交换机访问控制

    [多云 September 16, 2007 20:12 | by ]
通过本实验了解CISCO交换机的验证方法,防止非法用户访问交换机 初始配置SwitchConf tInt f 0/1No swIp ad 10.1.1.2 255.255.255.0End RouterConf tInt e 0Ip ad 10.1.1.1 255.255.255.0No shut Server IP ad ...
通过本实验了解CISCO交换机的验证方法,防止非法用户访问交换机

初始配置
Switch
Conf t
Int f 0/1
No sw
Ip ad 10.1.1.2 255.255.255.0
End


Router
Conf t
Int e 0
Ip ad 10.1.1.1 255.255.255.0
No shut


Server IP address 10.1.2.1/24
测试
sw1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/52/116 ms

1,  在Router做TELNET 命令,访问Switch

Switch
Conf t
No service password-recovey
Enable secret ccie
Line vty 0 15
Login
Password ccie
End
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Password: 被隐藏
sw1>en
Password: 被隐藏
sw1#           进入交换机特权模式
sw1#quit

[Connection to 10.1.1.2 closed by foreign host]
R1#           回到Router


2,  配置username和password对
这个配置使username 和password存储在本地交换机中,在switch上配置
Conf t
Username cisco password ccie
Line vty 0 15
Login local
End
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Username: cisco
Password: 被隐藏
sw1>en
Password: 被隐藏
sw1#quit

[Connection to 10.1.1.2 closed by foreign host]
R1#


3,  配置多种特权等级
在交换机上配置用户,并对用户单独进行授权
Conf t
Username cisco privilege 2 password 0 ccie
在Router上校验
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Username: cisco
Password:
sw1#conf t
      ^
% Invalid input detected at '^' marker.
为什么会出错呢?因为我们没有对此用户的访问进行授权,现在交换机上进一步配置
Privilege exec level 2 conf t
Privilege configure level 2 interface
Privilege interface level 2 no switchport
Privilege interface level 2 ip address
Privilege interface level 2 no shut
在Router上校验
sw1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw1(config)#int f 0/2
sw1(config-if)#no sw
sw1(config-if)#ip ad 10.1.2.2 255.255.255.0
sw1(config-if)#shut
sw1(config-if)#no shut
sw1(config-if)#^Z
sw1#quit

[Connection to 10.1.1.2 closed by foreign host]
R1#


4,  在交换机上配置本地Authentication和Authorization服务,在本地交换机上AAA验证
Conf t
Aaa new-model
Aaa authentication login default local
Aaa authorization exec default local
Aaa authorization network default local
Username cisco password ccie

在Router上校验
Username: cisco
Password:

sw1>en
Password:
sw1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
sw1(config)#^Z
sw1#quit

[Connection to 10.1.1.2 closed by foreign host]
R1#


下面来讨论TACACS+ SERVER和RADIUS SERVER的验证授权和统计。
1,  配置TACACS+ SERVER
Conf t
Tacacs-server host 10.1.2.1
Aaa new-model
Aaa group server tacacs+ group cisco
Server 10.1.2.1
Exit

2,  配置TACACS+登录验证
aaa authentication login default group tacacs+
Line vty 0 15
Login authentication default
exit

3,  配置TACACS+的EXEC访问和network授权
aaa authorization exec defaut group tacacs+
aaa authorization network defaut group tacacs+

4,  配置TACACS+的统计
Aaa accounting network default start-stop group tacacs+
Aaa accounting exec default start-stop group tacacs+



1,  配置RADIUS SERVER
Conf t
Radius-server host 10.1.2.1
Aaa new-model
Aaa group server radius group cisco
Server 10.1.2.1
Exit

2,  配置RADIUS登录验证
Aaa authentication login default group radius
Line vtp 0 15
Login authentication default
Exit

3,配置RADIUS的EXEC访问和network授权
Aaa authorization network default group radius
Aaa authorization exec default group radius

3,  配置RADIUS的统计
Aaa accounting network default start-stop group radius
Aaa accounting exec default start-stop group radius

4,  配置RADIUS服务器
Radius-server key ccie
Redius-server retransmit 3
Radius-server tiomout 60
Radius-server deadtime 10

Technology | Comments(0) | Trackbacks(0) | Reads(7204)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive