TACACS管理员对融合接入无线局域网控制器的访问配置示例
简介
本文档提供Cisco融合接入无线局域网控制器(WLC)5760/3850/3650中终端访问控制器访问控制系统Plus(TACACS+)的配置示例,用于CLI和GUI。本文档还提供一些排除配置故障的基本提示。
TACACS+是一种客户端/服务器协议,为试图获得路由器或网络接入服务器管理访问权限的用户提供集中安全。TACACS+提供以下身份验证、授权和记帐(AAA)服务:
尝试登录网络设备的用户的身份验证
对确定用户应具有的访问级别进行授权
对记录用户进行的所有更改进行记帐
先决条件
要求
Cisco 建议您了解以下主题:
- 如何配置WLC和轻量接入点(LAP)以实现基本操作
- 轻量接入点协议 (LWAPP) 和无线安全方法
- RADIUS和TACACS+的基本知识
- Cisco ACS 配置的基本知识
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 运行Cisco IOS® XE版本3.3.3的WLC 5760
- 访问控制服务器(ACS)5.2
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
配置
网络图
配置
这是一个两步过程:
- WLC上的配置
- 在RADIUS/TACACS服务器上配置
WLC上的配置
- 在WLC上定义TACACS服务器。确保在TACACS上配置完全相同的共享密钥。
tacacs-server host 10.106.73.71 key Cisco123
tacacs server ACS
address ipv4 10.106.102.50
key Cisco123
timeout 10 - 配置服务器组并映射上一步中配置的服务器。
aaa group server tacacs+ ACS
server name ACS
! - 为管理员访问配置身份验证和授权策略。在此中,您允许TACACS组后跟本地,即回退。
aaa authentication login Admin_Access group ACS local
aaa authorization exec Admin_Access group ACS local - 将策略应用于线路vty和HTTP。
line vty 0 4
authorization exec Admin_Access
login authentication Admin_Access
line vty 5 15
exec-timeout 0 0
authorization exec Admin_Access
login authentication Admin_Access - 对HTTP应用相同。
ip http server
ip http authentication aaa login-authentication Admin_Access
ip http authentication aaa exec-authorization Admin_Access
ACS上的配置
- 选择Network Resources > Network Devices and AAA Clients以将WLC添加为ACS上TACACS的AAA客户端。确保此处配置的共享密钥与WLC上配置的密钥匹配。
- 选择用户和身份库> 内部身份库>用户以定义用于管理员访问的用户。
- 选择Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles以将权限级别设置为15。
- 选择Access Policies > Access Services > Default Device Admin,以允许所需的协议。
- 选择Access Policies > Access Services > Default Device Admin > Identity,以便为设备管理员创建允许内部用户使用身份验证选项的身份。
- 选择访问策略>访问服务>默认设备管理>授权以允许在步骤3中创建的Priv15授权配置文件。此处将具有已通过身份(内部用户)的客户端放置在Priv15配置文件中。
验证
使用本部分可确认配置能否正常运行。
打开浏览器并输入交换机IP地址。系统随即会显示Authentication Required提示。输入组用户凭据以登录设备。
要检查Telnet/SSH访问,请通过Telnet/SSH访问交换机IP地址并输入凭证。
这显示为ACS日志记录。
故障排除
本部分提供的信息可用于对配置进行故障排除。
输入debug tacacs命令以排除配置故障。
debug tacacs
*May 14 23:11:06.396: TPLUS: Queuing AAA Authentication request 4775 for processing
*May 14 23:11:06.396: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:06.396: TPLUS: processing authentication continue request id 4775
*May 14 23:11:06.396: TPLUS: Authentication continue packet generated for 4775
*May 14 23:11:06.396: TPLUS(000012A7)/0/WRITE/962571D4: Started 10 sec timeout
*May 14 23:11:06.396: TPLUS(000012A7)/0/WRITE: wrote entire 25 bytes request
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect
16 bytes data)
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: read entire 28 bytes response
*May 14 23:11:06.398: TPLUS(000012A7)/0/962571D4: Processing the reply packet
*May 14 23:11:06.398: TPLUS: Received authen response status GET_PASSWORD (8)
*May 14 23:11:08.680: TPLUS: Queuing AAA Authentication request 4775 for processing
*May 14 23:11:08.680: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:08.680: TPLUS: processing authentication continue request id 4775
*May 14 23:11:08.680: TPLUS: Authentication continue packet generated for 4775
*May 14 23:11:08.680: TPLUS(000012A7)/0/WRITE/962571D4: Started 10 sec timeout
*May 14 23:11:08.680: TPLUS(000012A7)/0/WRITE: wrote entire 25 bytes request
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect
6 bytes data)
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: read entire 18 bytes response
*May 14 23:11:08.687: TPLUS(000012A7)/0/962571D4: Processing the reply packet
*May 14 23:11:08.687: TPLUS: Received authen response status PASS (2)
*May 14 23:11:08.687: TPLUS: Queuing AAA Authorization request 4775 for processing
*May 14 23:11:08.687: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:08.687: TPLUS: processing authorization request id 4775
*May 14 23:11:08.687: TPLUS: Protocol set to None .....Skipping
*May 14 23:11:08.687: TPLUS: Sending AV service=shell
*May 14 23:11:08.687: TPLUS: Sending AV cmd*
*May 14 23:11:08.687: TPLUS: Authorization request created for 4775(surbg123)
*May 14 23:11:08.687: TPLUS: using previously set server 10.106.102.50 from
group SURBG_ACS
*May 14 23:11:08.688: TPLUS(000012A7)/0/NB_WAIT/93C63F04: Started 10 sec timeout
*May 14 23:11:08.690: TPLUS(000012A7)/0/NB_WAIT: socket event 2
*May 14 23:11:08.690: TPLUS(000012A7)/0/NB_WAIT: wrote entire 61 bytes request
*May 14 23:11:08.690: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.690: TPLUS(000012A7)/0/READ: Would block while reading
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect
18 bytes data)
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: read entire 30 bytes response
*May 14 23:11:08.696: TPLUS(000012A7)/0/93C63F04: Processing the reply packet
*May 14 23:11:08.696: TPLUS: Processed AV priv-lvl=15
*May 14 23:11:08.696: TPLUS: received authorization response for 4775: PASS
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
20-May-2014 |
Initial Release |
反馈