen 33
    create_authen_start() len 33, tac_pak->length 33
    create_authen_start() u->priv_lvl  15 start->priv_lvl 15
    create_authen_start() start->action 1
    create_authen_start() start->authen_type 1
    create_authen_start() start->service 1
    create_authen_start() user_len 5
    create_authen_start() port_len 6
    create_authen_start() addr_len 14
    create_authen_start() out_len 33
    tacacs_plus_start_login() TACACS+: send AUTHEN/START packet ver=192 
        id=1541646967
    tacacs_plus_start_login() login to TACACS+ server:
    printIpAddr() Begin
    printIpAddr() 0.0.0.0
    tacacs_plus_get_conn() Begin server(0)
    printIpAddr() Begin
    printIpAddr() 0.0.0.0
    tacacs_plus_get_conn() **pSocketHandleIndex 89434348
    tacacs_plus_get_conn() Look at server in the TACACS+ server list
    tacacs_plus_get_conn() TACACS+: This is a loop through server list
    tacacs_plus_openconn() Begin
    printIpAddr() Begin
    printIpAddr() 172.18.124.114
    open_handle() Begin
    tacacs_plus_socket() Begin
    tacacs_plus_socket Socket: return nSocket 784 nSockFdTbl[28] = 784
    printIpAddr() Begin
    printIpAddr() 172.18.124.114
    open_handle() TACACS+: Opening TCP/IP connection to 172.18.124.114
    open_handle() nSockFdTbl[28]= 784
    setCurrentServer() Begin SaveCurrentServer->ip_addr 172.18.124.114
    IncrementTacacsStatPerServerRequest(): Begin
    ##### IncrementTacacsStatPerServerRequest  Server->ip_addr 1920733868 
        tacacs_root.ulTacacsServerAddr
    open_handle() socket(28) 784
    tacacs_plus_connect() Begin
    tacacs_plus_connect() socket(28) 784
    tacacs_plus_connect() End
    open_handle() is connected
    open_handle() *connection_handle 28
    open_handle() **pSocketHandleIndex 28
    tacacs_plus_openconn() **pSocketHandleIndex 28
    get_server() Begin
    tacacs_plus_openconn() server->opens++
    tacacs_plus_get_conn() **pSocketHandleIndex 28
    tacacs_plus_get_conn() oldServerCount: 0, count:0
     tacacs_plus_start_login() **pHandleIndex 28
    tacacs_plus_send_receive() Begin
    tacacs_plus_proc_send_receive() Begin
    tacacs_plus_proc_send_receive() length 33
    copy_tac_plus_packet() Begin
    tacacs_malloc() Begin 45
    tacacs_malloc() PSkmalloc ptr
    copy_tac_plus_packet() malloc_named copy
    tacacs_plus_encrypt() Begin
    getTacacsKey(): Begin
    getTacacsKey(): sKey =
    tacacs_plus_encrypt() key
    tacacs_plus_encrypt() sizeof(tacacs_plus_pkt_hdr) 12
    tacacs_plus_encrypt() sizeof(uchar) 1
    tacacs_plus_encrypt() tac_pak->encrypted 1
    tacacs_plus_encrypt() tac_pak->encrypted = TAC_PLUS_CLEAR && key is empty
    tacacs_plus_proc_send_receive() out_pak->encrypted 1
    tacacs_plus_proc_send_receive() out_pak->encrypted 1
    tacacs_plus_proc_send_receive() PSkfree dump_pak
    tacacs_plus_proc_send_receive() ntohl(out_pak->length) 33
    dump_start_session() Begin ntohl(out_pak->length) 33
    getTacacsKey(): Begin
    getTacacsKey(): sKey =
    0xc0 0x1 0x1 0x1 0x77 0xaa 0xe3 0x5b 0x0 0x0 0x0 0x21 0x1 0xf 0x1 0x1 0x5 
         0x6 0xe 0x0 0x61 0x64 0x6d
    encrypt_md5_xor() Begin
    encrypt_md5_xor() no key
    dump_summarise_incoming_packet_type() Begin
    Read AUTHEN/START size=45
    dump_nas_pak() Begin
    dump_header() Begin
    PACKET: key=
    version 192 (0xc0), type 1, seq no 1, encrypted 1
    session_id 2007688027 (0x77aae35b), Data length 33 (0x21)
    End header
    type=AUTHEN/START, priv_lvl = 15action=login
    authen_type=ascii
    service=login
    user_len=5 port_len=6 (0x6), rem_addr_len=14 (0xe)
    data_len=0
    User: port: rem_addr: data:
    End packet
    dump_start_session() PSkfree test
    getTacacsTimeout(): Begin
    getTacacsTimeout(): ulTimeout = 5
    tacacs_plus_sockwrite() Begin
    tacacs_plus_proc_send_receive() PSkfree out_pak
    getTacacsTimeout(): Begin
    getTacacsTimeout(): ulTimeout = 5
    sockread() Begin
    tacacs_plus_proc_send_receive() read
    tacacs_malloc() Begin 18
    tacacs_malloc() PSkmalloc ptr
    tacacs_plus_proc_send_receive() malloc_named *in
    tacacs_plus_proc_send_receive() allocated memory
    getTacacsTimeout(): Begin
    getTacacsTimeout(): ulTimeout = 5
    sockread() Begin
    tacacs_plus_proc_send_receive() OK
    tacacs_plus_decrypt() Begin
    getTacacsKey(): Begin
    getTacacsKey(): sKey =
    tacacs_plus_decrypt() key
    tacacs_plus_decrypt() tac_pak->encrypted = TAC_PLUS_CLEAR && key is empty
    authen_resp_sanity_check() Begin
    tacacs_plus_hdr_sanity_check() Begin
    authen_debug_response() Begin
    authen_debug_response() TACACS+: ver=192 id=1541646967 received AUTHEN 
        status = FAIL
    tacacs_plus_start_login() PSkfree out_tac_pak
    unload_authen_resp() Begin
    tacacs_plus_start_login() PSkfree in_tac_pak
    debug_authen_status() Begin
    
