Cisco | Identity Services Engine (ISE) - Basic
2. Configuration.
3. Click Provider, Next.
4. Administration | System | Deployment | select the Deployment Node, click Edit, and tick the box.
5. Create local user groups. Each group carries a privilege (full or read-only) and is what later decides what a user may do after logging in to a device. Administration | Identity Management | Groups.
6. Create local users and assign each to one of the groups created above. These are the accounts that will log in to the devices. Administration | Identity Management | Identities.
The result is as follows:
7. Create a Network Device Group. Click Administration | Network Device Groups | Add.
8. Register the devices for TACACS+, each with its shared secret (it must match the key configured on the device itself). Click Administration | Network Devices | Add.
Stage II (Create the TACACS Command Sets)
9. Work Centers | Device Administration | Policy Elements | Results | TACACS Command Sets.
a. Admin (Full Access): tick "Permit any command that is not listed below" so the set allows every command.
b. Read-Only (Monitor): leave that box unticked and permit only the monitoring (show) commands; anything not listed is denied.
Result:
Stage III (Create the TACACS Profiles)
10. Work Centers | Device Administration | Policy Elements | Results | TACACS Profiles.
a. Admin-Full: Shell profile with default and maximum privilege 15.
b. Read-Only (Monitor): Shell profile with a lower privilege level; the Read-Only command set restricts what the user can run.
Nexus-specific: NX-OS does not use priv-lvl. It takes the user's role from the custom attribute shell:roles (network-admin for full access, network-operator for read-only), so the Nexus profiles carry that attribute instead of a privilege level.
Summary:
Stage IV (Create the Device Admin Policy Set)
11. Work Centers | Device Administration | Device Admin Policy Sets | Policy Set | Click Add (+).
a. Policy Set. Create the set Nexus_IOS_Policy_Set.
b. Authentication Policy. Then Next. After clicking the arrow at point no. 6 you enter the Authentication Policy settings.
c. Authorization Policy.
In the Condition column add one rule for Nexus and one for IOS, as shown in the figure below, so that each user group is mapped to the matching command set and TACACS profile.
This completes the TACACS+ server configuration.
----------------------------------------------------------------------------------------------------------
Stage V. Configure the Cisco IOS Switch
!
! Enable AAA first; none of the method lists below are accepted without it.
aaa new-model
!
! Define the ISE PSN as a TACACS+ server. The key must match the shared secret
! entered for this device in ISE (Administration | Network Devices). A type-0
! (plaintext) key as shown is acceptable in a lab only.
tacacs server ISE
address ipv4 192.168.100.210
key Test123
!
! Source TACACS+ traffic from Loopback0 so the address ISE sees matches the
! device entry regardless of the egress interface.
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ISE
server name ISE
!
! Authentication: ask ISE, fall back to the local database / enable secret only
! when no server answers (a reject from ISE is final, it does not fall through).
! The named list "ISE" is what the vty line below refers to.
aaa authentication login default group ISE local
aaa authentication login ISE group ISE local
aaa authentication enable default group ISE enable
!
! Authorization: exec shell and every command at levels 0, 1 and 15, including
! configuration-mode commands and the console, against the ISE command sets.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE local if-authenticated
aaa authorization commands 0 default group ISE local if-authenticated
aaa authorization commands 1 default group ISE local if-authenticated
aaa authorization commands 15 default group ISE local if-authenticated
!
! Accounting: record sessions and each command at every level in ISE.
aaa accounting update newinfo
aaa accounting exec default start-stop group ISE
aaa accounting commands 0 default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa session-id common
!
! Remote access: SSH only, 5-minute idle timeout, login through the "ISE" list.
line vty 0 4
exec-timeout 5 0
login authentication ISE
transport input ssh
transport output all
!
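A quick way to catch the mistakes that matter in an IOS AAA block like the one above (a vty line that names a method list nobody defined, a login list with no local fallback, telnet still enabled, no command accounting), as an added example that is not part of the original post. The linter, its check list and the two sample configs are constructed here; they are not a Cisco tool, and the parser only knows enough IOS syntax to separate `line` blocks from global statements.

```python
"""Lint Cisco IOS AAA/TACACS+ configuration for the mistakes that lock admins out or
quietly bypass ISE. Added example for this page, not code from the original post or a
Cisco tool; the two sample configs below are constructed for the demo."""
import re
from typing import Any, Dict, List

# Keywords that always begin a global statement, so a flat paste (no indentation) still parses.
GLOBAL_PREFIXES = ("aaa ", "line ", "interface ", "tacacs", "ip ", "hostname", "username",
                   "crypto", "router ", "access-list", "enable ", "service ", "logging", "end")
FALLBACK_METHODS = ("local", "enable", "line")   # still usable when every TACACS+ server is down


def parse_ios(config: str) -> Dict[str, Any]:
    """Split a config into global statements and the sub-commands of each `line` block
    (handles indented running-config output and the flat form of pasted snippets)."""
    globals_: List[str] = []
    lines: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            current = None                      # '!' separates sections in IOS output
            continue
        if text.startswith("line "):
            current = text
            lines[current] = []
        elif current is not None and (raw[0] in " \t" or not text.startswith(GLOBAL_PREFIXES)):
            lines[current].append(text)
        else:
            current = None
            globals_.append(text)
    return {"global": globals_, "lines": lines}


def lint_aaa(config: str) -> List[str]:
    """Return one finding per problem; an empty list means every check passed."""
    cfg = parse_ios(config)
    g: List[str] = cfg["global"]
    findings: List[str] = []
    if "aaa new-model" not in g:
        findings.append("aaa new-model missing: method lists are ignored and TACACS+ is never consulted")
    # Named login lists -> method sequence, e.g. {'default': ['group', 'ISE', 'local']}
    login_lists: Dict[str, List[str]] = {}
    for stmt in g:
        m = re.match(r"aaa authentication login (\S+) (.+)", stmt)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    if "default" not in login_lists:
        findings.append("no 'aaa authentication login default' list: console/vty use IOS defaults")
    for name, methods in login_lists.items():
        if "group" in methods and methods[-1] not in FALLBACK_METHODS:
            findings.append(f"login list '{name}' has no local fallback after the TACACS+ group: "
                            "lockout when ISE is unreachable")
    if not any(s.startswith("aaa accounting commands 15 ") for s in g):
        findings.append("no command accounting at privilege 15: no audit trail of admin changes")
    if not any(s.startswith(("key ", "tacacs-server key ")) for s in g):
        findings.append("no TACACS+ shared secret configured")
    for name, sub in cfg["lines"].items():
        if not name.startswith("line vty"):
            continue
        for s in sub:
            if s.startswith("login authentication ") and s.split()[2] not in login_lists:
                findings.append(f"{name}: '{s}' references an undefined method list")
        transports = [s.split()[2:] for s in sub if s.startswith("transport input ")]
        if not transports or any(t != ["ssh"] for t in transports):
            findings.append(f"{name}: transport input is not restricted to ssh")
        if any(s.split()[1:3] == ["0", "0"] for s in sub if s.startswith("exec-timeout ")):
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
    return findings


# Constructed sample: the classic mistakes, in indented running-config form.
BAD_CONFIG = """\
aaa new-model
tacacs server ISE
 address ipv4 192.168.100.210
 key Test123
aaa authentication login default group ISE
line vty 0 4
 login authentication ISE
 transport input telnet ssh
 exec-timeout 0 0
"""

# Constructed sample: the same intent done right, in the flat form a pasted snippet usually has.
GOOD_CONFIG = """\
aaa new-model
tacacs server ISE
address ipv4 192.168.100.210
key Test123
!
aaa authentication login default group ISE local
aaa authentication login ISE group ISE local
aaa accounting commands 15 default start-stop group ISE
line vty 0 4
exec-timeout 5 0
login authentication ISE
transport input ssh
"""
```

Run `lint_aaa(open("running-config.txt").read())` against a `show running-config` capture; the bad sample yields five findings, the good one none. The "no local fallback" check is the one worth keeping even if you drop the rest: a `default` list that ends in `group ISE` locks every admin out the moment the PSN is unreachable.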
==============
NX-OS-LAB
---------------
conf t
!
feature tacacs+
!
! Shared secret must match the entry for this switch in ISE (Administration | Network Devices).
! Plaintext (type 0) key, acceptable in a lab only.
tacacs-server host 192.168.100.210 key Test123
!
! The group member must be the host defined above. Reach ISE through the management VRF
! and source the traffic from mgmt0 so ISE sees the registered address.
aaa group server tacacs+ ISE
server 192.168.100.210
use-vrf management
source-interface mgmt0
!
! Show the reject reason to the user and use interactive ASCII login instead of PAP.
aaa authentication login error-enable
aaa authentication login ascii-authentication
!
aaa accounting default group ISE
!
! Console stays local so the switch remains reachable if ISE is down. Remote logins ask ISE
! first and fall back to local accounts only when no server answers. NX-OS derives the user's
! role (network-admin / network-operator) from the shell:roles attribute in the TACACS profile.
aaa authentication login console local
aaa authentication login default group ISE local
aaa authorization commands default group ISE local
aaa authorization config-commands default group ISE local
!
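Both device configurations above end up sharing one secret (`key Test123`) with the ISE node. What that secret does on the wire is worth seeing once: the following is an added example, not code from the original post, that encodes and decodes TACACS+ authentication packets as specified in RFC 8907. The session id, username, port and server message are constructed values, the function names are this example's own, and nothing is sent over the network; a real exchange would carry the START to TCP/49 on the PSN, receive a REPLY with status GETPASS, answer with a CONTINUE holding the password, and get PASS or FAIL back.

```python
"""TACACS+ (RFC 8907) authentication packets: header, body obfuscation, REPLY parsing.

Added example for this page, not code from the original post. It shows what the shared
secret set with `key Test123` on the switches and in the ISE Network Device entry does:
the body is XORed with an MD5-derived pseudo-pad, not encrypted, so secret strength and
an isolated management network do the real work. Session id, username and server
message below are constructed values; nothing touches the network."""
import hashlib
import struct

VERSION_ASCII = 0xC0          # major 0xc, minor 0: ASCII (interactive) login
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01       # set by a device that has no key configured
ACTION_LOGIN, PRIV_LVL_USER = 0x01, 0x01
AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Section 4.5: MD5_1 = MD5(id|key|ver|seq), MD5_n = MD5(id|key|ver|seq|MD5_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(body: bytes, session_id: int, key: bytes, seq_no: int,
           version: int = VERSION_ASCII, ptype: int = TYPE_AUTHEN) -> bytes:
    """Prepend the 12-byte header and obfuscate the body, or flag it unencrypted when there is no key."""
    flags = 0 if key else FLAG_UNENCRYPTED
    wire = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire


def authen_start(user: str, port: str = "tty0", rem_addr: str = "192.168.100.1") -> bytes:
    """START body (section 5.1) for an ASCII login; the password follows in a CONTINUE."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                  len(u), len(p), len(r), 0]) + u + p + r


def authen_continue(user_msg: str) -> bytes:
    """CONTINUE body (section 5.3): user_msg_len, data_len, flags, user_msg."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def server_reply(status: int, server_msg: str, session_id: int, key: bytes, seq_no: int) -> bytes:
    """REPLY (section 5.2) as the server would send it; used here to build sample traffic offline."""
    m = server_msg.encode()
    return packet(struct.pack("!BBHH", status, 0, len(m), 0) + m, session_id, key, seq_no)


def parse_reply(raw: bytes, key: bytes) -> dict:
    """Decode a REPLY. With the wrong secret the length fields decode to garbage, which is
    exactly how a key mismatch between switch and ISE shows up on the wire."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    if 6 + msg_len + data_len != length:
        raise ValueError("REPLY body length mismatch: wrong shared secret or corrupt packet")
    return {"seq_no": seq_no, "status": STATUS.get(status, hex(status)),
            "server_msg": body[6:6 + msg_len].decode(errors="replace")}


if __name__ == "__main__":
    key, sid = b"Test123", 0x1A2B3C4D          # constructed lab values
    start = packet(authen_start("netadmin"), sid, key, seq_no=1)
    reply = server_reply(0x05, "Password: ", sid, key, seq_no=2)
    print("START on wire :", start.hex())
    print("server REPLY  :", parse_reply(reply, key))
    print("CONTINUE body :", authen_continue("s3cret").hex())
    try:
        parse_reply(reply, b"WrongKey")
    except ValueError as e:
        print("wrong key     :", e)
```

The pseudo-pad is a plain MD5 chain keyed only by the secret plus values that appear in cleartext in the header, so anyone who can sniff the management VLAN and guess or obtain the key recovers every password and command; that is why the key should not be a lab string like the one on this page in production, and why TACACS+ belongs on an isolated management network (or inside IPsec/TLS where the platform supports it).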
-----------------------------------------------------------------------------------------
Configuring SW-CENTRAL (R2)
conf terminal
hostname SW-GW
!
! Local fallback account used when ISE is unreachable. A type-0 (plaintext) password is
! shown for the lab; use "username admin privilege 15 secret <password>" in production.
username admin privilege 15 password 0 123
!
ip domain-name training.lab
!
interface Loopback0
ip address 192.168.254.1 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
description Link-to-ISE
switchport access vlan 100
switchport mode access
!
interface Ethernet0/1
description link to server-AD
switchport access vlan 100
switchport mode access
!
interface Ethernet0/2
!
interface Ethernet0/3
description Link-toPalo
switchport access vlan 999
switchport mode access
!
interface Ethernet1/0
switchport access vlan 100
switchport mode access
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip nat inside
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
!
interface Vlan999
ip address 192.168.99.1 255.255.255.248
ip nat outside
!
router ospf 1
!
ip nat inside source list 1 interface Vlan999 overload
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 192.168.99.4
!
access-list 1 permit any
!
! SSH management with the local account; once aaa new-model is enabled (Stage V) the line
! switches to "login authentication" and the TACACS+ method lists take over.
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
transport output all
!
! Host key for SSH; ip domain-name must already be set (it is, above).
crypto key generate rsa modulus 2048
!