====== Projekt Rechnernetze ======
===== Automatische Konfiguration eines Labor-Routers mit Ansible und TACACS sowie automtische Überprüfung der Konfiguration mit PyATS =====
==== Organisation ====
=== Gruppenarbeit ===
* [[https://www.spiegel.de/start/studium-wie-man-gruppenarbeit-uebersteht-ohne-verrueckt-zu-werden-a-658585e5-9ab9-4b2f-bd7d-080cba72aec9|Wie man eine Gruppenarbeit übersteht, ohne verrückt zu werden (Spiegel.de)]]
=== Tools ===
* https://retrotool.io/ - **Feedback einholen**
----
==== Inhalt ====
=== TACACS ===
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
line con 0
login authentication CONSOLE
Konfiguration: ''/etc/tacacs/tac_plus.conf''
# The TACASC shared-secret
key = labtacacskey
# A full admin user called 'tacacs'
user = tacacs {
# allows everything that is not forbidden
default service = permit
# Create a DES encrypted password with the `tac_pwd` command
login = des Oy6FGC2LNE6ao
# Set priv 15 for user
service = exec {
priv-lvl = 15
}
cmd = show {
# deny show running-config, allow everything else (just a test)
deny running-config
}
cmd = interface {
deny "GigabitEthernet 0/1/0"
permit "GigabitEthernet 0/0/1"
permit "GigabitEthernet 0/0/0"
}
}
== TACACS Server ==
* https://shrubbery.net/tac_plus/
* https://github.com/facebook/tac_plus
* https://freebsd.pkgs.org/13/freebsd-aarch64/tac_plus-F4.0.4.28.pkg.html
== Links ==
* [[https://github.com/hpreston/rpi-networklab/blob/main/tacacs-server.md|Using a Raspberry Pi as a TACACS Server]]
* [[https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-unix/4104-8.html|Command Authorization and Privilege Levels for Cisco]]
* [[https://community.cisco.com/t5/network-access-control/tacacs-restrict-enable-mode/td-p/2910253|TACACs+ Restrict enable mode]]