Lab setup:
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#no sh
R2(config)#int e1/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
Lab procedure:
Step 1: configure AAA authentication on R1
R1(config)#aaa new-model    //enable AAA
R1(config)#aaa authentication login default local    //every login uses the local user database
R1(config)#user admin pass admin    //create the local user and password
Step 2: test console login on R1
R1#debug aaa authentication
AAA Authentication debugging is on
R1#exit
R1 con0 is now available
Press RETURN to get started.
*Mar 1 00:25:49.051: %SYS-5-CONFIG_I: Configured from console by admin on console
User Access Verification
Username: admin
*Mar 1 00:25:51.603: AAA/BIND(00000004): Bind i/f
*Mar 1 00:25:51.607: AAA/AUTHEN/LOGIN (00000004): Pick method list 'default'
Username: admin
Password:
R1>en
R1#
*Mar 1 00:26:00.087: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:26:00.087: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:26:00.087: AAA/MEMORY: create_user (0x63781434) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): port='tty0' list='' action=LOGIN service=ENABLE
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): console enable - default to enable password (if any)
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): Method=ENABLE
R1#
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): can't find any passwords
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): Status=ERROR
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): Method=NONE
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): Status=PASS
*Mar 1 00:26:00.095: AAA/MEMORY: free_user (0x63781434) user='admin' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Step 3: telnet from R2 to R1
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Username: admin
Password:    //the local username and password configured on R1
R1>en
% Error in authentication.    //enable fails here because no enable password is configured on R1
Step 4: check the debug output on R1
*Mar 1 00:30:58.943: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar 1 00:30:58.943: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar 1 00:30:58.943: AAA/MEMORY: create_user (0x6377BDB0) user='admin' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.1.2' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:30:58.943: AAA/AUTHEN/START (3517876181): port='tty130' list='' action=LOGIN service=ENABLE
*Mar 1 00:30:58.947: AAA/AUTHEN/START (3517876181): non-console enable - default to enable password
*Mar 1 00:30:58.947: AAA/AUTHEN/START (3517876181): Method=ENABLE
R1(config)#
*Mar 1 00:30:58.947: AAA/AUTHEN(3517876181): Status=GETPASS
R1(config)#
*Mar 1 00:31:03.335: AAA/AUTHEN/CONT (3517876181): continue_login (user='(undef)')
*Mar 1 00:31:03.335: AAA/AUTHEN(3517876181): Status=GETPASS
*Mar 1 00:31:03.335: AAA/AUTHEN/CONT (3517876181): Method=ENABLE
*Mar 1 00:31:03.335: AAA/AUTHEN(3517876181): Status=PASS
*Mar 1 00:31:03.339: AAA/MEMORY: free_user (0x6377BDB0) user='NULL' ruser='NULL' port='tty130' rem_addr='192.168.1.2' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Step 5: reconfigure the authentication on R1
R1(config)#no aaa authentication login default    //remove the default list configured above
R1(config)#aaa authentication login libo local    //define a list named libo that uses local authentication; we will apply it to the console port
R1(config)#aaa authentication login libovty enable    //define a list named libovty that authenticates against the enable password; we will apply it to the vty lines
R1(config)#line con 0
R1(config-line)#login authentication libo
R1(config)#line vty 0 4
R1(config-line)#login authentication libovty
Step 6: telnet from R2 to R1 again
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>en
Password:
Step 7: check the debug output on R1
*Mar 1 00:42:18.387: AAA/BIND(00000006): Bind i/f
*Mar 1 00:42:18.387: AAA/AUTHEN/LOGIN (00000006): Pick method list 'libovty'
//here we see the authentication list we defined for the vty lines
*Mar 1 00:42:18.395: AAA/AUTHEN/ENABLE(00000006): Processing request action LOGIN
*Mar 1 00:42:18.395: AAA/AUTHEN/ENABLE(00000006): Done status GET_PASSWORD
R1(config)#
*Mar 1 00:42:33.399: AAA/AUTHEN/ENABLE(00000006): Processing request action LOGIN
*Mar 1 00:42:33.403: AAA/AUTHEN/ENABLE(00000006): Done status PASS
R1(config)#
*Mar 1 00:42:35.795: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar 1 00:42:35.795: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar 1 00:42:35.795: AAA/MEMORY: create_user (0x63AB0004) user='NULL' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.1.2' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:42:35.795: AAA/AUTHEN/START (718214766): port='tty130' list='' action=LOGIN service=ENABLE
*Mar 1 00:42:35.799: AAA/AUTHEN/START (718214766): non-console enable - default to enable password
*Mar 1 00:42:35.799: AAA/AUTHEN/START (718214766): Method=ENABLE
R1(config)#
*Mar 1 00:42:35.799: AAA/AUTHEN(718214766): Status=GETPASS
R1(config)#
*Mar 1 00:42:37.531: AAA/AUTHEN/CONT (718214766): continue_login (user='(undef)')
*Mar 1 00:42:37.531: AAA/AUTHEN(718214766): Status=GETPASS
*Mar 1 00:42:37.531: AAA/AUTHEN/CONT (718214766): Method=ENABLE
*Mar 1 00:42:37.531: AAA/AUTHEN(718214766): Status=PASS
*Mar 1 00:42:37.535: AAA/MEMORY: free_user (0x63AB0004) user='NULL' ruser='NULL' port='tty130' rem_addr='192.168.1.2' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
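As an added example (not part of this lab), the following Python script parses `debug aaa authentication` lines in the format shown in steps 2, 4 and 7. It groups events by AAA session id, records which login method list was picked (`default` versus `libovty`), which enable methods ran, and how each request ended, and then flags any ENABLE request that ended in Status=PASS via Method=NONE, which is exactly what step 2 shows on the console when no enable password exists: privilege 15 was granted without any password check. The sample lines are constructed from the formats above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of "debug aaa authentication" lines in the
# format shown in the lab (console enable, telnet enable, and the login
# method-list selection). Not captured from a live device.
SAMPLE_DEBUG = """\
*Mar 1 00:25:51.607: AAA/AUTHEN/LOGIN (00000004): Pick method list 'default'
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): port='tty0' list='' action=LOGIN service=ENABLE
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): Method=ENABLE
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): can't find any passwords
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): Status=ERROR
*Mar 1 00:26:00.091: AAA/AUTHEN/START (3606483107): Method=NONE
*Mar 1 00:26:00.091: AAA/AUTHEN(3606483107): Status=PASS
*Mar 1 00:30:58.943: AAA/AUTHEN/START (3517876181): port='tty130' list='' action=LOGIN service=ENABLE
*Mar 1 00:30:58.947: AAA/AUTHEN/START (3517876181): Method=ENABLE
*Mar 1 00:30:58.947: AAA/AUTHEN(3517876181): Status=GETPASS
*Mar 1 00:31:03.335: AAA/AUTHEN/CONT (3517876181): Method=ENABLE
*Mar 1 00:31:03.335: AAA/AUTHEN(3517876181): Status=PASS
*Mar 1 00:42:18.387: AAA/AUTHEN/LOGIN (00000006): Pick method list 'libovty'
*Mar 1 00:42:18.395: AAA/AUTHEN/ENABLE(00000006): Done status GET_PASSWORD
*Mar 1 00:42:33.403: AAA/AUTHEN/ENABLE(00000006): Done status PASS
"""

# The five line shapes we extract from; anything else is ignored.
RE_PICK = re.compile(r"AAA/AUTHEN/LOGIN \((\d+)\): Pick method list '([^']+)'")
RE_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)' "
                      r"action=(\w+) service=(\w+)")
RE_METHOD = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\w+)")
RE_STATUS = re.compile(r"AAA/AUTHEN\((\d+)\): Status=(\w+)")
RE_DONE = re.compile(r"AAA/AUTHEN/ENABLE\((\d+)\): Done status (\w+)")


def new_session():
    return {"method_list": None, "port": None, "list": None, "action": None,
            "service": None, "methods": [], "statuses": []}


def parse_aaa_debug(text):
    """Return {session_id: record} built from debug lines, in first-seen order."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        m = RE_PICK.search(line)
        if m:
            sessions[m.group(1)]["method_list"] = m.group(2)
            continue
        m = RE_START.search(line)
        if m:
            s = sessions[m.group(1)]
            s["port"], s["list"], s["action"], s["service"] = m.group(2, 3, 4, 5)
            continue
        m = RE_METHOD.search(line)
        if m:
            sessions[m.group(1)]["methods"].append(m.group(2))
            continue
        m = RE_STATUS.search(line) or RE_DONE.search(line)
        if m:
            sessions[m.group(1)]["statuses"].append(m.group(2))
    return dict(sessions)


def unauthenticated_enable(sessions):
    """Session ids where an ENABLE request ended in PASS through Method=NONE,
    i.e. the enable method found no password and IOS fell through to 'none'."""
    hits = []
    for sid, s in sessions.items():
        if (s["service"] == "ENABLE" and s["methods"] and s["statuses"]
                and s["methods"][-1] == "NONE" and s["statuses"][-1] == "PASS"):
            hits.append(sid)
    return hits


if __name__ == "__main__":
    parsed = parse_aaa_debug(SAMPLE_DEBUG)
    for sid, rec in parsed.items():
        print(sid, rec["service"] or "LOGIN", rec["method_list"],
              rec["methods"], rec["statuses"])
    print("enable granted without a password check:", unauthenticated_enable(parsed))
```

Fed the lab's own debug output, the script reports session 3606483107 (the console enable in step 2) as the one that passed through Method=NONE, while the telnet enable in step 4 is held at GETPASS until a password is supplied. In practice you would run this over exported syslog or terminal captures; the NONE-then-PASS fallback is the condition to alert on, and the fix is the one the lab points at: configure an enable password (or enable secret) so the ENABLE method has something to check.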