Cisco IOS Software Release 15.1(3)T: Important Security Notes

Configure a Switch for Authentication and Authorization

1. In order to create a local user on the switch with full privileges for fallback access, enter:
   Switch(config)#username admin privilege 15 password 0 cisco123!
2. In order to enable AAA, enter:
   switch(config)# aaa new-model
3. In order to provide the IP address of the RADIUS server as well as the key, enter:
   switch# configure terminal
   switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
   switch(config)#radius-server key hello123
   Note: The key must match the shared secret configured on the RADIUS server for the switch.
4. In order to test RADIUS server availability, enter the test aaa command:
   switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
   The test authentication fails with a rejection from the server, because the server is not yet configured, but it confirms that the server itself is reachable.
5. In order to configure login authentication to fall back to local users if RADIUS is unreachable, enter:
   switch(config)#aaa authentication login default group radius local
6. In order to configure authorization for privilege level 15, as long as the user is authenticated, enter:
   switch(config)#aaa authorization exec default group radius if-authenticated
FreeRADIUS Configuration

Define the Client on the FreeRADIUS Server

1. In order to navigate to the configuration directory, enter:
   cd /etc/freeradius
2. In order to edit the clients.conf file, enter:
   sudo nano clients.conf
3. In order to add each device (router/switch), identified by hostname, with the correct shared secret, enter:
   client 192.168.1.1 {
       secret = secretkey
       nastype = cisco
       shortname = switch
   }
4. In order to edit the users file, enter:
   sudo nano users
5. Add each user allowed to access the device. This example demonstrates how to set a Cisco IOS privilege level of 15 for the user "cisco."
   cisco Cleartext-Password := "password"
          Service-Type = NAS-Prompt-User,
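To show why the radius-server key on the switch must equal the secret in clients.conf, here is an added Python example (not from the Cisco document or from FreeRADIUS) of the RFC 2865 User-Password hiding that both sides perform on an Access-Request; the secret, password, NAS address and Request Authenticator values are constructed for the illustration.

```python
import hashlib
import os
import struct

# Added example, not Cisco's or FreeRADIUS's code. RFC 2865 section 5.2: the NAS
# hides the password by XORing it with MD5(shared_secret + Request Authenticator);
# the server can only recover it when its configured secret is the same string.
# The hiding is MD5-based obfuscation, not encryption, so the secret and the
# network path still need protection (e.g. a management VLAN, IPsec or RadSec).


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 bytes and XOR with the chained MD5 stream."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    blocks = max(1, -(-len(password) // 16))          # at least one 16-byte block
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk        # later blocks chain on the previous hidden block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: the inverse operation; a mismatched secret yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")   # strip the zero padding added by the NAS


def access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                   nas_ip: str, req_auth: bytes = b"") -> bytes:
    """Minimal Access-Request (code 1) with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    req_auth = req_auth or os.urandom(16)   # a real NAS picks a fresh random authenticator

    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, len(value) + 2) + value

    attrs = (avp(1, user)
             + avp(2, hide_password(password, secret, req_auth))
             + avp(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
```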