Lab Guide (AAA)
I. Lab tasks
II. Lab steps
1. Pre-configuration:
-------------------------
R1:
hostname R1
interface e0/0
 no shutdown
 duplex full
 ip address 10.1.1.105 255.255.255.0
interface s1/1
 no shutdown
 clock rate 128000
 ip address 10.12.12.1 255.255.255.0
enable password cisco
-------------------------
R2:
hostname R2
interface s1/0
 no shutdown
 clock rate 128000
 ip address 10.12.12.2 255.255.255.0
-------------------------
PC:
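Set the IP address to 10.1.1.XX (XX is the computer's number) and test connectivity to R1.
2. Install ACS and do the basic configuration (on the AAA server):
Configure the ACS working IP as shown below:
Add the AAA client (R1) as shown below:
Click the "restart" button to restart the service as shown below:
Add the users admin and user1 as shown below:
3. Configure authentication (on R1):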
aaa new-model
aaa authentication login MYLOGIN group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key cisco
line vty 0 4
 login authentication MYLOGIN
R1#test aaa group tacacs+ admin cisco new-code
Trying to authenticate with Servergroup tacacs+
Sending password
User successfully authenticated
Test:
On R2, telnet 10.12.12.1
R2#telnet 10.12.12.1
Trying 10.12.12.1 ... Open
Username: admin
Password:
4. Configure authorization (on R1):
aaa authorization config-commands
aaa authorization exec MYEXEC group tacacs+
aaa authorization commands 15 MYCOMM15 group tacacs+
line vty 0 4
 authorization commands 15 MYCOMM15
 authorization exec MYEXEC
Test:
On R2, telnet 10.12.12.1 and check: can you configure the RIP routing protocol?
Can you configure the EIGRP routing protocol?
5. Configure accounting (on R1):
aaa accounting exec MYEXEC start-stop group tacacs+
aaa accounting commands 15 MYCOMM15 start-stop group tacacs+
line vty 0 4
 accounting commands 15 MYCOMM15
 accounting exec MYEXEC
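An added example, not part of the original lab guide: a Python check over the AAA lines from steps 3 to 5 that reports, for each line, any named method list that is applied but never defined, and any authentication or authorization list whose only method is group tacacs+ (so logins on that line fail when the TACACS+ server is unreachable). The helper name audit_aaa and the SAMPLE text are constructed for this illustration; only explicitly named lists are checked, not the default list.

```python
import re

# Constructed sample: the AAA lines from steps 3-5 of this lab, spaces restored.
SAMPLE = """\
aaa authentication login MYLOGIN group tacacs+
aaa authorization exec MYEXEC group tacacs+
aaa authorization commands 15 MYCOMM15 group tacacs+
aaa accounting exec MYEXEC start-stop group tacacs+
aaa accounting commands 15 MYCOMM15 start-stop group tacacs+
line vty 0 4
 login authentication MYLOGIN
 authorization commands 15 MYCOMM15
 authorization exec MYEXEC
 accounting commands 15 MYCOMM15
 accounting exec MYEXEC
"""

DEFINE = re.compile(r"aaa (authentication|authorization|accounting) "
                    r"(login|exec|commands \d+) (\S+) (.+)")
APPLY = re.compile(r"(?:login (authentication)|(authorization|accounting) "
                   r"(exec|commands \d+)) (\S+)")


def audit_aaa(config):
    """Hypothetical helper: audit named AAA method lists applied to lines."""
    lines, defined = [l.strip() for l in config.splitlines()], {}
    for text in lines:
        m = DEFINE.fullmatch(text)
        if m:
            kind, service, name, rest = m.groups()
            words = rest.split()
            # "group tacacs+" is one method; accounting has a record type first.
            count = len(words) - words.count("group") - (kind == "accounting")
            defined[(kind, service, name)] = count
    findings, line = [], None
    for text in lines:
        if text.startswith("line "):
            line = text  # remember which line the following bindings belong to
        m = APPLY.fullmatch(text)
        if not (m and line):
            continue
        kind = m.group(1) or m.group(2)
        service = "login" if m.group(1) else m.group(3)
        key = (kind, service, m.group(4))
        if key not in defined:
            findings.append((line, kind, key[2], "undefined list"))
        elif kind != "accounting" and defined[key] == 1:
            findings.append((line, kind, key[2], "single method, no fallback"))
    return findings
```

Run against the lab configuration, it flags MYLOGIN, MYCOMM15 and MYEXEC on line vty 0 4 as single-method lists.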
III. Complete configuration
-----------------------------R1------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login MYLOGIN group tacacs+
aaa authorization config-commands
aaa authorization exec MYEXEC group tacacs+
aaa authorization commands 15 MYCOMM15 group tacacs+
aaa accounting exec MYEXEC start-stop group tacacs+
aaa accounting commands 15 MYCOMM15 start-stop group tacacs+
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.1.1.150 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.12.12.1 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
!
ip http server
no ip http secure-server
!
!
!
!
tacacs-server host 10.1.1.50
tacacs-server key cisco
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 authorization commands 15 MYCOMM15
 authorization exec MYEXEC
 accounting commands 15 MYCOMM15
 accounting exec MYEXEC
 login authentication MYLOGIN
!
!
End
-----------------------------R2------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.12.12.2 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
End