ACS AAA Tacacs+
I. Authentication
1.1 Add the AAA client on ACS
1. Log in to ACS and click Network Configuration.
2. Click Add Entry to add an AAA client.
3. Fill in Hostname, Client IP Address and Shared Secret, set Authenticate Using to TACACS+ (Cisco IOS), check the entries and click Submit + Apply.
1.2 Switch configuration:
Switch(config)#aaa new-model
Switch(config)#tacacs-server host 192.168.2.1 key cisco
Switch(config)#aaa authentication login default group tacacs+ local
Switch(config)#line vty 0 4
Switch(config-line)#login authentication default

A local user is recommended as a fallback in case the TACACS+ server is unreachable:
username xxxx privilege 15 secret xxxx
II. Authorization

1. Set user privileges on ACS
1. In ACS, select Interface Configuration → TACACS+ (Cisco IOS).
2. Tick Shell (exec) in the User column; the user settings will then include the shell options.
3. Confirm that the relevant options under Interface Configuration → Advanced Options are ticked.
4. Click User Setup, select the user and click Edit to edit its parameters.
5. Tick Shell (exec) and set Privilege level to 10; the user can then only execute level-10 commands.
2. Switch configuration
2.1 Define privilege level 10 locally
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 write
privilege exec level 10 write memory

2.2 Enable exec authorization and apply it to Telnet login
Switch(config)#aaa authorization exec default group tacacs+ local
Switch(config)#line vty 0 4
Switch(config-line)#authorization exec default

III. Accounting
1. Switch configuration:
Switch(config)#aaa accounting exec default start-stop group tacacs+
Switch(config)#aaa accounting commands 0 default start-stop group tacacs+
Switch(config)#aaa accounting commands 1 default start-stop group tacacs+
Switch(config)#aaa accounting commands 10 default start-stop group tacacs+
Switch(config)#aaa accounting commands 15 default start-stop group tacacs+

Switch(config)#line vty 0 4
Switch(config-line)# accounting exec default
Switch(config-line)# accounting commands 0 default
Switch(config-line)# accounting commands 1 default
Switch(config-line)# accounting commands 10 default
Switch(config-line)# accounting commands 15 default

View the accounting records on ACS
Select Reports and Activity → TACACS+ Administration → TACACS+ Administration active.csv to display the current day's records.

The records include the time, the user who logged in, the commands the user ran, the device IP address, and so on.

Full configuration:
!
hostname Switch
!
username xxx privilege 15 secret 5 $1$2a3R$cNAUXylGipgTIBcQQh78h/
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa new-model
!
tacacs-server host 192.168.2.1 key cisco
tacacs-server directed-request
!
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 write
privilege exec level 10 write memory
!
line vty 0 4
login authentication default
authorization exec default
accounting exec default
accounting commands 0 default
accounting commands 1 default
accounting commands 10 default
accounting commands 15 default
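As an added example (not part of the original post), the following Python audit checks a saved running-config for the AAA/TACACS+ pattern built on this page: AAA enabled, TACACS+ with local fallback for login and exec authorization, command accounting for every privilege level in use, the vty lines actually applying those methods, and whether the TACACS+ key is left in clear text. SAMPLE_CONFIG is constructed from the page's final configuration; the function name and finding texts are this example's own.

```python
import re

# Constructed sample (hypothetical): the AAA-relevant lines of the page's final configuration.
SAMPLE_CONFIG = """aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.2.1 key cisco
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 0 default
 accounting commands 1 default
 accounting commands 10 default
 accounting commands 15 default
"""

def audit_aaa(config, levels=(0, 1, 10, 15)):
    """Return findings for a saved running-config; an empty list means every check passed."""
    lines = config.splitlines()
    glob = [l for l in lines if l and not l.startswith(" ")]          # global-mode lines
    m = re.search(r"^line vty.*\n((?:[ ].*\n?)*)", config, re.M)       # indented vty template
    vty = [l.strip() for l in m.group(1).splitlines()] if m else []
    has = lambda pat: any(re.fullmatch(pat, l) for l in glob)
    findings = []
    if "aaa new-model" not in glob:
        findings.append("aaa new-model missing: AAA is not enabled")
    for kind in ("authentication login", "authorization exec"):        # TACACS+ first, local as fallback
        if not has(rf"aaa {kind} default group tacacs\+ local"):
            findings.append(f"{kind}: no TACACS+ method with local fallback")
    for need in ("login authentication default", "authorization exec default", "accounting exec default"):
        if need not in vty:
            findings.append(f"vty lines do not apply '{need}'")
    for lvl in levels:                                                 # command accounting per privilege level
        if not has(rf"aaa accounting commands {lvl} default start-stop group tacacs\+"):
            findings.append(f"no command accounting method for level {lvl}")
        if f"accounting commands {lvl} default" not in vty:
            findings.append(f"vty lines do not apply command accounting for level {lvl}")
    # Without 'service password-encryption' IOS keeps the TACACS+ key in clear text in the config.
    if "service password-encryption" not in glob and has(r"tacacs-server host \S+ key \S+"):
        findings.append("tacacs-server key stored in clear text")
    return findings
```

Run against the page's configuration the only finding is the clear-text TACACS+ key; removing any AAA line or vty binding produces a matching finding.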
Reposted from: https://blog.51cto.com/3379770/1436619