AAA Basic Configuration
Key points of ACS configuration:
1. In the Interface Configuration section, select the relevant items; otherwise they will not be shown in the other sections.
2. Example on the device side
ACS authentication: the router method differs from the PIX method
Step 1> Define the TACACS+ server address and key on the device
tacacs-server host 202.101.110.110
tacacs-server directed-request
tacacs-server key test
Step 2> Define the device's IP address on the ACS
Step 3> Create the usernames and user groups on the ACS
Step 4> Configure AAA authentication on the device
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
line vty 0 4
login authentication default
Authorization and accounting:
aaa new-model
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
line vty 0 4
authorization commands 1 default
authorization commands 15 default
aaa accounting exec default start-stop group tacacs+
line vty 0 4
accounting exec default
To record the commands a user enters, configure the device as follows:
aaa new-model
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
accounting commands 0 default
accounting commands 1 default
accounting commands 15 default
I. AAA server configuration: PIX/ASA method
Chicago(config)# username admin password cisco
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# max-failed-attempts 4
Chicago(config-aaa-server)# reactivation-mode depletion deadtime 5
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
show running-config aaa-server (displays the configured aaa-server commands)
show aaa-server (displays details of the AAA servers, including the local database)
clear aaa-server statistics [tag [host hostname]]
clear aaa-server statistics protocol server-protocol
clear configure aaa-server [server-tag]
II. Configuring authentication for management sessions:
Chicago(config)# aaa authentication telnet console mygroup LOCAL
Chicago(config)# aaa authentication ssh console mygroup
Chicago(config)# aaa authentication serial console mygroup (physical console port)
aaa authentication http console mygroup
If this command is not configured, Cisco ASDM users can gain access to the ASA by entering only the enable password, and no username, at the authentication prompt.
III. Configuring AAA for network access (the deny entry that exempts the host must come before the permit entry, otherwise it is never matched):
access-list 150 extended deny ip host 172.18.124.20 any
access-list 150 extended permit ip any any
aaa authentication match 150 inside mygroup
timeout uauth hh:mm:ss [absolute | inactivity]
It is recommended to configure the absolute timeout command value for at least 2 minutes. Never configure the timeout uauth duration to 0.
auth-prompt [prompt | accept | reject] prompt text
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
aaa authorization match 100 inside mygroup
aaa authorization command {LOCAL | tacacs_server_tag [LOCAL]}
access-group 100 in interface inside per-user-override
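As an added example (not part of these notes or any Cisco tool), the following Python script audits an ASA configuration text for the pitfalls described in sections II and III: ASDM access without `aaa authentication http console`, a management session bound to a server group with no LOCAL fallback, a `timeout uauth` of 0 or an absolute value under 2 minutes, and a match ACL whose `permit ip any any` shadows a later deny. The sample configuration is constructed, and the check names are this example's own.

```python
import re

# Constructed sample ASA configuration (illustrative, not taken from a real device).
SAMPLE_CONFIG = """
aaa-server mygroup protocol radius
aaa-server mygroup host 172.18.124.11
aaa authentication telnet console mygroup LOCAL
aaa authentication ssh console mygroup
access-list 150 extended permit ip any any
access-list 150 extended deny ip host 172.18.124.20 any
aaa authentication match 150 inside mygroup
timeout uauth 0:00:00 absolute
"""

def audit_asa_aaa(config: str) -> list:
    """Return one finding string per AAA pitfall found in the configuration text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # ASDM: without 'aaa authentication http console', the enable password alone grants access.
    if not any(re.match(r"aaa authentication http console \S+", l) for l in lines):
        findings.append("no 'aaa authentication http console': ASDM accepts the enable password alone")
    # A management session bound only to a server group locks admins out if that group is unreachable.
    for l in lines:
        m = re.match(r"aaa authentication (telnet|ssh|serial|http) console (\S+)(?: (LOCAL))?$", l)
        if m and m.group(2) != "LOCAL" and not m.group(3):
            findings.append(f"{m.group(1)} console: no LOCAL fallback after group {m.group(2)}")
    # timeout uauth: never 0, and an absolute timeout of at least 2 minutes.
    for l in lines:
        m = re.match(r"timeout uauth (\d+):(\d+):(\d+)(?: (absolute|inactivity))?$", l)
        if m:
            secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
            if secs == 0:
                findings.append("timeout uauth is 0")
            elif (m.group(4) or "absolute") == "absolute" and secs < 120:
                findings.append(f"timeout uauth absolute is {secs}s, below the 2-minute recommendation")
    # Match ACLs: a 'permit ip any any' placed before a deny entry shadows that deny completely.
    acls = {}
    for l in lines:
        m = re.match(r"access-list (\S+) extended (permit|deny) (.+)$", l)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for l in lines:
        m = re.match(r"aaa (?:authentication|authorization) match (\S+) ", l)
        if m:
            entries = acls.get(m.group(1), [])
            for i, (action, rest) in enumerate(entries):
                if action == "permit" and rest == "ip any any" and any(a == "deny" for a, _ in entries[i + 1:]):
                    findings.append(f"ACL {m.group(1)}: 'permit ip any any' precedes a deny, so the deny never matches")
                    break
    return findings
```

Running `audit_asa_aaa(SAMPLE_CONFIG)` returns four findings for the constructed sample; feed it the output of `show running-config` to audit a real device offline.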