TACACS+Authorization_TACACS+安装Ubuntu资源-CSDN文库

TACACS+

Auth

需积分: 20 161 浏览量 2018-11-06 17:00:19 上传评论收藏 59KB PDF 举报

资源推荐

资源详情

资源评论

TACACS+ Authorization

Within TACACS+, command and login authorizations are dependent on the use of privilege level assignments. Privilege level assignments for

users and/or AXOS system interfaces (console, CLI, craft, ) the user is using, are used to determine what privilege level a user shell starts at.

Privilege level assignments for commands determine the privilege level a command is executable at, provided that the user has the authorization

credentials. That means, If a command is assigned to a privilege level higher then that of the user the command will not be accessible.

AXOS supports two kinds of TACACS+ authorization:

When the user is authenticated, TACACS+ determines a user’s role.

A user logs into the AXOS system

The user is authenticated.

The AXOS system consults the TACACS+ server to determine the role of the user.

The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the role of the user.

The user is granted the privileges associated with the role.

Command authorization consults a TACACS+ server to get authorization for configuration commands entered by the user.

A user previously authenticated by a TACACS+ server enters a command on the AXOS system.

The AXOS system looks at its configuration to see if the command is at a privilege level that requires TACACS+ command

authorization

If the command belongs to a privilege level that requires authorization, the AXOS system consults the TACACS+ server to see if

the user is authorized to use the command.

If the user is authorized to use the command, the command is executed.

The authorization REQUEST message contains a fixed set of fields that indicate how the user was authenticated or processed and a variable set

of arguments that describe the services and options for which authorization is requested. The authorization request has the following key

parameters

authen_method - indicates the authentication method used by the client. A subset of the values are:

TAC_PLUS_AUTHEN_METH_LINE - terminal line

TAC_PLUS_AUTHEN_METH_ENABLE- the enable command that authenticates to grant new privileges

TAC_PLUS_AUTHEN_METH_LOCAL - local user database

TAC_PLUS_AUTHEN_METH_TACACSPLUS - TACACS+ itself

priv_lvl - same usage as in authentication request. the privilege level

authen_type - same usage as in authentication request. the type of authentication that was performed

authen_service - same usage as in authentication request

AVPs: Some of the common AVPs are - see TACACS+ spec for a full set

service - the primary service "slip", "ppp", "shell", "tty-server", "connection", "system" and "firewall". This attribute MUST always be

included.

protocol - the protocol - "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp",

"osicp" and "unknown"

cmd - the command name if service is shell

cmd-arg - an argument to the command if they exist. Multiple can be specified. They are expected to be in order.

acl - a number representing a conneciton access list

inacl - idenifier for an input access list

outacl - identifier for an output access list

The RESPONSE contains a variable set of response arguments (attribute-value pairs) that can restrict or modify the clients actions. This involves

the passing of AttributeValue pairs (AV pairs) from the TACACS+ server to the AXOS system. These AV pairs are configured on a per-user or

per-group basis on theTACACS+ server.

The arguments in both a REQUEST and a RESPONSE can be specified as either mandatory or optional. An optional argument is one that may

or may not be used, modified or even understood by the recipient. A mandatory argument MUST be both understood and used. This allows for

extending the attribute list while providing secure backwards compatibility.

The following illustrates the authorization process that occurs immediately following authentication.

本内容试读结束，登录后可阅读更多

下载后可阅读完整内容，剩余1页未读，立即下载

评论收藏

内容反馈

土豆娘

粉丝: 1
资源: 3

TACACS+ Authorization

TACACS+使用方法

tacacs 数据包

tacacs+协议分析

TAC-PLUS:用于网络设备的 TACACS+ 服务器-开源

Tacacs+服务器安装,tac plus服务器安装

TACACS_CLIENT:基于netty实现Tacacs+协议客户端

tacacs++ server daemon-开源

Authorization Authorization

javasnmp源码-TACACS:JavaTACACS+API（完整供客户端使用，以及用于开发服务器的框架）

Java Network Library:tacacs 在 Java 中的实现-开源

Authorization

Authorization授权

Authorization-server-application

OWIN OAuth 2.0 Authorization Server

tacacs+ client/server library-开源

tac_plus-rpm:TACACS +守护程序RPM

H3C配置AAA、RADIUS和TACACS

Authorization-Workshop

企业库06-Authorization

Authorization Objects - A simple Guide

Kerberos Authorization Directory-开源

MM Authorization MM Authorization

Outlook-Authorization

TACACS+ FUNCTIONAL Specification

AADv2-Authorization-in-Bot

SAP Authorization Concept

BASIS-Authorization maintanence

Managed Authorization

最新资源