Key points for ACS configuration:
1. In the Interface Configuration section, select the relevant items; otherwise they will not be shown in the other sections.
2. Examples on the device side
ACS authentication: the router method differs from the PIX method
Step 1> Define the TACACS+ server address and key on the device
tacacs-server host 202.101.110.110
tacacs-server directed-request
tacacs-server key test
Step 2> Define the device's IP address on the ACS
Step 3> Create the usernames and user groups on the ACS
Step 4> Configure AAA authentication on the device
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
line vty 0 4
login authentication default
Authorization and accounting:
aaa new-model
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
line vty 0 4
authorization commands 1 default
authorization commands 15 default
aaa accounting exec default start-stop group tacacs+
line vty 0 4
accounting exec default
To record the commands that users execute, configure the device as follows:
aaa new-model
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
accounting commands 0 default
accounting commands 1 default
accounting commands 15 default
I. AAA server configuration: PIX/ASA method
Chicago(config)# username admin password cisco
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# max-failed-attempts 4
Chicago(config-aaa-server)# reactivation-mode depletion deadtime 5
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
show running-config aaa-server (displays the configured aaa-server commands)
show aaa-server (displays details of the AAA servers, including the local database)
clear aaa-server statistics [tag [host hostname]]
clear aaa-server statistics protocol server-protocol
clear configure aaa-server [server-tag]
II. Configuring authentication for management sessions:
Chicago(config)# aaa authentication telnet console mygroup LOCAL
Chicago(config)# aaa authentication ssh console mygroup
Chicago(config)# aaa authentication serial console mygroup (physical console port)
aaa authentication http console mygroup
If this command is not configured, Cisco ASDM users can gain access to the ASA by entering only the enable password, and no username, at the authentication prompt
III. Configuring AAA for network access:
access-list 150 extended permit ip any any
access-list 150 extended deny ip host 172.18.124.20 any
aaa authentication match 150 inside mygroup
timeout uauth hh:mm:ss [absolute | inactivity]
It is recommended to configure the absolute timeout command value for at least 2 minutes. Never configure the timeout uauth duration to 0.
auth-prompt [prompt | accept | reject] prompt text
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
aaa authorization match 100 inside mygroup
aaa authorization command {LOCAL | tacacs_server_tag [LOCAL]}
access-group 100 in interface inside per-user-override
Chicago(config)# aaa accounting match 100 inside mygroup
Chicago(config)# aaa accounting command privilege 15 mygroup (accounting for privilege-level 15 users)
Deploying Cut-Through Proxy Authentication
access-list 100 extended permit ip any any
aaa authentication match 100 inside LOCAL
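As an added example (not from these notes), a small Python audit that checks a router or PIX/ASA configuration text for the points covered in the TACACS+ steps and the ASA sections above: server and key defined, a local fallback in the login list, an http console authentication line, and a timeout uauth absolute value under the 2-minute minimum. The sample configs are constructed from the snippets above with those weaknesses deliberately left in; the rule messages are my own wording.

```python
import re

# Constructed samples based on the notes above; each keeps one weakness the notes
# warn about: no "local" fallback (IOS); no http console auth and uauth 0 (ASA).
IOS_CFG = """aaa new-model
tacacs-server host 202.101.110.110
tacacs-server key test
aaa authentication login default group tacacs+
line vty 0 4
 login authentication default
"""
ASA_CFG = """aaa-server mygroup protocol radius
aaa-server mygroup host 172.18.124.11
 key cisco123
aaa authentication telnet console mygroup LOCAL
aaa authentication ssh console mygroup
timeout uauth 0:00:00 absolute
"""
# (kind, regex, finding): a "present" rule fires when its regex does not match.
IOS_RULES = [
    ("present", r"^aaa new-model$", "aaa new-model missing"),
    ("present", r"^tacacs-server host \S+", "no TACACS+ server defined"),
    ("present", r"^tacacs-server key \S+", "no TACACS+ key defined"),
    ("present", r"^aaa authentication login default .*tacacs\+.*\blocal\b",
     "login list has no local fallback: lockout if TACACS+ is unreachable"),
]
ASA_RULES = [
    ("present", r"^aaa-server \S+ host \S+", "AAA server group has no host"),
    ("present", r"^ key \S+", "AAA server host has no key"),
    ("present", r"^aaa authentication http console ",
     "http console not authenticated: ASDM accepts the enable password alone"),
]

def audit(cfg, rules):
    """Findings for one config against one rule set, in rule order."""
    return [msg for kind, pat, msg in rules
            if (kind == "present") != bool(re.search(pat, cfg, re.M))]

def uauth_findings(cfg):
    """Flag an absolute 'timeout uauth' that is 0 or under the 2-minute minimum."""
    out = []
    pat = r"^timeout uauth (\d+):(\d+):(\d+)(?: (absolute|inactivity))?"
    for h, m, s, kind in re.findall(pat, cfg, re.M):
        if kind != "inactivity" and int(h) * 3600 + int(m) * 60 + int(s) < 120:
            out.append(f"timeout uauth absolute {h}:{m}:{s} is below 2 minutes")
    return out

if __name__ == "__main__":
    for name, cfg, rules in (("IOS", IOS_CFG, IOS_RULES), ("ASA", ASA_CFG, ASA_RULES)):
        for finding in audit(cfg, rules) + uauth_findings(cfg):
            print(f"[{name}] {finding}")
```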
Lab configuration example:
pix525(config)# sh run
PIX Version 7.2(1)
!
hostname pix525
domain-name cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.2 insidehost
name 172.16.16.2 bastionhost
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.1.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
passwd 5ya5JKHLgY0ZD3KU encrypted (Telnet password)
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list aaaacl2 extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmzin extended permit ip any host bastionhost
global (outside) 1 interface
global (dmz) 1 172.16.16.10-172.16.16.20 netmask 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (dmz) 1 172.16.16.0 255.255.255.0
access-group 101 in interface outside
access-group 101 in interface inside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 192.1.1.2 1
route inside 192.168.20.0 255.255.255.0 insidehost 1
The aaa-server configuration has two parts: specifying the protocol, and specifying the AAA server address and key
aaa-server deng protocol radius
reactivation-mode timed
max-failed-attempts 4
aaa-server deng host 192.168.20.206
timeout 300
key deng
Local database
username dengzhaopeng password nuvFZK3pqSfYnWqN encrypted
username dengyusu password 6SGxhdEZqnTFVjew encrypted
aaa authentication telnet console LOCAL (authenticate management sessions against the local database)
aaa authentication match aaaacl2 inside deng (authenticate access from the specified subnet against the AAA server)
aaa authentication match dmzin inside deng (authenticate access to the bastion host against the AAA server)
telnet insidehost 255.255.255.255 inside
telnet timeout 5
ssh scopy enable (allows FTP-like file transfer over SSH, but encrypted)
ssh 192.1.1.2 255.255.255.255 outside
ssh insidehost 255.255.255.255 inside
ssh timeout 5
ssh version 2
Generate the key pair first (is it not shown in show run?); it uses the domain name
console timeout 0
pix525(config)# sh aaa-s
Server Group: deng
Server Protocol: radius
Server Address: 192.168.10.206
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 13:45:25 UTC Sun Dec 16 2007
Number of pending requests 0
Average round trip time 117ms
Number of authentication requests 4
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1
Number of rejects 3
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
pix525(config)# sh uau
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'dengyusu' at insidehost, authenticated (idle for 0:00:07)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
pix525(config)# clear uau
pix525(config)# sh uau
Current Most Seen
Authenticated Users 0 1
Authen In Progress 0 1
Key point: minimal configuration
Configuration of this example on ACS 4.1:
1. Only the NAS needs to be specified; the ACS server itself does not need to be specified.
Three items must match: IP address, key, and RADIUS type
2. Configure a simple username and password using the ACS internal database; no group settings are needed, the user is automatically placed in the default group
Downloading an ACL from ACS to control user access:
pix525(config)# sh uau
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'dengyusu' at insidehost, authenticated (idle for 0:00:06)
access-list #ACSACL#-IP-11-47654143 (*)
absolute timeout: 3:00:00
inactivity timeout: 0:30:00
pix525(config)# clear uau
pix525(config)# sh uau
Current Most Seen
Authenticated Users 0 1
Authen In Progress 0 1
pix525(config)#
pix525(config)# sh uau
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'dengyuliang' at insidehost, authenticated (idle for 0:00:08)
absolute timeout: 3:00:00
inactivity timeout: 0:30:00
pix525(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 extended permit icmp any any (hitcnt=73) 0x744a4825
access-list 101 line 2 extended permit tcp any any (hitcnt=35) 0xb978f075
access-list dmzin; 1 elements
access-list dmzin line 1 extended permit ip any host bastionhost (hitcnt=34) 0x6c412b51
access-list #ACSACL#-IP-11-47654143; 2 elements (dynamic)
access-list #ACSACL#-IP-11-47654143 line 1 extended permit tcp any host bastionhost (hitcnt=1) 0xb9a69fc
access-list #ACSACL#-IP-11-47654143 line 2 extended permit icmp any host bastionhost (hitcnt=0) 0x49b825d3
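As an added example (not from these notes), a Python parser for the `show aaa-server` and `show uauth` output shown above, turning the counters and the per-user session lines (including the ACS downloaded ACL name) into data a monitor can alert on: a server group that is not ACTIVE, or a reject ratio like the 3 of 4 seen above. The sample output is constructed in the format of the notes; the alert thresholds and wording are my own.

```python
import re

# Constructed "show aaa-server" and "show uauth" output in the format of the notes above.
SHOW_AAA_SERVER = """Server Group: deng
Server Protocol: radius
Server Address: 192.168.10.206
Server status: ACTIVE, Last transaction at 13:45:25 UTC Sun Dec 16 2007
Number of authentication requests 4
Number of accepts 1
Number of rejects 3
"""
SHOW_UAUTH = """user 'dengyusu' at insidehost, authenticated (idle for 0:00:06)
   access-list #ACSACL#-IP-11-47654143 (*)
   absolute   timeout: 3:00:00
   inactivity timeout: 0:30:00
user 'dengyuliang' at insidehost, authenticated (idle for 0:00:08)
   absolute   timeout: 3:00:00
   inactivity timeout: 0:30:00
"""

def parse_aaa_server(text):
    """Return group/protocol/address/status plus the 'Number of ...' counters."""
    info = {}
    for line in text.splitlines():
        if m := re.match(r"Server (Group|Protocol|Address|status): ([^,\s]+)", line):
            info[m[1].lower()] = m[2]
        elif m := re.match(r"Number of (.+?) (\d+)$", line):
            info[m[1].replace(" ", "_")] = int(m[2])
    return info

def parse_uauth(text):
    """Return one dict per authenticated user: host, timeouts and any ACS dACL."""
    users, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"user '([^']+)' at (\S+), authenticated", line):
            cur = {"user": m[1], "host": m[2], "dacl": None}
            users.append(cur)
        elif cur and (m := re.search(r"access-list (#ACSACL#\S+)", line)):
            cur["dacl"] = m[1]
        elif cur and (m := re.search(r"(absolute|inactivity)\s+timeout: (\S+)", line)):
            cur[m[1]] = m[2]
    return users

def server_alerts(info, max_reject_ratio=0.5):
    """Alerts a monitor would raise: server not ACTIVE, or mostly rejected logins."""
    out = []
    if info.get("status") != "ACTIVE":
        out.append(f"server {info.get('address')} is {info.get('status')}")
    reqs = info.get("authentication_requests", 0)
    if reqs and info.get("rejects", 0) / reqs > max_reject_ratio:
        out.append(f"{info['rejects']} of {reqs} authentication requests rejected")
    return out
```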