Cisco/Ruijie/H3C/Huawei AAA authentication configuration

Cisco configuration steps

Cisco Tacacs+ test

1. Configure the Tacacs+ server and the authentication and authorization method lists

(config)#aaa new-model
(config)#aaa authentication login tac-h0101 group tacacs+ //Authentication method list
(config)#aaa authorization exec tac-h0101 group tacacs+ //Authorization method list
(config)#tacacs-server host 10.3.3.3 key Aa123456 //Tacacs+ server address and shared key

Router(config)#line vty 1 4
Router(config-line)#login authentication tac-h0101 //Authenticate VTY logins against the AAA users defined on the server
Router(config-line)#authorization exec tac-h0101

2. Test on the device with a user and password defined on the ISE server (the device itself must already be added as a network device in ISE)

3. Enable remote access on the VTY lines, then log in to the device remotely with a user and password defined in ISE

Router(config)#line vty 1 4
Router(config-line)#transport input all //Accepts every protocol, including telnet; restrict to ssh outside the test

Cisco Radius test

1. Configure the Radius server and the authentication and authorization method lists

(config)#aaa new-model
(config)#aaa authentication login h0101-radius group radius //Authentication method list
(config)#aaa authorization exec h0101-radius group radius //Authorization method list
(config)#radius-server host 10.3.3.3 key Aa123456 //Radius server address and shared key
(config)#line vty 1 4
(config-line)#login authentication h0101-radius
(config-line)#authorization exec h0101-radius

Ruijie configuration steps

enable secret 5 $1$jtHM$yjZU1GByi6Ytgsun2iNF40 //Type 5 (MD5) enable secret
username admin privilege 15 secret 5 $1$kXdh$Xdy9UpNdiFP96clB7yz9I1
username ise-test password 7 000B1D0A1D0F1F031C35 //Type 7 encoding is reversible; prefer "secret" for local accounts

aaa new-model //Enable AAA

aaa authentication login Auth-login group tacacs+ local //Authentication list named Auth-login: tacacs+ first, then local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local 
aaa authorization commands 1 default group tacacs+ local 
aaa authorization commands 3 default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

radius-server dead-criteria time 5 tries 3

radius-server host 10.11.9.13 key 0 gkfsadfda                             //Configure the server address and key
radius-server host 10.12.1.25 key 0 gkfsadfda
tacacs-server host 10.10.3.133 key 0 gkfsadfda
tacacs-server host 10.11.1.25 key 0 gkfsadfda

dot1x authentication default //dot1x authentication uses the default list
dot1x accounting default //dot1x accounting uses the default list

enable service ssh-server                                    //Enable ssh service
ip ssh version 2

line vty 0 4
 exec-timeout 5 0
 login authentication Auth-login //Apply the authentication list named Auth-login
 transport input ssh
 exit
line vty 5 15
 exec-timeout 5 0
 login authentication Auth-login
 transport input ssh
 exit

lldp enable
errdisable recovery interval 120

ip route 0.0.0.0 0.0.0.0 10.1.16.1

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PING
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop rest
 deny   ip any any
 exit
ip access-list extended ACL-WEB-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.10.3.21
 deny   ip any host 10.12.0.20
 deny   ip any host 10.12.1.20
 deny   ip any host 10.10.3.13
 permit ip any any
 exit

snmp-server community ruijie RO

ntp server 10.1.90.8
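As an added example that is not part of the original post, a small Python audit for IOS-style (Cisco and Ruijie) AAA configurations like the ones in the two sections above. It is a constructed check, not a vendor tool; the sample config merges the Cisco TACACS+ steps with the type-7 username line from the Ruijie section, and it flags what a defender looks for in these configs: login method lists without a local fallback, reversible type-7 passwords, and VTY lines that are not restricted to SSH.

```python
import re

# Constructed sample: the Cisco TACACS+ steps plus a type-7 username line from the Ruijie section.
SAMPLE_CISCO = """\
aaa new-model
aaa authentication login tac-h0101 group tacacs+
aaa authorization exec tac-h0101 group tacacs+
tacacs-server host 10.3.3.3 key Aa123456
username ise-test password 7 000B1D0A1D0F1F031C35
line vty 1 4
 login authentication tac-h0101
 authorization exec tac-h0101
 transport input all
"""

def audit_ios_aaa(config):
    # Return a list of findings for an IOS-style (Cisco/Ruijie) AAA config.
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: named AAA method lists are not applied")
    # Named login lists mapped to their method order, e.g. ['group', 'tacacs+', 'local'].
    lists = {}
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if m:
            lists[m.group(1)] = m.group(2).split()
    for name, methods in lists.items():
        if "local" not in methods:
            findings.append(f"login list {name}: no local fallback, an unreachable AAA server locks out VTY access")
    if any(re.search(r"\bpassword 7\b", ln) for ln in lines):
        findings.append("type 7 password found: reversible encoding, use 'secret' instead")
    # Collect the sub-commands of each 'line vty' block (the indented lines under it).
    vty, current = {}, None
    for ln in lines:
        if ln.startswith("line vty"):
            current = ln
            vty[current] = []
        elif ln.startswith(" ") and current:
            vty[current].append(ln.strip())
        else:
            current = None
    for name, cmds in vty.items():
        login = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        if not login or login[0] not in lists:
            findings.append(f"{name}: no 'login authentication' with a defined named list")
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not restricted to ssh")
    return findings
```

Run `audit_ios_aaa` over a `show running-config` dump; an empty list means none of the three checks fired.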

H3C configuration steps

hwtacacs scheme device-tacacs //Configure the HWTACACS scheme
 primary authentication xxx.xxx.xxx.xxx //Authentication server address
 primary authorization xxx.xxx.xxx.xxx //Authorization server address
 key authentication cipher ************ //Authentication key
 key authorization cipher ************ //Authorization key
 key accounting cipher ************ //Accounting key
 user-name-format without-domain //Send the user name without the domain name
 nas-ip 172.xxx.xxx.xxx //Source address of the packets sent to the server (SW-MGMT-IP)

domain device-login //Configure the device-login domain to use the hwtacacs scheme
 authentication login hwtacacs-scheme device-tacacs local //Authentication order: tacacs, then local
 authorization login hwtacacs-scheme device-tacacs local //Authorization order: tacacs, then local
 accounting login hwtacacs-scheme device-tacacs none //Accounting order: tacacs, then none (login still succeeds if accounting fails)
 authorization command hwtacacs-scheme device-tacacs //Command authorization via tacacs

super password role network-admin hash "xx" //Privileged (super) password

command-privilege level 1 view shell display current-configuration //Allow these commands at level 1
command-privilege level 1 view shell display device manuinfo

domain default enable device-login //Set device-login as the default domain

Huawei configuration steps


Configure the HWTACACS server template and its servers:

hwtacacs enable //Enable the HWTACACS function
hwtacacs-server template device-tacacs //Create the server template
 hwtacacs-server authentication xxx.xxx.xxx.xxx //Authentication server
 hwtacacs-server authorization xxx.xxx.xxx.xxx //Authorization server
 hwtacacs-server accounting xxx.xxx.xxx.xxx //Accounting server
 hwtacacs-server source-ip 172.xxx.xxx.xxx //Switch management address
 hwtacacs-server timer response-timeout 2
 hwtacacs-server shared-key cipher ************ //Shared key with the HWTACACS servers

Configure the authentication scheme named hwtacacs: HWTACACS authentication first, local authentication as fallback.

aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local

Configure the authorization scheme named hwtacacs1: HWTACACS authorization first, local authorization as fallback, including command authorization at level 15.

 authorization-scheme hwtacacs1
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local

Configure the accounting scheme named hwtacacs1: HWTACACS accounting, and keep users online if the accounting start or interim update fails.

 accounting-scheme hwtacacs1
  accounting-mode hwtacacs
  accounting start-fail online
  accounting interim-fail online

Configure the hwtacacs domain and bind the three schemes and the server template to it:

 domain hwtacacs
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs1
  authorization-scheme hwtacacs1
  hwtacacs-server device-tacacs

Set the global default administrative domain:

 domain hwtacacs admin

Remote login authorization:

user-interface vty 0 4
 authentication-mode aaa

Read-only account login authorization (these display commands are lowered to level 1):

command-privilege level 1 view system display current-configuration
command-privilege level 1 view shell display device manufacture-info
command-privilege level 1 view shell display logbuffer
Origin blog.csdn.net/wailaizhu/article/details/118674736