Student:
Student ID (MSSV): 0951020202
Class: 09DTHM
1: Lab model:

- The model consists of one Windows 7 client, one Windows Server 2003 server and two Cisco 7200 routers
- RIP routing is used between the networks
- Software: Cisco Secure ACS

2: Installing Cisco Secure ACS:

- Install Cisco Secure ACS on the machine running Windows Server 2k3
- Use IE 6 SP1, Netscape 7 or Firefox 7 or later as the browser, and install Java
Perform the Cisco Secure ACS installation steps as shown in the figures:

Steps 1 to 11: installation wizard screenshots (figures not reproduced)

The Cisco Secure ACS 4.0.1.27 interface after installation (figure not reproduced)

3: Configuring Cisco Secure ACS on Windows Server 2k3:

- In the interface, select 'Network Configuration'; to add an AAA Client choose 'Add Entry', and for the AAA Server choose 'Add Entry'


- Add the AAA Client: enter the AAA Client hostname: R2, enter the AAA Client IP addresses: 192.168.1.2 and 20.0.0.1, enter the key: 'abc' (the same as on the AAA Server and the same key configured in the AAA Client), Authenticate Using: choose 'TACACS+ (Cisco IOS)'. Click 'Submit+Apply'

- Similarly, when configuring the AAA Server: AAA Server Name: AAASER (any name), AAA Server IP Address: 20.0.0.3, key: abc, AAA Server Type: TACACS+


- Next, in the main Cisco Secure ACS 4.0.1.27 interface, select 'Group Setup'
- Choose any Group in the Group box, choose 'Rename Group': Administrator, then choose 'Edit Settings'

Configure the Group: Jump To: choose 'TACACS+', tick 'Shell (exec)' and 'Privilege level', and enter the value 15 (15 is the highest privilege level)

- Create the user: in the main Cisco Secure ACS 4.0.1.27 interface select 'User Setup', in the User box enter 'wind', click 'Add/Edit'

- Password Authentication: choose 'ACS Internal Database', then enter the Password for the newly created user: 123456, Group to which the user is assigned: choose 'Administrator', click 'Submit'

- After successfully completing the steps above, we telnet from the client machine to the AAA Client. If the configuration is correct, the program prompts for a username and password (those registered when creating the user in Cisco Secure ACS); we enter them and log in to the AAA Client. Wireshark on the AAA Server machine captures the TACACS+ packets


- We know that the TACACS+ protocol supports three functions: authentication, authorization and accounting. These are also the names of the packet types in the TACACS+ protocol: Authentication, Authorization and Accounting. We will now analyse the structure of one of the three TACACS+ packet types, specifically the Authentication packet exchanged while performing the authentication function

- The figure above shows the details of the Authentication packet (figure not reproduced):
Major version: the TACACS+ version number
Minor version: the TACACS+ minor version number
Type (1 bit): indicates the packet type, here Authentication
Sequence number (1 bit): the sequence number of the current packet within the session, here 1
Flags (1 bit):
o Unencrypted: if this flag is set the packet is not encrypted; otherwise the packet is encrypted from the data part onward. Here the flag is not set
o Single connection: if the NAS sets this flag, it supports multiple TACACS+ sessions over a single TCP connection
Session ID: the session identifier; it is assigned randomly and does not change for the whole session
Packet Length: the length of the TACACS+ packet (not including the header), here 20 bit
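The header fields listed above, worked through in code as an added example that is not part of the report. RFC 8907 lays the header out as 12 octets (version, type, seq_no and flags one octet each, then a 4-octet session_id and a 4-octet length), and the "encryption" the Unencrypted flag controls is an XOR of the body with an MD5-derived pseudo-pad keyed by the shared secret. The block parses a constructed Authentication START packet and recovers its body with the key, which is the point a defender should take from the capture: the body is readable by anyone who holds the shared key, so the key 'abc' used in the lab and TACACS+ traffic in general belong on a protected management path. The key, session id, user and remote address are constructed sample values.

```python
import hashlib
import struct

# Packet types (RFC 8907, section 4.1): the three services the report names
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03

# Header flag bits (RFC 8907, section 4.1)
FLAG_UNENCRYPTED = 0x01
FLAG_SINGLE_CONNECT = 0x04

HEADER_LEN = 12          # version, type, seq_no, flags (1 octet each), session_id (4), length (4)
VERSION_DEFAULT = 0xC0   # major 0xC, minor 0

# Constructed sample values; nothing here is taken from the lab capture.
SAMPLE_KEY = b"abc"                  # the shared key the report configures on R2 and in ACS
SAMPLE_SESSION_ID = 0x1A2B3C4D
# Authentication START body: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN,
# user_len=4, port_len=0, rem_addr_len=8, data_len=0, then user 'wind' and a sample remote address.
SAMPLE_BODY = bytes([0x01, 0x01, 0x01, 0x01, 4, 0, 8, 0]) + b"wind" + b"10.0.0.5"   # 20 octets


def parse_header(raw):
    """Decode the 12-octet header; refuse packets whose length field disagrees with the bytes present."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short packet: need %d header bytes, got %d" % (HEADER_LEN, len(raw)))
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:HEADER_LEN])
    if len(raw) - HEADER_LEN != length:
        raise ValueError("length field says %d body bytes, %d present" % (length, len(raw) - HEADER_LEN))
    return {
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "type": ptype,
        "seq_no": seq_no,
        "unencrypted": bool(flags & FLAG_UNENCRYPTED),
        "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
        "session_id": session_id,
        "length": length,
    }


def pseudo_pad(session_id, key, version, seq_no, nbytes):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, last = b"", b""
    while len(pad) < nbytes:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:nbytes]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """Assemble header + body; the body travels in clear only when FLAG_UNENCRYPTED is set."""
    wire_body = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, VERSION_DEFAULT, seq_no)
    header = struct.pack("!BBBBII", VERSION_DEFAULT, ptype, seq_no, flags, session_id, len(body))
    return header + wire_body


def decode_packet(raw, key):
    """What the server (or a dissector given the key) does: parse the header, then recover the body."""
    fields = parse_header(raw)
    wire_body = raw[HEADER_LEN:]
    if fields["unencrypted"]:
        fields["body"] = wire_body
    else:
        version = (fields["major_version"] << 4) | fields["minor_version"]
        fields["body"] = obfuscate(wire_body, fields["session_id"], key, version, fields["seq_no"])
    return fields


def sample_packet(flags=0):
    """First packet of the lab's authentication exchange (seq_no 1, NAS to server), from the sample values."""
    return build_packet(TAC_PLUS_AUTHEN, 1, SAMPLE_SESSION_ID, SAMPLE_BODY, SAMPLE_KEY, flags)


if __name__ == "__main__":
    pkt = sample_packet()
    print(parse_header(pkt))
    print(decode_packet(pkt, SAMPLE_KEY)["body"] == SAMPLE_BODY)   # True: whoever holds the key reads the body
```

The length check in parse_header is the first thing a collector should do before trusting a body, and decode_packet with a wrong key simply yields garbage rather than an error, which is why a mismatched shared key shows up in ACS as failed authentications rather than as a protocol fault.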


Page | 11

Operation of the TACACS+ protocol:
- The NAS (Network Access Server) obtains the username/password from the user and sends an 'Authentication (start)' packet to the TACACS+ server
- When the username and password are valid and the server needs no further information, it replies with a 'Reply (finished)' packet
- The NAS requests some authentication information from the user and then sends an 'Authorization (request)' packet to the server
- The server replies with a 'Response (Pass)' packet that contains the requested authorization information (timeout, allowed idletime, etc.)
- The NAS sends an 'Accounting (start)' packet to report that the user has started logging in to the network
- The TACACS+ server sends a 'Reply (Success)' packet indicating that the accounting record was stored successfully
- When the user logs off, the NAS sends an 'Accounting (Stop)' packet with the following information:
o Start time
o End time
o Elapsed time, the time the session took to complete
o Time zone
o Total number of bytes the user sent and received
o Number of bytes the user received
o Number of bytes the user sent
o Total number of packets the user sent and received
o Number of packets the user received
o Number of packets the user sent
o The reason the user disconnected
- The TACACS+ server sends a 'Reply (Success)' packet indicating that the accounting record was stored successfully
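An Accounting REQUEST body carrying the STOP fields listed above, as an added example that is not taken from the report. The layout follows RFC 8907 section 7.1 (nine fixed octets, one length octet per argument, then user, port, rem_addr and the argument strings); start_time, stop_time, elapsed_time, timezone, bytes, bytes_in, bytes_out, paks, paks_in and paks_out are the standard accounting attribute names, disc-cause is the Cisco IOS attribute for the disconnect reason, and the values, user, port and address are constructed. The consistency check at the end is the kind a collector applies before storing a record.

```python
import struct

# Accounting REQUEST flags (RFC 8907, section 7.1)
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04
ACCT_FLAG_WATCHDOG = 0x08

# authen_method 0x06 = TACACSPLUS, authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01

# Constructed STOP record for the lab user; every value is a sample, not captured data.
SAMPLE_STOP_ARGS = [
    "task_id=42",
    "start_time=1329837015",   # session start (Unix time)
    "stop_time=1329837315",    # session end
    "elapsed_time=300",        # seconds
    "timezone=UTC",
    "bytes=1500", "bytes_in=900", "bytes_out=600",
    "paks=30", "paks_in=18", "paks_out=12",
    "disc-cause=1",            # Cisco IOS disconnect-cause attribute
]


def build_acct_body(flags, user, port, rem_addr, args, priv_lvl=1):
    """Encode an accounting REQUEST body: 9 fixed octets, one length octet per argument,
    then user, port, rem_addr and the argument strings back to back."""
    enc_args = [a.encode() for a in args]
    if len(enc_args) > 255 or any(len(a) > 255 for a in enc_args):
        raise ValueError("argument count and lengths are single octets")
    fixed = struct.pack(
        "!BBBBBBBBB", flags, AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(enc_args))
    arg_lens = bytes(len(a) for a in enc_args)
    return fixed + arg_lens + user.encode() + port.encode() + rem_addr.encode() + b"".join(enc_args)


def parse_acct_body(body):
    """Decode an accounting REQUEST body into a record; rejects truncated or padded bodies."""
    if len(body) < 9:
        raise ValueError("body shorter than the 9 fixed octets")
    flags, _meth, priv_lvl, _atype, _svc, user_len, port_len, rem_len, arg_cnt = struct.unpack("!BBBBBBBBB", body[:9])
    off = 9
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated body")
        off += n
        return chunk.decode()

    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [take(n) for n in arg_lens]
    if off != len(body):
        raise ValueError("%d trailing bytes after the last argument" % (len(body) - off))

    avpairs = {}
    for a in args:
        # '=' is the mandatory separator, '*' the optional one (RFC 8907, section 8.1)
        sep = "=" if "=" in a else "*"
        name, _, value = a.partition(sep)
        avpairs[name] = value
    return {
        "start": bool(flags & ACCT_FLAG_START),
        "stop": bool(flags & ACCT_FLAG_STOP),
        "watchdog": bool(flags & ACCT_FLAG_WATCHDOG),
        "priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr,
        "args": avpairs,
    }


def _ints(args, *names):
    """Return the named attributes as ints, or None when any is missing or non-numeric."""
    try:
        return [int(args[n]) for n in names]
    except (KeyError, ValueError):
        return None


def check_stop_record(rec):
    """Sanity checks a collector can apply to a STOP record before storing it."""
    if not rec["stop"]:
        return ["not a STOP record"]
    findings = []
    t = _ints(rec["args"], "start_time", "stop_time", "elapsed_time")
    if t and t[1] - t[0] != t[2]:
        findings.append("elapsed_time %d does not match stop_time - start_time = %d" % (t[2], t[1] - t[0]))
    for total, parts in (("bytes", ("bytes_in", "bytes_out")), ("paks", ("paks_in", "paks_out"))):
        v = _ints(rec["args"], total, *parts)
        if v and v[0] != v[1] + v[2]:
            findings.append("%s %d != %s + %s = %d" % (total, v[0], parts[0], parts[1], v[1] + v[2]))
    return findings


if __name__ == "__main__":
    body = build_acct_body(ACCT_FLAG_STOP, "wind", "tty2", "10.0.0.5", SAMPLE_STOP_ARGS)
    record = parse_acct_body(body)
    print(record["user"], record["args"], check_stop_record(record) or "consistent")
```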



2: R1.CiscoConfig

!* R1.CiscoConfig
!* IP Address : 10.0.0.3
!* Community : private
!* Downloaded 2/21/2012 10:10:15 PM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 10.0.0.3 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/7
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
1: R2.CiscoConfig

!* R2.CiscoConfig
!* IP Address : 192.168.1.3
!* Community : private
!* Downloaded 2/21/2012 10:10:48 PM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 20.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.1.3 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/7
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 20.0.0.0
 network 192.168.1.0
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
tacacs-server host 20.0.0.3
tacacs-server key abc
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
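As an added example that is not part of the report, a small audit of the two appendix configs above: it extracts the settings a reviewer would flag (cleartext secrets, the default SNMP communities, the absence of AAA on R1, the three-character TACACS+ key on R2, and VTY lines that still accept Telnet, which is exactly the cleartext session the lab captured). The config excerpts are re-indented copies of the appendix lines with only the relevant commands kept; the 16-character key minimum is an assumed policy value, and the check names are the example's own.

```python
import re

# Excerpts of the two running configs from the appendix, re-indented the way IOS prints them
# (one leading space per sub-command). Only the lines the checks below look at are kept.
R1_CONFIG = """\
version 12.4
no service password-encryption
hostname R1
no aaa new-model
interface FastEthernet1/0
 ip address 10.0.0.3 255.0.0.0
router rip
 network 10.0.0.0
 network 192.168.1.0
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 login
end
"""

R2_CONFIG = """\
version 12.4
no service password-encryption
hostname R2
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
snmp-server community public RO
snmp-server community private RW
tacacs-server host 20.0.0.3
tacacs-server key abc
line vty 0 4
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_KEY_LEN = 16   # assumed local policy floor for a TACACS+ shared secret


def parse_ios(text):
    """Split an IOS config into (top-level command, [sub-commands]) pairs, dropping comments and blanks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(text):
    """Return (check, detail) findings for the weaknesses visible in this lab's configs."""
    blocks = parse_ios(text)
    tops = [cmd for cmd, _ in blocks]
    findings = []

    if "no service password-encryption" in tops:
        findings.append(("cleartext-secrets", "passwords and the tacacs key are stored in cleartext in the config"))

    if "no aaa new-model" in tops:
        findings.append(("no-aaa", "AAA disabled: logins cannot be authenticated or accounted via TACACS+"))

    for cmd, subs in blocks:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", cmd)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-snmp-community",
                             "community '%s' (%s) is a well-known default" % (m.group(1), m.group(2) or "RO")))

        # 'key 7 <hash>' is already type-7 encoded, so its length says nothing about the secret
        m = re.match(r"tacacs-server key(?: (0|7))? (\S+)$", cmd)
        if m and m.group(1) != "7" and len(m.group(2)) < MIN_KEY_LEN:
            findings.append(("weak-tacacs-key", "tacacs-server key is %d characters; policy minimum is %d"
                             % (len(m.group(2)), MIN_KEY_LEN)))

        if cmd.startswith("line vty"):
            ssh_only = any(s.startswith("transport input") and "ssh" in s and "telnet" not in s for s in subs)
            if not ssh_only:
                findings.append(("vty-telnet", "%s accepts Telnet; credentials cross the network in cleartext" % cmd))
            if "login" in subs and not any(s.startswith("password") for s in subs):
                findings.append(("vty-login-no-password", "%s uses line login but sets no password" % cmd))
    return findings


def finding_names(text):
    """Set of check names raised for a config, for quick comparisons."""
    return {name for name, _ in audit(text)}


if __name__ == "__main__":
    for label, cfg in (("R1", R1_CONFIG), ("R2", R2_CONFIG)):
        print(label)
        for name, detail in audit(cfg):
            print("  [%s] %s" % (name, detail))
```

Run against the lab as captured, R1 raises every check except the key-length one (it has no TACACS+ configuration at all), while R2 passes the AAA checks but still carries the default communities, the short key and a Telnet-capable VTY; adding `transport input ssh` under `line vty 0 4` and a longer key clears the two R2-specific findings.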
