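Add network devices
Log in to ISE and go to Administration-Network Resources-Network Devices
Select Add to add the network device to ISE
Add authentication policies
Policy-Policy Elements-Conditions: click New to create a policy
Add the policy EZI_RADIUS_LOGIN and select RADIUS as the authentication method
Add the authentication device type policy EZI_Radius_AUTHEN_ALL
Add the user login authentication policy RADIUS_LOGIN, which allows users in the Employee group to log in
Add users and user groups
Administration-Identity Management-Identities: select Add to add a user
Set the username and password, and select Employee as the user group
Define authorization levels
Work Centers-Device Administration-Policy Elements: add a Tacacs Profiles policy
Apply the policies
Work Centers-Device Administration-Device Admin Policy Sets: create a new policy named Radius_Login
Drag the previously created policy to the right and click Use to apply it
Click the > next to the policy
Configure the authorization policy: select the previously created EZI_RADIUS_AUTHEN_ALL and Radius_Login policies, drag them to the right, and click Use
Select the authorization level, then click SAVE
Switch configuration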
aaa new-model
!
!
aaa group server radius network-radius-group
 server name radius_192.168.32.231
!
aaa group server tacacs+ network-tacacs-group
 server name tacacs_192.168.32.231
!
! VTY_authen / VTY_author try the RADIUS group first, then the local database
aaa authentication login default local
aaa authentication login VTY_authen group network-radius-group local
aaa authorization exec default local
aaa authorization exec VTY_author group network-radius-group local if-authenticated
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group network-radius-group
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.32.231 server-key ******
!
aaa session-id common
!
ip radius source-interface GigabitEthernet1/0/24
!
! this name must match the "server name" entry in network-tacacs-group
tacacs server tacacs_192.168.32.231
 address ipv4 192.168.32.231
 key P@ss1234
 timeout 4
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
!
radius server radius_192.168.32.231
 address ipv4 192.168.32.231 auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 pac key P@ss1234
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
! VTY 0-4 use the RADIUS-backed method lists
line vty 0 4
 password cisco
 authorization exec VTY_author
 login authentication VTY_authen
 transport input all
! no method lists are applied to VTY 5-15, so they use the default (local) lists
line vty 5 15
!
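The switch configuration above links names in three places: each AAA group points at a server definition, each method list points at a group, and each line points at a method list. The Python check below is an added example, not part of the original page; the function name audit_aaa and the sample text are constructed for illustration, and it reports references that do not resolve as well as VTY ranges with no login list applied.

```python
import re

# Constructed sample modelled on the switch configuration above. The
# "tacase_" server name is a deliberate mismatch for the audit to find.
SAMPLE = """\
aaa group server radius network-radius-group
 server name radius_192.168.32.231
aaa group server tacacs+ network-tacacs-group
 server name tacacs_192.168.32.231
aaa authentication login default local
aaa authentication login VTY_authen group network-radius-group local
aaa authorization exec VTY_author group network-radius-group local if-authenticated
tacacs server tacase_192.168.32.231
radius server radius_192.168.32.231
line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
line vty 5 15
"""

def audit_aaa(config):
    """Return findings for dangling AAA references in an IOS-style config."""
    servers, groups, lists, vty_login = set(), {}, set(), {}
    server_refs, group_refs, line_refs = [], [], []
    group = line_ctx = None
    for text in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"(radius|tacacs) server (\S+)", text):
            servers.add((m[1], m[2]))
        elif m := re.match(r"aaa group server (radius|tacacs)\+? (\S+)", text):
            group, groups[m[2]] = m[2], m[1]
        elif group and (m := re.match(r"server name (\S+)", text)):
            server_refs.append((group, groups[group], m[1]))
        elif m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.*)", text):
            lists.add((m[1], m[2]))
            group_refs += [(m[2], g) for g in re.findall(r"group (\S+)", m[3])]
        elif m := re.match(r"line (.+)", text):
            line_ctx = m[1]
            if line_ctx.startswith("vty"):
                vty_login[line_ctx] = False
        elif line_ctx and (m := re.match(r"(login authentication|authorization exec) (\S+)", text)):
            is_login = m[1] == "login authentication"
            line_refs.append((line_ctx, "authentication login" if is_login else m[1], m[2]))
            if is_login and line_ctx in vty_login:
                vty_login[line_ctx] = True
    out = [f"group {g}: no '{p} server {s}' defined" for g, p, s in server_refs if (p, s) not in servers]
    out += [f"list {n}: unknown group {g}" for n, g in group_refs if g not in groups and g not in ("radius", "tacacs+")]
    out += [f"line {ln}: list {n} not defined" for ln, k, n in line_refs if (k, n) not in lists]
    out += [f"line {ln}: no login list, uses 'default'" for ln, ok in vty_login.items() if not ok]
    return out
```

Calling audit_aaa on the text of a saved running configuration returns one string per finding; an empty list means every reference resolved and every VTY range names a login list.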
Check the connection to the ISE server
Login verification
Verify using a user in the Employee group
View the logs on ISE under Operations-Radius-Live Logs