The simplest AAA (authentication, authorization, accounting) configuration
Firewall Technology Lab Report

Date: 2012-03-13
Experiment name: Simple AAA configuration
Class: Computer Network Technology 100#
Name: #

Experiment content

1. Topology

[Topology figure. Recoverable labels: f0/0; a Windows Server 2003 host built in VMware, IP 192.168.139.4/24; 192.168.139.254/24.]

2. Equipment

1) One PC bridged to the Windows Server 2003 server inside VMware.
2) Two c3600 routers, one acting as the NAS and one as the Client.

3. Procedure

NAS:

NAS(config)#int f1/0
NAS(config-if)#ip add 192.168.139.254 255.255.255.0
NAS(config-if)#no shut
NAS(config)#int f0/0
NAS(config-if)#ip add 192.168.2.254 255.255.255.0
NAS(config-if)#no shut
NAS(config)#username cisco privilege 15 password cisco
NAS(config)#enable secret cisco        (set the enable password)
NAS(config)#aaa new-model        (enable AAA)
NAS(config)#aaa authen login cisco group tacacs+ local
NAS(config)#aaa authen login lhy none
NAS(config)#line vty 0 15
NAS(config-line)#login authen cisco
NAS(config-line)#exi
NAS(config)#line con 0
NAS(config-line)#login authentication lhy
NAS(config-line)#exi
NAS(config)#tacacs-server host 192.168.139.4 key cisco        (configure the shared key)

Client:

Client(config)#int f0/0
Client(config-if)#ip add 192.168.2.2 255.255.255.0
Client(config-if)#no shut
Client(config)#no ip routing
Client(config)#ip default-gateway 192.168.2.254
Client#ping 192.168.139.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.139.254, timeout is 2 seconds:
!

Configuration in VMware:

[Screenshots of the ACS web interface. Recoverable fields: User Setup (Add/Edit user; Supplementary User Info with Real Name "ccnp" and Description "ccnp"; CiscoSecure PAP password); Enable Options (Max Privilege for any AAA Client); Network Configuration (AAA Client Hostname; AAA Client IP Address 192.168.139.254; Key; Authenticate Using TACACS+ (Cisco IOS)); Interface Configuration (Advanced TACACS+ Features).]

NAS:

NAS#test aaa group tacacs+ cisco cisco new-code
Trying to authenticate with Servergroup tacacs+
Sending password
User successfully authenticated        (authentication succeeded)
NAS#
NAS(config)#aaa authentication enable default group tacacs+        (add enable to AAA authentication)
NAS(config)#aaa authorization exec default group tacacs+
NAS(config)#aaa accounting exec default start-stop group tacacs+        (default accounting method)
NAS(config)#aaa accounting commands 15 default start-stop group tacacs+        (command accounting method)

Client:

Verification result after adding enable to AAA authentication:

Client#telnet 192.168.139.254
Trying 192.168.139.254 ... Open
User Access Verification
Username: cisco
Password:
NAS>en
Password:
NAS#conf t        (verification succeeded)
NAS(config-if)#end
NAS#exi
Connection to 192.168.139.254 closed by foreign host
Client#

Authorization verification result:

Client#telnet 192.168.139.254
Trying 192.168.139.254 ... Open
Username: cisco
Password:
NAS#        (enters privileged mode directly)
NAS#conf t
NAS(config)#exi
NAS#exi
Connection to 192.168.139.254 closed by foreign host
Client#        (authorization succeeded)

Accounting verification with default:

Client#telnet 192.168.139.254
Trying 192.168.139.254 ... Open
Username: cisco
Password:
NAS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAS(config)#end
NAS#sh running-config
NAS#sh version
NAS#exi
Connection to 192.168.139.254 closed by foreign host
Client#

Accounting verification with commands:

Client#telnet 192.168.139.254
Trying 192.168.139.254 ... Open
Username: cisco
Password:
NAS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAS(config)#exi
NAS#sh running-config
NAS#sh version
NAS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAS(config)#int lo 0
NAS(config-if)#ip add 2.2.2.2 255.255.255.0
NAS(config-if)#exi
NAS(config)#exi
NAS#exi
Connection to 192.168.139.254 closed by foreign host
Client#

Results

Result of the accounting verification with default (ACS, Reports and Activity, TACACS+ Accounting active.csv):

Date        Time      User-Name  Group-Name     Caller-Id    Acct-Flags  elapsed_time
03/14/2012  20:12:51  cisco      Default Group  192.168.2.2  stop        48
03/14/2012  20:12:03  cisco      Default Group  192.168.2.2  start

Result of the accounting verification with commands (ACS, Reports and Activity, TACACS+ Administration):

Date        Time      User-Name    Group-Name     Command                               priv-lvl
03/14/2012  20:16:34  [illegible]  Default Group  ip address 2.2.2.2 255.255.255.0      15
03/14/2012  20:16:34  cisco        Default Group  [remainder of row missing]
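As an added example (not part of the original lab report), the following Python script audits the NAS configuration built in this lab for four hardening issues: server-only method lists with no fallback, a line bound to a `none` login list, a local user stored with `password` instead of `secret`, and a TACACS+ shared key that equals a local password. The sample configuration is constructed from the lab's commands in unabbreviated form, and the rule names are this example's own.

```python
import re

# Constructed sample: the lab's NAS commands, unabbreviated, without prompts.
LAB_CONFIG = """\
username cisco privilege 15 password cisco
enable secret cisco
aaa new-model
aaa authentication login cisco group tacacs+ local
aaa authentication login lhy none
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.139.4 key cisco
line con 0
 login authentication lhy
line vty 0 15
 login authentication cisco
"""

def audit_aaa(config):
    """Return (rule, detail) findings; rule names are this example's own."""
    findings, login_lists, line_refs = [], {}, []
    passwords, keys, line = set(), set(), None
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.match(r"aaa (authentication|authorization) (commands \d+|\S+) (\S+) (.+)", cmd):
            kind, what, name, methods = m[1], m[2], m[3], m[4].split()
            if (kind, what) == ("authentication", "login"):
                login_lists[name] = methods
            # Only a server group listed: an unreachable server denies everyone.
            if methods[0] == "group" and len(methods) == 2:
                findings.append(("NO_FALLBACK", f"{kind} {what} {name}"))
        elif m := re.match(r"username (\S+) .*\bpassword (?:\d )?(\S+)", cmd):
            passwords.add(m[2])  # 'password' is stored clear or reversibly
            findings.append(("USER_PASSWORD_NOT_SECRET", m[1]))
        elif m := re.match(r"tacacs-server host \S+ key (?:\d )?(\S+)", cmd):
            keys.add(m[1])
        elif cmd.startswith("line "):
            line = cmd
        elif m := re.match(r"login authentication (\S+)", cmd):
            line_refs.append((line, m[1]))
    for line, name in line_refs:
        if login_lists.get(name, [""])[0] == "none":  # login needs no credentials
            findings.append(("LINE_WITHOUT_AUTH", f"{line} uses list {name}"))
    if keys & passwords:
        findings.append(("TACACS_KEY_REUSED", "shared key equals a local user password"))
    return findings
```

Calling `audit_aaa(LAB_CONFIG)` reports the console line bound to list `lhy`, the two `default` lists that rely on TACACS+ alone, the `username ... password` entry, and the reused key.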
