This document describes how to use authentication, authorization, and accounting (AAA) with a TACACS+ server for centralized shell and command control on Cisco IOS devices.

There are no specific requirements for this document.

The information in this document is based on these software and hardware versions:

Cisco IOS® Software Release 12.0(5)T and later

CiscoSecure 2.3(6) for UNIX

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Refer to Cisco Technical Tips Conventions for more information on document conventions.
This table maps each Cisco IOS AAA command to the CiscoSecure profile element it relies on:

| Cisco IOS (AAA client) | CiscoSecure (AAA server) |
|---|---|
| aaa authentication login default group tacacs+ local | user=fred { password=des "********" } |
| aaa authorization exec default group tacacs+ local | service=shell { set priv-lvl=x } |
| privilege exec level x command (see the note below) | |
| aaa authorization commands # default group tacacs+ none, and aaa authorization config-commands | service=shell { default cmd=(permit\|deny) cmd=x { permit\|deny "..." } cmd=y { ... } } |
| enable secret, and aaa authentication enable default group tacacs+ enable | privilege = des "********" 15 |
By default, there are three command levels on the router:

Privilege level 0 - includes the disable, enable, exit, help, and logout commands

Privilege level 1 - includes all user-level commands at the router> prompt

Privilege level 15 - includes all enable-level commands at the router# prompt

You can move commands between privilege levels with this command:

privilege exec level priv-lvl command

Console port authorization was not added as a feature until Cisco bug ID CSCdi82030 (registered customers only) was implemented. By default, console port authorization is off, to reduce the chance of being accidentally locked out of the router. Console port authorization is also of limited value when a user has physical access to the router console. On images that implement CSCdi82030, however, you can turn on authorization for line con 0 with the hidden command aaa authorization console.
This output shows a sample user profile.

```
# ./ViewProfile -p 9900 -u fred
User Profile Information
user = fred{
profile_id = 189
profile_cycle = 1
password = clear "********"
privilege = clear "********" 15
service=shell {
cmd=show {
permit "users"
}
}
}
```

Partial router configuration:

```
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
tacacs-server host 172.18.124.113
tacacs-server key cisco
```

Note that the none fallbacks in this lab configuration mean that, if the TACACS+ server cannot be reached, enable authentication, exec authorization and command authorization all succeed with no check at all. For a production device, use the local and enable fallbacks shown in the table above, which still require a locally configured password when the server is down.
Note that some output is broken across two lines because of space considerations.

```
telnet 10.32.1.64
Trying 10.32.1.64...
Connected to 10.32.1.64.
Escape character is '^]'.

User Access Verification

Username: fred
Password:
vpn-2503>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:51
*  2 vty 0     fred       idle                 00:00:00 rtp-cherry.cisco.com

  Interface    User               Mode         Idle     Peer Address

vpn-2503>enable
Password:
vpn-2503#
```
Router (AAA client) debug output:

```
vpn-2503#show debug
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
vpn-2503#terminal monitor
vpn-2503#
!--- In this capture, AAA authentication first tries the TACACS+
!--- server (and falls through to local authentication only if the server
!--- does not respond), as configured in aaa authentication login default group tacacs+ local.
*Mar 15 18:21:25: AAA: parse name=tty3 idb type=-1 tty=-1
*Mar 15 18:21:25: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
*Mar 15 18:21:25: AAA/MEMORY: create_user (0x524528) user='' ruser='' port='tty3' rem_addr='172.18.124.113' authen_type=ASCII service=LOGIN priv=1
*Mar 15 18:21:25: AAA/AUTHEN/START (4191717920): port='tty3' list='' action=LOGIN service=LOGIN
*Mar 15 18:21:25: AAA/AUTHEN/START (4191717920): using "default" list
*Mar 15 18:21:25: AAA/AUTHEN/START (4191717920): Method=tacacs+ (tacacs+)
!--- Test TACACS+ for user authentication.
*Mar 15 18:21:25: TAC+: send AUTHEN/START packet ver=192 id=4191717920
*Mar 15 18:21:25: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 15 18:21:25: TAC+: Opening TCP/IP to 172.18.124.113/49 timeout=5
*Mar 15 18:21:25: TAC+: Opened TCP/IP handle 0x5475C8 to 172.18.124.113/49
*Mar 15 18:21:25: TAC+: 172.18.124.113 (4191717920) AUTHEN/START/LOGIN/ASCII queued
*Mar 15 18:21:25: TAC+: (4191717920) AUTHEN/START/LOGIN/ASCII processed
*Mar 15 18:21:25: TAC+: ver=192 id=4191717920 received AUTHEN status = GETUSER
*Mar 15 18:21:25: AAA/AUTHEN (4191717920): status = GETUSER
*Mar 15 18:21:27: AAA/AUTHEN/CONT (4191717920): continue_login (user='(undef)')
*Mar 15 18:21:27: AAA/AUTHEN (4191717920): status = GETUSER
*Mar 15 18:21:27: AAA/AUTHEN (4191717920): Method=tacacs+ (tacacs+)
*Mar 15 18:21:27: TAC+: send AUTHEN/CONT packet id=4191717920
*Mar 15 18:21:27: TAC+: 172.18.124.113 (4191717920) AUTHEN/CONT queued
*Mar 15 18:21:27: TAC+: (4191717920) AUTHEN/CONT processed
*Mar 15 18:21:27: TAC+: ver=192 id=4191717920 received AUTHEN status = GETPASS
*Mar 15 18:21:27: AAA/AUTHEN (4191717920): status = GETPASS
*Mar 15 18:21:29: AAA/AUTHEN/CONT (4191717920): continue_login (user='fred')
*Mar 15 18:21:29: AAA/AUTHEN (4191717920): status = GETPASS
*Mar 15 18:21:29: AAA/AUTHEN (4191717920): Method=tacacs+ (tacacs+)
*Mar 15 18:21:29: TAC+: send AUTHEN/CONT packet id=4191717920
*Mar 15 18:21:29: TAC+: 172.18.124.113 (4191717920) AUTHEN/CONT queued
*Mar 15 18:21:29: TAC+: (4191717920) AUTHEN/CONT processed
*Mar 15 18:21:29: TAC+: ver=192 id=4191717920 received AUTHEN status = PASS
*Mar 15 18:21:29: AAA/AUTHEN (4191717920): status = PASS
!--- TACACS+ passes user authentication. There is a check
!--- to see if shell access is permitted for this user, as configured in
!--- aaa authorization exec default group tacacs+ none (see the partial router configuration above).
*Mar 15 18:21:29: TAC+: Closing TCP/IP 0x5475C8 connection to 172.18.124.113/49
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): Port='tty3' list='' service=EXEC
*Mar 15 18:21:29: AAA/AUTHOR/EXEC: tty3 (3409614729) user='fred'
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): send AV service=shell
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): send AV cmd*
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): found list "default"
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): Method=tacacs+ (tacacs+)
*Mar 15 18:21:29: AAA/AUTHOR/TAC+: (3409614729): user=fred
*Mar 15 18:21:29: AAA/AUTHOR/TAC+: (3409614729): send AV service=shell
*Mar 15 18:21:29: AAA/AUTHOR/TAC+: (3409614729): send AV cmd*
*Mar 15 18:21:29: TAC+: using previously set server 172.18.124.113 from group tacacs+
*Mar 15 18:21:29: TAC+: Opening TCP/IP to 172.18.124.113/49 timeout=5
*Mar 15 18:21:29: TAC+: Opened TCP/IP handle 0x547A10 to 172.18.124.113/49
*Mar 15 18:21:29: TAC+: Opened 172.18.124.113 index=1
*Mar 15 18:21:29: TAC+: 172.18.124.113 (3409614729) AUTHOR/START queued
*Mar 15 18:21:29: TAC+: (3409614729) AUTHOR/START processed
*Mar 15 18:21:29: TAC+: (3409614729): received author response status = PASS_ADD
*Mar 15 18:21:29: TAC+: Closing TCP/IP 0x547A10 connection to 172.18.124.113/49
*Mar 15 18:21:29: AAA/AUTHOR (3409614729): Post authorization status = PASS_ADD
*Mar 15 18:21:29: AAA/AUTHOR/EXEC: Authorization successful
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): Port='tty3' list='' service=CMD
!--- TACACS+ passes exec authorization. The user now enters the
!--- show users command, which is authorized as configured in
!--- aaa authorization commands 1 default group tacacs+ none.
*Mar 15 18:21:32: AAA/AUTHOR/CMD: tty3 (4185871454) user='fred'
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV service=shell
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd=show
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd-arg=users
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd-arg=
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): found list "default"
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): Method=tacacs+ (tacacs+)
*Mar 15 18:21:32: AAA/AUTHOR/TAC+: (4185871454): user=fred
*Mar 15 18:21:32: AAA/AUTHOR/TAC+: (4185871454): send AV service=shell
*Mar 15 18:21:32: AAA/AUTHOR/TAC+: (4185871454): send AV cmd=show
*Mar 15 18:21:32: AAA/AUTHOR/TAC+: (4185871454): send AV cmd-arg=users
*Mar 15 18:21:32: AAA/AUTHOR/TAC+: (4185871454): send AV cmd-arg=
*Mar 15 18:21:32: TAC+: using previously set server 172.18.124.113 from group tacacs+
*Mar 15 18:21:32: TAC+: Opening TCP/IP to 172.18.124.113/49 timeout=5
*Mar 15 18:21:32: TAC+: Opened TCP/IP handle 0x54F26C to 172.18.124.113/49
*Mar 15 18:21:32: TAC+: Opened 172.18.124.113 index=1
*Mar 15 18:21:32: TAC+: 172.18.124.113 (4185871454) AUTHOR/START queued
*Mar 15 18:21:33: TAC+: (4185871454) AUTHOR/START processed
*Mar 15 18:21:33: TAC+: (4185871454): received author response status = PASS_ADD
*Mar 15 18:21:33: TAC+: Closing TCP/IP 0x54F26C connection to 172.18.124.113/49
*Mar 15 18:21:33: AAA/AUTHOR (4185871454): Post authorization status = PASS_ADD
!--- TACACS+ passes command authorization. The user now asks to
!--- enter enable mode, which is authenticated as configured in
!--- aaa authentication enable default group tacacs+ none.
*Mar 15 18:21:34: AAA/MEMORY: dup_user (0x523E58) user='fred' ruser='' port='tty3' rem_addr='172.18.124.113' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
*Mar 15 18:21:34: AAA/AUTHEN/START (125091438): port='tty3' list='' action=LOGIN service=ENABLE
*Mar 15 18:21:34: AAA/AUTHEN/START (125091438): using "default" list
*Mar 15 18:21:34: AAA/AUTHEN/START (125091438): Method=tacacs+ (tacacs+)
*Mar 15 18:21:34: TAC+: send AUTHEN/START packet ver=192 id=125091438
*Mar 15 18:21:34: TAC+: Opening TCP/IP to 172.18.124.113/49 timeout=5
*Mar 15 18:21:34: TAC+: Opened TCP/IP handle 0x54D080 to 172.18.124.113/49
*Mar 15 18:21:34: TAC+: Opened 172.18.124.113 index=1
*Mar 15 18:21:34: TAC+: 172.18.124.113 (125091438) AUTHEN/START/LOGIN/ASCII queued
*Mar 15 18:21:34: TAC+: (125091438) AUTHEN/START/LOGIN/ASCII processed
*Mar 15 18:21:34: TAC+: ver=192 id=125091438 received AUTHEN status = GETPASS
*Mar 15 18:21:34: AAA/AUTHEN (125091438): status = GETPASS
*Mar 15 18:21:37: AAA/AUTHEN/CONT (125091438): continue_login (user='fred')
*Mar 15 18:21:37: AAA/AUTHEN (125091438): status = GETPASS
*Mar 15 18:21:37: AAA/AUTHEN (125091438): Method=tacacs+ (tacacs+)
*Mar 15 18:21:37: TAC+: send AUTHEN/CONT packet id=125091438
*Mar 15 18:21:37: TAC+: 172.18.124.113 (125091438) AUTHEN/CONT queued
*Mar 15 18:21:37: TAC+: (125091438) AUTHEN/CONT processed
*Mar 15 18:21:37: TAC+: ver=192 id=125091438 received AUTHEN status = PASS
*Mar 15 18:21:37: AAA/AUTHEN (125091438): status = PASS
*Mar 15 18:21:37: TAC+: Closing TCP/IP 0x54D080 connection to 172.18.124.113/49
*Mar 15 18:21:37: AAA/MEMORY: free_user (0x523E58) user='fred' ruser='' port='tty3' rem_addr='172.18.124.113' authen_type=ASCII service=ENABLE priv=15
!--- TACACS+ passes enable authentication.
```

Note that the enable command itself never produces an AAA/AUTHOR/CMD request in this capture: enable is a privilege level 0 command, and the router only has aaa authorization commands 1 configured, so only level 1 commands such as show users are sent to the server for authorization.
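The router-side capture above is long because every AAA transaction is interleaved with TAC+ transport messages. When troubleshooting, what you actually want is one line per transaction: its id, whether it was authentication or authorization, the service (LOGIN, EXEC, CMD, ENABLE), the user, the methods the router tried, the command that was authorized, and the final status. The following is an added example, not code from the Cisco document: it groups the debug lines by transaction id using the line formats seen in the capture above. The ROUTER_DEBUG sample is a trimmed copy of that capture; the FALLBACK_DEBUG sample is constructed here (it is not from the page) in the same format, on the assumption that a TACACS+ server timeout shows up as status = ERROR followed by Method=LOCAL, which is what the local fallback in aaa authentication login default group tacacs+ local looks like. Detecting that fallback matters because a FAIL (wrong password) does not fall through to the next method, but an ERROR (server unreachable) does.

```python
"""Reconstruct AAA transactions from Cisco IOS 'debug aaa authentication',
'debug aaa authorization' and 'debug tacacs' output.

Added example, not part of the original Cisco document. The line formats
matched below are those of the router capture on this page. ROUTER_DEBUG is
a trimmed copy of that capture; FALLBACK_DEBUG is constructed (not from the
page) to show a fallback from tacacs+ to the LOCAL method.
"""
import re

RE_AUTHEN_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='(\S+)'.*service=(\w+)")
RE_AUTHOR_START = re.compile(r"AAA/AUTHOR/(?:EXEC|CMD) \((\d+)\): Port='(\S+)'.*service=(\w+)")
RE_METHOD = re.compile(r"\((\d+)\): Method=(\S+)")
RE_AUTHEN_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
RE_AUTHOR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
RE_CONT_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
RE_AUTHOR_USER = re.compile(r"AAA/AUTHOR/(?:EXEC|CMD): \S+ \((\d+)\) user='([^']*)'")
RE_CMD_AV = re.compile(r"AAA/AUTHOR/(?:EXEC|CMD) \((\d+)\): send AV cmd(?:-arg)?=(.*)$")


def summarize_aaa_debug(lines):
    """Group debug lines by AAA transaction id; return one record per
    transaction in order of first appearance."""
    records = {}

    def rec(tid, kind):
        return records.setdefault(tid, {
            'id': tid, 'kind': kind, 'service': None, 'port': None,
            'user': None, 'methods': [], 'args': [], 'status': None})

    for line in lines:
        if m := RE_AUTHEN_START.search(line):
            r = rec(m[1], 'AUTHEN'); r['port'], r['service'] = m[2], m[3]
        elif m := RE_AUTHOR_START.search(line):
            r = rec(m[1], 'AUTHOR'); r['port'], r['service'] = m[2], m[3]
        elif m := RE_METHOD.search(line):
            r = rec(m[1], '?')
            if not r['methods'] or r['methods'][-1] != m[2]:   # record each switch of method
                r['methods'].append(m[2])
        elif m := RE_AUTHEN_STATUS.search(line):
            rec(m[1], 'AUTHEN')['status'] = m[2]              # last status seen is the outcome
        elif m := RE_AUTHOR_STATUS.search(line):
            rec(m[1], 'AUTHOR')['status'] = m[2]
        elif m := RE_CONT_USER.search(line):
            if m[2] != '(undef)':
                rec(m[1], 'AUTHEN')['user'] = m[2]
        elif m := RE_AUTHOR_USER.search(line):
            rec(m[1], 'AUTHOR')['user'] = m[2]
        elif m := RE_CMD_AV.search(line):
            if m[2].strip():                                  # an empty 'cmd-arg=' ends the list
                rec(m[1], 'AUTHOR')['args'].append(m[2].strip())

    out = list(records.values())
    for r in out:
        r['command'] = ' '.join(r['args']) or None
    return out


def local_fallbacks(records):
    """Transactions in which the router moved past tacacs+ to a later method."""
    return [r for r in records if len(r['methods']) > 1 and r['methods'][0] == 'tacacs+']


# Trimmed from the router capture on this page (TAC+ transport lines dropped).
ROUTER_DEBUG = """\
*Mar 15 18:21:25: AAA/AUTHEN/START (4191717920): port='tty3' list='' action=LOGIN service=LOGIN
*Mar 15 18:21:25: AAA/AUTHEN/START (4191717920): Method=tacacs+ (tacacs+)
*Mar 15 18:21:25: AAA/AUTHEN (4191717920): status = GETUSER
*Mar 15 18:21:27: AAA/AUTHEN/CONT (4191717920): continue_login (user='(undef)')
*Mar 15 18:21:29: AAA/AUTHEN/CONT (4191717920): continue_login (user='fred')
*Mar 15 18:21:29: AAA/AUTHEN (4191717920): status = PASS
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): Port='tty3' list='' service=EXEC
*Mar 15 18:21:29: AAA/AUTHOR/EXEC: tty3 (3409614729) user='fred'
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): send AV cmd*
*Mar 15 18:21:29: tty3 AAA/AUTHOR/EXEC (3409614729): Method=tacacs+ (tacacs+)
*Mar 15 18:21:29: AAA/AUTHOR (3409614729): Post authorization status = PASS_ADD
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): Port='tty3' list='' service=CMD
*Mar 15 18:21:32: AAA/AUTHOR/CMD: tty3 (4185871454) user='fred'
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd=show
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd-arg=users
*Mar 15 18:21:32: tty3 AAA/AUTHOR/CMD (4185871454): send AV cmd-arg=
*Mar 15 18:21:33: AAA/AUTHOR (4185871454): Post authorization status = PASS_ADD
*Mar 15 18:21:34: AAA/AUTHEN/START (125091438): port='tty3' list='' action=LOGIN service=ENABLE
*Mar 15 18:21:34: AAA/AUTHEN/START (125091438): Method=tacacs+ (tacacs+)
*Mar 15 18:21:37: AAA/AUTHEN/CONT (125091438): continue_login (user='fred')
*Mar 15 18:21:37: AAA/AUTHEN (125091438): status = PASS
"""

# Constructed sample (not from the page): server unreachable, router falls back to LOCAL.
FALLBACK_DEBUG = """\
*Mar 15 19:02:10: AAA/AUTHEN/START (2001): port='tty4' list='' action=LOGIN service=LOGIN
*Mar 15 19:02:10: AAA/AUTHEN/START (2001): Method=tacacs+ (tacacs+)
*Mar 15 19:02:15: AAA/AUTHEN (2001): status = ERROR
*Mar 15 19:02:15: AAA/AUTHEN/START (2001): Method=LOCAL
*Mar 15 19:02:15: AAA/AUTHEN (2001): status = GETUSER
*Mar 15 19:02:18: AAA/AUTHEN/CONT (2001): continue_login (user='fred')
*Mar 15 19:02:18: AAA/AUTHEN (2001): status = PASS
"""
```

Feed the function the lines of a terminal-monitor capture and look at local_fallbacks() first: a login that passed via LOCAL while the method list starts with tacacs+ means the server was unreachable and the router's local credentials, not the central policy, decided the session.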
CiscoSecure (AAA server) debug output for the same sequence:

```
!--- In this capture, AAA authentication first tries the TACACS+
!--- server (and falls through to local authentication only if the server
!--- does not respond), as configured in aaa authentication login default group tacacs+ local.
Sep  7 07:22:32 rtp-cherry CiscoSecure: DEBUG - AUTHENTICATION START request (bace1fbf)
Sep  7 07:22:32 rtp-cherry CiscoSecure: DEBUG -
Sep  7 07:22:32 rtp-cherry User Access Verification
!--- Test TACACS+ for user authentication:
Sep  7 07:22:32 rtp-cherry CiscoSecure: DEBUG - Username:
Sep  7 07:22:33 rtp-cherry CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (bace1fbf)
Sep  7 07:22:33 rtp-cherry CiscoSecure: DEBUG - Password:
Sep  7 07:22:35 rtp-cherry CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (bace1fbf)
Sep  7 07:22:35 rtp-cherry CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS=10.32.1.64, Port=tty2, User=fred, Priv=1]
!--- TACACS+ passes user authentication. There is a check
!--- to see if shell access is permitted for this user, as configured in
!--- aaa authorization exec default group tacacs+ none (see the partial router configuration above).
Sep  7 07:22:35 rtp-cherry CiscoSecure: DEBUG -
Sep  7 07:22:36 rtp-cherry CiscoSecure: DEBUG - AUTHORIZATION request (9ad05c71)
Sep  7 07:22:36 rtp-cherry CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 10.32.1.64, user = fred, port = tty2, input: service=shell cmd* output: ]
!--- TACACS+ passes exec authorization. The user now enters the
!--- show users command, which is authorized as configured in
!--- aaa authorization commands 1 default group tacacs+ none.
Sep  7 07:22:38 rtp-cherry CiscoSecure: DEBUG - AUTHORIZATION request (563ba541)
Sep  7 07:22:38 rtp-cherry CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 10.32.1.64, user = fred, port = tty2, input: service=shell cmd=show cmd-arg=users cmd-arg= output: ]
!--- TACACS+ passes command authorization. The user now asks to
!--- enter enable mode, which is authenticated as configured in
!--- aaa authentication enable default group tacacs+ none.
Sep  7 07:22:40 rtp-cherry CiscoSecure: DEBUG - AUTHENTICATION START request (f7e86ad4)
Sep  7 07:22:40 rtp-cherry CiscoSecure: DEBUG - Password:
Sep  7 07:22:41 rtp-cherry CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (f7e86ad4)
Sep  7 07:22:41 rtp-cherry CiscoSecure: DEBUG - Authentication - ENABLE successful; [NAS=10.32.1.64, Port=tty2, User=fred, Priv=15]
!--- TACACS+ passes enable authentication.
```

Note that the command is delivered to the server exactly as the router splits it: the first word as cmd=show and each following word as a separate cmd-arg, terminated by an empty cmd-arg=. The permit and deny patterns in the profiles below are matched against those arguments, not against the command word.
```
group LANadmins{
  service=shell {
    cmd=interface{
      permit "Ethernet *"
      deny "Serial *"
    }
    cmd=aaa{
      deny ".*"
    }
    cmd=tacacs-server{
      deny ".*"
    }
    default cmd=permit
  }
}
```

This profile lets any user who is a member of the group LANadmins log in to the router and enter most commands. Users are not allowed to change the serial interface configuration or the AAA configuration (so they cannot remove command authorization or the TACACS+ server definition). Because the cmd=interface block lists only Ethernet and Serial patterns, interface commands for any other interface type match nothing in the block and are denied as well.
```
group Boston_Admins{
  service=shell {
    allow "10.28.17.1" ".*" ".*"
    allow bostonswitch ".*" ".*"
    allow "^bostonrtr[0-9]+" ".*" ".*"
    set priv-lvl=15
    default cmd=permit
  }
  service=shell {
    allow "^NYrouter[0-9]+" ".*" ".*"
    set priv-lvl=1
    default cmd=deny
  }
}
```

This profile gives members of the group enable privileges (priv-lvl 15) on bostonswitch, on the device at 10.28.17.1, and on any device whose name starts with bostonrtr followed by digits (bostonrtr1 through bostonrtr9, but note that ^bostonrtr[0-9]+ also matches bostonrtr10 and above). All commands are permitted on those devices. Access to the NYrouterX devices is limited to user exec level (priv-lvl 1), and if command authorization is requested there, every command is denied.
```
group NY_wan_admins{
  service=shell {
    allow "^NYrouter[0-9]+" ".*" ".*"
    set priv-lvl=15
    default cmd=permit
  }
  service=shell {
    allow "^NYcore$" ".*" ".*"
    default cmd=permit
    cmd=interface{
      permit "Serial 0/[0-9]+"
      permit "Serial 1/[0-9]+"
    }
  }
}
```

This group has full access to all NY routers (NYrouter followed by digits). On the NY core router (NYcore) every command is permitted by default, but interface configuration is limited to the Serial 0/x and Serial 1/x interfaces. Note that, because the NYcore clause uses default cmd=permit with no restriction on the aaa or tacacs-server commands, the user can also disable AAA on the core router.
```
user bob{
  password = des "********"
  privilege = des "********" 15
  member = NY_wan_admins
}
```

This user is a member of the group NY_wan_admins and inherits its privileges. The user also has a login password and an enable password of their own.
```
group LAN_support {
  service=shell {
    default cmd = deny
    cmd = set{
      deny "port enable 3/10"
      permit "port enable *"
      deny "port disable 3/10"
      permit "port disable *"
      permit "port name *"
      permit "port speed *"
      permit "port duplex *"
      permit "vlan [0-9]+ [0-9]+/[0-9]+"
      deny ".*"
    }
    cmd = show{
      permit ".*"
    }
    cmd = enable{
      permit ".*"
    }
  }
}
```

This profile is designed for Catalyst switches. Users can issue only certain set commands. They are not allowed to enable or disable port 3/10 (the trunk port); the deny entries for that port are listed before the matching permit entries because the patterns are evaluated in order. Users may assign a port to a VLAN, but all other set vlan commands, and every other set command, are denied by the final deny ".*". All show commands and enable are permitted; any other command falls under default cmd = deny.
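The profiles above are compact, but whether a given command line gets through depends on details that are easy to get wrong: the router sends the first word as cmd and the rest as cmd-arg, the permit/deny patterns are regular expressions tested in order against the arguments, and a cmd block that matches nothing denies. The following is an added example, not code from the Cisco document or from CiscoSecure: a small parser for the service=shell profile syntax shown on this page, plus an evaluator that answers "permit" or "deny" for a command line the way the server would, applied to the fred profile, the LANadmins profile and the LAN_support profile. The matching semantics it assumes are stated in the docstring (unanchored regex, first match wins, implicit deny inside a cmd block, and deny for unlisted commands when the profile has no default cmd); the allow and set priv-lvl clauses are skipped because they select the NAS and the privilege level rather than decide a command. One result worth checking on any such profile: IOS sends a negated command as cmd=no, so under this model LANadmins permits "no aaa new-model" even though it denies cmd=aaa; a profile that intends to protect the AAA configuration needs a cmd=no block as well.

```python
"""Offline model of CiscoSecure-style shell command authorization.

Added example; not code from the Cisco document or from CiscoSecure. It
parses the group-profile syntax shown on the page and evaluates a command
the way the NAS presents it: cmd=<first word>, cmd-arg=<remaining words>.
Assumed semantics (an assumption, not taken from the page): patterns are
unanchored regular expressions tried in profile order, first match wins; a
cmd= block that matches nothing denies; a profile with no 'default cmd'
denies unlisted commands. 'allow' and 'set priv-lvl' clauses are skipped.
"""
import re

# A token is a quoted string, one of { } =, or a bare word.
TOKEN = re.compile(r'"([^"]*)"|([{}=])|([^\s{}="]+)')


def tokenize(text):
    """Split profile text into ('str', ...), ('sym', ...) and ('word', ...) tokens."""
    toks = []
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            toks.append(('str', m.group(1)))
        elif m.group(2):
            toks.append(('sym', m.group(2)))
        else:
            toks.append(('word', m.group(3)))
    return toks


def parse_shell_profile(text):
    """Return {'default': 'permit'|'deny', 'cmds': {word: [(action, regex), ...]}}
    for the first service=shell { ... } clause found in text."""
    toks = tokenize(text)
    i = 0
    while not (toks[i] == ('word', 'service') and toks[i + 2] == ('word', 'shell')):
        i += 1
    i += 4                                     # skip: service = shell {
    prof = {'default': 'deny', 'cmds': {}}     # no 'default cmd' -> unlisted commands denied
    while toks[i] != ('sym', '}'):
        word = toks[i][1]
        if word == 'default':                  # default cmd = permit|deny
            prof['default'] = toks[i + 3][1]
            i += 4
        elif word == 'cmd':                    # cmd = <word> { permit|deny "<regex>" ... }
            name = toks[i + 2][1]
            i += 4
            rules = []
            while toks[i] != ('sym', '}'):
                rules.append((toks[i][1], toks[i + 1][1]))
                i += 2
            prof['cmds'][name] = rules
            i += 1                             # closing brace of the cmd block
        else:                                  # allow ..., set priv-lvl=...: not modelled
            i += 1
    return prof


def authorize(prof, command_line):
    """Decide 'permit' or 'deny' for one command line as the NAS would request it."""
    parts = command_line.split(None, 1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else '')
    rules = prof['cmds'].get(cmd)
    if rules is None:
        return prof['default']                 # no cmd= block for this command word
    for action, pattern in rules:              # profile order, first match wins
        if re.search(pattern, args):           # unanchored match against the arguments
            return action
    return 'deny'                              # cmd= block present, nothing matched


# Profiles copied from this page (LANadmins given its missing closing brace).
FRED = '''user = fred{ profile_id = 189 profile_cycle = 1 password = clear "********"
privilege = clear "********" 15 service=shell { cmd=show { permit "users" } } }'''

LANADMINS = '''group LANadmins{ service=shell { cmd=interface{ permit "Ethernet *" deny "Serial *" }
cmd=aaa{ deny ".*" } cmd=tacacs-server{ deny ".*" } default cmd=permit } }'''

LAN_SUPPORT = '''group LAN_support { service=shell { default cmd = deny cmd = set{
deny "port enable 3/10" permit "port enable *" deny "port disable 3/10" permit "port disable *"
permit "port name *" permit "port speed *" permit "port duplex *"
permit "vlan [0-9]+ [0-9]+/[0-9]+" deny ".*" } cmd = show{ permit ".*" } cmd = enable{ permit ".*" } } }'''
```

Run authorize() over the command lines an operator is expected to type before deploying a profile; the cases that matter are the negated forms (no ...), interface types the cmd=interface block does not mention, and arguments that share a prefix with a denied one.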
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 06-Sep-2001 | Initial Release |