思科ISE 使用 TACACS+ 进行设备管理

Step1:在ISE上增加设备，导航到 Administration->Network Resources->Network Devices下，增加设备，如下图：

输入TACACS认证密钥，如上图

step2:创建测试用户，本例使用内置用户导航到Administration->Identity Management->Identities下创建用户test1，如下图：

step3:创建ttacas+策略

导航到Work Centers->Device Administration->Policy Elements->TACACS Command Sets，创建命令集PermitALLCommand，如下图：

Work Centers->Device Administration->Policy Elements->TACACS Profiles下创建level15的tacacs配置文件，如下图：

创建设备授权策略，如下图：

 

step3:设备侧配置

!
aaa new-model
!
!
aaa group server tacacs+ ISE-GROUP
 server name ISE
!
aaa authentication login NOISE line none
aaa authentication login ISE group ISE-GROUP group tacacs+ local-case
aaa authentication enable default enable none
aaa authorization config-commands
aaa authorization exec ISE group ISE-GROUP local 
aaa authorization commands 0 ISE group ISE-GROUP local 
aaa authorization commands 1 ISE group ISE-GROUP local 
aaa authorization commands 15 ISE group ISE-GROUP local 
!
tacacs server ISE
 address ipv4 x.x.x.x
 key 7 044B1C022F701E1D
!
line con 0
 login authentication NOISE
 stopbits 1
line vty 0 4
 authorization commands 0 ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 authorization exec ISE
 login authentication ISE
 transport input all
!