1. BY design and requirements
BY network devices need tiered management, integrated with AD, so that authorization differs by user and by location. BY network device locations: Beijing Software Park (including Shangdi No. 6 and the Yizhuang IDC), the Fenghuo office, Wuhan, Shanghai, and others.
Beijing Software Park:
- Admin users (configuration rights on the devices in this region)
- Ordinary users (only ordinary management rights on the devices in this region)
Fenghuo:
- Admin users (configuration rights on the devices in this region)
- Ordinary users (only ordinary management rights on the devices in this region)
Wuhan:
- Admin users (configuration rights on the devices in this region)
- Ordinary users (only ordinary management rights on the devices in this region)
Other:
- Admin users (configuration rights on the devices in this region)
- Ordinary users (only ordinary management rights on the devices in this region)
In addition, set up one super user group that manages all of the company's devices.
Definition (AD group to ACS group mapping):

| AD group | ACS group |
|---|---|
| BY-Auth-Admins | G-Admins |
| BY-Zpark-Auth-Admins | G-Zpark-Admins |
| BY-Zpark-Auth-Users | G-Zpark-Users |
| BY-FH-Auth-Admins | G-FH-Admins |
| BY-FH-Auth-Users | G-FH-GroupUsers |
| BY-WH-Auth-Admins | G-WH-Admins |
| BY-WH-Auth-Users | G-WH-GroupUsers |
| BY-SH-Auth-Admins | G-FH-Admins |
| BY-SH-Auth-Users | G-FH-GroupUsers |
NARs, NDGs and TACACS+ clients:

| NAR | NDG | TACACS+ clients | Comments |
|---|---|---|---|
| NAR-Zpark | Devices-Zpark | 192.168.3.12, 192.168.3.13, 192.168.3.14, 192.168.3.15, 192.168.3.16, 192.168.3.17, 192.168.3.18, 192.168.3.19, 192.168.3.249 | |
| NAR-FH | Devices-FH | 192.168.3.29, 192.168.3.30 | |
| NAR-WH | Devices-WH | | |
| NAR-SH | Devices-SH | | |
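As an added illustration of the design above (not part of the original post, and not Cisco ACS code), the following Python models the decision chain that the rest of this document configures ACS to make: AD group to ACS group through the ordered group mappings, TACACS+ client IP to NDG, the group-level NAR, and finally the shell command authorization set. It uses the G-Admins, Zpark and FH rows of the two tables above. The command-set contents (admins may run everything, ordinary users only a few read-only commands) and the rule that an unmapped user is denied are assumptions, since the page only describes the roles.

```python
"""Model of the tiered TACACS+ authorization policy from the design tables.

Added example: not the original post's code and not Cisco ACS internals.
ACS group-mapping, NDG, NAR and shell-command-set semantics are simplified.
"""
import ipaddress

# AD group -> ACS group, in the order ACS evaluates the mappings
# (first match wins when a user belongs to several AD groups).
# Subset of the Definition table: the super group plus the two regions
# that have TACACS+ clients listed on the page.
ORDERED_GROUP_MAPPINGS = [
    ("BY-Auth-Admins", "G-Admins"),
    ("BY-Zpark-Auth-Admins", "G-Zpark-Admins"),
    ("BY-Zpark-Auth-Users", "G-Zpark-Users"),
    ("BY-FH-Auth-Admins", "G-FH-Admins"),
    ("BY-FH-Auth-Users", "G-FH-GroupUsers"),
]

# Network Device Groups: NDG name -> TACACS+ client addresses (from the page).
NDGS = {
    "Devices-Zpark": [f"192.168.3.{h}" for h in range(12, 20)] + ["192.168.3.249"],
    "Devices-FH": ["192.168.3.29", "192.168.3.30"],
}

# Group-level NAR: ACS group -> NDGs it may reach. G-Admins has no NAR,
# i.e. the super group manages every device, as the requirements state.
NARS = {
    "G-Zpark-Admins": {"Devices-Zpark"},
    "G-Zpark-Users": {"Devices-Zpark"},
    "G-FH-Admins": {"Devices-FH"},
    "G-FH-GroupUsers": {"Devices-FH"},
}

# Shell command authorization sets. Contents are an assumption: the page only
# says admins may configure devices and ordinary users get ordinary rights.
ADMIN_SET = {"permit_unmatched": True, "permit": set()}
USER_SET = {"permit_unmatched": False,
            "permit": {"show", "ping", "traceroute", "exit"}}
COMMAND_SETS = {
    "G-Admins": ADMIN_SET, "G-Zpark-Admins": ADMIN_SET, "G-FH-Admins": ADMIN_SET,
    "G-Zpark-Users": USER_SET, "G-FH-GroupUsers": USER_SET,
}


def map_to_acs_group(ad_groups):
    """Return the ACS group of the first ordered mapping hit by the user's AD
    groups, or None when no mapping applies (an unknown user)."""
    for ad_group, acs_group in ORDERED_GROUP_MAPPINGS:
        if ad_group in ad_groups:
            return acs_group
    return None


def ndg_for_client(client_ip):
    """Return the NDG that lists client_ip as a TACACS+ client, or None."""
    addr = ipaddress.ip_address(client_ip)
    for ndg, members in NDGS.items():
        if any(addr == ipaddress.ip_address(m) for m in members):
            return ndg
    return None


def authorize(ad_groups, client_ip, command):
    """Decide whether a user (by AD groups) may run `command` on the device
    at client_ip. Returns (permitted, reason). Every failure denies, so a
    device that is not a registered client or a user with no mapping never
    falls through to a permit."""
    acs_group = map_to_acs_group(ad_groups)
    if acs_group is None:
        return False, "no AD group is mapped to an ACS group"
    ndg = ndg_for_client(client_ip)
    if ndg is None:
        return False, f"{client_ip} is not a configured TACACS+ client"
    allowed_ndgs = NARS.get(acs_group)  # None means no NAR: all NDGs allowed
    if allowed_ndgs is not None and ndg not in allowed_ndgs:
        return False, f"NAR: {acs_group} may not access {ndg}"
    cmd_set = COMMAND_SETS[acs_group]
    words = command.split()
    keyword = words[0] if words else ""
    if keyword in cmd_set["permit"] or cmd_set["permit_unmatched"]:
        return True, f"{acs_group} on {ndg}: '{command}' permitted"
    return False, f"{acs_group} on {ndg}: '{command}' not in command set"


if __name__ == "__main__":
    # Constructed requests: a Zpark admin reaching into the FH region is
    # stopped by the NAR; an FH ordinary user may look but not configure.
    for groups, ip, cmd in [
        ({"BY-Zpark-Auth-Admins"}, "192.168.3.12", "configure terminal"),
        ({"BY-Zpark-Auth-Admins"}, "192.168.3.29", "show running-config"),
        ({"BY-FH-Auth-Users"}, "192.168.3.30", "configure terminal"),
        ({"BY-Auth-Admins"}, "192.168.3.249", "reload"),
    ]:
        print(authorize(groups, ip, cmd))
```

The ordered mapping matters when an account sits in more than one AD group: a user in both BY-Zpark-Auth-Users and BY-Auth-Admins lands in G-Admins because that mapping is evaluated first, which is why the Order Mappings step later in this document should put the super group at the top deliberately rather than by accident.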
2. Installation
[Installation screenshots, captured 2009-9-9 14:06 to 14:09, not reproduced.]
3. Configuration notes
Click the ACS Admin shortcut on the desktop. Under the Administration Control menu, add an administrator account and set Administrator Privileges to Grant All so that the account has full administrative rights; click Submit to complete the configuration.
After this first step, open the remote administration console by browsing to http://x.x.x.x:2002.
[Screenshot: CiscoSecure ACS Login at http://bj-doc.beyondsoft.com:2002, captured 2009-9-9 14:18]
Open the External User Databases menu - Unknown User Policy - select "Check the following external user databases", and configure as follows.
Open the External User Databases menu - Database Configuration - Windows Database - Configure: leave "Dialin permission" unchecked, fill in the Selected Domain List, and Submit.
Configure - check the Configured Domain List.
Open the External User Databases menu - Database Group Mapping - Windows Database - Domain Configurations - New Configuration, configured as follows.
Configure the beyondsoft domain to complete the mapping:
External User Databases - Database Group Mappings - Windows Database - beyondsoft - Add Mapping
Create BY-Zpark-Auth_admins in the beyondsoft domain and map it to the CiscoSecure group Group 1; it is recommended to rename Group 1 to G-Zpark-Admins.
Note that CiscoSecure ships with 500 built-in mapping groups by default.
Note the mapping relationship between NT groups and ACS groups.
Define the order mapping relationship for the domain (beyondsoft):
External User Databases - Database Group Mappings - Windows Database - beyondsoft - Order Mappings
Interface Configuration menu
Interface Configuration - TACACS+ (Cisco IOS) -
Interface Configuration - Advanced Options -
Note: check Group-Level Shared Network Access Restrictions to enable the corresponding options under Shared Profile Components;
Note: check Network Device Groups to enable the corresponding options under Shared Profile Components.
Network Configuration: define the Network Device Groups (NDGs), then add the TACACS+ clients and the TACACS+ or RADIUS servers to the NDGs.
Network Configuration - Add Entry, add an NDG:
Add clients or servers. Example:
Network Configuration - Devices-Zpark
Shared Profile Components
Configure the NARs:
Shared Profile Components - Network Access Restrictions
Example: configure NAR-ZPARK.
Configure shell commands:
Shared Profile Components - Shell Command Authorization Sets
Example:
Group Setup
Rename the group; this is the group that carries the mapping between ACS groups and NT groups.
Edit Settings
Summary of the configuration order and items:
1. Click the ACS Admin shortcut on the desktop. Under the Administration Control menu, add an administrator account and set Administrator Privileges to Grant All so that the account has full administrative rights; click Submit to complete the configuration.
2. After the first step, open the remote administration console by browsing to http://x.x.x.x:2002.
3. Open the External User Databases menu - Unknown User Policy - select "Check the following external user databases".
4. Open the External User Databases menu - Database Configuration - Windows Database - Configure: leave "Dialin permission" unchecked, fill in the Selected Domain List, and Submit. Configure - check the Configured Domain List.
5. Open the External User Databases menu - Database Group Mapping - Windows Database - Domain Configurations - New Configuration.
6. Interface Configuration menu: enable exec command authorization and configure the advanced options, such as NDGs, shared components, and so on.
7. Network Configuration: define the Network Device Groups (NDGs), then add the TACACS+ clients and the TACACS+ or RADIUS servers to the NDGs.
8. Group Setup: group settings, rename the groups, and edit group attributes such as the NAR settings and TACACS+ Settings.
This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u3/104147/showart_2054525.html