Cisco:
aaa new-model
aaa group server tacacs+ tacacs-group (define the AAA server group)
 server name ise1
 server name ise2
aaa authentication login conlogin local (console authenticates against the local user database; a local account, e.g. a username with privilege 15, must exist for this and for every "local" fallback below, otherwise the device locks you out once the TACACS+ servers are unreachable)
(the method lists below use the name default and call the tacacs-group group)
aaa authentication login default group tacacs-group local
aaa authentication enable default group tacacs-group enable (enable authentication via TACACS+, falling back to the local enable secret)
aaa authorization config-commands
aaa authorization exec default group tacacs-group local
aaa authorization commands 15 default group tacacs-group local
aaa accounting exec default start-stop group tacacs-group
aaa accounting commands 15 default start-stop group tacacs-group
ip tacacs source-interface Loopback 0 (source interface for AAA traffic)
tacacs-server timeout 1 (per-server timeout in seconds; 1 s is aggressive: a single lost packet moves the request to the next server and then to the local fallback; the default is 5)
tacacs server ise1 (server address and shared key)
 address ipv4 192.168.11.122
 key free
tacacs server ise2
 address ipv4 192.168.11.123
 key free
(the key "free" is a placeholder: use a long random secret, and note that it is kept in the running config in clear unless service password-encryption is on, which only applies reversible type 7 obfuscation, so treat the config file itself as sensitive)
line con 0
 exec-timeout 15 0
 privilege level 15 (anyone who passes console authentication lands directly at privilege 15)
 logging synchronous
 login authentication conlogin (console uses the local list)
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 transport preferred ssh
 transport input ssh
(because the AAA method lists are named default, the vty lines need no explicit login authentication list)
H3C:
domain default enable abc (make the domain that carries the AAA configuration the default domain)
hwtacacs scheme abc-aaa (HWTACACS scheme)
 primary authentication 192.168.11.122
 secondary authentication 192.168.11.123
 primary authorization 192.168.11.122
 secondary authorization 192.168.11.123
 primary accounting 192.168.11.122
 secondary accounting 192.168.11.123
 nas-ip 1.1.1.1 (source address for AAA traffic)
 key authentication free
 key authorization free
 key accounting free (the key "free" is a placeholder: use a long random secret and enter it with "key ... cipher" rather than in plaintext)
 user-name-format without-domain (send the username without the domain suffix)
domain abc (bind the domain to the HWTACACS scheme; the "local" fallback needs a local-user account to exist)
 authentication login hwtacacs-scheme abc-aaa local
 authorization login hwtacacs-scheme abc-aaa local
 accounting login hwtacacs-scheme abc-aaa local
 accounting optional
user-interface con 0 (console uses local password authentication)
 authentication-mode password
 set authentication password simple 123456 (123456 is a placeholder: set a strong password and store it with "cipher" instead of "simple")
user-interface vty 0 15
 authentication-mode scheme
 command accounting
 command authorization (if you cannot enter system-view after logging in via TACACS+, remove this line)
Huawei:
hwtacacs enable
hwtacacs-server template abc-aaa (HWTACACS template)
 hwtacacs-server authentication 192.168.11.122
 hwtacacs-server authentication 192.168.11.123 secondary
 hwtacacs-server authorization 192.168.11.122
 hwtacacs-server authorization 192.168.11.123 secondary
 hwtacacs-server accounting 192.168.11.122
 hwtacacs-server accounting 192.168.11.123 secondary
 hwtacacs-server source-ip 1.1.1.13 (source address for AAA traffic)
 hwtacacs-server shared-key simple free ("simple" stores the key in plaintext and "free" is a placeholder: use "shared-key cipher" with a long random secret)
 undo hwtacacs-server user-name domain-included (send the username without the domain suffix)
aaa (bind the AAA schemes to the HWTACACS template; the "local" fallback needs a local-user account to exist)
 authentication-scheme abc-aaa
  authentication-mode hwtacacs local
 authorization-scheme abc-aaa
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme abc-aaa
  accounting-mode hwtacacs
 domain abc (if the device already has domain default_admin, put these lines under that domain instead)
  service-type internetaccess ssl-*** l2tp ike administrator-access dot1x (required on the USG series)
  authentication-scheme abc-aaa
  authorization-scheme abc-aaa
  accounting-scheme abc-aaa
  hwtacacs-server abc-aaa
 recording-scheme abc-aaa
  recording-mode hwtacacs abc-aaa
 cmd recording-scheme abc-aaa
user-interface con 0 (console uses local password authentication)
 authentication-mode password
 set authentication password simple 123456 (123456 is a placeholder: set a strong password and store it with "cipher" instead of "simple")
user-interface vty 0 14
 authentication-mode aaa
Ruijie:
aaa new-model
(the named method lists below call the tacacs-group group)
aaa accounting exec vtyacc start-stop group tacacs-group
aaa accounting commands 15 vtyacc start-stop group tacacs-group
aaa authorization exec vtyauthor group tacacs-group local
aaa authorization commands 15 vtyauthor group tacacs-group local
aaa authentication login vtyauth group tacacs-group local (a local account must exist for the "local" fallback to work)
aaa group server tacacs+ tacacs-group (AAA server group members)
 server 192.168.11.122
 server 192.168.11.123
ip tacacs source-interface Loopback 0 (source interface for AAA traffic)
tacacs-server host 192.168.11.122
tacacs-server host 192.168.11.123
tacacs-server key 0 free (0 means the key is entered in plaintext; "free" is a placeholder for a long random secret)
line con 0 (console uses the line password)
 password 0 123456 (0 means plaintext; 123456 is a placeholder for a strong password)
line vty 0 15 (vty lines call the named method lists)
 accounting exec vtyacc
 accounting commands 15 vtyacc
 authorization exec vtyauthor
 authorization commands 15 vtyauthor
 login authentication vtyauth
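All four snippets above share the same weak spots: placeholder shared keys ("free") entered in plaintext, a trivial console password (123456), a 1-second server timeout, and "local" fallback methods with no local account shown. The script below is an added example that audits config text for exactly those settings; it is not a vendor tool and not part of the original page. Its rules and thresholds (the 16-character key length, the 3-second timeout floor) are this editor's assumptions, PAGE_CISCO is the page's own Cisco snippet with the annotations removed, and HARDENED_CISCO is a constructed variant whose username line and type 7 key strings are placeholders, not real hashes.

```python
"""Scan TACACS+/AAA config text for the weak settings visible in the vendor
snippets on this page.  Added example, not a vendor or project tool: the rules
and thresholds are the editor's own assumptions, PAGE_CISCO is the page's own
Cisco snippet (annotations removed), HARDENED_CISCO is a constructed variant."""
import re

MIN_KEY_LEN = 16        # assumption: shortest acceptable shared secret
MIN_TIMEOUT_S = 3       # assumption: below this, one lost packet forces fallback
ENCRYPTED = {"7", "cipher"}   # Cisco/Ruijie type 7, H3C/Huawei cipher: not in clear
                              # (type 7 is reversible, so this only means "not plaintext")

# Shared-secret statements, one regex per syntax family.  Group 'enc' is the
# storage marker (none/0/simple = plaintext, 7/cipher = encoded), 'key' the secret.
KEY_PATTERNS = [
    # Cisco 'key [0|7] <secret>' in a tacacs server block; Ruijie 'tacacs-server key 0 <secret>'
    re.compile(r"^\s*(?:tacacs-server\s+)?key\s+(?:(?P<enc>0|7)\s+)?(?P<key>\S+)\s*$"),
    # H3C 'key authentication|authorization|accounting [cipher|simple] <secret>'
    re.compile(r"^\s*key\s+(?:authentication|authorization|accounting)\s+"
               r"(?:(?P<enc>cipher|simple)\s+)?(?P<key>\S+)\s*$"),
    # Huawei 'hwtacacs-server shared-key cipher|simple <secret>'
    re.compile(r"^\s*hwtacacs-server\s+shared-key\s+(?P<enc>cipher|simple)\s+(?P<key>\S+)\s*$"),
]
# Console passwords: H3C/Huawei 'set authentication password simple 123456', Ruijie 'password 0 123456'
PASSWORD_RE = re.compile(
    r"^\s*(?:set\s+authentication\s+)?password\s+(?:(?P<enc>0|7|simple|cipher)\s+)?(?P<pw>\S+)\s*$")
TIMEOUT_RE = re.compile(r"^\s*tacacs-server\s+timeout\s+(?P<sec>\d+)")
# Method lists naming 'local' (Cisco/Ruijie 'aaa ...', H3C 'authentication login ...',
# Huawei 'authentication-mode ...') only work if a local account exists.
LOCAL_METHOD_RE = re.compile(r"^\s*(?:aaa\s+\w+|authentication|authorization)\b.*\blocal\b")
LOCAL_USER_RE = re.compile(r"^\s*(?:username|local-user)\s+\S+")


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, message) per weak setting; line 0 = whole-config finding."""
    findings = []
    uses_local = has_local_user = False
    for lineno, line in enumerate(config.splitlines(), start=1):
        uses_local = uses_local or bool(LOCAL_METHOD_RE.match(line))
        has_local_user = has_local_user or bool(LOCAL_USER_RE.match(line))
        for pat in KEY_PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if m.group("enc") not in ENCRYPTED:
                findings.append((lineno, "plaintext-key", "TACACS+ shared secret entered in plaintext"))
            # For encoded forms this measures the encoded string, a rough proxy only.
            if len(m.group("key")) < MIN_KEY_LEN:
                findings.append((lineno, "short-key", f"shared secret shorter than {MIN_KEY_LEN} chars"))
            break
        m = PASSWORD_RE.match(line)
        if m:
            if m.group("enc") not in ENCRYPTED:
                findings.append((lineno, "plaintext-password", "line password stored in plaintext"))
            if m.group("pw").isdigit() or len(m.group("pw")) < 8:
                findings.append((lineno, "weak-password", "line password is trivially guessable"))
        m = TIMEOUT_RE.match(line)
        if m and int(m.group("sec")) < MIN_TIMEOUT_S:
            findings.append((lineno, "short-timeout",
                             "server timeout so short that one lost packet falls through to local auth"))
    if uses_local and not has_local_user:
        findings.append((0, "no-local-user",
                         "a 'local' method is configured but no username/local-user exists: "
                         "lockout when every TACACS+ server is unreachable"))
    return findings


# The page's own Cisco snippet, annotations removed, sub-commands indented.
PAGE_CISCO = """\
aaa new-model
aaa authentication login default group tacacs-group local
aaa authorization exec default group tacacs-group local
tacacs-server timeout 1
tacacs server ise1
 address ipv4 192.168.11.122
 key free
tacacs server ise2
 address ipv4 192.168.11.123
 key free
"""

# Constructed hardened variant: placeholder local account and placeholder type 7 strings.
HARDENED_CISCO = """\
aaa new-model
username admin privilege 15 secret 9 $9$constructed.hash.placeholder
aaa authentication login default group tacacs-group local
tacacs-server timeout 5
tacacs server ise1
 address ipv4 192.168.11.122
 key 7 0F2D2C4B5A1E7C3D6F4A5B6C7D8E9F0A1B2C3D4E
tacacs server ise2
 address ipv4 192.168.11.123
 key 7 3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B
"""

if __name__ == "__main__":
    for lineno, rule, msg in audit(PAGE_CISCO):
        print(f"line {lineno:>2}  {rule:<18} {msg}")
```

Run it against a saved `show running-config`; the same rules catch the H3C `key authentication free`, the Huawei `shared-key simple free`, the Ruijie `tacacs-server key 0 free` and the `password simple 123456` console lines from the snippets above, and report nothing on the hardened variant.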