Cisco ACS + AAA Configuration
I have recently been building our company's ACS and have written up some of what I learned here. Attachment 1 is a widely circulated write-up covering ACS, AAA and PIX configuration; it is very detailed, and anyone already familiar with AAA can go straight to it. Attachment 2 is Cisco's official AAA documentation, for reference. Below is a configuration template for AAA in an ACS + AAA architecture.
The AAA configuration can be broken into roughly the following parts:
1. Configure the ACS (TACACS+ or RADIUS) server
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server key *****
2. Configure a local back-door user on the device
username testuser password *****
The local back-door user exists so that you can still telnet to the device when the ACS is unavailable.
3. Enable AAA
aaa new-model
4. Define authentication and apply it to the lines
aaa authentication login login-list group tacacs+ local
line vty 0 15
login authentication login-list
Here login-list is the access-control method list: TACACS+ authentication is tried first, and if that fails, the local back-door user is used. Applying authentication to the vty lines and configuring accounting below both refer to this login-list.
5. Authorization
aaa authorization exec default local if-authenticated
Authorization requirements vary widely from site to site; I personally do not recommend overly complex authorization. See the attachment for a detailed explanation.
6. Accounting
aaa accounting exec login-list start-stop group tacacs+
aaa accounting commands 1 login-list start-stop group tacacs+
aaa accounting commands 15 login-list start-stop group tacacs+
aaa accounting network login-list start-stop group tacacs+
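The six steps above fit together as one template, so here is an added example (my own code, not from the post, the attachments or Cisco) that audits it: a small Python script parses a constructed config assembled from steps 1 to 6 (the addresses, key and password are placeholders), checks the properties the template depends on, and walks the login method list the way IOS does. The walk encodes the caveat practitioners need when relying on the back-door user: IOS consults the next method in a list only when the previous one returns an error (for example, no TACACS+ server reachable), not when it rejects the credentials, so `local` is an outage fallback rather than a second password to try.

```python
import re

# Constructed sample config assembled from steps 1 to 6 above; the addresses,
# key and password are placeholders, not values from the post.
SAMPLE_CONFIG = """\
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
tacacs-server key EXAMPLE_KEY
username testuser password EXAMPLE_PASS
aaa new-model
aaa authentication login login-list group tacacs+ local
line vty 0 15
 login authentication login-list
aaa authorization exec default local if-authenticated
aaa accounting exec login-list start-stop group tacacs+
aaa accounting commands 1 login-list start-stop group tacacs+
aaa accounting commands 15 login-list start-stop group tacacs+
"""


def parse_login_lists(config):
    """Map each 'aaa authentication login <name> ...' line to its ordered methods.
    'group tacacs+' is kept as a single method token."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+)$", line)
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def vty_login_list(config):
    """Return the list applied with 'login authentication' under 'line vty', or None."""
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
            continue
        if in_vty:
            m = re.match(r"\s*login authentication (\S+)", line)
            if m:
                return m.group(1)
    return None


def evaluate(methods, outcomes):
    """Walk a method list the way IOS does.

    outcomes maps a method to 'PASS', 'FAIL' or 'ERROR'. IOS consults the next
    method only after an ERROR (e.g. no TACACS+ server reachable); PASS and FAIL
    are final. 'none' always passes. Returns (decision, methods consulted).
    """
    consulted = []
    for method in methods:
        consulted.append(method)
        result = "PASS" if method == "none" else outcomes.get(method, "ERROR")
        if result != "ERROR":
            return result, consulted
    return "FAIL", consulted  # every method errored: access is denied


def audit(config):
    """Return findings against the properties the template above relies on."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists are not in effect")
    applied = vty_login_list(config)
    methods = parse_login_lists(config).get(applied)
    if applied is None:
        findings.append("vty lines apply no login list: the default list is used")
    elif methods is None:
        findings.append(f"vty lines apply undefined login list {applied!r}")
    else:
        if not methods[0].startswith("group "):
            findings.append("vty login list does not try the AAA server group first")
        if "local" not in methods:
            findings.append("vty login list has no 'local' fallback: an ACS outage locks out vty")
        if "none" in methods:
            findings.append("vty login list contains 'none': unauthenticated access possible")
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username: the 'local' fallback has nothing to check against")
    if not any(l.startswith("tacacs-server key") for l in lines):
        findings.append("tacacs-server key missing: TACACS+ packets are not obfuscated")
    if not any(l.startswith("aaa accounting commands 15") for l in lines):
        findings.append("no privilege-15 command accounting")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a saved `show running-config` the script reports nothing for the template as written; drop `local` from the list and it flags the lockout risk, and `evaluate` shows that a TACACS+ reject is final while a TACACS+ error hands the login to the local user.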
The ACS + AAA model manages access control for network devices well. The only pity is that ACS is not free software, although you can also build your own TACACS+ server.
Example: PPPoE authenticated against an ACS server
Design goal: users behind the router dial in with a PPPoE client and are authenticated against the AAA servers 10.72.254.125 / 10.72.253.7 before getting online.
Router configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxx
!
aaa new-model
!
!
aaa group server radius pppoe
server 10.72.254.125 auth-port 1645 acct-port 1646
server 10.72.253.7 auth-port 1645 acct-port 1646
!
aaa authentication ppp default group pppoe
aaa authorization network default group pppoe
aaa accounting network default start-stop group pppoe
aaa session-id common
enable secret 5 $1$nXz9$VFWaAXNkq/JfBUj4hn.Kx/
!
username xxx password 0 xxxxxx
ip subnet-zero
!
!
ip domain-name xxxxxx
ip name-server xxx.xxx.xxx
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group PPPOE
accept-dialin
protocol pppoe
virtual-template 10
pppoe limit max-sessions 500
!
vpdn-group pppoe
!
pppoe-forwarding
async-bootp dns-server xxx.xxx.xxx.xxx
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.75.255.240 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
duplex full
speed 100
media-type rj45
pppoe enable
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
pppoe enable
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
pppoe enable
!
interface GigabitEthernet0/0.507
description jxtvnet-fengyuan-office
encapsulation dot1Q 507
pppoe enable
!
interface GigabitEthernet0/0.699
description pppoe-access-vlans
encapsulation dot1Q 699
pppoe enable
!
interface GigabitEthernet0/0.701
description Department DATA office-yangxiaodong
encapsulation dot1Q 701
pppoe enable
!
interface GigabitEthernet0/0.802
description Jing-mao-wei
encapsulation dot1Q 802
ip address 10.72.243.1 255.255.255.248
pppoe enable
!
interface GigabitEthernet0/0.805
description Guo-tu-ting
encapsulation dot1Q 805
ip address 10.72.242.1 255.255.255.248
pppoe enable
!
interface GigabitEthernet0/0.806
description Shang-jian-ju
encapsulation dot1Q 806
ip address 172.19.1.1 255.255.255.248
pppoe enable
!
interface GigabitEthernet0/0.807
description Fang-zhi-ji-tuan
encapsulation dot1Q 807
ip address 172.19.5.1 255.255.255.248
pppoe enable
!
interface GigabitEthernet0/0.808
description Wen-jiao-lu-xiao-qu
encapsulation dot1Q 808
pppoe enable
!
interface GigabitEthernet0/0.810
description Yi-zhi
encapsulation dot1Q 810
ip address 172.19.7.1 255.255.255.248
pppoe enable
!
interface GigabitEthernet0/0.811
description zhong-zi-guan-li-zhan
encapsulation dot1Q 811
pppoe enable
!
interface GigabitEthernet0/0.814
description Yen-yei-gong-shi
encapsulation dot1Q 814
pppoe enable
!
interface GigabitEthernet0/0.815
description Xin-hua-shu-dian
encapsulation dot1Q 815
pppoe enable
!
interface GigabitEthernet0/1
ip address 10.72.207.245 255.255.255.252
duplex full
speed 100
media-type rj45
!
interface Virtual-Template10
mtu 1492
ip unnumbered GigabitEthernet0/1
no peer default ip address
ppp authentication chap
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.207.246
no ip http server
ip pim bidir-enable
!
!
snmp-server community xxxxx RO
snmp-server community xxxxx RW
!
!
radius-server host 10.72.254.125 auth-port 1645 acct-port 1646 key cisco
radius-server host 10.72.253.7 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 3
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
login authentication no_tacacs
line aux 0
line vty 0 4
password xxxxx
!
!
end
Notes:
Points worth noting in this configuration:
1. Two AAA servers are configured: if a user cannot be authenticated by the primary server, authentication moves to the secondary server.
Relevant configuration:
aaa group server radius pppoe
server 10.72.254.125 auth-port 1645 acct-port 1646
server 10.72.253.7 auth-port 1645 acct-port 1646
!
aaa authentication ppp default group pppoe
aaa authorization network default group pppoe
aaa accounting network default start-stop group pppoe
radius-server host 10.72.254.125 auth-port 1645 acct-port 1646 key cisco
radius-server host 10.72.253.7 auth-port 1645 acct-port 1646 key cisco
The approach: create the RADIUS server group pppoe, then configure the two AAA servers inside it.
Rate limiting of AAA users is done on the ACS server;
the AAA users' address pool is also defined on the AAA server.
For everything else, refer to the Cisco website.
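The failover described in the note above works only if the server group, the `radius-server host` entries and the method lists all agree, so here is an added example (my own code, not from the post or Cisco) that cross-checks them: it parses a constructed config mirroring the PPPoE router above (the addresses, ports and the shared secret `cisco` are the values shown on the page), confirms that every group member has a host entry with matching ports and a key, that the group has a second server to fail over to, and that the ppp and network method lists actually reference the group. The minimum secret length is this example's own policy, not a Cisco default, and the page's secret `cisco` is flagged by it. One caveat worth keeping in mind: the router moves to the second server when the first does not answer within the retransmit budget (`radius-server retransmit 3` above), not when the first server rejects the user.

```python
import re

# Constructed sample mirroring the PPPoE router above; the addresses, ports and
# the shared secret "cisco" are the values shown on the page.
SAMPLE = """\
aaa new-model
aaa group server radius pppoe
 server 10.72.254.125 auth-port 1645 acct-port 1646
 server 10.72.253.7 auth-port 1645 acct-port 1646
!
aaa authentication ppp default group pppoe
aaa authorization network default group pppoe
aaa accounting network default start-stop group pppoe
radius-server host 10.72.254.125 auth-port 1645 acct-port 1646 key cisco
radius-server host 10.72.253.7 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 3
"""

SERVER_RE = re.compile(r"^\s*server (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?")
HOST_RE = re.compile(
    r"^\s*radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?(?: key (\S+))?"
)


def parse_groups(config):
    """Return {group: [(ip, auth_port, acct_port), ...]}; ports are None when omitted.
    A 'server' line belongs to the most recent 'aaa group server radius' until any
    other line (including '!') ends the block, so indented and flattened
    configs parse the same way."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server radius (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = SERVER_RE.match(line) if current else None
        if m:
            ip, auth, acct = m.groups()
            groups[current].append((ip, int(auth) if auth else None, int(acct) if acct else None))
        else:
            current = None
    return groups


def parse_hosts(config):
    """Return {ip: {"auth": port, "acct": port, "key": secret}} from radius-server host lines.
    A key stored as 'key 7 <encoded>' would be captured as '7'; the length check
    below is only meaningful for a plaintext key like the one on the page."""
    hosts = {}
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, auth, acct, key = m.groups()
            hosts[ip] = {"auth": int(auth) if auth else None,
                         "acct": int(acct) if acct else None,
                         "key": key}
    return hosts


def group_consumers(config, group):
    """Method lists (authentication/authorization/accounting) that use 'group <group>'."""
    pattern = re.compile(rf"\sgroup {re.escape(group)}(\s|$)")
    return [l.strip() for l in config.splitlines()
            if l.startswith("aaa ") and pattern.search(l)]


def audit_group(config, group, min_key_len=16):
    """Findings for one RADIUS server group. min_key_len is this example's own
    policy for the shared secret, not a Cisco default."""
    members = parse_groups(config).get(group)
    if members is None:
        return [f"group {group} not defined"]
    hosts = parse_hosts(config)
    findings = []
    if len(members) < 2:
        findings.append(f"group {group} has {len(members)} server(s): no failover")
    for ip, auth, acct in members:
        host = hosts.get(ip)
        if host is None:
            findings.append(f"{ip} listed in group {group} but has no radius-server host entry")
            continue
        if (auth and host["auth"] and auth != host["auth"]) or \
           (acct and host["acct"] and acct != host["acct"]):
            findings.append(f"{ip}: ports in group differ from radius-server host entry")
        if not host["key"]:
            findings.append(f"{ip}: no shared secret configured")
        elif len(host["key"]) < min_key_len:
            findings.append(f"{ip}: shared secret shorter than {min_key_len} characters")
    if not group_consumers(config, group):
        findings.append(f"group {group} is not referenced by any method list")
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE, "pppoe") or ["no findings"]:
        print(finding)
```

On the page's values the only findings are the two short shared secrets; remove one `server` line and the script reports that the group has nothing to fail over to, remove a `radius-server host` line and it reports the orphaned group member.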
Cisco dial-up configuration
hostname router
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
enable secret 5 $1$kN4g$CvS4d2.rJzWntCnn/0hvE0
!
interface Ethernet0
ip address 10.111.4.20 255.255.255.0
!
interface Serial0
no ip address
shutdown
interface Serial1
no ip address
shutdown
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode interactive
peer default ip address pool Cisco2511-Group-142
no cdp enable
group-range 1 16
!
ip local pool Cisco2511-Group-142 10.111.4.21 10.111.4.3
tacacs-server host 10.111.4.2
tacacs-server key tac
!
line con 0
exec-timeout 0 0
password cisco
login authentication no_tacacs
line 1 16
login authentication tacacs
modem InOut
modem autoconfigure type usr_courier
autocommand ppp
transport input all
stopbits 1
rxspeed 115200
txspeed 115200
flowcontrol hardware
line aux 0
transport input all
line vty 0 4
password cisco
!
end