Lab 1 Report - Lecturer: Nguyễn Đức Quang
Supervising lecturer: MSc Nguyễn Đức Quang
Student: Nguyễn Trung Niêm
Class: 09DTHM
Student ID: 0951020186
Student: Nguyễn Trung Niêm - Student ID: 0951020186 - Class: 09DTHM
I. Lab topology:

II. Requirements:
a. Configure the topology as shown: the client telnets to R1, and R1 authenticates users with the TACACS+ protocol.
b. Install the ACS server.
c. Configure the ACS server (using TACACS+).
d. Configure the ACS client on R1 to enable the AAA service.
e. On the ACS server create three groups: Admin, Mod and Guest.
   i. Group Admin telnets to R1 and may use every command.
   ii. Group Mod telnets to R1 and may use only the commands in the prescribed list (show ip route, ping).
   iii. Group Guest may only telnet to R1.
f. Capture the TACACS+ protocol messages with Wireshark.

III. Preparation:
- Programs used in this lab: VMware Workstation, Cisco Secure ACS, SolarWinds Engineer's Toolset, GNS3.
- The client runs Windows XP; the server runs Windows Server 2003.
IV. Introduction to Cisco Secure ACS:
Cisco Secure ACS runs on Windows and is a network security application that lets you control network access, dial-in calls and Internet access. It runs as a Windows NT/2000 service that controls authentication, authorization and accounting for users accessing the network. Cisco Secure ACS provides AAA services to network access devices that act as AAA clients: routers, NAS devices, PIX firewalls and the VPN 3000 Concentrator. An AAA client can be any device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS; Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services in a secured environment. It centralizes access control and accounting, and also manages access to routers and switches. With Cisco Secure ACS, network administrators can quickly manage accounts and change the service level for entire groups of users. Cisco Secure ACS is easy to use because it is easy to install and administer; it normally runs on Windows NT Server or Windows Server. It can authenticate usernames and passwords stored in the Windows NT/2000 database, in its own internal database, or in external databases.
Different security levels can be used with Cisco Secure ACS for different requirements. The user-to-network security level is PAP. Although it does not provide the highest level of secrecy through encryption, PAP offers convenience and simplicity for the client. PAP authentication can authenticate against the Windows NT/2000 database. CHAP authentication provides a higher level of security, since passwords are encrypted when they travel from the client to the network access server (NAS). Microsoft CHAP (MS-CHAP) is a version of CHAP introduced by Microsoft to work more closely and easily with Microsoft Windows operating systems.
o Main functions:
o User Setup: add, delete and edit a user account, and list all users in the database.
o Group Setup: create, edit and rename groups, and list all users in a group.
o Shared Profile Components: develop and reuse named sets of authorization components that can be applied to one or more users or user groups and are referenced by name in each individual profile. The components include network access restrictions (NARs), command authorization sets and downloadable ACLs.
o Network Configuration: configure and edit NAS parameters, add and delete NASes, and configure AAA distribution parameters for AAA servers.
o System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication, and control synchronization with a relational database management system.
o Interface Configuration: configure the user-defined fields recorded in the log files, configure TACACS+/RADIUS options, and control how options are presented in the user interface.
o Administration Control: control administration of Cisco Secure ACS from any workstation on the network.
o External User Databases: configure the user policy, configure authorization levels for users, and configure the types of external databases.
o Reports and Activity: records what happens in Cisco Secure ACS as a set of report types suited to your needs. These files can be imported into a database or spreadsheet application.
   o TACACS+ Accounting Report: lists when a session started and ended, records the NAS message with the username, and provides CLID information and the records of each session.
   o RADIUS Accounting Report: lists when a session started and ended, records the NAS message with the username, and provides CLID information and the records of each session.
   - Failed Attempts Report: lists unsuccessful authentications.
   - Logged-in Users: lists all users who connected recently.
   - Disabled Accounts: accounts that are no longer allowed to operate.
   - Admin Accounting Report: a record of the administrators' actions.
o Online Documentation: the Cisco Secure ACS user guide, covering configuration, operation and the concepts related to Cisco Secure ACS.
V. Deploying the topology:
- Router configuration:
> R1 configuration:
!* R1.CiscoConfig
!* IP Address : 192.168.2.86
!* Community : niem.org
!* Downloaded 2/21/2012 2:22:17 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.1.87 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.86 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
tacacs-server host 192.168.4.87
tacacs-server directed-request
tacacs-server key trungniem
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
> R2 configuration:
!* R2.CiscoConfig
!* IP Address : 192.168.2.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:07:34 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.2.87 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.87 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 192.168.3.86 255.255.255.0
 clock rate 2000000
!
router rip
 version 2
 network 192.168.2.0
 network 192.168.3.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
> R3 configuration:
!* R3.CiscoConfig
!* IP Address : 192.168.3.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:09:12 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.4.86 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.3.87 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 192.168.3.0
 network 192.168.4.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
VI. Deploying the ACS server:
a. ACS server interface: after installing Cisco Secure ACS, start the program. This is the main Cisco Secure ACS interface:
b. Creating user groups: we create three groups, Admin, Mod and Guest.
Step 1: Create group Admin: open the Group Setup menu.
- Select any group in the list shown above and click Edit Settings.
- Check Shell (exec).
- Check Privilege level and enter 15.
- Click Submit + Restart.
Next, rename Group 1 to Admin: choose Group Setup -> select Group 1 -> click Rename Group, enter the new name and click Submit.
- This completes creating the Admin group and assigning its privileges.
Step 2: Create group Mod:
- Same as the Admin group, except that Mod combines a privilege level with command authorization.
- First create the command authorization set: open the Shared Profile Components menu and choose Shell Command Authorization Sets.
Click Add. The Shell Command Authorization Set form appears:
o Name: the name of this set.
o Description: a description of the set.
o Unmatched Commands: how the server treats commands that are not listed below (two options: Permit or Deny).
o Permit Unmatched Args: allow arguments you have not entered. If it is unchecked, the server treats them as Deny.
o Add Command: adds a new command. Type the command and click Add Command, then enter the command's arguments in the form permit/deny <arg>; press Enter to start a new argument line.
The set in the example above means: any group this set is assigned to, even with privilege level 15, may only run show ip route.
o Unmatched Commands = Deny: rejects every command not listed.
o Permit Unmatched Args unchecked: denies every argument not in the list below.
o permit ip route: allows the show command to run as show ip route.
o When done, click Submit.
- Assign the Shell Command Authorization Set to group Mod: Group Setup -> select group Mod -> Edit Settings. Check Shell (exec) and enter 15 for Privilege level. Under Shell Command Authorization Set, check Assign a Shell Command Authorization Set for any network device -> choose Mod. Submit + Restart.
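The decision rules of the Shell Command Authorization Set described above, modelled in Python as an added illustration (this is not ACS code and not part of the report): unmatched commands are denied, unmatched arguments are denied, and show is permitted only with the argument line ip route. Matching an argument line against the typed arguments is simplified to an exact comparison, which is an assumption of this model.

```python
from dataclasses import dataclass, field

# Constructed model of an ACS Shell Command Authorization Set. Argument lines are
# matched by exact comparison here (an assumption; the real product's matching
# rules are not described on this page).
@dataclass
class ShellCommandSet:
    name: str
    unmatched_commands: str = "deny"        # Unmatched Commands: "permit" or "deny"
    permit_unmatched_args: bool = False     # the Permit Unmatched Args check box
    commands: dict = field(default_factory=dict)  # command -> [(action, arg pattern)]

    def add_command(self, command, *arg_lines):
        """arg_lines are typed as 'permit <args>' or 'deny <args>', one per line."""
        rules = []
        for line in arg_lines:
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError("argument line must start with permit or deny: %r" % line)
            rules.append((action, pattern))
        self.commands[command] = rules

    def authorize(self, command_line):
        """True if the set allows the full command line, False otherwise."""
        command, _, args = " ".join(command_line.split()).partition(" ")
        if command not in self.commands:
            # Command not in the set: the Unmatched Commands setting decides.
            return self.unmatched_commands == "permit"
        for action, pattern in self.commands[command]:
            if pattern == args:
                return action == "permit"   # first matching argument line wins
        # Command is listed but its arguments matched no line.
        return self.permit_unmatched_args

def mod_set():
    """The set the report assigns to group Mod: deny everything except 'show ip route'."""
    s = ShellCommandSet("Mod", unmatched_commands="deny", permit_unmatched_args=False)
    s.add_command("show", "permit ip route")
    return s
```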
Step 3: Create group Guest: same as group Admin, but with Privilege level 0.
c. Create users and add them to groups: create users admin1, mod1 and guest1.
- Open the User Setup menu.
- Enter the user name in the User field. We enter Admin1 and click Add/Edit.
- Password Authentication: ACS Internal Database; the password for user admin1 is longthanc.
- Set this user's group to Admin and click Submit.
- Do the same for users Guest1 and Mod1.
After finishing:
d. Configure the ACS server: open the Network Configuration menu.
- Configuring the ACS server:
o Create an AAA Server: under AAA Servers click Add Entry.
o AAA Server Name: the server name (any name).
o AAA Server IP Address: the IP address of the machine running the ACS server.
o Key: the key exchanged with the client (it must match the client's key).
o AAA Server Type: TACACS+.
o Traffic Type: Inbound/Outbound.
o When done, click Submit + Apply.
e. Configure the ACS server to create an AAA Client: under AAA Clients click Add Entry.
o AAA Client Hostname: the name of the router to be managed.
o AAA Client IP Address: the IP address of that router.
o Shared Secret: the key exchanged with the server (it must be identical on client and server, and is required when configuring the router).
o Authenticate Using: choose TACACS+ (Cisco IOS).
o When done, click Submit + Apply.

VII. Configuring the ACS client on R1:
- The basic configuration commands follow; note that these commands apply to Cisco IOS 12.05 and later.
VIII. Verifying the result after configuration:
- On the client, run telnet 192.168.2.86 to test.
- Log in as user Admin1:
- Log in as user guest1:
- Log in as user mod1:
-> Only the ping and show ip route commands can be used.
IX. Viewing TACACS+ Accounting reports: to use this function, AAA Accounting must be configured. Open the Reports and Activity menu -> choose TACACS+ Accounting.
Choose the log file to view under Select a TACACS+ Accounting file, for example TACACS+ Accounting active.csv.

X. TACACS+ packets:
- Packet fields:
+ Major version: TACACS+ (the major version; here it is the TACACS+ version).
+ Minor version: 0 (the minor version; here the minor version of TACACS+ is 0).
+ Type: Authorization (2) (the packet type; this is an Authorization packet, encoded as the value 2).
+ Sequence number: 2 (the sequence number of the packet of this Type within the session; here it is the sequence number of the captured Authorization packet, the first one sent).
+ Flags: 0x00 (Encrypted payload, multiple connections) (the flags that control encryption of the packets and the connection; the value not set shows they have not been set).
+ Session ID: 4196086279 (the ID of this TACACS+ session, here 4196086279).
+ Packet Length: 19 (the length of the packet, not including the header).
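The header fields listed above, and the body obfuscation that the flag value 0x00 implies, as an added Python example that is not part of the report or of any Cisco software. It builds a 12-byte header with the captured values (type 2, sequence 2, flags 0x00, session id 4196086279, length 19) over a constructed 19-byte authorization reply, then applies the RFC 8907 pseudo-pad with the shared key trungniem from R1's configuration; the reply text itself is an assumption.

```python
import hashlib
import struct

# Values taken from the capture described in the report; the shared key is the
# one in R1's configuration. The reply text below is a constructed assumption.
SESSION_ID = 4196086279
KEY = b"trungniem"
HEADER_FMT = "!BBBBII"                # 12-byte header, network byte order
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # set => body sent in the clear
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # set => one TCP connection for many sessions
TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}

def parse_header(pkt):
    """Decode the fixed header into the fields the report lists (version 0xc = TACACS+)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:12])
    return {"major_version": version >> 4, "minor_version": version & 0x0F,
            "type": TYPES.get(ptype, "Unknown"), "seq_no": seq_no,
            "encrypted": not flags & TAC_PLUS_UNENCRYPTED_FLAG,
            "single_connection": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "session_id": session_id, "length": length}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id | key | version | seq_no
    [| previous digest]. This is obfuscation, not encryption: the key alone undoes it."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(header, body, key):
    """XOR the body with the pad; applying it a second time restores the clear body."""
    version, _, seq_no, flags, session_id, _ = struct.unpack(HEADER_FMT, header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authz_reply(session_id, seq_no, server_msg):
    """Authorization REPLY body: status PASS_ADD (1), arg_cnt 0, server_msg_len, data_len, server_msg."""
    body = struct.pack("!BBHH", 0x01, 0, len(server_msg), 0) + server_msg
    header = struct.pack(HEADER_FMT, 0xC0, 2, seq_no, 0x00, session_id, len(body))
    return header, body

def decode_authz_reply(header, wire_body, key):
    """Undo the pad (what Wireshark does when given the key) and read status and message."""
    clear = obfuscate(header, wire_body, key)
    status, arg_cnt, msg_len, _ = struct.unpack("!BBHH", clear[:6])
    return {"status": status, "arg_cnt": arg_cnt, "server_msg": clear[6:6 + msg_len]}
```

Because the pad depends only on the session id, the key, the version and the sequence number, the shared secret is the sole protection of the body on the wire, which is why the configuration above insists on the same key on R1 and on the ACS server.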