ACS Tacacs Lab-1
-------------------------------
II. Requirements:
a. Configure the topology as shown in the diagram: the client telnets into R1, and R1 authenticates users through the TACACS+ protocol.
b. Install the ACS server.
c. Configure the ACS server (using TACACS+).
d. Configure the ACS client on R1 and enable the AAA service.
e. On the ACS server, create three groups: Admin, Mod and Guest.
   i. Group Admin can telnet into R1 and use all commands.
   ii. Group Mod can telnet into R1 and use only the commands on the permitted list (show ip route, ping).
   iii. Group Guest can only telnet into R1.
f. Capture the TACACS+ protocol messages with Wireshark.
III. Preparation:
- This lab uses the following programs:
  VMware Workstation
  Cisco Secure ACS
  SolarWinds Engineer's Toolset
  GNS3
- The client runs Windows XP; the server runs Windows Server 2003.
Student ID (MSSV): 0951020186 - Class: 09DTHM
IV.
Cisco Secure ACS runs on Windows and is a network security application that lets us control network access, dial-in calls and Internet access. Cisco Secure ACS runs as a Windows NT/2000 service that controls authentication, authorization and accounting for users accessing the network.
Cisco Secure ACS provides AAA services to network access devices that act as AAA clients: routers, NAS devices, PIX firewalls and the VPN 3000 Concentrator. An AAA client can be any device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS; Cisco Secure ACS treats every such device as an AAA client. Cisco Secure ACS uses the TACACS+/RADIUS protocols to provide the AAA service in order to ensure a fully secure environment.
Cisco Secure ACS centralizes access control and accounting, and in addition manages access to routers and switches. With Cisco Secure ACS, network administrators can quickly manage accounts and change the level of service for entire groups of users.
Cisco Secure ACS is easy to use because it is easy to install and administer. It normally runs on Windows NT Server or Windows Server. Cisco Secure ACS can authenticate usernames and passwords stored in the Windows NT/2000 database, in its own Cisco Secure ACS database, in external databases, etc.
V.
can be applied to one or more users or user groups and are referenced by name in each individual profile. These components include network access restrictions (NARs), command authorization sets and downloadable ACLs.
Network Configuration: configure and edit NAS parameters, add and delete NASes, and configure AAA distribution parameters for AAA servers.
System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication and control relational database (RDBMS) synchronization.
Interface Configuration: configure the user-defined fields that are recorded in the log files, configure TACACS+/RADIUS options, and control how options are presented in the user interface.
Administration Control: control administration of Cisco Secure ACS from any workstation on the network.
External User Databases: configure the user policy, configure the authorization levels for users, and configure the external database types.
Reports and Activity: records what happens on Cisco Secure ACS as a list of report types that suit our needs. These files can be imported into a database or spreadsheet application.
- TACACS+ Accounting Report: lists showing when a session started and ended, recording the NAS messages together with the username, the CLID information and the records of each session.
- RADIUS Accounting Report: lists showing when a session started and ended, recording the NAS messages together with the username, the CLID information and the records of each session.
- Failed Attempts Report: list of failed authentications.
- Logged in Users: list of all recently logged-in users.
- Disabled Accounts: accounts that are no longer allowed to operate.
- Admin Accounting Report: a record of the administrators' actions.
Online Documentation: the user guide for Cisco Secure ACS, covering configuration, operation and the concepts related to Cisco Secure ACS.
Deploying the topology:
interface FastEthernet0/0
ip address 192.168.1.87 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 192.168.1.0
network 192.168.2.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
tacacs-server host 192.168.4.87
tacacs-server directed-request
tacacs-server key trungniem
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
interface FastEthernet0/0
ip address 192.168.2.87 255.255.255.0
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.2.87 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 192.168.3.86 255.255.255.0
clock rate 2000000
!
router rip
version 2
network 192.168.2.0
network 192.168.3.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
interface FastEthernet0/0
ip address 192.168.4.86 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.3.87 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 192.168.3.0
network 192.168.4.0
!
!
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
!
!
!
!
!
control-plane
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
MSSV:0951020186
- Lp:09DTHM
- Select any one of the groups in the list in the figure above and click Edit Settings.
- Check Shell (exec).
- Check Privilege level and enter 15.
- Click Submit + Restart.
Click Add. The Shell Command Authorization Set screen appears.
o Name: the name of this authorization set.
o Description: a description of this authorization set.
o Unmatched Commands: specifies what the server does with commands that you do not enter below (two options: Permit and Deny).
o Permit Unmatched Args: permits the arguments you did not enter. If you leave it unchecked, the server treats them as Deny.
o Add Command: adds a new command. To add a command, type it and click Add Command. Then enter the command's arguments, one per line, in the form: permit/deny arg. Press Enter to start a new line for each additional argument.
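As an added example (not part of the lab report and not ACS code), the permit/deny logic of such an authorization set in Python, built for the three groups of this lab: Admin (unmatched commands permitted), Mod (only show ip route and ping) and Guest (no commands). That argument lines are matched in order as regular expressions against the full argument string is an assumption, since the exact ACS matching rule is not stated here.

```python
import re
from dataclasses import dataclass, field

# Constructed example (not code from the lab report): a model of the ACS
# "Shell Command Authorization Set" rules described above, applied to the
# three groups of this lab. Assumption: argument lines are matched in order
# as regular expressions against the full argument string.


@dataclass
class CommandEntry:
    args: list = field(default_factory=list)   # [(permit: bool, pattern: str), ...]
    permit_unmatched_args: bool = False        # the "Permit Unmatched Args" checkbox


@dataclass
class ShellCommandAuthSet:
    name: str
    unmatched_command: str = "deny"            # "permit" or "deny" for commands not listed
    commands: dict = field(default_factory=dict)

    def add_command(self, command, args=(), permit_unmatched_args=False):
        self.commands[command] = CommandEntry(list(args), permit_unmatched_args)

    def authorize(self, command_line: str) -> bool:
        """Decide permit/deny for one command line that R1 submits for authorization."""
        words = command_line.split()
        if not words:
            return False
        entry = self.commands.get(words[0])
        if entry is None:                      # command not in the set
            return self.unmatched_command == "permit"
        arg_str = " ".join(words[1:])
        for permit, pattern in entry.args:     # first matching argument line wins
            if re.fullmatch(pattern, arg_str):
                return permit
        return entry.permit_unmatched_args


# The three groups of the lab: Admin gets everything, Mod gets the listed
# commands only, Guest gets an exec shell but no commands.
ADMIN = ShellCommandAuthSet("Admin", unmatched_command="permit")
MOD = ShellCommandAuthSet("Mod", unmatched_command="deny")
MOD.add_command("show", args=[(True, r"ip route( .*)?")])
MOD.add_command("ping", permit_unmatched_args=True)
GUEST = ShellCommandAuthSet("Guest", unmatched_command="deny")
GROUPS = {"Admin": ADMIN, "Mod": MOD, "Guest": GUEST}


def authorize_for_group(group: str, command_line: str) -> bool:
    return GROUPS[group].authorize(command_line)
```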
- Type the username in the User field. We enter the username Admin1 and click Add/Edit.
- Password Authentication: ACS Internal Database; the password for user admin1 is longthanc.
- Set this user's group to Admin, then click Submit.
Student: Nguyen Trung Niem
Choose the log file to view under Select a TACACS+ Accounting file, for example the file TACACS+ Accounting active.csv.
X. TACACS+ packets:
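An added example (not from the lab report or Cisco's code) of the TACACS+ header and the RFC 8907 body obfuscation that Wireshark applies when given the shared key: it builds the authentication START that R1 would send for user admin1 and decodes it again with the key configured on R1, trungniem. The session id 0x1A2B3C4D, the port tty2 and the client address 192.168.1.10 are constructed values.

```python
import hashlib
import struct

# Constructed example, not code from the lab report: the TACACS+ 12-byte header
# and the body obfuscation of RFC 8907 section 4.5, where the body is XORed
# with an MD5 chain seeded from session_id, the shared key, version and seq_no.
TAC_PLUS_VERSION = 0xC0                 # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1                     # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear (not used in this lab)
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(sid|key|ver|seq); MD5_n = MD5(sid|key|ver|seq|MD5_n-1); truncated."""
    seed = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both hides and reveals the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key):
    """Authentication START: action LOGIN=1, priv_lvl=1, authen_type ASCII=1, service LOGIN=1."""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    body += user.encode() + port.encode() + rem_addr.encode()
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def decode_authen_start(packet, key):
    """Parse the header, de-obfuscate with `key`, and recover user and port from the START body."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, data_len = body[4:8]
    fields = body[8:]
    # With the wrong key the length bytes no longer agree with the body size.
    if len(fields) != user_len + port_len + rem_len + data_len:
        return {"session_id": session_id, "seq_no": seq_no, "decoded": False}
    return {"session_id": session_id, "seq_no": seq_no, "decoded": True,
            "user": fields[:user_len].decode(errors="replace"),
            "port": fields[user_len:user_len + port_len].decode(errors="replace")}
```

Decoding succeeds only with the key configured on R1, so the key itself, and any capture of this exchange, need the same protection as the passwords carried inside it.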