
ACS AAA Tacacs+

I. Authentication

1.1 Add the AAA client on ACS

1. Log in to ACS and click Network Configuration.

2. Click Add Entry to add the AAA client.

3. Fill in the Hostname, the Client IP Address and the shared secret, set Authenticate Using to TACACS+ (Cisco IOS), check the entries and click Submit + Apply.

 

1.2 Switch configuration:

    Switch(config)#aaa new-model
    Switch(config)#tacacs-server host 192.168.2.1 key cisco
    Switch(config)#aaa authentication login default group tacacs+ local
    Switch(config)#line vty 0 4
    Switch(config-line)#login authentication default

It is recommended to configure a local user as a fallback:

    username xxxx privilege 15 secret xxxx

 

II. Authorization

1. Set user privileges on ACS

1. On ACS, go to Interface Configuration -> TACACS+ (Cisco IOS).

2. Tick Shell (exec) in the User column; the shell options then appear among the user configuration parameters.

3. Under Interface Configuration -> Advanced Options, confirm that the required options are ticked.

4. Click User Setup, select the user and click Edit to edit its parameters.

5. Tick Shell (exec) and set Privilege level to 10; the user can then only run level-10 commands.

2. Switch configuration

2.1 Define level 10 locally

    privilege interface level 10 shutdown
    privilege interface level 10 no
    privilege interface level 10 sw
    privilege interface level 10 description
    privilege configure level 10 interface
    privilege exec level 10 show run
    privilege exec level 10 show startup
    privilege exec level 10 configure
    privilege exec level 10 configure terminal
    privilege exec level 10 write
    privilege exec level 10 write memory

 

 

2.2 Enable exec authorization and apply it to telnet logins

    Switch(config)#aaa authorization exec default group tacacs+ local
    Switch(config)#line vty 0 4
    Switch(config-line)#authorization exec default

 

III. Accounting (auditing)

1. Switch configuration:

    Switch(config)#aaa accounting exec default start-stop group tacacs+
    Switch(config)#aaa accounting commands 0 default start-stop group tacacs+
    Switch(config)#aaa accounting commands 1 default start-stop group tacacs+
    Switch(config)#aaa accounting commands 10 default start-stop group tacacs+
    Switch(config)#aaa accounting commands 15 default start-stop group tacacs+

    Switch(config)#line vty 0 4
    Switch(config-line)#accounting exec default
    Switch(config-line)#accounting commands 0 default
    Switch(config-line)#accounting commands 1 default
    Switch(config-line)#accounting commands 10 default
    Switch(config-line)#accounting commands 15 default

 

View the accounting results on ACS

Choose Reports and Activity -> TACACS+ Administration -> TACACS+ Administration active.csv to display the current day's records.

The records include the time, the user who logged in, the commands that user ran and the device IP.

Full configuration:

!
hostname Switch

!

username xxx privilege 15 secret 5 $1$2a3R$cNAUXylGipgTIBcQQh78h/

!

!

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 10 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!
aaa new-model

tacacs-server host 192.168.2.1 key cisco

tacacs-server directed-request

 

privilege interface level 10 shutdown

privilege interface level 10 no

privilege interface level 10 sw

privilege interface level 10 description

privilege configure level 10 interface

privilege exec level 10 configure

privilege exec level 10 configure terminal

privilege exec level 10 show run

privilege exec level 10 show startup

privilege exec level 10 write

privilege exec level 10 write memory

 

line vty 0 4

login authentication default

authorization exec default

accounting exec default

accounting commands 0 default

accounting commands 1 default

accounting commands 10 default

accounting commands 15 default
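As an added example (not part of the original page), a small Python check that reads a switch running-config and verifies that the AAA design above is complete: aaa new-model present, TACACS+ method lists with local fallback, a local privilege-15 backup user, command accounting for every level the page uses, and the lists actually applied under line vty. The sample config embedded below is constructed from the page's full configuration with a placeholder secret hash.

```python
from itertools import takewhile

# Constructed sample: the page's full switch config cut down to its AAA lines (placeholder hash).
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 $1$PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.2.1 key cisco
line vty 0 4
 login authentication default
 authorization exec default
 accounting commands 0 default
 accounting commands 1 default
 accounting commands 10 default
 accounting commands 15 default
"""
LEVELS = (0, 1, 10, 15)  # privilege levels the page sends command accounting for

def audit_aaa(config):
    """Return findings; an empty list means every check on the page's design passed."""
    lines = [l.rstrip() for l in config.splitlines()]
    # Only the indented sub-commands under 'line vty' actually apply the method lists.
    rest = config.split("line vty", 1)[1].splitlines()[1:] if "line vty" in config else []
    vty = [l.strip() for l in takewhile(lambda l: l.startswith(" "), rest)]
    found = []
    if "aaa new-model" not in lines:
        found.append("aaa new-model missing: method lists are never consulted")
    for kind in ("authentication login", "authorization exec"):
        rule = [l for l in lines if l.startswith(f"aaa {kind} default ")]
        # IOS falls through to 'local' only when TACACS+ is unreachable (not on a
        # rejected login), so without it an ACS outage locks every admin out.
        if not rule or not rule[0].endswith(" local"):
            found.append(f"'aaa {kind} default' missing or without local fallback")
    if not any(l.startswith("username ") and " privilege 15 secret" in l for l in lines):
        found.append("no local privilege-15 backup user for the fallback")
    for need in ("login authentication default", "authorization exec default"):
        if need not in vty:
            found.append(f"vty lines do not apply '{need}'")
    for lvl in LEVELS:
        if f"aaa accounting commands {lvl} default start-stop group tacacs+" not in lines:
            found.append(f"no TACACS+ command accounting for level {lvl}")
        elif f"accounting commands {lvl} default" not in vty:
            found.append(f"vty lines do not apply command accounting for level {lvl}")
    return found
```

Run it against the output of `show running-config`; any finding means one leg of authentication, authorization or accounting is configured globally but silently not in effect on the vty lines.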