Pre-configuration
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit

Lab procedure:
Step 1: Configure R1 to use RADIUS for login
R1(config)#aaa new-model
// Enable the AAA service
R1(config)#aaa authentication login AUTH group radius
// Configure AAA login authentication to use RADIUS
R1(config)#radius-server host 192.168.1.11 key server123
// Configure the RADIUS server's IP address and shared key
R1(config)#en pass cisco

line con 0
exec-timeout 0 0
logging synchronous
login authentication AUTH
line aux 0
line vty 0 4
login authentication AUTH

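Step 2: Open the ACS interface

Step 3: Click, then under AAA client click

Step 4:
Step 5: Confirm that the entry was added successfully

Step 6: Click "" and, in the screen that appears, enter the username: ccie, then click:

Step 7: Configure the password and other details for the user ccie, then click: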


Step 8: Log in on R1 to test
R1#test aaa group radius admin admin new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

R1#debug radius verbose
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is on
Radius packet hex dump debugging is off
Radius packet protocol debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

Username:
Mar 1 00:23:18.891: RADIUS/ENCODE(00000003): ask "Username: "
Mar 1 00:23:18.891: RADIUS/ENCODE(00000003): send packet; GET_USER
// Prompts us to enter the username
Username: admin
Password:
Mar 1 00:23:23.379: RADIUS/ENCODE(00000003): ask "Password: "
Mar 1 00:23:23.379: RADIUS/ENCODE(00000003): send packet; GET_PASSWORD
// Prompts us to enter the password
R1>
Mar 1 00:23:27.171: RADIUS/ENCODE(00000003):Orig. component type = EXEC
Mar 1 00:23:27.171: RADIUS(00000003): Storing nasport 0 in rad_db
Mar 1 00:23:27.171: RADIUS(00000003): Config NAS IP: 0.0.0.0
Mar 1 00:23:27.175: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.11

R1#debug radius authentication
// Debug RADIUS authentication packets
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

Mar 1 00:27:44.811: RADIUS/ENCODE(00000004):Orig. component type = EXEC
Mar 1 00:27:44.811: RADIUS: AAA Unsupported Attr: interface [153] 4
Mar 1 00:27:44.811: RADIUS: 74 74 [tt]
Mar 1 00:27:44.815: RADIUS(00000004): Storing nasport 0 in rad_db
Mar 1 00:27:44.815: RADIUS/ENCODE(00000004): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Mar 1 00:27:44.815: RADIUS(00000004): Config NAS IP: 0.0.0.0
Mar 1 00:27:44.815: RADIUS/ENCODE(00000004): acct_session_id: 3
Mar 1 00:27:44.815: RADIUS(00000004): sending
Mar 1 00:27:44.819: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.11
Mar 1 00:27:44.819: RADIUS(00000004): Send Access-Request to 192.168.1.11:1645 id 1645/6, len 70
Mar 1 00:27:44.819: RADIUS: authenticator 9B 81 52 C7 8A DC 8A D2 - 69 E2 35 6F F6 86 34 C5
Mar 1 00:27:44.819: RADIUS: User-Name [1] 7 "admin"
R1>r 1 00:27:44.823: RADIUS: User-Password [2] 18
Mar 1 00:27:44.823: RADIUS: NAS-Port [5] 6 0
Mar 1 00:27:44.823: RADIUS: NAS-Port-Type [61] 6 Async [0]
Mar 1 00:27:44.823: RADIUS: Calling-Station-Id [31] 7 "async"
Mar 1 00:27:44.823: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
Mar 1 00:27:44.895: RADIUS: Received from id 1645/6 192.168.1.11:1645, Access-Accept, len 48
Mar 1 00:27:44.895: RADIUS: authenticator 12 1F 0D 4F 33 90 BA 24 - AE 2D 0C 02 1B 96 6F 23
Mar 1 00:27:44.895: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
Mar 1 00:27:44.895: RADIUS: Class [25] 22
Mar 1 00:27:44.899: RADIUS: 43 41 43 53 3A 30 2F 66 35 2F 63 30 61 38 30 31 [CACS:0/f5/c0a801]
Mar 1 00:27:44.899: RADIUS: 30 31 2F 30 [01/0]
Mar 1 00:27:44.903: RADIUS(00000004): Received from id 1645/6

R1#debug aaa authentication
// Debug AAA authentication information
AAA Authentication debugging is on
R1#exit
R1>en
Password:
Mar 1 00:30:07.063: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 1 00:30:07.063: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Mar 1 00:30:07.063: AAA/MEMORY: create_user (0x63A8C500) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): port='tty0' list='' action=LOGIN service=ENABLE
Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): console enable - default to enable password (if any)
Mar 1 00:30:07.067: AAA/AUTHEN/START (831857078): Method=ENABLE
Mar 1 00:30:07.067: AAA/AUTHEN(831857078): Status=GETPASS
R1#
Mar 1 00:30:12.047: AAA/AUTHEN/CONT (831857078): continue_login (user='(undef)')
Mar 1 00:30:12.047: AAA/AUTHEN(831857078): Status=GETPASS
Mar 1 00:30:12.047: AAA/AUTHEN/CONT (831857078): Method=ENABLE
Mar 1 00:30:12.047: AAA/AUTHEN(831857078): Status=PASS
Mar 1 00:30:12.047: AAA/MEMORY: free_user (0x63A8C500) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

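Lab results
Telnet from the PC, as shown in the figure:


Telnet requires a password, and entering global mode requires a password

Login through the local router's console port, as shown in the figure: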

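© Copyright belongs to the author: this is an original work by 51CTO blog author starshomes. Reproduction is not permitted; violations will be pursued legally.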
