1. Test topology
2. Basic configuration
R1:
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
no shut
3. Create a CLI view on R1
A. Enable AAA
aaa new-model
-- The line-based fallback below must not be used; the login method list must not contain none:
aaa authentication login noacs line none
line con 0
login authentication noacs
line vty 0 4
login authentication noacs
B. Set the enable secret
enable secret cisco
C. Enter the root view, create a view, and define the commands the view is allowed to execute (the parser view block is entered in global configuration mode)
R1#enable view
Password:
R1#
*Mar 1 00:28:11.447: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
parser view secop-view
secret cisco
commands exec include show access-lists
commands exec include configure terminal
commands configure include ip access-list extended
commands ipenacl include all deny
commands ipenacl include all permit
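The parser view above grants secop-view a narrow slice of the CLI: a show command, entry into configuration mode, and only the extended named ACL submode within it. When several views accumulate on a device it is worth auditing them from the running configuration rather than by hand. The following Python script is an added example, not part of the original post: it parses parser view blocks out of a running-config text, records each commands line (parser mode, include/exclude action, whether "all" was given, and the command string), and reports which views can reach configuration mode and which configuration submodes they can touch. The sample configuration is constructed for the example, modelled on the secop-view block from this post plus a second hypothetical helpdesk-view; the secret hashes are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config, not a capture from a real device.
# secop-view mirrors the view defined in the post; helpdesk-view is hypothetical.
SAMPLE_CONFIG = """\
!
parser view secop-view
 secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
 commands exec include show access-lists
 commands exec include configure terminal
 commands configure include ip access-list extended
 commands ipenacl include all deny
 commands ipenacl include all permit
!
parser view helpdesk-view
 secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
 commands exec include show interfaces
 commands exec exclude configure terminal
!
"""

# One entry per "commands <mode> <action> [all] <command>" line:
# (parser mode, action, all-flag, command text)
Entry = Tuple[str, str, bool, str]

VIEW_RE = re.compile(r"^parser view (\S+)")
CMD_RE = re.compile(
    r"^\s*commands\s+(\S+)\s+(include-exclusive|include|exclude)\s+(all\s+)?(.+?)\s*$"
)


def parse_views(config: str) -> Dict[str, List[Entry]]:
    """Return {view name: [entries]} for every parser view block in the config."""
    views: Dict[str, List[Entry]] = {}
    current = None
    for line in config.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views[current] = []
            continue
        # IOS indents sub-commands by one space; anything unindented ends the block.
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        m = CMD_RE.match(line)
        if m:
            mode, action, all_flag, cmd = m.groups()
            views[current].append((mode, action, bool(all_flag), cmd))
    return views


def can_enter_config_mode(entries: List[Entry]) -> bool:
    """True if the view is allowed to run 'configure ...' from EXEC mode."""
    return any(
        mode == "exec" and action != "exclude" and cmd.startswith("configure")
        for mode, action, _all, cmd in entries
    )


def config_modes_reachable(entries: List[Entry]) -> Set[str]:
    """Configuration parser modes the view has at least one included command in."""
    return {
        mode
        for mode, action, _all, _cmd in entries
        if mode != "exec" and action != "exclude"
    }


def audit(config: str) -> Dict[str, Dict[str, object]]:
    """Summarise every view: can it configure, and which config submodes it reaches."""
    report = {}
    for name, entries in parse_views(config).items():
        report[name] = {
            "config_mode": can_enter_config_mode(entries),
            "submodes": sorted(config_modes_reachable(entries)),
            "commands": len(entries),
        }
    return report


if __name__ == "__main__":
    for name, summary in audit(SAMPLE_CONFIG).items():
        print(name, summary)
```

Feed the script the output of show running-config (saved to a file) to get the same report for a real device; a view whose config_mode flag is true deserves a second look at exactly which submodes it can reach.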
The view can be tested without ACS:
R1#enable view secop-view
Password:
R1#sh
*Mar 1 00:39:19.611: %PARSER-6-VIEW_SWITCH: successfully set to view 'secop-view'.
R1#?
Exec commands:
configure Enter configuration mode
credential load the credential info from file system
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#
4. Configure the authentication and authorization methods on R1
A. Define the RADIUS or TACACS+ server:
radius-server host 100.1.1.100 key cisco
or
tacacs-server host 100.1.1.100 key cisco
B. Define the authentication and authorization method lists:
aaa authentication login acsradius group radius
aaa authorization exec acsradius group radius
or:
aaa authentication login acstacas group tacacs+
aaa authorization exec acstacas group tacacs+
C. Apply the authentication and authorization method lists to the vty lines:
line vty 0 4
login authentication acsradius
authorization exec acsradius
or:
line vty 0 4
login authentication acstacas
authorization exec acstacas
5. ACS configuration
A. Add the AAA client:
When adding a RADIUS client, Authenticate Using must be set to RADIUS (Cisco IOS/PIX 6.0); only then do the av-pair settings appear in the user or group options.
Thanks to ozeds' blog post: http://ozeds666.blog.51cto.com/2221129/941278
B. Add the user and associate the authorization
For RADIUS authentication and authorization, set the user's [009\001] cisco-av-pair attribute to:
shell:cli-view-name=secop-view
For TACACS+ authentication and authorization, tick Shell (exec) and Custom attributes under TACACS+ Settings, with the content cli-view-name=secop-view
--- If Custom attributes is not shown, go to Interface Configuration -> TACACS+ (Cisco) -> Advanced Configuration Options and tick:
Display a window for each service selected in which you can enter customized TACACS+ attributes
C. Test authentication by telnetting to the router through the ACS server
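The "[009\001] cisco-av-pair" label in ACS describes how the view name actually travels in the RADIUS Access-Accept: attribute 26 (Vendor-Specific) carrying Vendor-Id 9 (Cisco) and vendor sub-attribute 1 (Cisco-AVPair), whose value is the string shell:cli-view-name=secop-view. The following Python code is an added example, not part of the original post or of ACS: it encodes such an av-pair into the on-the-wire attribute bytes, walks a RADIUS attribute list to pull every Cisco-AVPair back out, and extracts the view name the router would switch the session into. The sample attribute list (a User-Name of "secop" plus the av-pair) is constructed for the example; packet header, authenticator and shared-secret handling are outside its scope.

```python
import struct
from typing import List, Optional

RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1               # vendor sub-attribute: Cisco-AVPair
VIEW_PREFIX = "shell:cli-view-name="


def encode_attr(atype: int, value: bytes) -> bytes:
    """Encode a plain RADIUS attribute: Type(1) Length(1) Value."""
    length = 2 + len(value)
    if length > 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, length) + value


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a RADIUS Vendor-Specific attribute.

    Layout: Type=26, Length, Vendor-Id=9, then Vendor-Type=1, Vendor-Length, string.
    """
    data = value.encode("ascii")
    vendor_len = 2 + len(data)
    if vendor_len > 255:
        raise ValueError("av-pair too long for a single VSA")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, vendor_len) + data
    return encode_attr(RADIUS_ATTR_VENDOR_SPECIFIC,
                       struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_cisco_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string in it.

    Malformed lengths raise rather than being skipped, so truncated or
    overlapping attributes are never silently accepted.
    """
    pairs: List[str] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = 4
                while j < len(body):
                    if j + 2 > len(body):
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = body[j], body[j + 1]
                    if vlen < 2 or j + vlen > len(body):
                        raise ValueError("malformed vendor sub-attribute length")
                    if vtype == CISCO_AVPAIR_TYPE:
                        pairs.append(body[j + 2:j + vlen].decode("ascii", "replace"))
                    j += vlen
        i += alen
    return pairs


def cli_view_from_avpairs(pairs: List[str]) -> Optional[str]:
    """Return the CLI view name carried in the av-pairs, or None if absent."""
    for pair in pairs:
        if pair.startswith(VIEW_PREFIX):
            return pair[len(VIEW_PREFIX):]
    return None


def sample_access_accept_attrs() -> bytes:
    """Constructed attribute list as ACS would return it for user 'secop'."""
    return (encode_attr(RADIUS_ATTR_USER_NAME, b"secop")
            + encode_cisco_avpair(VIEW_PREFIX + "secop-view"))


if __name__ == "__main__":
    attrs = sample_access_accept_attrs()
    print(attrs.hex())
    print(cli_view_from_avpairs(decode_cisco_avpairs(attrs)))
```

Seeing the bytes makes it clear why the client entry must be created with the Cisco IOS/PIX 6.0 vendor type: ACS only offers the vendor 9 sub-attribute 1 field for clients of that type, and without it no view name reaches the router.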
This article is reposted from 碧云天's 51CTO blog. Original link: http://blog.51cto.com/333234/1054426. To republish, contact the original author.