Configuring TACACS authentication on an Aruba controller (using CPPM)
CPPM version: 6.7.7.109065
Controller version: 6.5.4.9
A. Aruba controller configuration
1. Add a TACACS server: enter the server IP and Key, and check Session Authorization
2. Add the server to a Server Group
3. Configure under Administration -> Management Authentication Servers
Check Allow local Authentication as required (when checked, local accounts can still be used while the TACACS server is present)
Check enable and apply the server group configured above
B. CPPM configuration
1. Add local user accounts
arubawrite -> assigned the role Aruba TACACS root Admin
arubaread -> assigned the role Aruba TACACS read-only Admin
2. Network -> Device
Add the controller as a device, setting the Shared key and the Vendor Name
3. Add Enforcement profiles
Aruba-write and Aruba-read
When an account matches the policy conditions, the corresponding value is returned to the Aruba controller
4. Add an Enforcement policy
When the authenticated account's Role = Aruba TACACS root Admin, use the Aruba-read Enforcement profile to return its value
When the authenticated account's Role = Aruba TACACS read-only Admin, use the Aruba-write Enforcement profile to return its value
5. Add a Service that matches authentication requests from the specific device IP, on any day Monday through Sunday
Authentication source: the local SQL DB
Enforcement policy: select the Aruba-controller policy configured above
C. Verification
Logging in with the arubawrite account grants root privileges
Logging in with the arubaread account grants read-only privileges
Enable debug logging on the Aruba controller and review the authentication exchange:
#logging level debugging security process authmgr subcat aaa
#logging level debugging security process aaa subcat aaa
#show log security all
Arubawrite
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:89] tac_authen_pap_send: user 'arubawrite'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:49:22 :122026: <3786> <INFO> |authmgr| |aaa| tac_connect_try_once 278 source-interface 172.16.13.152 selected for outgoing requests to TACACS-server 172.16.13.13
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:200] tac_authen_pap_send: written message of size 59
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:832] TACACS server Tacacs-CPPM-172.16.13.13-49 response on port 84
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:529] tac_authen_pap_read: authentication ok
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:306] tac_author_pap_send: user 'arubawrite'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:49:22 :122026: <3786> <INFO> |authmgr| |aaa| tac_connect_try_once 278 source-interface 172.16.13.152 selected for outgoing requests to TACACS-server 172.16.13.13
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:418] tac_author_pap_send: written message of size 79
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:832] TACACS server Tacacs-CPPM-172.16.13.13-49 response on port 84
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:651] Total 1 args in author response
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:674] tac_author_pap_read: authorization ok
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:681] tac_author_pap_read: Aruba-Admin-Role: root
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:694] tac_author_pap_read: Aruba-Admin-Role AVP created
Arubaread
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:89] tac_authen_pap_send: user 'arubaread'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:50:21 :122026: <3786> <INFO> |authmgr| |aaa| tac_connect_try_once 278 source-interface 172.16.13.152 selected for outgoing requests to TACACS-server 172.16.13.13
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:200] tac_authen_pap_send: written message of size 57
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:832] TACACS server Tacacs-CPPM-172.16.13.13-49 response on port 84
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:529] tac_authen_pap_read: authentication ok
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:306] tac_author_pap_send: user 'arubaread'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:50:21 :122026: <3786> <INFO> |authmgr| |aaa| tac_connect_try_once 278 source-interface 172.16.13.152 selected for outgoing requests to TACACS-server 172.16.13.13
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:418] tac_author_pap_send: written message of size 78
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:832] TACACS server Tacacs-CPPM-172.16.13.13-49 response on port 84
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:651] Total 1 args in author response
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:674] tac_author_pap_read: authorization ok
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:681] tac_author_pap_read: Aruba-Admin-Role: read-only
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:694] tac_author_pap_read: Aruba-Admin-Role AVP created
Mar 14 23:50:22 :121031: <3786> <DBUG> |authmgr| |aaa| [rc_sequence.c:117] seq_num_timeout_handler: Freed 0 entries
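The two debug traces above show the full TACACS+ exchange per login: authentication ok, authorization ok, then the Aruba-Admin-Role AVP that decides the privilege level. The following added example (not from the original post) parses authmgr lines of this shape into one record per management login and flags any login whose returned role differs from an expected baseline; the sample log lines and the EXPECTED_ROLES mapping are constructed here from the setup described above.

```python
import re

# Constructed sample: ArubaOS authmgr debug lines of the kind shown above (one login per user).
SAMPLE_LOG = """\
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:89] tac_authen_pap_send: user 'arubawrite'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:529] tac_authen_pap_read: authentication ok
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:674] tac_author_pap_read: authorization ok
Mar 14 23:49:22 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:681] tac_author_pap_read: Aruba-Admin-Role: root
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:89] tac_authen_pap_send: user 'arubaread'(mgmt user), tty 'tty0', rem_addr '192.168.170.169', encrypt: yes
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:529] tac_authen_pap_read: authentication ok
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:674] tac_author_pap_read: authorization ok
Mar 14 23:50:21 :122020: <3786> <DBUG> |authmgr| |aaa| [authen.c:681] tac_author_pap_read: Aruba-Admin-Role: read-only
"""

# Role each account should receive from CPPM (assumed baseline, taken from the setup steps above).
EXPECTED_ROLES = {"arubawrite": "root", "arubaread": "read-only"}
START_RE = re.compile(r"tac_authen_pap_send: user '([^']+)'\(mgmt user\).*rem_addr '([^']+)'")
ROLE_RE = re.compile(r"Aruba-Admin-Role: (\S+)\s*$")

def parse_sessions(log_text):
    """Group authmgr lines into one record per management login; a tac_authen_pap_send line opens a record."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            cur = {"user": m.group(1), "rem_addr": m.group(2),
                   "authen": False, "author": False, "role": None}
            sessions.append(cur)
        elif cur is None:
            continue  # result line with no preceding login; ignore
        elif "authentication ok" in line:
            cur["authen"] = True
        elif "authorization ok" in line:
            cur["author"] = True
        elif (r := ROLE_RE.search(line)):
            cur["role"] = r.group(1)  # the AVP the controller maps to a management role
    return sessions

def audit(sessions, expected=EXPECTED_ROLES):
    """Return (user, reason) for each login that deviates from the expected role mapping."""
    findings = []
    for s in sessions:
        if not (s["authen"] and s["author"]):
            findings.append((s["user"], "incomplete TACACS exchange"))
        elif s["role"] is None:
            findings.append((s["user"], "no Aruba-Admin-Role in authorization reply"))
        elif expected.get(s["user"]) != s["role"]:
            findings.append((s["user"], f"unexpected role {s['role']}"))
    return findings
```

Running audit(parse_sessions(SAMPLE_LOG)) returns an empty list for the traces above; a swapped Enforcement profile mapping shows up as an "unexpected role" finding for the affected account.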
Reviewing the authentication record on CPPM