《ACS实验笔记.doc》由会员分享,可在线阅读,更多相关《ACS实验笔记.doc(10页珍藏版)》请在得力文库 - 分享文档赚钱的网站上搜索。
1、如有侵权,请联系网站删除,仅供学习与交流ACS实验笔记【精品文档】第 10 页一 、认证 1、拓扑图为:2、SW配置命令:aaa new-modeltacacs-server host 192.200.103.10tacacs-server key cisco (可选)aaa authentication login loginlist group tacacs+line vty 0 4 login authentication loginlist3、SW show running-config配置sw#sh running-configBuilding configuration.Curre
2、nt configuration : 1006 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname sw!boot-start-markerboot-end-marker!aaa new-model!aaa authentication login loginlist group tacacs+!aaa session-id commonmemory-size iomem 5no ip
3、 routing! no ip cefno ip domain lookup!interface FastEthernet0/0 ip address 192.200.103.1 255.255.255.0 no ip route-cache duplex auto speed auto!interface FastEthernet2/0 ip address 192.200.103.2 255.255.255.0 no ip route-cache duplex auto speed auto!interface FastEthernet3/0 ip address 192.200.103.
4、3 255.255.255.0 no ip route-cache duplex auto speed auto!ip http serverno ip http secure-server! tacacs-server host 192.200.103.10tacacs-server directed-requesttacacs-server key cisco!control-plane!line con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4 login authentication loginlist!e
5、nd4、radius配置选中 右边 Add Entry选项5、在192.200.103.10 PC上测试 telnet 192.200.103.2 成功。使用test aaa group tacacs+ wolf wolf new-code 测试不成功原因:中默认server选项要修改命令中的wolf是在user group中建立。二、授权1、sw中命令配置:aaa authorization exec shouquan group tacacs+ localline vty 0 4 authorization exec shouquan2、ACS中的配置:user setup中建立两个用户c
6、isco1和cisco2,分别属于group1和group2.group setup中的shell值分别设置为15 和 1测试连接正常:sw# test aaa group tacacs+ cisco2 cisco2 new-codeUser successfully authenticated在客户机上分别用cisco1和cisco2账号telnet 192.200.103.1结论:当权限为1的用户登录需要输入enable密码,用密码登录特权模式后提升为15级如cisco2;cisco1的权限为15,不用输入enable直接进入特权模式。设置15级别group1用户cisco1不能用show
7、 running-config命令:aaa authorization commands 15 commands15 group tacacs+line vty 0 4 authorization commands 15 commands15测试结果:cisco1用户:审计:基于时间的审计,会记录所用用户的进出时间。aaa accounting exec shenji start-stop group tacacs+基于命令的审计,会记录所有1级和15级命令的操作。aaa accounting commands 1 command1 start-stop group tacacs+aaa ac
8、counting commands 15 shenji15 start-stop group tacacs+sw(config)#line vty 0 4sw(config-line)#accounting exec shenjiline vty 0 4 accounting commands 1 command1 accounting commands 15 shenji15 accounting exec shenji结果:sw#sh running-configBuilding configuration.Current configuration : 1525 bytes!versio
9、n 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname sw!boot-start-markerboot-end-marker!enable password enpass!aaa new-model!aaa authentication login loginlist group tacacs+aaa authorization exec shouquan group tacacs+ localaaa auth
10、orization commands 15 commands15 group tacacs+aaa accounting exec shenji start-stop group tacacs+aaa accounting commands 1 command1 start-stop group tacacs+aaa accounting commands 15 shenji15 start-stop group tacacs+!aaa session-id commonmemory-size iomem 5no ip routing!no ip cefno ip domain lookup!
11、interface Loopback0 ip address 1.1.1.1 255.255.255.255!interface FastEthernet0/0 ip address 192.200.103.1 255.255.255.0 no ip route-cache duplex auto speed auto!interface FastEthernet2/0 ip address 192.200.103.2 255.255.255.0 no ip route-cache duplex auto speed auto! interface FastEthernet3/0 ip add
12、ress 192.200.103.3 255.255.255.0 no ip route-cache duplex auto speed auto!ip http serverno ip http secure-server!tacacs-server host 192.200.103.10tacacs-server directed-requesttacacs-server key cisco!control-plane!line con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4 authorization commands 15 commands15 authorization exec shouquan accounting commands 1 command1 accounting commands 15 shenji15 accounting exec shenji login authentication loginlist!end