    TACACS+/AUTHEN (2007688027): status = FAIL
    
    tacacs_plus_login() Authentication failed.
    tacacs_plus_login() label1
    aaa_cleanup_login() Begin
    aaa_close_connection() Begin
    tacacs_plus_closeconn() Begin
    get_server() Begin
    close_handle() Begin
    close_handle() nHandleIndex 28 nSockFdTbl[**handle] 784
    aaa_set_password() Begin
    aaa_free_user() Begin
    debug_authen_svc() Begin
    aaa_close_connection() Begin
    
    TACACS+/AUTHEN: free user admin system telnet 172.18.124.193 
        authen_type=ASCII service=LOGIN priv_lv
    aaa_free_user() PSkfree ustr
    ####### tacacs_plus_login() num_tries 2
    aaa_start_login() Begin
    debug_start_login() Begin
    
    debug_start_login()/AUTHEN/START (0): port='unknown' list='(null)' 
        action=LOGIN service=LOGIN
    
    TACACS+/AUTHEN/START aaa_start_login() (0): ERROR (no ustruct)
        tacacs_plus_login() TACACS+: aaa_start
    aaa_free_user() Begin
    tacacs_plus_login() try_local_login AUTHENTICATION_INTERNAL_ERROR
    IncrementTacacsStatDenyAccess(): Begin
    localAuthentication(): Begin
    localAuthentication() usrName admin
    localAuthentication() passwd system
    localAuthentication() pUid 89435294
    localAuthentication() telnet_access
    localAuthentication() rc == TRUE
    AuthenticationIntersection(): bTacacsLogin 0
    IncrementLocalLoginStat(): Begin
    getLocalConfigAuthEnable(): Begin
    getLocalConfigAuthEnable(): uiState = 1
    getTacacsConfigAuthEnable(): Begin
    getTacacsConfigAuthEnable(): uiState = 1
    getTacacsConfigAuthPrimary(): Begin
    getTacacsConfigAuthPrimary(): uiState = 0
    localAuthentication(): Begin
    localAuthentication() usrName admin
    localAuthentication() passwd system
    localAuthentication() pUid 89435294
    localAuthentication() telnet_access
    localAuthentication() rc == TRUE
    AuthenticationIntersection(): bTacacsConfig 0
    AuthenticationIntersection():== Local Database Authentication ==
    IncrementLocalConfigStat(): Begin
    AuthenticationIntersection(): user has been found
    AuthenticationIntersection(): bTacacsLogin pUid 89435294
    AuthenticationIntersection(): GOT ACCESS capab 0 Admin 0 Ftp 0 Http 0 
        Telnet 0
    
    authenticateUser() AUTHENTICATION IS OK
    authenticateUser() AUTHENTICATION #2
    

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 12571