1: The client logs in to SERVER; authentication is done by the AAA server
2: The client logs in to SERVER; authorization (EXEC authorization and command authorization) is done by the AAA server
3: The client logs in to SERVER; accounting (EXEC accounting and command accounting) is done by the AAA server
Local fallback configuration on SERVER (line and enable passwords; the method lists below fall back to these when the TACACS+ server cannot be reached). Note that enable password stores the secret reversibly; enable secret is the form to use outside a lab:
SERVER(config)#line vty 0 15
SERVER(config-line)#password cisco
SERVER(config-line)#exit
SERVER(config)#enable password cisco
SERVER(config)#line console 0
SERVER(config-line)#password cisco
SERVER(config-line)#exit
SERVER(config)#aaa new-model
SERVER(config)#aaa authentication login zt line none
SERVER(config)#line console 0
SERVER(config-line)#login authentication zt
SERVER(config)#line aux 0
SERVER(config-line)#login authentication zt
SERVER(config-line)#exit
SERVER(config)#tacacs-server host 200.200.200.207 key zhangteng123
AAA server--authentication (method list ztccie: ask TACACS+ first; if the server is unreachable fall back to the line password; the trailing none means no authentication at all when neither is available, which is acceptable only in a lab):
SERVER(config)#aaa authentication login ztccie group tacacs+ line none
SERVER(config)#line vty 0 15
SERVER(config-line)#login authentication ztccie
SERVER(config-line)#end
Create a user cisco with password cisco on the AAA server and verify from SERVER that the TACACS+ server group accepts it:
SERVER#test aaa group tacacs+ cisco cisco new-code
Trying to authenticate with Servergroup tacacs+
Sending password
User successfully authenticated
client#telnet 200.200.200.2
Trying 200.200.200.2 ... Open
Username: cisco
Password:
Password:
SERVER#
SERVER#sho priv
Current privilege level is 15
(The second Password: prompt is for enable, which the capture does not show: with login authentication alone a TACACS+ user lands at level 1, and level 15 still comes from the local enable password.)
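The exchange behind the test aaa and telnet logins above, as an added example that is not part of the original page: a Python model of the TACACS+ (RFC 8907) ASCII login, including the body obfuscation that the shared key from tacacs-server host ... key zhangteng123 drives. The user database, the port name tty2 and the remote address are constructed for the example, and the server side is a minimal stand-in for the AAA server, not ACS code. It shows what the key actually does: the packet body is XORed with an MD5 pad derived from the key, so anyone holding the key (or a config backup containing it) reads usernames and passwords straight out of a capture, and a key mismatch shows up as a body whose length fields do not parse.

```python
"""TACACS+ (RFC 8907) ASCII login exchange between SERVER (the client) and the AAA host.

Added example, not code from the page. It builds the packets the 'cisco' login above
puts on the wire and a minimal server that answers them, so that the role of the key
from 'tacacs-server host ... key' is visible. Key, user and password are the page's
lab values reused as constructed data; port, remote address and the server are assumed.
"""
import hashlib
import os
import struct

KEY = b"zhangteng123"          # tacacs-server host 200.200.200.207 key zhangteng123
USERS = {b"cisco": b"cisco"}   # constructed: the test account created on the AAA server

VERSION = 0xC0                 # major 0xC, minor 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN = PRIV_LVL_USER = AUTHEN_TYPE_ASCII = SERVICE_LOGIN = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS, STATUS_ERROR = 0x01, 0x02, 0x05, 0x07

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 chain over session_id|key|version|seq_no, each round fed the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR with the pad; the same call decodes. This is obfuscation, not encryption."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def packet(ptype, seq_no, session_id, body, key):
    # 12-byte header: version, type, seq_no, flags (0x01 would mean cleartext body), session_id, length
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def unpack(raw, key):
    """(type, seq_no, session_id, body); decoding with the wrong key yields a garbage body."""
    _ver, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    return ptype, seq_no, session_id, obfuscate(raw[12:12 + length], session_id, key, seq_no)

def authen_start(user, port=b"tty2", rem_addr=b"200.200.200.1"):
    """ASCII login START: action, priv_lvl, authen_type, service, four lengths, then the strings."""
    return struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr

def parse_start(body):
    """User field of a START, or None when the length fields do not add up (key mismatch)."""
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    return body[8:8 + user_len]

def authen_continue(user_msg):          # CONTINUE: user_msg_len, data_len, flags, user_msg
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def authen_reply(status, server_msg=b""):   # REPLY: status, flags, server_msg_len, data_len, msg
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        return STATUS_ERROR, b"body does not parse: key mismatch?"
    return status, body[6:6 + msg_len]

def server_handle(raw, state, key):
    """Minimal AAA server: START (seq 1) -> GETPASS, CONTINUE (seq 3) -> PASS or FAIL."""
    _ptype, seq_no, session_id, body = unpack(raw, key)
    if seq_no == 1:
        user = parse_start(body)
        if user is None:
            return packet(TYPE_AUTHEN, 2, session_id, authen_reply(STATUS_ERROR), key)
        state["user"] = user
        return packet(TYPE_AUTHEN, 2, session_id, authen_reply(STATUS_GETPASS, b"Password: "), key)
    msg_len = struct.unpack("!H", body[:2])[0]
    ok = USERS.get(state.get("user")) == body[5:5 + msg_len]
    return packet(TYPE_AUTHEN, 4, session_id, authen_reply(STATUS_PASS if ok else STATUS_FAIL), key)

def login(user, password, client_key=KEY, server_key=KEY, session_id=None):
    """Run the four-packet exchange as the router would; returns the final REPLY status."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    state = {}
    reply = server_handle(packet(TYPE_AUTHEN, 1, session_id, authen_start(user), client_key), state, server_key)
    status, _ = parse_reply(unpack(reply, client_key)[3])
    if status != STATUS_GETPASS:
        return status
    reply = server_handle(packet(TYPE_AUTHEN, 3, session_id, authen_continue(password), client_key), state, server_key)
    return parse_reply(unpack(reply, client_key)[3])[0]

def sniffed_user(raw, key):
    """What a capture gives to whoever holds the key: the user name from a START packet."""
    return parse_start(unpack(raw, key)[3])

if __name__ == "__main__":
    print("cisco/cisco ->", login(b"cisco", b"cisco"))                          # 1 (PASS)
    print("cisco/wrong ->", login(b"cisco", b"wrong"))                          # 2 (FAIL)
    print("key mismatch ->", login(b"cisco", b"cisco", server_key=b"other"))   # 7 (ERROR)
```

Compare the three results with the transcript above: PASS for cisco/cisco, FAIL for a wrong password, and ERROR when the router and server keys differ. The last one is the kind of outcome a method list treats as an error (move on to line), not as a rejected login, which is the difference the trailing methods in ztccie exist for.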
AAA server--authorization (EXEC authorization: the privilege level is now assigned by the AAA server at login. A list that names only group tacacs+ denies the EXEC shell whenever the server is unreachable, so outside a lab append if-authenticated or local):
SERVER(config)#aaa authorization exec ztccie group tacacs+
SERVER(config)#line vty 0 15
SERVER(config-line)#authorization exec ztccie
SERVER(config-line)#end
client#telnet 200.200.200.2
Trying 200.200.200.2 ... Open
Username: cisco5
Password:
SERVER#sho priv
Current privilege level is 5
Authorization on the AAA server: cisco5 is given shell privilege level 5.
Authorization--command authorization
Local command authorization (move the commands a level-5 user may run down to level 5):
SERVER(config)#privilege exec level 5 configure terminal
SERVER(config)#privilege configure level 5 interface
Note on AAA command authorization: the router only sends the AAA server the commands that the user's current privilege level already exposes. A command left at level 15 is never offered to a level-5 user, so it must first be moved to that level locally with privilege ... before the AAA server can permit or deny it.
SERVER(config)#aaa authorization commands 5 ztccie group tacacs+
SERVER(config)#line vty 0 15
SERVER(config-line)#authorization commands 5 ztccie
The commands list covers EXEC-mode commands. Configuration-mode commands (interface and the like) are checked against the same list only when configuration-command authorization is on. IOS turns it on by default once aaa authorization commands is configured, but set it explicitly so that strict authorization does not depend on the default:
SERVER(config)#aaa authorization config-commands
AAA server settings, then a test as cisco5:
Username: cisco5
Password:
SERVER#conf te
SERVER#conf terminal
Enter configuration commands, one per line.
Another way to do this on the AAA server:
Shared Profile Components-->Shell Command Authorization Sets
AAA server--accounting (EXEC accounting, a start and a stop record for each login session)
SERVER(config)#aaa accounting exec ztccie start-stop group tacacs+
SERVER(config)#line vty 0 15
SERVER(config-line)#accounting exec ztccie
Login records on the AAA server: Reports and Activity-->TACACS+ Accounting
For command accounting, define a list for each command level in use here, 0, 1 and 5:
SERVER(config)#aaa accounting commands 0 ztccie start-stop group tacacs+
SERVER(config)#aaa accounting commands 1 ztccie start-stop group tacacs+
SERVER(config)#aaa accounting commands 5 ztccie start-stop group tacacs+
SERVER(config)#line vty 0 15
SERVER(config-line)#accounting commands 0 ztccie
SERVER(config-line)#accounting commands 1 ztccie
SERVER(config-line)#accounting commands 5 ztccie
Command accounting records on the AAA server: Reports and Activity-->TACACS+ Administration
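A check over the method lists built up on this page, as an added example that is not part of the original: a small Python lint that parses the SERVER configuration (condensed here into one constructed sample) and flags what a reviewer asks about these lists. It encodes one IOS rule: a method list moves on to the next method only when the current one returns an error (server unreachable, no line password configured), never when the user is rejected. So none at the end of a login list means an unauthenticated session once TACACS+ and the line password are both unavailable, while an authorization list that names only group tacacs+ locks everyone out of the EXEC shell or the command when the server is down.

```python
"""Lint IOS AAA method lists for lockout and open-fallback risks.

Added example, not code from the page. A method list moves to the next method only
when the current one returns an error (server unreachable, no line password), never
when it rejects the user. SAMPLE_CONFIG is the SERVER configuration from this page,
condensed into one constructed text.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
enable password cisco
tacacs-server host 200.200.200.207 key zhangteng123
aaa authentication login zt line none
aaa authentication login ztccie group tacacs+ line none
aaa authorization exec ztccie group tacacs+
aaa authorization commands 5 ztccie group tacacs+
aaa accounting exec ztccie start-stop group tacacs+
aaa accounting commands 5 ztccie start-stop group tacacs+
line console 0
 login authentication zt
line vty 0 15
 login authentication ztccie
 authorization exec ztccie
 authorization commands 5 ztccie
 accounting exec ztccie
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)")


def parse_method_lists(config):
    """{(kind, name): [method, ...]} with 'group <server-group>' kept as one method."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok += " " + tokens.pop(0)
            methods.append(tok)
        lists[(kind, name)] = methods
    return lists


def parse_line_bindings(config):
    """[(line, kind, list_name)] for every list applied under a 'line ...' section."""
    bindings, current = [], None
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith("line "):
            current = text
        elif current and text.startswith("login authentication "):
            bindings.append((current, "authentication login", text.split()[-1]))
        elif current and text.startswith("authorization exec "):
            bindings.append((current, "authorization exec", text.split()[-1]))
        elif current and re.match(r"authorization commands \d+ ", text):
            bindings.append((current, "authorization commands " + text.split()[2], text.split()[-1]))
    return bindings


def lint(config):
    """Return findings as 'LEVEL subject: explanation' strings."""
    findings = []
    lists = parse_method_lists(config)
    for (kind, name), methods in lists.items():
        if "none" in methods:
            findings.append(f"WARN {kind} {name}: falls through to 'none'; with TACACS+ unreachable "
                            f"(and no line password for 'line') the session is let in unauthenticated")
        if kind.startswith("authorization") and methods == ["group tacacs+"]:
            findings.append(f"WARN {kind} {name}: TACACS+ only; when the server is unreachable the request "
                            f"errors and the EXEC shell/command is denied (lockout); append 'if-authenticated' or 'local'")
    for line_name, kind, list_name in parse_line_bindings(config):
        if (kind, list_name) not in lists:
            findings.append(f"ERROR {line_name}: applies undefined {kind} list '{list_name}'")
    if re.search(r"^enable password ", config, re.M):
        findings.append("WARN enable password: reversible (type 0/7) storage; use 'enable secret'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's configuration it reports five warnings and no error; adding if-authenticated to the exec authorization list removes one of them, and a line that applies a list name that was never defined is reported as an error, the mistake that locks a console out in practice.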