I. Authentication
1.1 Add the switch as an AAA client on ACS
1. Log in to ACS and click Network Configuration.
2. Click Add Entry to add an AAA client.
3. Fill in Host Name, Client IP Address and Shared Secret, set Authenticate Using to TACACS+ (Cisco IOS), check the values and click Submit + Apply.
1.2 Switch configuration:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.168.2.1 key cisco
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# login authentication default
It is recommended to configure a local user as a fallback (the `local` method is only tried when the TACACS+ server cannot be reached):
username xxxx privilege 15 secret xxxx
II. Authorization
1. Set the user's permissions on ACS
1. In ACS, select Interface Configuration -> TACACS+ (Cisco IOS).
2. Tick Shell (exec) in the User column; shell-related options are then added to the user's configuration parameters.
3. Under Interface Configuration -> Advanced Options, confirm that the required options are ticked.
4. Click User Setup, select the user, click Edit and edit the parameters.
5. Tick Shell (exec) and set Privilege level to 10; the user can then only run level-10 commands.
2. Switch configuration
2.1 Define level 10 locally
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 write
privilege exec level 10 write memory
2.2 Enable exec authorization and apply it to Telnet logins
Switch(config)# aaa authorization exec default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# authorization exec default
III. Accounting
1. Switch configuration:
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# aaa accounting commands 0 default start-stop group tacacs+
Switch(config)# aaa accounting commands 1 default start-stop group tacacs+
Switch(config)# aaa accounting commands 10 default start-stop group tacacs+
Switch(config)# aaa accounting commands 15 default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default
Switch(config-line)# accounting commands 0 default
Switch(config-line)# accounting commands 1 default
Switch(config-line)# accounting commands 10 default
Switch(config-line)# accounting commands 15 default
Viewing the accounting records on ACS
Select Reports and Activity -> TACACS+ Administration -> TACACS+ Administration active.csv to display the current day's records.
Each record includes the time, the user who logged in, the commands that user ran, the device IP and other fields.
Full configuration:
!
hostname Switch
!
username xxx privilege 15 secret 5 $1$2a3R$cNAUXylGipgTIBcQQh78h/
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa new-model
tacacs-server host 192.168.2.1 key cisco
tacacs-server directed-request
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 write
privilege exec level 10 write memory
line vty 0 4
login authentication default
authorization exec default
accounting exec default
accounting commands 0 default
accounting commands 1 default
accounting commands 10 default
accounting commands 15 default
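As an added example that is not part of the original page, the following Python check reads a running-config in the form shown above and reports which of the controls this page configures are missing: `aaa new-model`, TACACS+ authentication and exec authorization with `local` fallback, a local privilege-15 user, a type-7 encrypted TACACS+ key, `aaa accounting commands` for every privilege level in use, and the three vty sub-commands. The embedded config and the function names are constructed for this example; two lines are deliberately left out so the check has something to find.

```python
import re

# Constructed sample, not a real device: the page's final config without `aaa new-model` or `aaa accounting commands 10`.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$2a3R$cNAUXylGipgTIBcQQh78h/
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.2.1 key cisco
privilege exec level 10 configure terminal
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
"""

# Global commands the page relies on; `local` keeps a fallback when ACS is down.
REQUIRED_GLOBAL = ("aaa new-model",
                   "aaa authentication login default group tacacs+ local",
                   "aaa authorization exec default group tacacs+ local")
# Sub-commands the page applies under `line vty 0 4`.
REQUIRED_VTY = ("login authentication default", "authorization exec default",
                "accounting exec default")

def reassigned_levels(cfg):
    """Levels that `privilege <mode> level N <cmd>` moves commands into."""
    return {int(n) for n in re.findall(r"^privilege \S+ level (\d+) ", cfg, re.M)}

def accounted_levels(cfg):
    """Levels for which `aaa accounting commands N` sends records to TACACS+."""
    return {int(n) for n in re.findall(r"^aaa accounting commands (\d+) ", cfg, re.M)}

def vty_lines(cfg):
    """Indented sub-commands under `line vty`, up to the next top-level line."""
    m = re.search(r"^line vty[^\n]*\n((?: [^\n]*\n?)*)", cfg, re.M)
    return [ln.strip() for ln in m.group(1).splitlines()] if m else []

def audit(cfg):
    """Return findings; an empty list means every control from the page is present."""
    top = set(cfg.splitlines())  # exact top-level command lines
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in top]
    if not re.search(r"^username \S+ privilege 15 secret ", cfg, re.M):
        findings.append("no local privilege-15 user for when ACS is unreachable")
    if re.search(r"^tacacs-server host \S+ key (?!7 )", cfg, re.M):
        findings.append("TACACS+ key stored in cleartext; enable service password-encryption")
    # Level 1 (user exec) and 15 (privileged) always exist; add any custom levels.
    for lvl in sorted((reassigned_levels(cfg) | {1, 15}) - accounted_levels(cfg)):
        findings.append(f"level {lvl} commands are not accounted (aaa accounting commands {lvl})")
    findings += [f"line vty 0 4 lacks '{c}'" for c in REQUIRED_VTY if c not in vty_lines(cfg)]
    return findings
```

Run `audit()` over the output of `show running-config`; on the sample it reports the missing `aaa new-model`, the cleartext key and the unaccounted level 10.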