openswitch/tacacs_server

openswitch/tacacs_server镜像描述

镜像概述

本镜像提供TACACS+服务器功能，专注于测试TACACS+协议的认证、授权与审计（AAA）能力，通过不同版本标签提供多样化功能支持，满足各类测试场景需求。

标签信息

• 1.0 → 包含基础配置的TACACS+服务器
• 2.0 → TACACS服务器 + tcpdump网络调试工具
• 3.0 → TACACS服务器 + tcpdump + ethtool网络工具
• 4.0 → 基于1.0标签更新配置的TACACS+服务器
• 4.1 → 基于4.0标签，在默认路径创建审计文件
• 5.0 → 修复审计日志中客户端IPv6地址显示异常问题
• 6.0 → 更新内核并安装ntp服务
• latest → 与6.0标签内容一致

核心功能

• 支持TACACS+协议的认证、授权、审计全流程测试
• 提供多版本标签，覆盖基础测试、网络调试、日志修复等场景
• 配置包含多种认证方式（pap、chap、DES加密、系统密码文件）及用户组权限控制

使用场景

• 网络设备TACACS+认证策略验证
• 授权权限分配效果测试
• 审计日志生成与分析调试
• 网络通信数据包捕获（结合tcpdump）

配置说明

以下为服务器TACACS+配置快照：

# Encryption key
key = "tac_test"

# Set where to send accounting records
default authentication = file /etc/passwd
accounting syslog;
accounting file = /var/log/tac_plus/tac_plus.acct

# ACL for network_admin group
acl = network_admin {
	# allow access from all sources
	permit = .*
	# implicit deny (ie: anything else)
}

# ACL for sys_admin group
acl = sys_admin {
	# allow access from 10.10.10.250 only
	permit = .*
	# permit = ^10\.10\.10\.2$
	# implicit deny (ie: anything else)
}

# network_admin group, full access to network devices
group = network_admin {
        default service = permit
	acl = network_admin
        service = exec {
         priv-lvl = 14
        }
}

# sys_admin group, only has read access to the network devices and can change the access vlan on an interface
group = sys_admin {
        default service = deny
	expires = "Jan 1 2015"
	acl = sys_admin
        service = exec {
		priv-lvl = 0
	}
	cmd = enable {
		permit .*
	}
	cmd = show {
		permit .*
	}
	cmd = exit {
		permit .*
	}
	cmd = configure {
		permit .*
	}
	cmd = interface {
		permit Ethernet.*
		permit FastEthernet.*
		permit GigabitEthernet.*
	}
	cmd =  switchport  {
		permit "access vlan.*"
		permit "trunk encapsulation.*"
		permit "mode.*"
		permit "trunk allowed vlan.*"
	}
	cmd = description {
		permit .*
	}
	cmd = no {
		permit shutdown
	}
}

#user1
user = user1 {
	pap = cleartext user1
        service = exec {
         priv-lvl = 14
	 security-role = security-admin
        }
}

#user2
user = user2 {
	pap = cleartext user2
        service = exec {
         priv-lvl = 15
        }
}

#user3
user = user3 {
	chap = cleartext user3
        service = exec {
         priv-lvl = 14
        }
}

#user4
user = user4 {
	chap = cleartext user4
}

# User jonathanm using DES password and enable passwords
user = jonathanm {
	member = network_admin
	login = des 6/1aYAL9zcCe.
	enable = des dBFJQefS4S4Jw
}

# User bob authenticating from the system /etc/passwd and the default enable password
user = bob {
	login = file /etc/passwd
	member = sys_admin
        service = exec {
         priv-lvl = 11
        }
}

user = netop {
	login = file /etc/passwd
        member = network_admin
}

user = admin {
        pap = cleartext admin
        member = network_admin
}

部署示例

Docker Run命令

bash
docker run -d --name tacacs_server -p 49:49 openswitch/tacacs_server:latest

（TACACS+默认端口为49，需映射至主机端口以对外提供服务）

Docker Compose示例

yaml
version: '3'
services:
  tacacs_server:
    image: openswitch/tacacs_server:latest
    ports:
      - "49:49"
    container_name: tacacs_server
    restart: always