Cisco Cisco Identity Services Engine 1.2 产品宣传页

보안

액세스 방법 가이드

부록

A: 샘플 컨피그레이션

디바이스

센서가 있는 전역 컨피그레이션

ip domain-name EXAMPLE.COM

username RADIUS-TEST password 0 PASSWORD

crypto key generate rsa general-keys mod 2048

aaa new-model

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE

aaa accounting update newinfo periodic 2880

aaa server radius dynamic-author

client 10.1.200.11 server-key RADIUS_KEY

aaa session-id common

dot1x system-auth-control

dot1x critical eapol

ip device tracking

vlan 10

name USER

vlan 11

name VOICE

vlan 100

name MGMT

interface 10

ip address 10.1.10.1 255.255.255.0

ip helper-address 10.1.200.10

interface 11

ip address 10.1.11.1 255.255.255.0

ip helper-address 10.1.200.10

interface 100

ip address 10.1.100.1 255.255.255.0

ip http server

ip access-list extended ACL_WEBAUTH_REDIRECT

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended BLACKHOLE

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL-DEFAULT

permit udp any any eq domain

permit udp any eq bootpc any eq bootps

deny ip any any

radius-server vsa send authentication

radius-server vsa send accounting

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius server ISE01

address ipv4 10.1.200.11

automate-tester username RADIUS-TEST probe-on
# For IOS & IOS-XE without ‘probe-on’ feature use following command instead

! automate-tester username RADIUS-TEST idle-time 10

key RADIUS_KEY

radius server ISE02

address ipv4 10.1.200.11

automate-tester username RADIUS-TEST probe-on
# For IOS & IOS-XE without ‘probe-on’ feature use following command instead

! automate-tester username RADIUS-TEST idle-time 10

key RADIUS_KEY

aaa group server radius ISE

server name ISE01

24 페이지