I. Authentication
1.1 Add an AAA client on ACS
1. Log in to ACS and click Network Configuration.
2. Click Add Entry to add an AAA client.
3. Enter the AAA client hostname, client IP address and shared secret; under Authenticate Using select TACACS+ (Cisco IOS), then click Submit + Apply.
1.2 Switch configuration:
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.168.2.1 key Cisco
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# login authentication default
We recommend that you also configure a local user as a fallback, so that the local method still allows login if the TACACS+ server is unreachable:
Switch(config)# username XXXX privilege 15 secret xxxx
II. Authorization
1. Set user permissions on ACS
1. On ACS, select Interface Configuration -> TACACS+ (Cisco IOS).
2. Check Shell (exec) in the User column so that the shell options are added to the user configuration parameters.
3. Check that the following options are selected under Interface Configuration -> Advanced Options.
4. Click User Setup, select the user, and click Edit to edit its parameters.
5. Select Shell (exec), check Privilege level and set it to 10. The user can then only execute commands assigned to level 10 (or a lower level).
2. Switch configuration
2.1 Define level 10 locally
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 write
privilege exec level 10 write memory
2.2 Enable authorization and apply it to Telnet logins
Switch(config)# aaa authorization exec default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# authorization exec default
III. Auditing
1. Switch configuration:
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# aaa accounting commands 0 default start-stop group tacacs+
Switch(config)# aaa accounting commands 1 default start-stop group tacacs+
Switch(config)# aaa accounting commands 10 default start-stop group tacacs+
Switch(config)# aaa accounting commands 15 default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default
Switch(config-line)# accounting commands 0 default
Switch(config-line)# accounting commands 1 default
Switch(config-line)# accounting commands 10 default
Switch(config-line)# accounting commands 15 default
2. View the audit results on ACS
Select Reports and Activity -> TACACS+ Administration -> TACACS+ Administration active.csv to display the audit results for the current day.
The audit results include the time, the logged-in user, the commands the user executed, and the IP address of the device.
Complete configuration:
!
hostname Switch
!
username XXX privilege 15 secret 5 $1$2a3r$cnauxylgipgtibcqqh78h/
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa new-model
tacacs-server host 192.168.2.1 key Cisco
tacacs-server directed-request
privilege interface level 10 shutdown
privilege interface level 10 no
privilege interface level 10 sw
privilege interface level 10 description
privilege configure level 10 interface
privilege exec level 10 configure
privilege exec level 10 configure terminal
privilege exec level 10 show run
privilege exec level 10 show startup
privilege exec level 10 write
privilege exec level 10 write memory
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 0 default
 accounting commands 1 default
 accounting commands 10 default
 accounting commands 15 default
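A quick way to check that a switch's running-config keeps the properties this configuration relies on (AAA enabled, a local fallback in the login and exec-authorization method lists, a local privilege-15 user, command accounting at levels 0/1/10/15, and a TACACS+ server with a key) is to lint the exported config text. The script below is an added example, not part of the original page or of Cisco ACS; the username `netadmin` and the config string it checks are constructed from the configuration above.

```python
"""Lint the AAA portion of an IOS running-config (added example)."""
import re
from typing import List

# Constructed sample: the configuration from this page, reduced to the AAA lines.
SAMPLE_CONFIG = """\
hostname Switch
username netadmin privilege 15 secret 5 $1$2a3r$cnauxylgipgtibcqqh78h/
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.2.1 key Cisco
line vty 0 4
 login authentication default
 authorization exec default
"""

# Privilege levels whose commands the page sends to the accounting server.
REQUIRED_ACCT_LEVELS = {0, 1, 10, 15}


def lint_aaa(config: str) -> List[str]:
    """Return a list of findings for the config text; an empty list means all checks passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    # Both default method lists must end in 'local', otherwise an unreachable
    # TACACS+ server locks administrators out of the device.
    for kind in ("authentication login", "authorization exec"):
        matches = [ln for ln in lines if ln.startswith(f"aaa {kind} default")]
        if not matches:
            findings.append(f"no default {kind} method list")
        elif "local" not in matches[0].split():
            findings.append(f"{kind} has no local fallback: lockout if the TACACS+ server is unreachable")
    if not any(re.match(r"username \S+ privilege 15 secret", ln) for ln in lines):
        findings.append("no local privilege-15 user with an encrypted secret for fallback")
    levels = set()
    for ln in lines:
        m = re.match(r"aaa accounting commands (\d+) default start-stop", ln)
        if m:
            levels.add(int(m.group(1)))
    missing = REQUIRED_ACCT_LEVELS - levels
    if missing:
        findings.append(f"command accounting not enabled for levels {sorted(missing)}")
    if not any(re.match(r"tacacs-server host \S+ key \S+", ln) for ln in lines):
        findings.append("no tacacs-server host with a shared key")
    return findings
```

Run `lint_aaa()` over the output of `show running-config` after any AAA change; the page's configuration yields no findings, while dropping `local` from either method list or removing one of the accounting levels is reported.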