AAA security rules

Part of the document "Báo cáo Đồ án chuyên Đề ktmt 1 triển khai truy cập bảo mật hạ tầng mạng" (project report: deploying secure access for network infrastructure), pages 34 - 43

Figure 3.14 AAA topology (diagram residue: R1, R2 and R3 with LANs 192.168.1.0/24 and 192.168.2.0/24, WAN link 10.1.1.0/30, a TACACS+ Server and a RADIUS Server on Server-PT hosts, and PC-A on a PC-PT host)

Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port
R1 | F0/1 | 192.168.1.1 | 255.255.255.0 | N/A | S1 F0/1
R1 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A
R2 | F0/0 | 192.168.2.1 | 255.255.255.0 | N/A | S2 F0/2
R2 | S0/0/0 | 10.1.1.1 | 255.255.255.252 | N/A | N/A
R2 | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A | N/A
R3 | F0/1 | 192.168.3.1 | 255.255.255.0 | N/A | S3 F0/5
R3 | S0/0/1 | 10.2.2.2 | 255.255.255.252 | N/A | N/A
TACACS+ | NIC | 192.168.2.2 | 255.255.255.0 | 192.168.2.1 | S2 F0/6
RADIUS | NIC | 192.168.3.2 | 255.255.255.0 | 192.168.3.1 | S3 F0/1
PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 F0/2
PC-B | NIC | 192.168.2.3 | 255.255.255.0 | 192.168.2.1 | S2 F0/1
PC-C | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 F0/18

Table 3.1 IP addressing plan

Create a local user account and configure local AAA on R1 to test console and vty logins.

User account: Admin1 with password admin1pa55

R1(config)#username Admin1 secret admin1pa55
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#end
R1#

Figure 3.15 User account

Configure AAA authentication on R1 and configure the console line to use AAA authentication

User Access Verification

Username: Admin1
Password:
R1>

Figure 3.16 Login. A login is now required to access R1.

Configure local AAA authentication for the VTY lines on R1. Configure a domain name and a crypto key so that SSH can be used.

R1(config)#ip domain-name ccnasecurity.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#aaa authentication login SSH-LOGIN local
*Mar 1 0:8:55.520: RSA key size needs to be at least 768 bits for ssh version 2
*Mar 1 0:8:55.520: %SSH-5-ENABLED: SSH 1.5 has been enabled
R1(config)#line vty 0 4
R1(config-line)#login authentication SSH-LOGIN
R1(config-line)#transport input ssh
R1(config-line)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console

Figure 3.17 Local AAA authentication for SSH. ccnasecurity.com is used as the domain name on R1.

Figure 3.18 Test from PC-A (Packet Tracer PC Command Line 1.0: SSH login as Admin1 to 192.168.1.1, followed by the Password: prompt)
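The following audit script is an added example written for this page, not code from the report or from Packet Tracer. It parses an IOS-style configuration modelled on R1 above (a constructed sample with a placeholder secret hash) and flags the weaknesses the router sections turn on: a missing aaa new-model, a server-group method list with no local fallback (the reason R2 and R3 use group tacacs+ local and group radius local), a vty line not restricted to SSH, and an RSA modulus below the 768 bits IOS reported as the minimum for SSH version 2. The key size is passed as an argument because the generate command is not saved in the running configuration.

```python
import re

# Constructed sample modelled on the report's R1 configuration (secret hash is a
# placeholder); key size is a parameter, since the generate command is not saved.
R1_CONFIG = """\
ip domain-name ccnasecurity.com
username Admin1 secret 5 PLACEHOLDER_HASH
aaa new-model
aaa authentication login default local
aaa authentication login SSH-LOGIN local
line con 0
 login authentication default
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
"""

def parse_line_blocks(config):
    """Return {'line con 0': [sub-commands], ...} from an IOS-style config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_aaa(config, rsa_modulus_bits):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "aaa new-model" not in [ln.strip() for ln in config.splitlines()]:
        findings.append("aaa new-model missing: login authentication lists are not applied")
    lists = {m.group(1): m.group(2).split() for m in
             re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}
    for name, methods in lists.items():
        if "group" in methods and "local" not in methods:
            findings.append(f"list {name}: server group without local fallback")
    for line, cmds in parse_line_blocks(config).items():
        used = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), "default")
        if used != "default" and used not in lists:
            findings.append(f"{line}: login authentication list {used} is not defined")
        if line.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{line}: transport input is not restricted to ssh")
    if rsa_modulus_bits < 768:  # minimum IOS reported for SSH version 2 on R1
        findings.append(f"RSA modulus {rsa_modulus_bits} bits: below the 768-bit minimum for SSH version 2")
    return findings
```

Running audit_aaa(R1_CONFIG, 512) reproduces the single weakness visible in Figure 3.17 (the 512-bit key), while the same configuration with a 1024-bit key returns no findings.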

Configure R2 to support server-based authentication using the TACACS+ protocol

Client: R2 using the keyword tacacspa55. User account: Admin2 with password admin2pa55

R2(config)#username Admin2 secret admin2pa55
R2(config)#tacacs-server host 192.168.2.2
R2(config)#tacacs-server key tacacspa55
R2(config)#

Figure 3.19 User account

Configure AAA login authentication

R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local

Figure 3.20 AAA authentication configuration

Configure the console to use AAA authentication

R2(config)#line console 0
R2(config-line)#login authentication default
R2(config-line)#end

Figure 3.21 Console line AAA

Accessing R2 now prompts for a username and password

Username: Admin2
Password:
R2>

Figure 3.22 Login

Configure R3 to support server-based authentication using the RADIUS protocol

Client: R3 using the keyword radiuspa55. User account: Admin3 with password admin3pa55

Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#username Admin3 secret admin3pa55
R3(config)#radius-server host 192.168.3.2
R3(config)#radius-server key radiuspa55
R3(config)#

Figure 3.23 User account

Configure AAA authentication on R3 and configure the console line to use AAA authentication

R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius local
R3(config)#line console 0
R3(config-line)#login authentication default
R3(config-line)#end

Figure 3.24 AAA authentication and console line

Accessing R3 now prompts for a username and password

***** AUTHORIZED ACCESS ONLY *****
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin3
Password:
R3>

Figure 3.25 Login

3.1.4 Using the Domain Controller as the RADIUS server

From the Server Manager dashboard, click Add Roles and Features

Figure 3.26 Installing the RADIUS server (Add Roles and Features Wizard dialog: "Add features that are required for Network Policy and Access Services?", listing Remote Server Administration Tools > Role Administration Tools > [Tools] Network Policy and Access Services Tools, with "Include management tools (if applicable)")

Under Server Roles, select Network Policy and Access Services

Figure 3.27 Installing the RADIUS server (Select server roles page of the Add Roles and Features Wizard; the role description reads: "Network Policy and Access Services provides Network Policy Server (NPS), which helps safeguard the security of your network."). Click Add Features

Figure 3.28 Installing the RADIUS server (Confirm installation selections page: Network Policy and Access Services, Remote Server Administration Tools > Role Administration Tools > Network Policy and Access Services Tools). Then click Next and Install

Figure 3.29 Installing the RADIUS server (Installation progress page: "Installation succeeded on WIN-EUIP9UQ651C." for Network Policy and Access Services and its management tools). Installation succeeded

Open Run and type nps.msc

Figure 3.30 Open Run (Run dialog; the task is created with administrative privileges)

Figure 3.31 RADIUS server interface (Network Policy Server console, RADIUS Clients and Servers: "RADIUS clients allow you to specify the network access servers that provide access to your network." and "Remote RADIUS server groups allow you to specify where to forward connection requests when the local NPS server is configured as a RADIUS proxy.")
