使用域帐号登陆cisco路由和交换机(实现单点登陆功能)[转]

fateame

ACS服务器配置:
配置AAA Client:选择“Network Configuration→Add Entry”,在“AAA Client”处输入交换机的主机名，“AAA Client IP Address”处输入C2950的管理IP地址,在“Key”处输入TACACS+,认证密钥CiSCO,“Authenticate Using”处选择“TACACS+(cisco ios)”,再Submit+Restart.

配置外部用户数据库:选择“External User Databases→Database Configuration→Windows Database→Create New Configuration”,建一个Database的名称ACS.COM,Submit.

再选择“External User Databases→Database Configuration→Windows Database→Configure”,在Configure Domain List处将ACS Server所在的域名称移动到“Domain List”中.要注意一点ACS Server应加入到域中.

同时“Windows EAP Settings”的“Machine Authentication”下勾选“Enable PEAP machine authentication”和“Enable EAP-TLS machine authentication.EAP-TLS and PEAP machine anthentication name prefix.” 选项,其中默认的“host/”不用改动

再选择“External User Databases→Unknown User Policy→Check the following external user databases”,将“External Databases”移动到右边的Selected Databases窗口中,完成后再重启服务

用户权限赋予:
首先在"Interface configuration"-->"Advanced option"里面将"Per-user TACACS+/RADIUS Attributes"打钩,然后在"User setup"中选择要赋予权限的用户,点击选择的用户,在"user setup"中的tacacs+选项中钩选"Shell (exec)","Privilege level 15".


2950交换机配置:
Conf  t
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
tacacs-server host XXX.XXX.30.220
tacacs-server key ******
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
line vty 0 4
login authentication default
authorization exec default
accounting connection default
accounting commands 15 default
accounting exec default
end
wr