Pre-configuration
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit

Lab procedure:
Step 1: Configure R1 to log in using RADIUS
R1(config)#aaa new-model //enable the AAA service
R1(config)#aaa authentication login AUTH group radius //use RADIUS authentication for AAA login
R1(config)#radius-server host 192.168.1.11 key server123 //configure the RADIUS server's IP address and key
R1(config)#en pass cisco

line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication AUTH
line aux 0
line vty 0 4
 login authentication AUTH

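Step 2: Open the ACS interface
Step 3: Click , then in AAA client click
Step 4:
Step 5: Confirm that the addition succeeded
Step 6: Click “”, enter the username ccie in the screen that appears, then click:
Step 7: Configure the password and other information for the ccie user, then click:
Step 8: Log in on R1 to test
R1#test aaa group radius admin admin new-code
Trying to authenticate with Servergroup radius
User successfully authenticated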

R1#debug radius verbose
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is on
Radius packet hex dump debugging is off
Radius packet protocol debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

Username:
*Mar 1 00:23:18.891: RADIUS/ENCODE(00000003): ask "Username: "
*Mar 1 00:23:18.891: RADIUS/ENCODE(00000003): send packet; GET_USER //prompts us for the username
Username: admin
Password:
*Mar 1 00:23:23.379: RADIUS/ENCODE(00000003): ask "Password: "
*Mar 1 00:23:23.379: RADIUS/ENCODE(00000003): send packet; GET_PASSWORD //prompts us for the password
R1>
*Mar 1 00:23:27.171: RADIUS/ENCODE(00000003):Orig. component type = EXEC
*Mar 1 00:23:27.171: RADIUS(00000003): Storing nasport 0 in rad_db
*Mar 1 00:23:27.171: RADIUS(00000003): Config NAS IP: 0.0.0.0
*Mar 1 00:23:27.175: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.11

R1#debug radius authentication //debug RADIUS authentication packets
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

*Mar 1 00:27:44.811: RADIUS/ENCODE(00000004):Orig. component type = EXEC
*Mar 1 00:27:44.811: RADIUS: AAA Unsupported Attr: interface [153] 4
*Mar 1 00:27:44.811: RADIUS: 74 74 [tt]
*Mar 1 00:27:44.815: RADIUS(00000004): Storing nasport 0 in rad_db
*Mar 1 00:27:44.815: RADIUS/ENCODE(00000004): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 1 00:27:44.815: RADIUS(00000004): Config NAS IP: 0.0.0.0
*Mar 1 00:27:44.815: RADIUS/ENCODE(00000004): acct_session_id: 3
*Mar 1 00:27:44.815: RADIUS(00000004): sending
*Mar 1 00:27:44.819: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.11
*Mar 1 00:27:44.819: RADIUS(00000004): Send Access-Request to 192.168.1.11:1645 id 1645/6, len 70
*Mar 1 00:27:44.819: RADIUS: authenticator 9B 81 52 C7 8A DC 8A D2 - 69 E2 35 6F F6 86 34 C5
*Mar 1 00:27:44.819: RADIUS: User-Name [1] 7 "admin"
R1>r 1 00:27:44.823: RADIUS: User-Password [2] 18 *
*Mar 1 00:27:44.823: RADIUS: NAS-Port [5] 6 0
*Mar 1 00:27:44.823: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Mar 1 00:27:44.823: RADIUS: Calling-Station-Id [31] 7 "async"
*Mar 1 00:27:44.823: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
*Mar 1 00:27:44.895: RADIUS: Received from id 1645/6 192.168.1.11:1645, Access-Accept, len 48
*Mar 1 00:27:44.895: RADIUS: authenticator 12 1F 0D 4F 33 90 BA 24 - AE 2D 0C 02 1B 96 6F 23
*Mar 1 00:27:44.895: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 00:27:44.895: RADIUS: Class [25] 22
*Mar 1 00:27:44.899: RADIUS: 43 41 43 53 3A 30 2F 66 35 2F 63 30 61 38 30 31 [CACS:0/f5/c0a801]
*Mar 1 00:27:44.899: RADIUS: 30 31 2F 30 [01/0]
*Mar 1 00:27:44.903: RADIUS(00000004): Received from id 1645/6
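
Added example (not part of the original lab): the debug output above shows User-Password [2] with length 18 and masks the value, because RFC 2865 hides the password by XORing it with MD5(shared key + Request Authenticator). The sketch below reproduces that hiding with the key and authenticator shown on this page; the function names are hypothetical and the password "admin" is an assumption, since the router prints only *.

```python
import hashlib

# From the lab above: the key on the radius-server line and the Request
# Authenticator printed by "debug radius authentication".
SHARED_KEY = b"server123"
REQUEST_AUTH = bytes.fromhex("9B8152C78ADC8AD269E2356FF68634C5")
# Assumption: the typed password is "admin" (the debug output masks it as *).
ASSUMED_PASSWORD = b"admin"


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a password as RFC 2865 section 5.2 describes (NAS side)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-octet blocks
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # the next mask is chained on the previous hidden block
    return hidden


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the hiding (server side); only correct with the same shared key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2 header octets), Value."""
    return bytes([attr_type, len(value) + 2]) + value


if __name__ == "__main__":
    avp = encode_attribute(2, hide_user_password(ASSUMED_PASSWORD, SHARED_KEY, REQUEST_AUTH))
    print("User-Password [2]", len(avp), avp[2:].hex())
```

A 5-character password is padded to one 16-octet block, which with the 2-octet attribute header gives the length 18 seen in the debug line. Only the shared key separates the hidden value from the cleartext, so the key on the radius-server line carries the confidentiality of every login.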

R1#debug aaa authentication //debug AAA authentication information
AAA Authentication debugging is on
R1#exit
R1>en
Password:
*Mar 1 00:30:07.063: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:30:07.063: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:30:07.063: AAA/MEMORY: create_user (0x63A8C500) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): port='tty0' list='' action=LOGIN service=ENABLE
*Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): console enable - default to enable password (if any)
*Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): Method=ENABLE
*Mar 1 00:30:07.067: AAA/AUTHEN(831857078): Status=GETPASS
R1#
*Mar 1 00:30:12.047: AAA/AUTHEN/CONT (831857078): continue_login (user='(undef)')
*Mar 1 00:30:12.047: AAA/AUTHEN(831857078): Status=GETPASS
*Mar 1 00:30:12.047: AAA/AUTHEN/CONT (831857078): Method=ENABLE
*Mar 1 00:30:12.047: AAA/AUTHEN(831857078): Status=PASS
*Mar 1 00:30:12.047: AAA/MEMORY: free_user (0x63A8C500) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Lab results
Telnet from the PC, as shown in the figure: telnet requires a password, and entering global mode requires a password.

Login through the local router's console port, as shown in the figure: