当前位置:Gxlcms > mysql > CiscoACS4.1在PIX上的AAA认证

CiscoACS4.1在PIX上的AAA认证

时间:2021-07-01 10:21:17 帮助过:37人阅读

【详细过程】 要求:外网需要TELNET到内网的路由器上,通过ACS做 认证 PIX上的配置如下 interface Ethernet0 nameif inside security-level 100 ip address 172.16.16.1 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 19

【详细过程】
要求:外网需要TELNET到内网的路由器上,通过ACS做认 证

PIX上的配置如下
interface Ethernet0
nameif inside
security-level 100
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.1.1.1 255.255.255.0

access-list 101 extended permit tcp any host 172.16.16.2 eq telnet
access-list outacl extended permit icmp any any
access-list outacl extended permit tcp any host 172.16.16.2 eq 23

aaa-server acs protocol tacacs+
aaa-server acs host 192.168.1.101
key cisco123
aaa authentication match 101 outside acs

telnet 192.168.1.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside

如果要使用虚拟TELNET,加入如下命令:
static (inside,outside) 172.16.16.101 172.16.16.101 netmask 255.255.255.255
virtual telnet 172.16.16.101
aaa authentication match 102 outside acs
access-list 102 extended permit tcp any host 172.16.16.101 eq telnet

TELNET到INSIDE路由器的输出--CCIE115是ACS上面定义的用户,192.1.1.2是外网地址
pixfirewall(config)# sh uau
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'ccie115' at 192.1.1.2, authenticated (idle for 0:00:01)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00

使用虚拟TELNET输出:
wan#telnet 172.16.16.101
Trying 172.16.16.101 ... Open

LOGIN Authentication

Username: ccie115

Password:


Authentication Successful


[Connection to 172.16.16.101 closed by foreign host]
认证成功之后即关闭了虚拟TELNET窗口

在此例中,
删除 access-list outacl extended permit tcp any host 172.16.16.2 eq 23这条命令
添加 access-list 101 extended permit tcp any host 172.16.16.2 eq 23
思想是:不允许OUTSIDE可以直接TELNET到INSIDE,101被AAA调用,通过认证后才可以TELNET到INSIDE

无忧网客联盟专业讨论 网络技术,CCNA CCNP CCIE CCSP

文章转载至http://bbs.net527.cn 无忧网客联盟

无忧网客联 盟主站

无忧linux 时代

人气教程排行