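Device Administration with TACACS+ on Cisco ISE
Step 1: Add the device in ISE. Navigate to Administration->Network Resources->Network Devices and add the device, as shown in the figure below:
Enter the TACACS authentication key, as shown in the figure above.
Step 2: Create a test user. This example uses an internal user. Navigate to Administration->Identity Management->Identities and create the user test1, as shown in the figure below:
Step 3: Create the TACACS+ policy
Navigate to Work Centers->Device Administration->Policy Elements->TACACS Command Sets and create the command set PermitALLCommand, as shown in the figure below:
Under Work Centers->Device Administration->Policy Elements->TACACS Profiles, create a level 15 TACACS profile, as shown in the figure below:
Create the device authorization policy, as shown in the figure below:
Step 4: Device-side configuration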
!
aaa new-model
!
!
aaa group server tacacs+ ISE-GROUP
 server name ISE
!
aaa authentication login NOISE line none
aaa authentication login ISE group ISE-GROUP group tacacs+ local-case
aaa authentication enable default enable none
aaa authorization config-commands
aaa authorization exec ISE group ISE-GROUP local
aaa authorization commands 0 ISE group ISE-GROUP local
aaa authorization commands 1 ISE group ISE-GROUP local
aaa authorization commands 15 ISE group ISE-GROUP local
!
tacacs server ISE
 address ipv4 x.x.x.x
 key 7 044B1C022F701E1D
!
line con 0
 login authentication NOISE
 stopbits 1
line vty 0 4
 authorization commands 0 ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 authorization exec ISE
 login authentication ISE
 transport input all
!
Note: Before configuring TACACS+, make sure the Device Admin service is enabled; otherwise the device cannot be brought under management.
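The device-side configuration above ties each `line` to a named AAA method list, so a misspelled list name or a weak fallback method only shows up at login time. The following audit script is an added example, not part of the original post: it checks the line stanzas of an IOS configuration for references to undefined method lists, lists that fall back to `none`, and Telnet being permitted. The names `audit`, `norm` and `SAMPLE` are hypothetical, and the sample input is constructed from the AAA and line portions of the configuration on this page.

```python
import re

# Constructed input: the AAA and line stanzas of the device-side configuration above.
SAMPLE = """\
aaa new-model
aaa authentication login NOISE line none
aaa authentication login ISE group ISE-GROUP group tacacs+ local-case
aaa authorization exec ISE group ISE-GROUP local
aaa authorization commands 0 ISE group ISE-GROUP local
aaa authorization commands 1 ISE group ISE-GROUP local
aaa authorization commands 15 ISE group ISE-GROUP local
line con 0
 login authentication NOISE
line vty 0 4
 authorization commands 0 ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 authorization exec ISE
 login authentication ISE
 transport input all
"""

KIND = r"(authentication login|login authentication|authorization exec|authorization commands \d+)"
DEFINE = re.compile(rf"^aaa {KIND} (\S+) (.+)$")   # global method-list definition
APPLY = re.compile(rf"^\s+{KIND} (\S+)$")          # method list applied under a line

def norm(kind):
    # "aaa authentication login X" is applied as "login authentication X"
    return "login authentication" if kind == "authentication login" else kind

def audit(config):
    """Return (stanza, finding) tuples for the line stanzas of an IOS config."""
    lines = [l.rstrip() for l in config.splitlines()]
    lists = {(norm(m[1]), m[2]): m[3].split() for l in lines if (m := DEFINE.match(l))}
    findings, stanza = [], None
    for l in lines:
        if l.startswith("line "):
            stanza = l
        elif not l.startswith(" "):
            stanza = None          # left the line stanza
        elif stanza and (m := APPLY.match(l)):
            methods = lists.get((norm(m[1]), m[2]))
            if methods is None:
                findings.append((stanza, f"undefined method list {m[2]}"))
            elif methods[-1] == "none":
                findings.append((stanza, f"method list {m[2]} falls back to none"))
        elif stanza and re.match(r"\s+transport input (all|.*telnet)", l):
            findings.append((stanza, "telnet permitted by transport input"))
    return findings
```

Calling `audit(SAMPLE)` reports the console list `NOISE`, whose final method is `none`, and the `transport input all` setting on the vty lines, which allows TACACS+ logins over Telnet.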
posted on 2023-10-20 15:24 CyberSecurityBook