Shulou(Shulou.com)06/01 Report--

First of all, TACACS+ is based on TCP 49 protocol. So this also explains the basic difference between tacacs+ and radius: radius is a UDP packet that is pushed to the terminal by all authorization results, while tacacs+ 's TCP can be authorized one by one based on one command per line.

Aaa command of the router

Aaa group server tacacs+ ISE

Server-private 192.168.133.11 key cisco123

Aaa new-model

Aaa authentication login default group ISE local

Aaa authentication enable default group ISE enable

Aaa authorization config-commands

Aaa authorization exec ISE group ISE local

Aaa authorization commands 0 default group ISE local none

Aaa authorization commands 1 default group ISE local none

Aaa authorization commands 7 default group ISE local none

Aaa authorization commands 15 default group ISE local none

Aaa accounting exec default start-stop group ISE

Aaa accouting commands 0 default start-stop group ISE

Aaa acounting commands 1 default start-stop group ISE

Aaa acounting commands 7 default start-stop group ISE

Aaa accouting commands 15 default start-stop group ISE

When talking about the keyword default, it was always difficult to understand it before.

Default method:A default method list is configured globally and is automatically applied to all the interfaces on a device (vty/http/console/AUX)

Personally, I felt that privilege 7 didn't make much sense at the time of the experiment, and there were fewer commands that could be called by myself.

Device admin policy sets is also divided into authentication and authorization, similar to radius's policy sets. The purpose of authentication policy is to use the correct identity store based on the correct protocol (usually tacacs+) and other restrictions (for example, you can use device type, etc.).

The authorization result of authoriztion policy is divided into two parts: command sets and shell profile know what they contain directly from the screenshot.

All commands are permit

The shell of Operator only allows show or access to the interface switch.

Shell profile. Since both shell profile are default 0 maximum 15, screenshots will not be taken repeatedly.

We can see that the acl or timeout time under line vty can be pushed through ISE.

Take a screenshot and look at policy sets.

Let's take a look at tacacs+ 's authorization based on each command.

Due to the existence of command sets, moving specific commands to privilege 1-14 is not actually a feasible approach in a production environment.

Add a comparison of using radius to do certification, although not very useful, but the exam unexpectedly. Stupid bastard.

The most important thing is to know how to configure that authorization profile: shell:priv-lvl=15

There is nothing to say about the strategy.

Mainly depends on the test results, post the commands of the router, and remember that because radius pushes the policy results together, you only need to configure these two sentences:

Aaa authentication login default group ISE local

Aaa authorization exec default group radius local

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.