
Course: Advanced Computer Networks

-------------------------------

Supervising lecturer: MSc Nguyễn Đức Quang


Student: Nguyễn Trung Niêm
Class: 09DTHM
Student ID: 0951020186

Lab 1 Report - Lecturer: Nguyễn Đức Quang


I. Lab topology:

II. Requirements description:
a. Configure as in the topology: the client telnets to R1; R1 uses the TACACS+ authentication protocol.
b. Install the ACS server.
c. Configure the ACS server (using TACACS+).
d. Configure the ACS client on R1 to enable the AAA service.
e. On the ACS server create three groups: Admin, Mod and Guest.
   i. Group Admin telnets to R1 and may use all commands.
   ii. Group Mod telnets to R1 and may use only the commands on the allowed list (show ip route, ping).
   iii. Group Guest may only telnet to R1.
f. Capture the TACACS+ protocol messages with Wireshark.
III. Preparation:
- This lab uses the following programs:
  VMware Workstation
  Cisco Secure ACS
  SolarWinds Engineer's Toolset
  GNS3
- The client runs Windows XP; the server runs Windows Server 2003.

Student: Nguyễn Trung Niêm - Student ID: 0951020186 - Class: 09DTHM


IV. Introduction to Cisco Secure ACS:

Cisco Secure ACS runs on Windows and is a network security application that lets us control network access, dial-in calls and Internet access. Cisco Secure ACS operates as a Windows NT/2000 service that controls the authentication, authorization and accounting of users accessing the network.

Cisco Secure ACS provides AAA services to network access devices that act as AAA clients: routers, NAS devices, PIX firewalls and the VPN 3000 Concentrator. An AAA client can be any device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS; Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services, with the aim of ensuring an absolutely secure environment.

Cisco Secure ACS centralizes access control and accounting, and in addition manages access to routers and switches. With Cisco Secure ACS, network administrators can quickly manage accounts and change the service levels required for entire groups of users.

Cisco Secure ACS is easy to use because it is easy to install and administer. It normally runs on Windows NT Server or Windows Server. Cisco Secure ACS can authenticate usernames and passwords stored in the Windows NT/2000 database, in its own internal Cisco Secure ACS database, or in external databases.

Different security levels can be used with Cisco Secure ACS to meet different requirements.


The user-to-network security level is PAP. Although it does not provide the highest form of security in terms of protecting the secret, PAP offers convenience and simplicity for clients. PAP authentication can authenticate against the Windows NT/2000 database. CHAP authentication provides a higher level of security for passwords, which are encrypted in transit from the client to the network access server (NAS). Microsoft CHAP (MS-CHAP) is a version of CHAP introduced by Microsoft to work more closely and easily with the Microsoft Windows operating system.
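To make the PAP/CHAP difference above concrete, here is an added example (not part of the report) that simulates both mechanisms in Python. It follows RFC 1994 CHAP with the MD5 algorithm: the NAS sends a random challenge and the client answers with MD5(identifier || secret || challenge), so the secret itself never crosses the link, whereas PAP forwards the password as typed. The shared secret and the sample challenge are constructed values; the username and password reused from the lab (admin1 / longthanc) are the report's own test values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed value for this walk-through (not from the lab): the secret the
# authentication server holds for the user.
SHARED_SECRET = b"example-secret"


def pap_on_the_wire(username: str, password: str) -> bytes:
    """PAP: the client sends username and password as they are, so anyone who
    can read the link between the client and the NAS sees the password."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with the MD5 algorithm (RFC 1994):
    Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_on_the_wire(username: str, identifier: int, challenge: bytes, response: bytes) -> bytes:
    """What an observer of the client-NAS link sees during CHAP: the identifier,
    the random challenge, the response digest and the name, never the secret."""
    return bytes([identifier & 0xFF]) + challenge + response + username.encode()


def chap_exchange(username: str, secret_on_client: bytes, secret_on_server: bytes,
                  identifier: int = 1, challenge: Optional[bytes] = None) -> dict:
    """Simulate one CHAP round trip: the NAS generates a fresh challenge, the
    client answers with the digest, and the server recomputes the digest with
    its own copy of the secret and compares the two in constant time."""
    if challenge is None:
        challenge = os.urandom(16)          # fresh nonce per authentication attempt
    response = chap_response(identifier, secret_on_client, challenge)
    expected = chap_response(identifier, secret_on_server, challenge)
    wire = chap_on_the_wire(username, identifier, challenge, response)
    return {
        "challenge": challenge,
        "response": response,
        "success": hmac.compare_digest(response, expected),
        "secret_visible_on_wire": secret_on_client in wire,
    }


if __name__ == "__main__":
    pap = pap_on_the_wire("admin1", "longthanc")      # the lab's test user and password
    print("PAP wire bytes contain the password:", b"longthanc" in pap)
    good = chap_exchange("admin1", SHARED_SECRET, SHARED_SECRET)
    bad = chap_exchange("admin1", b"wrong-secret", SHARED_SECRET)
    print("CHAP with matching secret:", good["success"])
    print("CHAP with wrong secret:", bad["success"])
    print("CHAP secret visible on wire:", good["secret_visible_on_wire"])
```

Because the challenge is fresh for every attempt, a captured CHAP response cannot be replayed later; the same secret with a different challenge gives an unrelated digest.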

Main functions:

o User Setup: add, delete and edit user accounts, and list all users in the database.
o Group Setup: create, edit and rename groups, and list all users in a group.
o Shared Profile Components: develop and reuse named sets of authorization components that can be applied to one or more users or groups and referenced by name in each individual profile. The components include network access restrictions (NARs), command authorization sets and downloadable ACLs.
o Network Configuration: configure and edit NAS parameters, add and delete NASes, and configure AAA distribution parameters for AAA servers.
o System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication, and control synchronization with a relational database management system.
o Interface Configuration: configure the user-defined fields that are recorded in the log files, configure TACACS+/RADIUS options, and control how options are presented in the user interface.
o Administration Control: control the administration of Cisco Secure ACS from any workstation on the network.
o External User Databases: configure user policy, configure authorization levels for users, and configure the types of external databases.
o Reports and Activity: records what happens in Cisco Secure ACS as a set of report types suited to our needs. These files can be imported into a database or a spreadsheet application.
  - TACACS+ Accounting Report: lists when each session started and ended, records the NAS messages with the username, and provides CLID information and the records of each session.
  - RADIUS Accounting Report: lists when each session started and ended, records the NAS messages with the username, and provides CLID information and the records of each session.
  - Failed Attempts Report: lists unsuccessful authentications.
  - Logged in Users: lists all recently logged-in users.
  - Disabled Accounts: accounts that are no longer allowed to operate.
  - Admin Accounting Report: a record of the administrators' actions.
o Online Documentation: the Cisco Secure ACS user guide, covering configuration, operations and concepts related to Cisco Secure ACS.

V. Deploying the topology:

- Router configurations:

> Configuration of router R1:
!* R1.CiscoConfig
!* IP Address : 192.168.2.86
!* Community : niem.org
!* Downloaded 2/21/2012 2:22:17 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

interface FastEthernet0/0
ip address 192.168.1.87 255.255.255.0
duplex auto
speed auto
!

interface Serial0/0
ip address 192.168.2.86 255.255.255.0
clock rate 2000000
!

interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!

interface Serial0/1
no ip address
shutdown
clock rate 2000000
!

router rip
version 2
network 192.168.1.0
network 192.168.2.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
tacacs-server host 192.168.4.87
tacacs-server directed-request
tacacs-server key trungniem
!
control-plane
!
!
!
!
!
!
!
!
!
!

line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!

webvpn context Default_context

ssl authenticate verify all
!
no inservice
!
!
end
> Configuration of router R2:
!* R2.CiscoConfig
!* IP Address : 192.168.2.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:07:34 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!

interface FastEthernet0/0
ip address 192.168.2.87 255.255.255.0
shutdown
duplex auto
speed auto
!

interface Serial0/0
ip address 192.168.2.87 255.255.255.0
clock rate 2000000
!

interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!

interface Serial0/1
ip address 192.168.3.86 255.255.255.0
clock rate 2000000
!

router rip
version 2
network 192.168.2.0
network 192.168.3.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!

line con 0

exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!

webvpn context Default_context


ssl authenticate verify all
!
no inservice
!
!
end
> Configuration of router R3:
!* R3.CiscoConfig
!* IP Address : 192.168.3.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:09:12 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!

interface FastEthernet0/0
ip address 192.168.4.86 255.255.255.0
duplex auto
speed auto
!

interface Serial0/0
ip address 192.168.3.87 255.255.255.0
clock rate 2000000
!

interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!

interface Serial0/1
no ip address
shutdown
clock rate 2000000
!

router rip
version 2
network 192.168.3.0
network 192.168.4.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
!
control-plane
!
!
!
!
!

!
!
!
!
!

line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!

webvpn context Default_context


ssl authenticate verify all
!
no inservice
!
!
end

VI. Deploying the ACS Server:

a. ACS Server interface:
After installing Cisco Secure ACS, start the program. This is the main interface of Cisco Secure ACS:

b. Creating user groups:
We create three groups: Admin, Mod and Guest.
Step 1: Create group Admin:
Go to the Group Setup menu.

- Select any group in the list shown above. Click Edit Settings.
- Check Shell (exec).
- Check Privilege level and enter 15.
- Click Submit + Restart.

Next, rename Group 1 to Admin.

Select Group Setup -> select Group 1 -> click Rename Group
Enter the new name for the group
Click Submit

- With that, we have finished creating the Admin group and assigning its permissions.


Step 2: Create group Mod:
- Same as creating group Admin, but unlike group Admin it combines Privilege Levels with Command Authorization.
- First we create the Command Authorization set.
Go to the Shared Profile Components menu

Select Shell Command Authorization Sets

Click Add. The Shell Command Authorization Set form appears.
o Name: the name of this configuration.
o Description: a description of this configuration.
o Unmatched Commands: specifies what the server does with commands you do not enter below (two options: Permit and Deny).
o Permit Unmatched Args: allow arguments that you did not enter. If you leave it unchecked, they are treated as Deny.
o Add Command: add a new command. To add a command, type it and then click Add Command. Next, enter the arguments of the command in the form: permit/deny arg. To enter another argument, press Enter to start a new line.

The sample above means the following: whichever group this configuration is added to, even with privilege level 15, can only run the command show ip route.
o Unmatched Commands: Deny: refuse all other commands.

o Permit Unmatched Args unchecked: deny all arguments not listed in the table below.
o permit ip route: allows the show command to run show ip route.
o When done, click Submit.
- Assign the Shell Command Authorization Set to group Mod:
Select Group Setup -> select group Mod -> click Edit Settings
Check Shell (exec)
Enter 15 for Privilege level
Under Shell Command Authorization Set, check Assign a Shell Command Authorization Set for any network device -> select Mod
Submit + Restart
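The following added example (not part of the report, nor Cisco's code) models the Shell Command Authorization Set described above and its assignment to the Mod group, so the effect of the Unmatched Commands and Permit Unmatched Args settings can be checked on sample command lines. It assumes an anchored regular-expression match of the argument string (re.fullmatch) and that a listed command with no argument rules is permitted when typed without arguments; the ping entry ("permit .*") is an assumption, because the report does not show how ping was added to the set. A group with no set assigned, like Admin in the lab, is treated as unrestricted, matching the report's statement that Admin may use all commands.

```python
import re
from typing import Dict, List, Optional, Tuple


class ShellCommandAuthorizationSet:
    """One ACS Shell Command Authorization Set as described in the report:
    per-command argument rules plus the two policies for anything unmatched."""

    def __init__(self, name: str, unmatched_commands: str, permit_unmatched_args: bool,
                 commands: Dict[str, List[str]]):
        if unmatched_commands not in ("permit", "deny"):
            raise ValueError("unmatched_commands must be 'permit' or 'deny'")
        self.name = name
        self.unmatched_commands = unmatched_commands
        self.permit_unmatched_args = permit_unmatched_args
        # commands: {"show": ["permit ip route"], ...}; each rule is "permit|deny <regex>"
        self.commands: Dict[str, List[Tuple[str, str]]] = {}
        for cmd, rules in commands.items():
            parsed = []
            for rule in rules:
                action, _, pattern = rule.partition(" ")
                action = action.lower()
                if action not in ("permit", "deny"):
                    raise ValueError(f"bad argument rule {rule!r}")
                parsed.append((action, pattern))
            self.commands[cmd.lower()] = parsed

    def authorize(self, command_line: str) -> Tuple[str, str]:
        """Return ("permit" | "deny", reason) for one full command line."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return "deny", "empty command"
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        rules = self.commands.get(cmd)
        if rules is None:
            return self.unmatched_commands, f"command {cmd!r} not in set -> Unmatched Commands policy"
        for action, pattern in rules:
            # Assumption: anchored regular-expression match of the argument string.
            if re.fullmatch(pattern, args):
                return action, f"args {args!r} matched rule '{action} {pattern}'"
        if args == "" and not rules:
            # Assumption: a listed command without argument rules is allowed bare.
            return "permit", f"command {cmd!r} listed with no argument rules"
        if self.permit_unmatched_args:
            return "permit", "args matched no rule -> Permit Unmatched Args is checked"
        return "deny", "args matched no rule -> Permit Unmatched Args is unchecked"


def authorize(command_set: Optional[ShellCommandAuthorizationSet], command_line: str) -> Tuple[str, str]:
    """A group with no set assigned (the Admin group in the lab) is not restricted."""
    if command_set is None:
        return "permit", "no shell command authorization set assigned"
    return command_set.authorize(command_line)


# The Mod set as the report describes it (Unmatched Commands: Deny, Permit Unmatched
# Args unchecked, "show" with "permit ip route"); the ping rule is an assumption.
MOD_SET = ShellCommandAuthorizationSet(
    name="Mod", unmatched_commands="deny", permit_unmatched_args=False,
    commands={"show": ["permit ip route"], "ping": ["permit .*"]},
)

if __name__ == "__main__":
    for line in ("show ip route", "show running-config", "ping 192.168.2.87", "configure terminal"):
        print(f"Mod  : {line:20s} -> {authorize(MOD_SET, line)}")
        print(f"Admin: {line:20s} -> {authorize(None, line)}")
```

Note that the privilege level plays no part in the evaluation: the set decides per command, which is why a Mod user at privilege level 15 is still limited to the listed commands.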

Step 3: Create group Guest:

Same as group Admin but with Privilege level 0

c. Creating users and adding them to groups:
Create users admin1, mod1 and guest1:
- Go to the User Setup menu:

- Enter the user name in User. We enter the user name Admin1 and click Add/Edit:

- Password Authentication: ACS Internal Database; the password for user admin1 is longthanc
- Set this user's group to Admin, then click Submit.
- Do the same for users Guest1 and Mod1.

After completion:

d. Configuring the ACS server:

Go to the Network Configuration menu:

- Configure the ACS server:

To create an AAA Server, under AAA Servers click Add Entry
o AAA Server Name: the server name (any name).
o AAA Server IP Address: the IP address of the machine running ACS Server.
o Key: the key exchanged with the client (the same as the client's key).
o AAA Server Type: TACACS+
o Traffic Type: Inbound/Outbound
o When done, click Submit + Apply

e. Configuring the ACS server: adding an AAA Client

To create an AAA Client, under AAA Clients click Add Entry.
o AAA Client Hostname: the name of the router to be accessed.
o AAA Client IP Address: the IP address of the router to be accessed.
o Shared Secret: the key exchanged with the server (this key must be the same on client and server, and it will be required when configuring the router).
o Authenticate Using: select TACACS+ (Cisco IOS).
o When done, click Submit + Apply

VII. Configuring the ACS client on R1:

- The following are the basic configuration commands; note that these commands apply to Cisco IOS 12.05 and later.
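As an added check (not part of the report), the script below takes the AAA-related lines of R1's running-config, as listed earlier in this report, and verifies that every command the lab relies on is present: aaa new-model, the login/exec/command method lists pointing at group tacacs+, the start-stop accounting that section IX's report depends on, and the tacacs-server host and key that must match the AAA Client entry on ACS. It also reports two practitioner caveats visible in the same config: the default login method list has no "local" fallback, so if the ACS server is unreachable no vty login succeeds, and "no service password-encryption" leaves the tacacs-server key in clear text in the configuration. The config excerpt is copied from the page; the regex patterns and messages are this example's own.

```python
import re
from typing import Dict, List, Tuple

# AAA-related lines of R1's configuration as listed earlier in this report.
R1_AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
no service password-encryption
tacacs-server host 192.168.4.87
tacacs-server directed-request
tacacs-server key trungniem
line vty 0 4
"""

# (regex that must match a config line, what the lab expects that line to do)
REQUIRED: List[Tuple[str, str]] = [
    (r"^aaa new-model$", "enable the AAA subsystem"),
    (r"^aaa authentication login default group tacacs\+", "authenticate telnet logins against ACS"),
    (r"^aaa authorization exec default group tacacs\+", "let ACS set the exec privilege level"),
    (r"^aaa authorization commands 15 default group tacacs\+", "send level-15 commands to ACS for authorization"),
    (r"^aaa accounting exec default start-stop group tacacs\+", "account exec sessions for the accounting report"),
    (r"^aaa accounting commands 15 default start-stop group tacacs\+", "account level-15 commands"),
    (r"^tacacs-server host \S+", "point the router at the ACS server"),
    (r"^tacacs-server key \S+", "set the shared secret that must equal the AAA Client key on ACS"),
]


def config_lines(text: str) -> List[str]:
    """Strip blank lines and IOS '!' separators."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def audit_aaa(text: str) -> Dict[str, List[str]]:
    """Return the purposes of missing required lines plus caveats found in the config."""
    lines = config_lines(text)
    missing = [purpose for pattern, purpose in REQUIRED
               if not any(re.match(pattern, ln) for ln in lines)]
    findings = []
    for ln in lines:
        m = re.match(r"^aaa authentication login (\S+) (.+)$", ln)
        if m and "local" not in m.group(2).split():
            findings.append(f"login method list '{m.group(1)}' has no local fallback: "
                            "if the TACACS+ server is unreachable, vty logins fail")
    if "no service password-encryption" in lines:
        findings.append("service password-encryption is off: the tacacs-server key is stored in clear text")
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    report = audit_aaa(R1_AAA_CONFIG)
    print("missing :", report["missing"] or "none")
    for finding in report["findings"]:
        print("finding :", finding)
```

Appending "local" to the login method list (and a local user) and turning service password-encryption back on clears both findings; running the same audit over R2's or R3's configuration, which carry "no aaa new-model", lists every required line as missing.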
VIII. Verifying the result after configuration:

- On the client, use the command telnet 192.168.2.86 to test.
- Log in as user Admin1:

- Log in as user guest1:

- Log in as user mod1:

-> Only the ping and show ip route commands can be used.

IX. Viewing the TACACS+ Accounting reports

To use this function we need to configure AAA Accounting.

Go to the Reports and Activity menu -> select TACACS+ Accounting

Select the log file to view under Select a TACACS+ Accounting file, for example the file TACACS+ Accounting active.csv

X. TACACS+ packets:

- Packet fields:

+ Major version: TACACS+ (the major version; here it is the TACACS+ version)
+ Minor version: 0 (the minor version; here the TACACS+ minor version number is 0).
+ Type: Authorization (2) (the packet type; here it is an Authorization packet, whose encoded type number is 2).
+ Sequence number: 2 (the sequence number of the packet within the packet type being sent; here it is the sequence number of the captured Authorization packet, the first one sent).
+ Flags: 0x00 (Encrypted payload, multiple connection) (the flags used for encrypting the packets and for the connection; the value "not set" shows they have not been set).
+ Session ID: 4196086279 (the ID of the TACACS+ session; here it is 4196086279).
+ Packet Length: 19 (the packet length, not including the header).
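As an added example (not part of the report), the script below decodes the 12-byte TACACS+ header whose fields are listed above and reproduces the flag interpretation Wireshark shows: version 0xC0 splits into major 0xC and minor 0, type 2 is Authorization, flag bit 0x01 (TAC_PLUS_UNENCRYPTED_FLAG) being clear means the body is obfuscated, and bit 0x04 (TAC_PLUS_SINGLE_CONNECT_FLAG) being clear means one session per TCP connection. It also implements the body obfuscation from RFC 8907 section 4.5 (XOR with an MD5 pad derived from the session ID, the shared key, the version and the sequence number), which is why the key on R1 and the AAA Client key on ACS must be identical and why Wireshark can only display the body when given that key. The header is rebuilt from the values in the report rather than taken from the raw capture, the 19-byte body is a constructed placeholder, and the key reused for the round trip is the lab's own (trungniem). One fact beyond the report: the client sends odd sequence numbers and the server even ones, so sequence number 2 is the server's reply.

```python
import hashlib
import struct
from typing import List

HEADER = struct.Struct(">BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
PACKET_TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte TACACS+ header (RFC 8907 section 4.1)."""
    if len(data) < HEADER.size:
        raise ValueError("need at least 12 bytes for a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    return {
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "type": PACKET_TYPES.get(ptype, f"unknown ({ptype})"),
        "type_code": ptype,
        "seq_no": seq_no,
        "from_client": seq_no % 2 == 1,     # client sends odd seq_no, server even
        "flags": flags,
        "encrypted_payload": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id,
        "length": length,                   # body length, header excluded
    }


def header_findings(h: dict) -> List[str]:
    """Checks a defender would run over captured headers."""
    out = []
    if h["major_version"] != TAC_PLUS_MAJOR_VER:
        out.append("major version is not 0xC: not a TACACS+ header")
    if not h["encrypted_payload"]:
        out.append("TAC_PLUS_UNENCRYPTED_FLAG is set: the body is sent in clear text")
    return out


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream the body is XORed with (RFC 8907 section 4.5):
    MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1})."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Symmetric: applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Header rebuilt from the values in the report: version 0xC0, Authorization (2),
# seq 2, flags 0x00, session ID 4196086279, length 19.
SAMPLE_HEADER = HEADER.pack(0xC0, 2, 2, 0x00, 4196086279, 19)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_HEADER)
    for k, v in hdr.items():
        print(f"{k:18s}: {v}")
    print("findings:", header_findings(hdr) or "none")
    body = bytes(range(19))                                   # constructed placeholder body
    wire = obfuscate_body(body, hdr["session_id"], b"trungniem", 0xC0, hdr["seq_no"])
    print("round trip ok:", obfuscate_body(wire, hdr["session_id"], b"trungniem", 0xC0, hdr["seq_no"]) == body)
```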
