交换机访问控制 
版权声明:原创作品,谢绝转载!否则将追究法律责任。 |
通过本实验了解CISCO交换机的验证方法,防止非法用户访问交换机
初始配置
Switch
Conf t
Int f 0/1
No sw
Ip ad 10.1.1.2 255.255.255.0
End
Router
Conf t
Int e 0
Ip ad 10.1.1.1 255.255.255.0
No shut
测试
sw1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/52/116 ms
1, 在Router做TELNET 命令,访问Switch
Switch
Conf t
No service password-recovey
Enable secret ccie
Line vty 0 15
Login
Password ccie
End
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Password: <ccie> 被隐藏
sw1>en
Password: <ccie> 被隐藏
sw1# 进入交换机特权模式
sw1#quit
[Connection to 10.1.1.2 closed by foreign host]
R1# 回到Router
2, 配置username和password对
这个配置使username 和password存储在本地交换机中,在switch上配置
Conf t
Username cisco password ccie
Line vty 0 15
Login local
End
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: cisco
Password: <ccie> 被隐藏
sw1>en
Password: <ccie> 被隐藏
sw1#quit
[Connection to 10.1.1.2 closed by foreign host]
R1#
3, 配置多种特权等级
在交换机上配置用户,并对用户单独进行授权
Conf t
Username cisco privilege 2 password 0 ccie
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: cisco
Password:
sw1#conf t
^
% Invalid input detected at '^' marker.
为什么会出错呢?因为我们没有对此用户的访问进行授权,现在交换机上进一步配置
Privilege exec level 2 conf t
Privilege configure level 2 interface
Privilege interface level 2 no switchport
Privilege interface level 2 ip address
Privilege interface level 2 no shut
在Router上校验
sw1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
sw1(config)#int f 0/2
sw1(config-if)#no sw
sw1(config-if)#ip ad 10.1.2.2 255.255.255.0
sw1(config-if)#shut
sw1(config-if)#no shut
sw1(config-if)#^Z
sw1#quit
[Connection to 10.1.1.2 closed by foreign host]
R1#
4, 在交换机上配置本地Authentication和Authorization服务,在本地交换机上AAA验证
Conf t
Aaa new-model
Aaa authentication login default local
Aaa authorization exec default local
Aaa authorization network default local
Username cisco password ccie
在Router上校验
Username: cisco
Password:
sw1>en
Password:
sw1#config t
Enter configuration commands, one per line. End with CNTL/Z.
sw1(config)#^Z
sw1#quit
[Connection to 10.1.1.2 closed by foreign host]
R1#
下面来讨论TACACS+ SERVER和RADIUS SERVER的验证授权和统计。
1, 配置TACACS+ SERVER
Conf t
Tacacs-server host 10.1.2.1
Aaa new-model
Aaa group server tacacs+ group cisco
Server 10.1.2.1
Exit
2, 配置TACACS+登录验证
aaa authentication login default group tacacs+
Line vty 0 15
Login authentication default
exit
3, 配置TACACS+的EXEC访问和network授权
aaa authorization exec defaut group tacacs+
aaa authorization network defaut group tacacs+
4, 配置TACACS+的统计
Aaa accounting network default start-stop group tacacs+
Aaa accounting exec default start-stop group tacacs+
1, 配置RADIUS SERVER
Conf t
Radius-server host 10.1.2.1
Aaa new-model
Aaa group server radius group cisco
Server 10.1.2.1
Exit
2, 配置RADIUS登录验证
Aaa authentication login default group radius
Line vtp 0 15
Login authentication default
Exit
3,配置RADIUS的EXEC访问和network授权
Aaa authorization network default group radius
Aaa authorization exec default group radius
3, 配置RADIUS的统计
Aaa accounting network default start-stop group radius
Aaa accounting exec default start-stop group radius
4, 配置RADIUS服务器
Radius-server key ccie
Redius-server retransmit 3
Radius-server tiomout 60
Radius-server deadtime 10 本文出自 “穿过地狱去看海” 博客,谢绝转载! 本文出自 51CTO.COM技术博客 |
cj231210
博客统计信息
热门文章
最新评论
友情链接
