Basic knowledge of AAA

2025-03-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--

AAA uses a client/server (C/S) structure: the client runs on the NAS, and user information is managed centrally on the server.

A user who wants to access network resources establishes a connection with the gateway. The gateway passes the user's authentication, authorization and accounting information to the RADIUS server for auditing and accounting (billing).

In AAA, NAS stands for Network Access Server, i.e. the network device (such as a router or switch) through which users connect.

The network device talks to the AAA server using the RADIUS protocol: UDP port 1812 for authentication and UDP port 1813 for accounting.

Radius working link

Components of a RADIUS server: Users, Clients, Dictionary

Users: stores user information (user name, password, and configuration such as protocol, IP address, etc.)

Clients: stores RADIUS client information (the shared secret and IP address of each access device, etc.)

Dictionary: stores the meaning of the attributes and attribute values used in the RADIUS protocol

Authentication messages between the RADIUS client and the RADIUS server are protected by a shared secret that both sides hold but that is never transmitted over the network, which improves the security of the exchange.

To prevent the user's password from being stolen while it crosses an insecure network, the password is encrypted (hidden with the shared secret) during transmission.

Message format:
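The message layout and the role of the shared secret, as an added example (not code from the original article): a minimal RFC 2865 Access-Request built by a NAS and a reply checked by it. The user name, password, shared secret and Request Authenticator are constructed values.

```python
# Added example (not code from the original article): a minimal RFC 2865
# RADIUS exchange; the shared secret (constructed value b"123456") is never sent.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, request_auth):
    """User-Password hiding: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous block); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: reverse hide_password (needs the secret), strip padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    """TLV attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, request_auth):
    """Code | Identifier | Length | Request Authenticator (16 bytes the NAS
    picks at random, e.g. os.urandom(16)) | Attributes."""
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_reply(code, ident, attrs, request_auth, secret):
    """Server reply: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply, request_auth, secret):
    """Client side: rejects a reply forged or altered by anyone without the secret."""
    expected = build_reply(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected[4:20])
```

A wrong shared secret on either side shows up as an unreadable password at the server and a failed Response Authenticator check at the NAS, which is what to look for when a device and its RADIUS server disagree on the key.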

Authentication method:

1. No authentication: users are fully trusted and are not authenticated. Generally this method is not used.

2. Local authentication: user information is configured on the access server itself. Advantages: fast and cheap; disadvantage: limited by the device's hardware.

3. Remote authentication: used together with the RADIUS protocol; the access server acts as the RADIUS client and communicates with the RADIUS server.

Authorization method:

1. Direct authorization: direct authorization through

2. Local authorization: authorization based on the account configuration on the local server

3. TACACS authorization: the user is authorized by the TACACS server

4. If-authenticated authorization:

5. RADIUS authentication/authorization: in the RADIUS protocol, authentication and authorization are bound together, so RADIUS cannot perform authorization on its own.

Accounting (billing) method: the audit action

1. No accounting

2. Remote accounting: accounting through a RADIUS server or a TACACS server

AAA uses a C/S model: the client is the managed resource, and the server centrally stores the user information.

RADIUS (Remote Authentication Dial-In User Service) protects the network from unauthorized access. It is often used in network environments that require high security while still supporting remote user access.

Configuring AAA

Create an AAA domain and configure its related properties:

1. Configure the AAA scheme used by users

2. Create an ISP domain

3. Configure the status of the ISP domain

4. Configure the maximum number of access users

5. Configure the optional accounting switch

radius scheme AAA                              # create a RADIUS scheme named AAA
primary authentication 172.16.18.1 1812        # primary authentication server IP address and port
primary accounting 172.16.18.1 1813            # primary accounting (audit) server IP address and port
key authentication cipher 123456               # shared key used when exchanging messages with the authentication server is 123456
key accounting cipher 123456                   # shared key used when exchanging messages with the accounting server is 123456
user-name-format without-domain                # send user names to the server without the domain part; access user names are usually in "userid@isp-name" format
nas-ip 172.16.18.254                           # address of this device (the RADIUS client)
server-type extended                           # server type is extended
security-policy-server 172.16.18.253           # deploy the security policy server
domain ISP                                     # create the domain named ISP
authentication default radius-scheme AAA       # authentication entry
authorization default radius-scheme AAA        # authorization entry
accounting default radius-scheme AAA           # accounting (audit) entry
user-interface vty 0 4
authentication-mode scheme                     # VTY logins are authenticated through the AAA scheme
display domain
display domain name default_admin
display authentication-scheme default
display accounting-scheme default
service-scheme authorization mode

AAA can complete the authentication and authorization functions on the router.

Cisco AAA configuration information

Router(config)# aaa new-model                              ! enable AAA
Router(config)# aaa authentication attempts login 2        ! allow 2 login attempts
Router(config)# aaa authentication fail-message C          ! message shown when a wrong password is entered; C is the delimiter character
Enter TEXT message.  End with the character 'C'.
Login invalid!
C
Router(config)# aaa authentication password-prompt logininvalid!   ! the AAA password prompt becomes "logininvalid!" (the user just enters the password)
Router(config)# aaa authentication username-prompt passwd:         ! the AAA user-name prompt becomes "passwd:" (the user just enters the user name)
Router(config)# aaa authentication login local local       ! define a login method list named "local" that uses local authentication
*May 16 09:55:57.240: %AAAA-4-BADMETHNAME: Bad authentication method-list name "local"   (this is only a warning)
Router(config)# username ma password guangjie              ! user name ma, password guangjie
Router(config)# line vty 0 4
Router(config-line)# login authentication local            ! login authentication uses the AAA login method list named "local"
AAA: Warning authentication list "local" is not defined for LOGIN.
Router(config-line)# transport input telnet                ! only allow telnet
Router(config-line)# rotary X                              ! X is a number; the line then also accepts telnet on TCP port 3000 + X, so with X = 10 the telnet port is 3010
Router(config-line)# privilege level 15                    ! logged-in users get privilege level 15
Router(config)# access-list 100 deny tcp any any eq telnet ! ACL 100: deny TCP to port 23 (standard telnet) from any source
Router(config)# access-list 100 permit ip any any          ! permit everything else (the rotary port 3010 is still reachable)
Router(config-line)# access-class 100 in                   ! apply ACL 100 to inbound connections on the VTY lines

When we work too fast it is easy to make mistakes: the remote session gets disconnected, or the device is restarted without saving the configuration. Do not rush remote configuration (if you get disconnected you do not want to have to run to someone else's site to fix it).

Reasons:

1. There are many devices, user names and passwords are inconsistent across them, and they cannot be managed centrally.

2. There are many users, and they cannot be managed centrally.

3. Users change frequently.

The difference between RADIUS and HWTACACS:
