Device administration with TACACS+ on Cisco ISE

Step 1: Add the device in ISE. Navigate to Administration -> Network Resources -> Network Devices and add the device, as shown in the figure below:

Enter the TACACS authentication key, as shown in the figure above.

Step 2: Create a test user. This example uses an internal user: navigate to Administration -> Identity Management -> Identities and create the user test1, as shown in the figure below:

Step 3: Create the TACACS+ policy

Navigate to Work Centers -> Device Administration -> Policy Elements -> TACACS Command Sets and create the command set PermitALLCommand, as shown in the figure below:

Under Work Centers -> Device Administration -> Policy Elements -> TACACS Profiles, create a level 15 TACACS profile, as shown in the figure below:

Create the device authorization policy, as shown in the figure below:

 

Step 4: Device-side configuration

!
aaa new-model
!
!
aaa group server tacacs+ ISE-GROUP
 server name ISE
!
aaa authentication login NOISE line none
aaa authentication login ISE group ISE-GROUP group tacacs+ local-case
aaa authentication enable default enable none
aaa authorization config-commands
aaa authorization exec ISE group ISE-GROUP local 
aaa authorization commands 0 ISE group ISE-GROUP local 
aaa authorization commands 1 ISE group ISE-GROUP local 
aaa authorization commands 15 ISE group ISE-GROUP local 
!
tacacs server ISE
 address ipv4 x.x.x.x
 key 7 044B1C022F701E1D
!
line con 0
 login authentication NOISE
 stopbits 1
line vty 0 4
 authorization commands 0 ISE
 authorization commands 1 ISE
 authorization commands 15 ISE
 authorization exec ISE
 login authentication ISE
 transport input all
!

  Note: before configuring TACACS+, make sure the Device Admin service is enabled; otherwise the device cannot be brought under management.
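
As an added example (not part of the original post and not Cisco tooling), the Python script below audits a device-side configuration like the one above for settings that weaken the TACACS+ setup: a method list ending in none, a type 7 shared key, and Telnet allowed on a line. The sample config is constructed (address and key are placeholders), and the rule names are this example's own.

```python
import re

# Constructed sample modelled on the device-side configuration above;
# the server address and key are placeholders.
SAMPLE = """\
aaa new-model
aaa authentication login NOISE line none
aaa authentication login ISE group ISE-GROUP group tacacs+ local-case
aaa authentication enable default enable none
tacacs server ISE
 address ipv4 192.0.2.10
 key 7 PLACEHOLDER
line con 0
 login authentication NOISE
line vty 0 4
 login authentication ISE
 transport input all
"""

def audit(config):
    """Return (line_no, rule, detail) tuples. The rule names are this example's own."""
    findings, weak_login_lists, section = [], set(), ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line                      # top-level command opens a section
        m = re.fullmatch(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if m and m.group(3).split()[-1] == "none":
            # 'none' as last method: if every earlier method returns an error
            # (e.g. no line/enable password set), access needs no credentials.
            findings.append((no, "none-fallback", f"{m.group(1)} list {m.group(2)}"))
            if m.group(1) == "login":
                weak_login_lists.add(m.group(2))
        elif re.match(r"key 7 \S+", line) and section.startswith("tacacs server"):
            # Type 7 is reversible encoding, so the config file discloses the shared secret.
            findings.append((no, "type7-key", section))
        elif section.startswith("line "):
            m = re.fullmatch(r"login authentication (\S+)", line)
            if m and m.group(1) in weak_login_lists:
                findings.append((no, "weak-list-in-use", f"{section} -> {m.group(1)}"))
            elif re.fullmatch(r"transport input (all|telnet)", line):
                # Telnet carries the administrator's TACACS+ credentials in clear text.
                findings.append((no, "telnet-allowed", section))
    return findings

if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE):
        print(f"line {no}: {rule}: {detail}")
```

Where the console needs a fallback for when ISE is unreachable, ending the method list in local instead of none keeps a credential check in place, and transport input ssh on the VTY lines removes Telnet.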

 

posted on 2023-10-20 15:24  CyberSecurityBook
