
Report for the Basic Computer Networking course

LAB 1 : Instructor : Nguyen Duc Quang. Student : Nguyen Duy - 106102205

Part I : Introduction :


I.1 : Overview of AAA (Authentication - Authorization - Accounting)

AAA lets the network administrator obtain important information about the state of the network and its level of security. It provides user authentication, so that users can be identified correctly. Once a user has been identified, we can limit what that user is authorized to do. While the user is on the network, we can also monitor everything they do. The three parts of AAA, authentication, authorization and accounting, are separate components that can be used in network services and are needed to scale and secure the network. AAA can be used to collect information from many devices on the network: AAA services can be enabled on routers, switches, firewalls, VPN devices, servers, and so on.

AAA services are divided into three parts: authentication, authorization and accounting.

Authentication : used to identify the user. During authentication, the user's username and password are checked against the database stored on the AAA server. How much is encrypted depends on the protocol the AAA service supports, but at a minimum the username and password are encrypted. Authentication determines who the user is. This process is only one of the components that control users with AAA. Once the username and password have been accepted, AAA can be used to define further what the user is allowed to do in the system.

Authorization : Authorization lets the administrator control permissions over a period of time, or per device, per group, per specific user, or per protocol. AAA lets the administrator create attributes that describe the functions a user is allowed to perform. For that reason, a user must be authenticated before being authorized.

Accounting : Accounting lets the administrator collect information such as the time a user started and stopped accessing the system, the commands executed, traffic statistics and resource usage, and then store that information in a relational database. In other words, accounting lets you monitor the services and resources used by users. For example, the statistics may show that the user with login name SBD accessed HAN-ROUTER over telnet 3 times. The main point of accounting is that it lets the administrator monitor actively and forecast service and resource usage. This information can be used for billing customers, network management and auditing.

I.2 : Protocols used for AAA services

Two security protocols are used for AAA services: TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial-In User Service). Both protocols have their own versions and attributes. For example, TACACS has its own version, TACACS+, which is fully compatible with TACACS. RADIUS has also been extended to let customers add their own identifying information, carried by RADIUS. TACACS and RADIUS are used between a device such as a network access server (NAS) and the AAA server. When a user dials from a PC into the NAS, the NAS asks the user for authentication information. Between the PC and the NAS the protocol used is PPP, and a protocol such as CHAP or PAP is used to carry the authentication information. The NAS then forwards that information to the AAA server for authentication; it is carried by TACACS or RADIUS.

I.2.1 Overview of TACACS:

TACACS is a standardized protocol that uses the connection-oriented protocol TCP, on port 49.

- TACACS has the following advantages:
o Thanks to the TCP reset (RST) segment, a device can immediately tell the other end that something went wrong during the transmission.
o TCP is a scalable protocol with a built-in error-recovery mechanism. It can adapt to growth as well as to network congestion by using sequence numbers for retransmission.
o With TACACS+ the entire payload is encrypted using a shared secret key. TACACS+ sets a field in the header to indicate whether it is encrypted.
o TACACS+ encrypts the entire packet using the shared secret key, except for the standard TACACS header. The header carries a field that indicates whether the body is encrypted. In normal operation the body of a packet is fully encrypted for secure communication.
o TACACS+ is divided into three parts: authentication, authorization and accounting. With this modular approach, other forms of authentication can be used while TACACS+ is still used for authorization and accounting. For instance, using Kerberos authentication together with TACACS+ authorization and accounting is very common.
o TACACS+ supports multiple protocols.
o With TACACS+, two methods can be used to control which commands a user or a group of users is authorized to run. The first is to create a privilege level with a limited set of commands; a user authenticated by the router and the TACACS server is then assigned that privilege level. The second is to create a list of commands on the TACACS+ server that a user or a group is allowed to use.

I.2.2 : Overview of RADIUS:

RADIUS is a network security protocol based on the client-server model. It uses the UDP protocol. The RADIUS server usually runs on a computer. Clients are devices of any kind that can send information to a pre-designated RADIUS server and then act on the reply it returns. Communication between the client and the RADIUS server is authenticated using a shared secret key that is never sent over the network. Some advantages of RADIUS are: RADIUS has less overhead than TACACS because it uses UDP, whose overhead does not include a destination address or destination port. Because it is distributed as source code, RADIUS is a fully extensible protocol: users can modify it to work with any existing security system. RADIUS calls for extended accounting functionality.

RADIUS is usually used for accounting based on resource usage. For example, an ISP bills users for their connection costs. RADIUS Accounting can be deployed without using RADIUS for authentication and authorization. With its extended accounting function, RADIUS allows data to be sent from the originating device as well as from the destination device, which helps track resource usage (time, number of packets, number of bytes, ...) over the whole session.
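As an added example that is not part of this report, the following Python code shows a RADIUS accounting exchange of the kind described above: an Accounting-Request (Stop record) carrying the session time and byte counters, the Request and Response Authenticators that both sides compute from the shared secret without ever transmitting it, and the check a server performs before trusting the counters. Packet layout and authenticator formulas follow RFC 2866; the session values, the user name, the NAS address and the secret "constructed-secret" are made up here, and the function names are this example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute type numbers from RFC 2865/2866
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attributes are type(1) length(1) value TLVs; length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code | ID | Length | 16 zero bytes | attributes | secret)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator with the secret shared with this NAS."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | attributes | secret);
    an Accounting-Response normally carries no attributes."""
    head = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the response came from a server holding the same secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def session_summary(pkt: bytes) -> Dict[str, object]:
    """Pull the usage counters the report mentions out of a (verified) Accounting-Request."""
    attrs = dict(decode_attrs(pkt[20:]))

    def u32(t: int) -> int:
        return struct.unpack("!I", attrs[t])[0]

    return {"user": attrs[USER_NAME].decode(), "status": u32(ACCT_STATUS_TYPE),
            "seconds": u32(ACCT_SESSION_TIME), "bytes_in": u32(ACCT_INPUT_OCTETS),
            "bytes_out": u32(ACCT_OUTPUT_OCTETS)}


def sample_stop_record(secret: bytes) -> bytes:
    """Constructed Stop record for one telnet session, as a NAS would send at logout."""
    attrs = encode_attrs([
        (USER_NAME, b"admin1"),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 3])),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
        (ACCT_SESSION_ID, b"0000A1B2"),
        (ACCT_SESSION_TIME, struct.pack("!I", 754)),       # seconds
        (ACCT_INPUT_OCTETS, struct.pack("!I", 48213)),
        (ACCT_OUTPUT_OCTETS, struct.pack("!I", 102990)),
    ])
    return build_accounting_request(7, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-secret"
    req = sample_stop_record(secret)
    print("request ok:", verify_accounting_request(req, secret), session_summary(req))
    resp = build_accounting_response(req, secret)
    print("response ok:", verify_accounting_response(resp, req, secret))
```

The Request Authenticator is what makes the counters trustworthy for billing: a record whose bytes were altered in transit, or one sent by a device that does not hold the server's secret for that NAS address, fails the check and must be discarded rather than stored.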

I.2.3 : Introduction to CISCO SECURE ACS :


Cisco Secure ACS runs on Windows and is a network security application that lets you control network access, dial-in calls and Internet access. Cisco Secure ACS operates as a Windows NT/2000 service that controls the authentication, authorization and accounting of users accessing the network. Cisco Secure ACS provides AAA services to network access devices that function as AAA clients: routers, NASes, PIX firewalls and VPN 3000 Concentrators. An AAA client can be any device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS; Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+/RADIUS protocols to provide AAA services so as to ensure an absolutely secure environment. Cisco Secure ACS centralizes access control and accounting, and in addition manages access to routers and switches. With Cisco Secure ACS, network administrators can quickly manage accounts and change the service levels required for whole groups of users. Cisco Secure ACS is easy to use thanks to its easy installation and administration. It usually runs on Windows NT Server or Windows Server. Cisco Secure ACS can authenticate usernames and passwords stored in the Windows NT/2000 database, in Cisco Secure ACS's own database, in external databases, and so on. Different security levels can be used with Cisco Secure ACS for different requirements. The user-to-network security level is PAP. Although it does not represent the highest level of security in terms of keeping the secret encrypted, PAP offers much convenience and simplicity to the customer. PAP authentication can authenticate against the Windows NT/2000 database. CHAP authentication provides a higher level of security by encrypting passwords on the way from the client to the network access server (NAS). Microsoft CHAP (MS-CHAP) is a version of CHAP introduced by Microsoft to work more closely and easily with the Microsoft Windows operating system. The main interface of the Cisco Secure ACS program is shown below.

Main functions:
o User Setup: add, delete and edit a user's account, and list all users in the database.
o Group Setup: create, edit and rename groups, and list all users in a group.
o Shared Profile Components: develop and reuse named sets of authorization components that can be applied to one or more users or user groups and referenced by name in each individual profile. Components include network access restrictions (NARs), command authorization sets and downloadable ACLs.
o Network Configuration: configure and edit NAS parameters, add and delete NASes, and configure AAA distribution parameters for AAA servers.
o System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication and control synchronization with a relational database management system.
o Interface Configuration: configure the user-defined fields that are recorded in the log files, configure TACACS+/RADIUS options and control how options are presented in the user interface.
o Administration Control: control administration of Cisco Secure ACS from any workstation on the network.
o External User Databases: configure user policy, configure user privilege levels and configure the types of external databases.
o Reports and Activity: records what happens to Cisco Secure ACS as a list of report types that suit your needs. These files can be imported into a database or a spreadsheet application.
- TACACS+ Accounting Report: lists when a session started and ended, records the NAS messages together with the username, and provides CLID information and the records for each session.
- RADIUS Accounting Report: lists when a session started and ended, records the NAS messages together with the username, and provides CLID information and the records for each session.
- Failed Attempts Report: list of unsuccessful authentications.
- Logged in Users: list of all users who have logged in recently.
- Disabled Accounts: accounts that are no longer allowed to operate.
- Admin Accounting Report: a record of the administrator's actions.
o Online Documentation: the Cisco Secure ACS user guide, covering configuration, operations and the concepts related to Cisco Secure ACS.

Part II : LAB ACS TACACS+


II.1 : Topology.

Requirement : build an ACS server on a Windows 2003 machine to authorize the client's access to Router B.

II.2 : Configuring the ACS Server:

II.2.1 : Using Privilege Levels only

By default a router has 3 privilege levels:
Privilege level 0: rarely used. Consists of 5 commands: disable, enable, exit, help and logout.
Privilege level 1: non-privileged. Corresponds to router>.
Privilege level 15: privileged, corresponds to entering enable mode (router#).
Levels 2-14 are not configured by default, but commands can be moved between levels by configuration.
To see which level you are currently at on the router, type the command show privilege. To see which commands can be used at a given level, type ? while at that level.

After installing the ACS server, open the program's main interface:

Step 1 : Create user groups. Go to the Group Setup menu and create the groups shown in the figure below: group Admin with privilege level 15, group Guest with privilege level 0, and a group Test with privilege level 15 that is used in the section "Combining Privilege Levels and Command Authorization":

To set the privilege level of each group, select the group name, then go to Edit Settings. Find the TACACS+ Settings section, check Shell (exec), select the Privilege Level, and then click Submit + Restart.

Step 2 : Create users and add them to groups. Go to the User Setup menu, enter the name of the user to create and click Add/Edit.

In this screen, find the User Setup section. Under Password Authentication choose ACS Internal Database. Under Password, set the user's password; this password, together with the username, is used to log in to the router. Under Group to which the user is assigned, choose the group you want to add this user to; the user then gets the rights configured for that group. When done, click Submit.

The user list after the users have been created.

Step 3 : Configure the AAA client and the AAA server. Go to the Network Configuration menu.

To create an AAA client, under AAA Clients click Add Entry.
o AAA Client Hostname: the name of the router to be accessed.
o AAA Client IP Address: the IP address of the router to be accessed.
o Shared Secret: the key exchanged with the server (this key must be the same on the client and the server, and it is required when configuring the router).
o Authenticate Using: choose TACACS+ (Cisco IOS).
o When done, click Submit + Apply.

To create an AAA server, under AAA Servers click Add Entry.
o AAA Server Name: the server's name (arbitrary).
o AAA Server IP Address: the IP address of the machine running the ACS server.
o Key: the key exchanged with the client (the same as the client's key).
o AAA Server Type: TACACS+
o Traffic Type: Inbound/Outbound
o When done, click Submit + Apply.

Step 4 : Configure the routers. Configure the 3 routers normally so that they can reach each other. On router R1, configure the AAA client as follows.

hostname R1
!
logging queue-limit 100
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
!
aaa session-id common
ip subnet-zero
!
ip cef
!
mpls ldp logging neighbor-changes
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Serial1/0
 ip address 10.0.0.2 255.0.0.0
 serial restart_delay 0
!
interface Serial1/1
 ip address 10.0.0.3 255.0.0.0
 serial restart_delay 0
!
router rip
 network 10.0.0.0
!
ip classless
!
tacacs-server host 30.0.0.2
tacacs-server directed-request
tacacs-server key 123456
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
end

Checking the result : from the client machine's command line, enter the command telnet 10.0.0.3 to reach router R1.

Log in as user admin1 in group Admin, which has privilege level 15. We see that the user can enter config mode, which shows it can perform any operation on router R1. Log out and log in as user gues1 in group Guest, which has privilege level 0.

We see that this user has no access to config mode on router R1; its rights are limited to the 5 commands mentioned above.

II.2.2 : Combining Privilege Levels and Command Authorization.

In this case we can fine-tune the rights a user has on the router by creating permit and deny commands and then applying them to user groups. This lets the administrator manage access more easily and flexibly than rigid authorization by privilege level alone. The commands a logged-in user can run on the device are the commands within their privilege level minus the commands we configure in Command Authorization.

Step 1 : Create a user test in group Test. This group has privilege level 15.
Step 2 : To create command authorizations, go to the Shared Profile Components menu.

Go to Shell Command Authorization Sets.

Click Add. The Shell Command Authorization Set screen appears.
o Name: the name of this configuration.
o Description: a description of this configuration.
o Unmatched Commands: specifies what the server does with commands you have not entered below (2 options: Permit and Deny).
o Permit Unmatched Args: permit the arguments you have not entered. If left unchecked, it is taken as Deny.
o Add Command: add a new command. To add a command, type it and then click Add Command. Next, enter the arguments of the command in the form permit/deny arg. To add another argument, press Enter to start a new line.

The example above means the following: any group this configuration is added to can only run the command show ip route, even with privilege level 15.
o Unmatched Commands Deny: deny all commands.
o Permit Unmatched Args unchecked: deny all arguments not in the table below.
o Permit ip route: allows the show command to run show ip route.
o When done, click Submit.

Step 3 : Configure the group to receive the command set just created. Go to Group Setup, choose the group to which the commands should be added, and click Edit Settings.

Check Assign a Shell Command Authorization Set for any network device and choose the name of the set just created. Then click Submit + Restart.

Step 4 : Configure router R1.

hostname R1
!
logging queue-limit 100
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa session-id common
ip subnet-zero
!
ip cef
mpls ldp logging neighbor-changes
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Serial1/0
 ip address 10.0.0.2 255.0.0.0
 serial restart_delay 0
!
interface Serial1/1
 ip address 10.0.0.3 255.0.0.0
 serial restart_delay 0
!
router rip
 network 10.0.0.0
!
ip classless
no ip http server
no ip http secure-server
!
tacacs-server host 30.0.0.2
tacacs-server directed-request
tacacs-server key 123456
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

Checking the result : from the client machine's command line, enter the command telnet 10.0.0.3 to reach router R1.

We see that user test can only use the command show ip route, even though it has privilege level 15.
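As an added example that is not part of this report, the following Python code models the access decision that sections II.2.1 and II.2.2 demonstrate on the router: the IOS privilege-level check (only levels 0 and 15 are modelled, with the five level-0 commands listed above) combined with a Cisco Secure ACS shell command authorization set whose rules are the ones built in step 2 (Unmatched Commands = Deny, Permit Unmatched Args unchecked, command show with the argument rule permit ip route). The matching rules are a simplification: the command is looked up by its first word, argument rules are tried in order as regular expressions against the start of the argument string, and the two switches supply the fallbacks. The class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Level 0 is limited to the five commands named in the report; level 15 can run anything.
LEVEL0_COMMANDS = {"disable", "enable", "exit", "help", "logout"}


@dataclass
class CommandAuthSet:
    unmatched_command_permit: bool            # "Unmatched Commands": Permit (True) or Deny (False)
    permit_unmatched_args: bool               # "Permit Unmatched Args" checkbox
    # command name -> (action, regex) rules in the order they were entered in ACS
    commands: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)

    def authorize(self, cmdline: str) -> bool:
        """Return True if the set permits the full command line."""
        words = cmdline.split()
        if not words:
            return False
        name, args = words[0], " ".join(words[1:])
        rules = self.commands.get(name)
        if rules is None:
            # Command not in the set at all: the "Unmatched Commands" switch decides.
            return self.unmatched_command_permit
        for action, pattern in rules:
            if re.match(pattern, args):
                return action == "permit"
        # Command listed, but no argument rule matched: the checkbox decides.
        return self.permit_unmatched_args


def level_permits(level: int, cmdline: str) -> bool:
    """IOS privilege-level check (only levels 0 and 15 are modelled here)."""
    words = cmdline.split()
    name = words[0] if words else ""
    if level >= 15:
        return True
    if level == 0:
        return name in LEVEL0_COMMANDS
    raise ValueError("levels 1-14 are not modelled in this example")


def exec_allowed(level: int, cmdline: str, auth_set: Optional[CommandAuthSet]) -> bool:
    """A command runs only if the privilege level allows it and, when a command
    authorization set is assigned to the user's group, the set permits it.  This is
    the 'commands in the level minus commands denied by authorization' rule."""
    if not level_permits(level, cmdline):
        return False
    if auth_set is None:
        return True
    return auth_set.authorize(cmdline)


# The set built in the report: Unmatched Commands = Deny, Permit Unmatched Args
# unchecked, command "show" with the single argument rule "permit ip route".
TEST_GROUP_SET = CommandAuthSet(
    unmatched_command_permit=False,
    permit_unmatched_args=False,
    commands={"show": [("permit", r"ip route")]},
)


def lab_results() -> Dict[str, bool]:
    """Reproduce the three logins from the report (constructed inputs)."""
    return {
        # admin1: group Admin, level 15, no command set assigned -> config mode allowed
        "admin1 configure terminal": exec_allowed(15, "configure terminal", None),
        # gues1: group Guest, level 0 -> only the five basic commands
        "gues1 configure terminal": exec_allowed(0, "configure terminal", None),
        "gues1 exit": exec_allowed(0, "exit", None),
        # test: group Test, level 15 but restricted by the command set
        "test show ip route": exec_allowed(15, "show ip route", TEST_GROUP_SET),
        "test show running-config": exec_allowed(15, "show running-config", TEST_GROUP_SET),
        "test configure terminal": exec_allowed(15, "configure terminal", TEST_GROUP_SET),
    }


if __name__ == "__main__":
    for line, ok in lab_results().items():
        print(f"{line:28s} -> {'permit' if ok else 'deny'}")
```

Note that the command set only takes effect because the router configuration in step 4 adds aaa authorization commands 15 default group tacacs+; without that line the router never asks the ACS server about individual commands, and the level-15 user test would behave like admin1.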

II.2.3 : Capturing the TACACS+ traffic exchanged between the ACS server and the client.
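As an added example that is not part of this report, the following Python code decodes a TACACS+ packet of the kind that would be seen in a capture between router R1 (the AAA client) and the ACS server, using the shared secret from the router configuration (123456). It shows the two points made in the TACACS+ overview of section I.2.1: the 12-byte header travels in clear text and its flags field says whether the body is protected, and the body is XORed with an MD5 pseudo-pad derived from the session id, the key, the version and the sequence number, so a capture can only be read by someone holding the key. Header layout and pad computation follow RFC 8907; the packet is constructed here from a sample authentication START body rather than taken from a real capture, and the session id, port and user fields are made up.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # header flag bit: body sent in clear text
TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


@dataclass
class TacacsHeader:
    version: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def body_obfuscated(self) -> bool:
        # The header field the report mentions: clear when the body is XORed with the pad.
        return not (self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(packet: bytes) -> TacacsHeader:
    """Read the fixed 12-byte header, which is never obfuscated."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    return TacacsHeader(*struct.unpack(HEADER_FMT, packet[:HEADER_LEN]))


def pseudo_pad(hdr: TacacsHeader, key: bytes, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: MD5(session_id, key, version, seq_no), then
    MD5(session_id, key, version, seq_no, previous digest) until enough bytes exist."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(hdr: TacacsHeader, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    if not hdr.body_obfuscated:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))


def build_packet(hdr: TacacsHeader, body: bytes, key: bytes) -> bytes:
    """Serialize header + (obfuscated) body as it would appear on the wire."""
    hdr.length = len(body)
    raw = struct.pack(HEADER_FMT, hdr.version, hdr.pkt_type, hdr.seq_no, hdr.flags,
                      hdr.session_id, hdr.length)
    return raw + obfuscate_body(hdr, body, key)


def decode_packet(packet: bytes, key: bytes) -> Tuple[TacacsHeader, bytes]:
    """What a capture tool does with the shared secret: header, then the recovered body."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr.length]
    if len(body) != hdr.length:
        raise ValueError("truncated body")
    return hdr, obfuscate_body(hdr, body, key)


def sample_authen_start(user: str, port: str, rem_addr: str) -> bytes:
    """Constructed authentication START body (RFC 8907 section 5.1): ASCII login, priv level 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1),
    # then user_len, port_len, rem_addr_len, data_len
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(u), len(p), len(r), 0)
    return fixed + u + p + r


if __name__ == "__main__":
    key = b"123456"   # shared secret from the report's router configuration
    hdr = TacacsHeader(version=0xC0, pkt_type=TAC_PLUS_AUTHEN, seq_no=1, flags=0,
                       session_id=0x1A2B3C4D, length=0)   # session id made up here
    wire = build_packet(hdr, sample_authen_start("admin1", "tty0", "10.0.0.5"), key)
    print("on the wire:", wire.hex())
    h, clear = decode_packet(wire, key)
    print("body obfuscated:", h.body_obfuscated, "| user:", clear[8:8 + clear[4]].decode())
```

RFC 8907 calls this mechanism obfuscation rather than encryption: whoever holds the shared secret recovers every body, including the passwords carried in authentication CONTINUE packets. This is why the key configured with tacacs-server key must be treated like a credential, and why a capture taken for troubleshooting should be stored with the same care.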
