思科、华为、华三、锐捷的3A tacacs配置（华为 思科 华三）

思科、华为、华三、锐捷的3A tacacs配置（华为 思科 华三）

思科：

aaa new-modelaaa group server tacacs+ tacacs-group（指定3A服务器组） server name ise1 server name ise2aaa authentication login conlogin local（串口用本地密码验证）（下面设置3A模板，模板名用默认default，绑定tacacs-group组）aaa authentication login default group tacacs-group localaaa authentication enable default group tacacs-group enableaaa authorization config-commandsaaa authorization exec default group tacacs-group local aaa authorization commands 15 default group tacacs-group local aaa accounting exec default start-stop group tacacs-groupaaa accounting commands 15 default start-stop group tacacs-groupip tacacs source-interface Loopback 0（3A认证源接口）tacacs-server timeout 1（3A服务器连接超时时间）tacacs server ise1（设置3A服务器地址和密钥） address ipv4 192.168.11.122 key freetacacs server ise2 address ipv4 192.168.11.123 key freeline con 0 exec-timeout 15 0 privilege level 15 logging synchronous login authentication conlogin（串口用本地认证）line vty 0 4 exec-timeout 15 0 logging synchronous transport preferred ssh transport input ssh （因为3A配置的是default group，所以vty不用指定认证模板）

华三：

domain default enable abc（3A配置在哪个domain下，就启用这个domain）hwtacacs scheme abc-aaa（hwtacacs模板） primary authentication 192.168.11.122 secondary authentication 192.168.11.123 primary authorization 192.168.11.122 secondary authorization 192.168.11.123 primary accounting 192.168.11.122 secondary accounting 192.168.11.123 nas-ip 1.1.1.1（3A源地址） key authentication free key authorization free key accounting free user-name-format without-domain（认证请求时不带域名）domain abc（domain绑定hwtacacs模板） authentication login hwtacacs-scheme abc-aaa local authorization login hwtacacs-scheme abc-aaa local accounting login hwtacacs-scheme abc-aaa local accounting optionaluser-interface con 0（串口配置本地密码认证） authentication-mode password set authentication password simple 123456user-interface vty 0 15 authentication-mode scheme command accounting command authorization （如果3A登录后不能进入sys模式，就删除此行）

华为：

hwtacacs enablehwtacacs-server template abc-aaa（hwtacacs模板） hwtacacs-server authentication 192.168.11.122 hwtacacs-server authentication 192.168.11.123 secondary hwtacacs-server authorizaiton 192.168.11.122 hwtacacs-server authorization 192.168.11.123 secondary  hwtacacs-server accounting 192.168.11.122 hwtacacs-server accounting 192.168.11.123 secondary hwtacacs-server source-ip 1.1.1.13（3A源地址） hwtacacs-server shared-key simple free undo hwtacacs-server user-name domain-included（认证请求时不带域名）aaa（3A模板绑定hwtacacs模板） authentication-scheme abc-aaa  authentication-mode hwtacacs local authorization-scheme abc-aaa  authorization-mode hwtacacs local  authorization-cmd 15 hwtacacs local accounting-scheme abc-aaa  accounting-mode hwtacacs domain abc（如果设备有domain default_admin，就配置在这下面）  service-type internetaccess ssl-\*\*\* l2tp ike administrator-access dot1x（USG系列需要配置）  authentication-scheme abc-aaa  authorization-scheme abc-aaa  accounting-scheme abc-aaa  hwtacacs-server abc-aaa recording-scheme abc-aaa  recording-mode hwtacacs abc-aaa cmd recording-scheme abc-aaauser-interface con 0（串口配置本地密码认证） authentication-mode password set authentication password simple 123456user-interface vty 0 14 authentication-mode aaa

锐捷：

aaa new-model（）（下面设置3A模板，绑定tacacs-group组）aaa accounting exec vtyacc start-stop group tacacs-groupaaa accounting commands 15 vtyacc start-stop group tacacs-groupaaa authorization exec vtyauthor group tacacs-group localaaa authorization commands 15 vtyauthor group tacacs-group localaaa authentication login vtyauth group tacacs-group localaaa group server tacacs+ tacacs-group（3A服务器组地址） server 192.168.11.122 server 192.168.11.123ip tacacs source-interface Loopback 0（3A认证源接口）tacacs-server host 192.168.11.122tacacs-server host 192.168.11.123tacacs-server key 0 freeline con 0（串口用本地密码认证） password 0 123456line vty 0 15（vty调用3A模板） accounting exec vtyacc accounting commands 15 vtyacc authorization exec vtyauthor authorization commands 15 vtyauthor login authentication vtyauth

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。