cisco AAA 认证配置.docx

AAA防火墙认证简单实验(2010-12-30 10:15:37)定义好防火墙初始设置 让其具有简单的连通性定义AAA 服务器的名字和协议ASA(config)# aaa-Server fanfan.3a protocol tacacs+定义AAA 服务器连接的接口，地址和加密密钥ASA(config)# aaa-server fanfan.3a (dmz) host 0ASA(config-aaa-server-host)# key ciscoSh run 查看一下ASA# sh run aaa-serveraaa-server fanfan.3a protocol tacacs+aaa-server fanfan.3a (dmz) host 0key cisco到AAA 服务器添加客户端 key cisco创建一个用户 fanfan 密码fanfan服务器已经定义了客户 客户也已经定义服务器 并且创建了用户接下来测试一下ASA# test aaa authentication fanfan.3aServer IP Address or name: 0Username: fanfanPassword: *INFO: Attempting Authentication test to IP address (timeout: 12 seconds)INFO: Authentication Successful -认证成功配置telnet 使用AAA服务器认证ASA(config)# telnet 0 0 insideASA(config)# aaa authen telnet console fanfan.3a现在到0 这台主机测试 telnet 可以看到 输入fanfan password fanfan 可以成功登录到ASA 穿越协议认证支持对 http https ftp telnet 四种类型配置 Cut-through （telnet）定义AAA服务器 已经定义过定义需认证的流量ASA(config)# access-list fanfan.auth permit tcp any any eq 23配置Cut-through inside telnet 出去的流量需要做认证ASA(config)# aaa authentication match fanfan.auth inside fanfan.3a到0 测试 outside 地址提示输入用户名密码 输入fanfan password fanfan 即可登录输入 show uauthASA# sh uauASA# sh uauth Current Most SeenAuthenticated Users 1 1Authen In Progress 0 1user fanfan at 0, authenticated (idle for 0:01:03) absolute timeout: 0:05:00 inactivity timeout: 0:00:00可以看到已经有一个名叫fanfan 的用户被认证ASA# sh aaa-server fanfan.3aServer Group: fanfan.3aServer Protocol: tacacs+Server Address: 0Server port: 49Server status: ACTIVE, Last transaction at 00:15:05 UTC Tue Nov 30 1999Number of pending requests 0Average round trip time 482msNumber of authentication requests 3Number of authorization requests 0Number of accounting requests 0Number of retransmissions 0Number of accepts 3Number of rejects 0Number of challenges 0Number of malformed responses 0Number of bad authenticators 0Number of timeouts 0Number of unrecognized responses 0配置Virtual telnet 技术可以认证非标准协议首先应该有一个没有被使用的 outside 地址 这里用01ASA(config)# virtual telnet 01ASA(config)# access-list fanfan.auth permit tcp any any eq 53ASA(config)# access-list fanfan.auth permit tcp any host 01 eq 23之前调用过aaaASA# sh run aaaaaa authentication telnet console fanfan.3aaaa authentication match fanfan.auth inside fanfan.3a0 测试 01 53端口提示访问DNS 这个服务之前要先认证telnet 01 telnet 到 虚拟telnet 地址 输入用户名和密码 fanfan pass fanfan在接着telnet 01 53认证成功！再次telnet 一下虚拟telnet 地址 01就等于注销了这次认证配置了Cut-through 认证之后 开始配置授权Tacacs+ 授权查看当前配置ASA(config)# sh run aaaaaa authentication telnet console fanfan.3aASA(config)# sh run aaaaaa authentication telnet console fanfan.3aASA(config)# sh run aaa-sASA(config)# sh run aaa-serveraaa-server fanfan.3a protocol tacacs+aaa-server fanfan.3a (dmz) host 0key cisco定义认证和授权流量ASA(config)# access-list fanfan.auth permit ip any anyASA(config)# aaa authentication match fanfan.auth inside fanfan.3aASA(config)# aaa author match fanfan.auth inside fanfan.3a定义用户首先进入第五个面板 选择 advanced options然后进入 tacacs+接着创建两个用户 xiaofan1 允许访问 www telnet xiaofan2 允许访问 www telnet 先设置xiaofan1Xiaofan2设置完成测试 telnet 输入xiaofan1 可以telnet成功无法打开输入xiaofan2 可以登录测试完毕DACLASA# sh run aaa-serveraaa-server fanfan.3a protocol radiusaaa-server fanfan.3a (dmz) host 0ASA# test aaa-server authentication fanfan.3aServer IP Address or name: 0Username: fanfanPassword: *INFO: Attempting Authentication test to IP address (timeout: 12 seconds)INFO: Authentication Successful配置虚拟telnetASA(config)# virtual telnet 01只放行预认证流量ASA(config)# access-list in permit tcp any host 01 eq 23ASA(config)# access-group in in in in per-user-override定义认证和授权流量ASA(config)# a