Chapter 13. Exploring TACACS+ Attribute Values


TACACS+ AV Pairs Overview

All TACACS+ values are strings. For the most part, it is very simple to understand. An AV pair is a combination of an attribute and a value. If I said that my name is Brandon Carroll, in this string of text the attribute is name and the value is Brandon Carroll. If you were to write this in the form of a TACACS+ AV pair, it would look like the following:

name=Brandon Carroll

The "=" indicates that the value of this attribute is mandatory. You could also use the same method in the following format:

name*Brandon Carroll

In this example, the "*" indicates that the value is optional.

Each implementation of AV pairs, which are a combination of an attribute and the subsequent value of the attribute, is dependent on the version of IOS that you are using in your network. So it's actually a combination of the IOS that you are running and the support in the ACS that is important.
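The mandatory/optional distinction matters most on the receiving side: an AAA client that does not understand an attribute has to behave differently depending on which separator the server used. The following is an added example (not code from the book, from Cisco, or from ACS) that parses AV pair strings and applies that rule. It assumes the attribute name never contains "=" or "*", so the first occurrence of either character is the separator; the handling of unsupported attributes (fail on a mandatory one, ignore an optional one) follows the TACACS+ specification (RFC 8907). The supported-attribute set and the two replies are constructed sample data.

```python
"""Parse TACACS+ AV pairs and apply the mandatory ("=") / optional ("*") rule.

Added example, not code from the book or from Cisco ACS.  Assumes attribute
names contain neither "=" nor "*", so the first such character is the separator.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool

    def __str__(self) -> str:
        return f"{self.attribute}{'=' if self.mandatory else '*'}{self.value}"


def parse_avpair(text: str) -> AVPair:
    """Split one AV pair string at the first "=" (mandatory) or "*" (optional)."""
    for i, ch in enumerate(text):
        if ch in "=*":
            if i == 0:
                raise ValueError(f"empty attribute name in {text!r}")
            # Everything after the separator is the value, even if it contains
            # further "=" characters (e.g. autocmd=show ip route).
            return AVPair(text[:i], text[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"no '=' or '*' separator in {text!r}")


def apply_authorization(pairs, supported):
    """Decide how an AAA client treats the attributes in an authorization reply.

    Returns (accepted, applied): `applied` maps attribute -> value for the pairs
    the client understands.  An unsupported *mandatory* attribute fails the
    authorization outright; an unsupported *optional* attribute is ignored.
    This is the handling rule the TACACS+ specification (RFC 8907) gives.
    """
    applied = {}
    for raw in pairs:
        pair = parse_avpair(raw)
        if pair.attribute in supported:
            applied[pair.attribute] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


# Constructed sample: attributes this client understands, and two replies as a
# server might send them.  noescape/nohangup are deliberately not supported.
SUPPORTED_ATTRIBUTES = {"service", "protocol", "priv-lvl", "idletime", "autocmd"}
REPLY_OK = ["service=shell", "priv-lvl=15", "idletime*30", "noescape*true"]
REPLY_FAIL = ["service=shell", "priv-lvl=15", "nohangup=true"]

if __name__ == "__main__":
    print(apply_authorization(REPLY_OK, SUPPORTED_ATTRIBUTES))
    print(apply_authorization(REPLY_FAIL, SUPPORTED_ATTRIBUTES))
```

In REPLY_OK the optional noescape*true is silently dropped and the session is still authorized; in REPLY_FAIL the same unsupported attribute arrives as mandatory (nohangup=true) and the client must refuse the authorization rather than proceed with a weaker policy than the server intended.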



NOTE

In the next section, you can see the AV pairs that are supported by ACS version 3.1.

In combination with the network operating systems (NOSes), you can deploy a very functional AAA configuration. In the forthcoming section, you explore the concept of TACACS+ AV pairs. An explanation of each supported AV pair is also given.







Attributes of TACACS+ AV Pairs

There are many TACACS+ AV pairs. Some TACACS+ AV pairs are not supported by the NOS that you have implemented. Your best bet is to verify supported AV pairs corresponding to the IOS or PIX OS that you intend to use as an AAA client. For a list of AV pairs that specific Cisco devices support, see www.cisco.com.

The following sections are attributes that are supported by the ACS version 3.1. Each of these attributes is discussed in some detail. Note that all of these attributes are TACACS+ authentication and authorization vendor-specific attributes (VSA).



acl=

This attribute is used in EXEC or Apple Remote Access Protocol (ARAP) authorization to indicate an access class number or an access list number. A sample of this would be

acl=101

With this AV pair, we are referencing access control list (ACL) 101. Access list 101 would then be an extended IP access list configured on the router.



addr=

This attribute is used to assign an address to a user that connects via a service such as PPP/IP (Point-to-Point Protocol/Internet Protocol), or SLIP (Serial Line Internet Protocol). This attribute is available in Cisco IOS Release 11.0 and up. addr= is used with a service, for example: service=ppp and protocol=ip. Although this attribute is supported in ACS, it has been superseded by IP Pools on the group setup page in ACS.



addr-pool=

This attribute specifies a pool that is predefined. To configure this AV pair, enter the following command:

addr-pool=bigpool

NOTE

Understand that bigpool is the name of an IP pool that has been defined. This pool can be defined on the AAA client or the ACS.

This attribute has also been superseded by IP Pools in the group setup page.



autocmd=

This attribute is used to send an autocommand to be issued upon authentication. This is an EXEC service and is used with service=shell.



callback-dialstring=, callback-line=, and callback-rotary=

The callback-dialstring sets the phone number for a callback. For example, I could call into my network access server (NAS), and when I authenticate, the callback function is determined and the NAS uses the phone number defined here to call me back. This helps me cut down on phone charges.

The callback-dialstring can be used with the callback-line command, which defines the tty line that is used to call me back. An example of this is callback-line=3. You could also use the callback-rotary AV pair to define the number of a rotary group between 1 and 100 that is used in the callback. callback-rotary is not valid when using Integrated Services Digital Network (ISDN). It is used with service=arap, service=ppp, service=slip, or service=exec.

callback-dialstring has been replaced by the callback information in the group setup page.



cmd=

As seen in the attribute configuration in the preceding section, the cmd attribute specifies a command. You can create a list of permitted commands for a group, or a user.



cmd-arg=

This AV pair is used to specify any command arguments. For example, I have a user that I want to be able to edit access list 121. In ACS, I would provide the following configuration:

service=shell
permit cmd=access-list
permit cmd-arg=121

This would allow the users that authenticated with this in their profile to edit access list 121.
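To show how cmd= and cmd-arg= pairs turn into an allow/deny decision, here is an added example that is not code from the book or from ACS. It models a simplified version of per-command authorization: the AAA client reports the command the user typed as one cmd= pair followed by one cmd-arg= pair per argument, and the profile maps each permitted command to a list of permitted-argument patterns (regular expressions matched against the start of the full argument string). ACS has further options, such as a separate policy for unmatched arguments, that this example deliberately does not model. The two profiles are constructed from the chapter's access-list 121 example; the second one exists to show why an argument pattern should be anchored.

```python
"""Simplified cmd= / cmd-arg= command authorization.

Added example, not code from the book or from Cisco ACS.  A command is
permitted when it appears in the profile and some permitted-argument pattern
matches the argument string from its start (re.match semantics).
"""
import re
import shlex

# Constructed profiles mirroring "permit cmd=access-list / permit cmd-arg=121".
# PROFILE_LOOSE reproduces the chapter's entry literally; because the pattern
# is only anchored at the start, "121" also matches an argument string that
# begins with "1210".  PROFILE_STRICT anchors it to a whole token.
PROFILE_LOOSE = {"access-list": [r"121"]}
PROFILE_STRICT = {"access-list": [r"121(\s|$)"]}


def request_pairs(command_line):
    """Build the cmd= / cmd-arg= pairs an AAA client sends for a command line."""
    tokens = shlex.split(command_line)
    if not tokens:
        raise ValueError("empty command line")
    return [f"cmd={tokens[0]}"] + [f"cmd-arg={arg}" for arg in tokens[1:]]


def authorize(pairs, profile):
    """Return True if the command in `pairs` is permitted by `profile`."""
    cmd = None
    args = []
    for raw in pairs:
        attribute, _, value = raw.partition("=")
        if attribute == "cmd":
            cmd = value
        elif attribute == "cmd-arg":
            args.append(value)
    if cmd is None or cmd not in profile:
        return False            # command not in the permitted list at all
    argstr = " ".join(args)
    return any(re.match(pattern, argstr) for pattern in profile[cmd])


if __name__ == "__main__":
    for line in ("access-list 121 permit ip any any",
                 "access-list 101 permit ip any any",
                 "access-list 1210 permit ip any any",
                 "show running-config"):
        print(f"{line!r:45} loose={authorize(request_pairs(line), PROFILE_LOOSE)}"
              f" strict={authorize(request_pairs(line), PROFILE_STRICT)}")
```

The loose profile grants "access-list 1210 ..." as well as "access-list 121 ...", which is more than the administrator meant to permit; anchoring the pattern to a complete token closes that gap while still allowing the intended edits to access list 121.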



dns-servers=

This attribute is used for dial-in Microsoft users to assign the Domain Name System (DNS) servers, primary or secondary. This is negotiated during IP Control Protocol (IPCP) negotiation. Because this is used during a PPP negotiation, it is used with service=ppp and protocol=ip. When you enter these addresses, enter them in dotted decimal, such as dns-servers=4.3.2.4.



gw-password=

This attribute, gw-password, is used in Virtual Private Dial-Up Networking (VPDN) to assign the gateway password to a VPDN client. This occurs during the Layer 2 Forwarding (L2F) authentication. The service that gw-password is used with is still service=ppp; however, the protocol is VPDN, for example, protocol=vpdn.



idletime=

This attribute is pretty straightforward. idletime sets a timeout value for an established connection. The idle time is a value in minutes. For example, idletime=15 sets a 15-minute timeout once the line goes idle. Additionally, idletime=0 would enforce no timeout value.



inacl#n

The inacl#n indicates the number of an access list that should be applied inbound to an interface for the duration of a PPP connection. This is an ASCII value and doesn't work with ISDN interfaces. This access list is removed when the session terminates. inacl is used with service=ppp and protocol=ip or protocol=ipx. The access list assigned here is a per-user access list.



inacl=

inacl= has the same characteristics as the previously discussed inacl#n. inacl= has been available in Cisco IOS Releases 11.0 and up, and inacl#n has been available only since release 11.3 and up.



interface-config#

interface-config is an attribute that specifies a specific AAA configuration on an interface, per user, when used with the service=ppp and protocol=lcp. What happens here is that any IOS interface configuration command can be specified within a virtual profile. For example, an interface-config could be ip route-cache. You can use multiple instances of the same commands; however, they are distinguished by a unique number.



ip-addresses=

The ip-addresses= attribute is again used in VPDN configurations where the IP addresses are a list of possible IP address destinations of a tunnel endpoint. This is also used with service=ppp and protocol=vpdn, as seen in the attribute gw-password. This list is created using spaces.



link-compression=

The link-compression= attribute determines if "stac" compression is used for a PPP connection. It is a numeric value that ranges from 0 to 3. A value of 0 indicates that no compression is being turned on. A value of 1 determines that the compression to be used is "stac." A value of 2 determines that the compression is "stac-draft-9," and a value of 3 applies MS-stac compression. This became available in Cisco IOS Release 11.3 and later.



load-threshold=n

In dial situations, you can create multilink bundles. As the load on a connection reaches specified limits, a second connection can be brought up to alleviate some of the load from the initial link. The load-threshold=n attribute is used again with the service=ppp and protocol=multilink to code in the value at which another link in a multilink bundle is to be brought up. The possible value that you can use here can be from 1 to 255, where 255 would be 100 percent load on a link.



max-links=n

load-threshold=n can sometimes pose a problem of one user taking up all the links in a multilink bundle. The max-links=n AV pair can fix this problem by again specifying a value between 1 and 255 to determine the number of links that can be used in a bundle. This is also used with the service=ppp and protocol=multilink.



nas-password

Another VPDN configuration, nas-password, specifies the password of the NAS that is used in tunnel authentication during the L2F portion of the connection. This is used with service=ppp and protocol=vpn.



nocallback-verify

This AV pair designates that no callback verification is required, and the only value that you should ever see here is a 1. This is used with service=ppp, service=arap, service=slip, and service=shell.



noescape=

You can use the noescape= AV to allow or disallow the user to enter an escape character. The two options that you have here are true or false. This is used with the service=shell AV pair.



nohangup=

The nohangup= AV pair determines whether to hang up the line after an EXEC shell has been terminated. For example, you are authenticated to the command line of a Cisco router, and you type exit. If the nohangup= value is set to true, the line will not hang up, but rather return you to a username prompt. The available values are true or false.



old-prompts=

One of the difficult tasks to accomplish is to migrate to a new version of TACACS without it being apparent to users. The old-prompts= allows you to use old TACACS and XTACACS prompts, thus making a migration transparent to the user.



outacl=

outacl= is similar to outacl#n. It applies an access list to an interface for the duration of a user's connection. The access list needs to be preconfigured on the router prior to using the outacl= attribute. The difference between outacl# and outacl= is that in this format, the ACL number can be for a SLIP outbound access list.



outacl#n

outacl# is an ASCII access list identifier that applies an access list to an interface for the duration of a user's connection. This attribute uses the service=ppp, and protocol=ip or ipx. The per-user access list does not work on ISDN interfaces.



pool-def#n

This AV pair determines an IP address pool that is defined on the NAS. This is used with service=ppp and protocol=ip.



pool-timeout=

This is used along with the pool-def#n AV pair. It sets a timeout value for the addresses served by the pool that is defined in the pool-def#n AV pair. This is used with service=ppp and protocol=ip.



ppp-vj-slot-compression=

This AV pair determines the use of slot compression if sending VJ-compressed packets across a PPP connection.



priv-lvl=

This AV pair is pretty straightforward. In Cisco routers, you have privilege levels from 0 to 15, 0 being user-level privileges and 15 being EXEC-level privileges. The numeric values in between can be customized to provide for specific command sets available to certain users. As a user accesses the shell, service=shell, a check of privilege level is made. This AV pair sets that value.
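Several of the attributes above carry a numeric range, a true/false value, or a fixed service/protocol context, and a profile that violates one of these silently does something other than what the administrator intended (a priv-lvl outside 0 to 15, or a load-threshold placed in a shell profile where no multilink negotiation ever reads it). The following is an added example, not code from the book or from ACS, that checks a profile written as "attr=value" / "attr*value" strings against those constraints. The RANGES, BOOLEANS and CONTEXT tables are constructed from the attribute descriptions in this chapter (idletime, link-compression, load-threshold, max-links, callback-rotary, nocallback-verify, noescape, nohangup, priv-lvl, dns-servers and the service/protocol pairings), and the three sample profiles are constructed as well.

```python
"""Validate a TACACS+ authorization profile against the chapter's constraints.

Added example, not code from the book or from Cisco ACS.  The tables below are
constructed from the attribute descriptions in the chapter.
"""
import ipaddress
import re

# attribute -> (minimum, maximum or None for unbounded), as the chapter states.
RANGES = {
    "priv-lvl": (0, 15),
    "idletime": (0, None),
    "link-compression": (0, 3),
    "load-threshold": (1, 255),
    "max-links": (1, 255),
    "callback-rotary": (1, 100),
}
BOOLEANS = {"noescape", "nohangup"}
# attribute -> (required service, required protocol or None), per the chapter.
CONTEXT = {
    "priv-lvl": ("shell", None),
    "noescape": ("shell", None),
    "autocmd": ("shell", None),
    "addr": ("ppp", "ip"),
    "dns-servers": ("ppp", "ip"),
    "gw-password": ("ppp", "vpdn"),
    "ip-addresses": ("ppp", "vpdn"),
    "load-threshold": ("ppp", "multilink"),
    "max-links": ("ppp", "multilink"),
    "link-compression": ("ppp", None),
}


def split_pair(raw):
    """Split "attr=value" or "attr*value" into (attr, value); keeps '=' in values."""
    m = re.fullmatch(r"([^=*]+)[=*](.*)", raw)
    if not m:
        raise ValueError(f"malformed AV pair {raw!r}")
    return m.group(1), m.group(2)


def check_value(attribute, value):
    """Return None if the value is acceptable, otherwise a problem description."""
    if attribute in RANGES:
        low, high = RANGES[attribute]
        if not value.isdigit():
            return f"{attribute}: expected an integer, got {value!r}"
        n = int(value)
        if n < low or (high is not None and n > high):
            return f"{attribute}: {n} outside {low}..{high if high is not None else 'unbounded'}"
        return None
    if attribute in BOOLEANS:
        return None if value in ("true", "false") else f"{attribute}: expected true or false, got {value!r}"
    if attribute == "nocallback-verify":
        return None if value == "1" else f"nocallback-verify: only 1 is valid, got {value!r}"
    if attribute == "dns-servers":
        try:
            ipaddress.IPv4Address(value)       # dotted decimal, e.g. 4.3.2.4
        except ValueError:
            return f"dns-servers: {value!r} is not a dotted-decimal IPv4 address"
    return None                                # no constraint known for this attribute


def validate_profile(pairs):
    """Return a list of problems found in a profile; an empty list means consistent."""
    parsed = [split_pair(p) for p in pairs]
    present = dict(parsed)
    service, protocol = present.get("service"), present.get("protocol")
    problems = []
    for attribute, value in parsed:
        msg = check_value(attribute, value)
        if msg:
            problems.append(msg)
        if attribute in CONTEXT:
            need_service, need_protocol = CONTEXT[attribute]
            if service != need_service or (need_protocol and protocol != need_protocol):
                wanted = f"service={need_service}" + (f" protocol={need_protocol}" if need_protocol else "")
                problems.append(f"{attribute}: applies to {wanted}, profile has "
                                f"service={service} protocol={protocol}")
    return problems


# Constructed sample profiles.
GOOD_SHELL = ["service=shell", "priv-lvl=15", "idletime=15", "noescape=true"]
BAD_SHELL = ["service=shell", "priv-lvl=16", "nohangup=yes", "load-threshold=255"]
GOOD_PPP = ["service=ppp", "protocol=multilink", "load-threshold=200", "max-links=2"]

if __name__ == "__main__":
    for name, profile in (("GOOD_SHELL", GOOD_SHELL), ("BAD_SHELL", BAD_SHELL), ("GOOD_PPP", GOOD_PPP)):
        print(name, validate_profile(profile) or "ok")
```

BAD_SHELL yields three findings: priv-lvl=16 is out of range, nohangup=yes is not a true/false value, and load-threshold=255 is in range but sits in a shell profile, so the protocol=multilink logic it is meant for never sees it.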



protocol=

In the hierarchy, you have a service, such as PPP, SLIP, or shell. Underneath those services, you have a subset, which makes up the protocol. For example, if I am accessing the command line of a Cisco router, the service is shell, and the protocol might be


