CCNP(SWITCH)

Day 14: RADIUS review and authentication with TACACS+.

컴공 2013. 3. 25. 21:40

Ctrl+Alt+Arrow (rotates the screen)
\\\\\\\\\\\\\\\\\\\\\\\
TACACS+ lab (base topology first; the same topology serves the RADIUS part)

## R1 (my outside address ends in .66; the instructor's box uses .70)
int fa 0/1
ip addr 121.160.70.66 255.255.255.0
no shut

## SW1 (SVI plan; "vlan N" alone enters VLAN config mode, the addresses go on "int vlan N")
int vlan 10
ip add 10.1.10.254 255.255.255.0
int vlan 20
ip add 10.1.20.254 255.255.255.0
int vlan 30
ip add 10.1.30.254 255.255.255.0
int vlan 40
ip add 10.1.40.250 255.255.255.0

\Notes start here!!!

sw1\\\\\\\\\\\\\\
vlan 10
name client-pc
exi
vlan 20
name ace-server
exit
vlan 30
name inter-router
exit
vlan 40
name GW-vlan
exi

ip routing
int vlan 10
ip add 10.1.10.254 255.255.255.0
exi
int vlan 20
ip add 10.1.20.254 255.255.255.0
exi
int vlan 30
ip add 10.1.30.254 255.255.255.0
exi
int vlan 40
ip add 10.1.40.250 255.255.255.0
exi
ip route 0.0.0.0 0.0.0.0 10.1.40.254


inter fa 1/1
description R1_GW
sw mo acc
sw acc vlan 40
spann portfast
exi
int fa 1/2
description inter-Router-R2
sw mo acc
sw acc vlan 30
spann portfast
exi
int fa 1/3
description dot1x-user-win-xp
sw mo acc
sw acc vlan 10
spann portfast
exi
int fa 1/4
description ACS-2003
sw mo acc
sw acc vlan 20
spann portfast
exi

show vlan-sw brief
show ip int brief

\\\\\\\\\\\\\\\\\\\\\\\\\
R1
int fa 0/0
no shut
ip add 10.1.40.254 255.255.255.0
ip nat inside
exi

// the next hop has to sit on the fa 0/1 subnet (121.160.70.0/24); 121.160.70.254 is the upstream gateway pinged from R2 further down
ip route 0.0.0.0 0.0.0.0 121.160.70.254

int fa 0/1
no shut
ip add 121.160.70.66 255.255.255.0
ip nat outside
exi

// order matters: the deny for the ACS VLAN must come before the permit
access-list 10 remark ACS_VLAN20_deny_internet
access-list 10 deny 10.1.20.0 0.0.0.255
// 0.0.255.255 covers exactly the 10.1.x.0 VLANs; the 0.255.255.255 first written here would have matched all of 10.0.0.0/8
access-list 10 permit 10.1.0.0 0.0.255.255
// overload (PAT) lets every inside host share the one fa 0/1 address; without it only one translation at a time is possible
ip nat inside source list 10 int fa 0/1 overload
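Added example (my code, not from the original notes): a small evaluator for standard ACL 10 above, using IOS wildcard semantics and first-match order, run over constructed inside addresses. It shows why the deny for VLAN 20 has to come before the permit, and what the wildcard 0.255.255.255 as first written does to the permit entry compared with 0.0.255.255.

```python
# Added example (not from the original notes): evaluates a standard ACL the
# way IOS does, first match wins, implicit deny at the end. Sample addresses
# are constructed for the demonstration.
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def normalized_base(base: str, wildcard: str) -> str:
    """IOS clears the 'don't care' bits when it stores the entry."""
    return str(ipaddress.IPv4Address(_ip(base) & (0xFFFFFFFF ^ _ip(wildcard))))


def evaluate(acl, addr: str) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


# access-list 10 with the wildcard first written in the notes (0.255.255.255)
ACL_AS_WRITTEN = [
    ("deny", "10.1.20.0", "0.0.0.255"),
    ("permit", "10.1.0.0", "0.255.255.255"),
]
# the same list with a wildcard that only covers the 10.1.x.0 VLANs
ACL_TIGHTENED = [
    ("deny", "10.1.20.0", "0.0.0.255"),
    ("permit", "10.1.0.0", "0.0.255.255"),
]


def nat_decisions(acl):
    """Which constructed inside sources the NAT rule would translate."""
    samples = ["10.1.10.1", "10.1.20.250", "10.1.30.2", "10.7.0.9", "192.168.1.1"]
    return {a: evaluate(acl, a) for a in samples}


if __name__ == "__main__":
    print("IOS stores 10.1.0.0 0.255.255.255 as:", normalized_base("10.1.0.0", "0.255.255.255"))
    for name, acl in (("as written", ACL_AS_WRITTEN), ("tightened", ACL_TIGHTENED)):
        print(name, nat_decisions(acl))
```

With the wildcard as first written, 10.7.0.9 (not one of the lab VLANs) is translated too; with 0.0.255.255 it hits the implicit deny. Swapping the two entries makes the ACS server translate as well, since the permit would match it first.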

 

\\\\\\\\\\\\\\
XP client (static IP)
IP: 10.1.10.1
mask: 255.255.255.0
gateway: 10.1.10.254
DNS: 168.126.63.1

ACS server
IP: 10.1.20.250
mask: 255.255.255.0
gateway: 10.1.20.254

\\\\\\\\\\\\\\
SW1
ip routing
vlan 10
name client-pc
exi
show vlan-switch brief
// check whether fa 1/3 is still in the default VLAN

aaa new-model
aaa authentication dot1x default group radius
// "authorization network" is what lets the RADIUS-assigned VLAN (attributes 64/65/81) be applied to the port
aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
// the switch sources its RADIUS packets from the VLAN 20 SVI (10.1.20.254), which must match the AAA client address registered on ACS; pin it with "ip radius source-interface vlan 20" if in doubt
radius-server host 10.1.20.250 key cisco123

dot1x system-auth-control

vlan 55
name guest-vlan
vlan 44
name fail-vlan
exi

-----------
int fa 1/3
shut
dot1x port-control auto
dot1x auth-fail vlan 44
dot1x auth-fail max-attempts 2
dot1x guest-vlan 55
// multi-host: once one supplicant authenticates, every MAC behind the port is allowed through; use single-host (or multi-auth where the platform supports it) when each device must authenticate
dot1x host-mode multi-host
dot1x reauthentication
dot1x timeout reauth-period 300
no shut
\\\\\\\\\\\
ACS-------
@ Administration Control
id: song-admin
pw: cisco123
scroll down, tick "Grant All", then Submit
---------
@ Network Configuration
click "Not Assigned" at the top
click "Add Entry" at the top
AAA Client IP Address: 10.1.20.254 (SW1's VLAN 20 SVI, the source address of its RADIUS packets)
Shared Secret: cisco123
Authenticate Using: RADIUS (IETF)
then Submit + Apply
-----------
@ Interface Configuration
first click "RADIUS (IETF)" at the top (attributes ticked here are the ones that show up under Group Setup)
----------
@ Group Setup
group1 -> Edit Settings
tick 64, 65, 81 at the bottom
[064] Tunnel-Type: Tag 1, value VLAN
[065] Tunnel-Medium-Type: Tag 1, value 802
[081] Tunnel-Private-Group-ID: Tag 1, value 10
-----------
@ User Setup
User: type user1, then click Add/Edit
Password: 12345
Group: group1
-----------

Tag 1 = VLAN / 802 / 10 (64, 65, 81): the common tag is what groups the three attributes into one VLAN assignment

test aaa group radius user1 12345 legacy
// test from the switch that RADIUS authentication works (the dynamic VLAN itself only takes effect through 802.1X on fa 1/3)
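Added example (my code, not from the original notes or from ACS): builds the Access-Accept that ACS returns for user1 under the group1 settings above, verifies its Response Authenticator with the shared secret cisco123 from the notes, and extracts the VLAN the way the switch's "aaa authorization network" step does. The RADIUS identifier and the Request Authenticator are constructed stand-ins for the values the switch would have sent in its Access-Request.

```python
# Added example (not part of the original notes or of ACS). Encodes the
# RFC 2868 tagged tunnel attributes 64/65/81, signs the Access-Accept with
# the shared secret, and parses it back as the switch would.
import hashlib
import hmac
import struct

SHARED_SECRET = b"cisco123"              # shared secret from the notes
ACCESS_ACCEPT = 2                        # RADIUS code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13                    # RFC 3580: "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6               # RFC 3580: "802"
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; normally random per request


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: Type, Length, Tag (0x01-0x1F), then the string."""
    body = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_attributes(tag: int, vlan: str) -> bytes:
    """Attributes 64/65/81 as set in Group Setup (Tag 1 = VLAN / 802 / 10)."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def build_access_accept(identifier: int, request_auth: bytes, attrs: bytes,
                        secret: bytes = SHARED_SECRET) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes,
                    secret: bytes = SHARED_SECRET) -> bool:
    """What the switch checks before trusting an Access-Accept at all."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if len(packet) < 20 or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(payload: bytes):
    """Walk the TLVs; a Length under 2 would never advance, so it is rejected."""
    out, i = [], 0
    while i < len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        out.append((attr_type, payload[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(attrs):
    """VLAN to apply: 64=VLAN, 65=802 and 81 all present under one tag, else None."""
    by_tag = {}
    for attr_type, value in attrs:
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value         # RFC 2868: a first byte above 0x1F is data, not a tag
        else:
            tag, body = value[0], value[1:]
        by_tag.setdefault(tag, {})[attr_type] = body
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


def switch_decision(packet: bytes, request_auth: bytes, secret: bytes = SHARED_SECRET):
    """Authenticator first, then the VLAN; a wrong secret yields no VLAN at all."""
    if not verify_response(packet, request_auth, secret):
        return None
    return assigned_vlan(parse_attributes(packet[20:]))


if __name__ == "__main__":
    accept = build_access_accept(7, REQUEST_AUTHENTICATOR, vlan_attributes(1, "10"))
    print("VLAN for user1:", switch_decision(accept, REQUEST_AUTHENTICATOR))
```

Leaving out any one of the three attributes, or giving them different tags, makes `assigned_vlan` return None, which is the usual cause of "authenticated but still in the static VLAN" on the port.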


\\\\\\\\\\\\\\TACACS+ from here on
R2

int fa 0/0
no shut
// R2 hangs off SW1 fa 1/2 in VLAN 30, so the address belongs to 10.1.30.0/24 (the 10.1.20.2 typed first in class was simply overwritten by this line)
ip add 10.1.30.2 255.255.255.0
// next hop is SW1's VLAN 30 SVI; 10.1.40.250 is not on a connected subnet and the route would never be installed
ip route 0.0.0.0 0.0.0.0 10.1.30.254
ping 121.160.70.66
ping 10.1.40.254
ping 121.160.70.254
ping 168.126.63.1

aaa new-model
// caveat: with only "group tacacs+" and no "local" fallback, an unreachable ACS locks you out of the vty lines; keep a console session open while testing
aaa authentication login bbb group tacacs+
aaa authorization exec bbb group tacacs+
aaa authorization commands 15 bbb group tacacs+
aaa authorization network bbb group tacacs+
aaa accounting exec bbb start-stop group tacacs+
aaa accounting commands 15 bbb start-stop group tacacs+
tacacs-server host 10.1.20.250 key cisco123

line vty 0 4
login authentication bbb
authorization exec bbb
authorization commands 15 bbb
accounting exec bbb
accounting commands 15 bbb
exi
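Added example (my code, not from the original notes or from ACS): the TACACS+ authentication START that R2 sends to 10.1.20.250 for a vty login under "aaa authentication login bbb group tacacs+", with the body obfuscation of RFC 8907 section 4.5 keyed by the shared key cisco123 from the notes. It shows the practical difference from RADIUS: RADIUS hides only the password, TACACS+ covers the whole body, so the username never appears on the wire. The session id, tty name and client address are constructed.

```python
# Added example (not part of the original notes or of ACS). Builds and parses
# a TACACS+ authentication START packet, including the MD5 pseudo-pad
# obfuscation, using the shared key from the notes.
import hashlib
import struct

SHARED_KEY = b"cisco123"                   # "tacacs-server host ... key cisco123"
TAC_PLUS_VERSION = 0xC0                    # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # header flag; never set on a real network
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(same | pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, user: str, port: str, rem_addr: str,
                       priv_lvl: int = 1, key: bytes = SHARED_KEY) -> bytes:
    """Authentication START (seq_no 1): 8 fixed bytes, then user/port/rem_addr/data."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet: bytes, key: bytes = SHARED_KEY) -> dict:
    """Server side: read the clear header, strip the pad, split the body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        raise ValueError("not a complete authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not add up (wrong key or corrupt body)")
    fields = body[8:]
    user, fields = fields[:ul], fields[ul:]
    port, fields = fields[:pl], fields[pl:]
    rem_addr = fields[:rl]
    return {"session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "user": user.decode("latin-1"), "port": port.decode("latin-1"),
            "rem_addr": rem_addr.decode("latin-1")}


def decoded_user(packet: bytes, key: bytes) -> str:
    """Username recovered with the given key, or '' if the body does not parse."""
    try:
        return parse_authen_start(packet, key)["user"]
    except ValueError:
        return ""


def username_on_wire(packet: bytes, user: str) -> bool:
    """True if the username is visible as plaintext anywhere in the packet."""
    return user.encode() in packet


if __name__ == "__main__":
    pkt = build_authen_start(0x1A2B3C4D, "user3", "tty2", "10.1.10.1", priv_lvl=15)
    print(parse_authen_start(pkt))
    print("username visible on the wire:", username_on_wire(pkt, "user3"))
```

A mismatched key on either side shows up exactly as in the length check here: the header still parses, the body comes out as noise, and ACS logs the attempt under Failed Attempts rather than rejecting the credentials.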


\\\\\\\\\\\
ACS (Windows 2003 box)
  Interface Configuration -> TACACS+ (Cisco IOS), enable:
  PPP IP
  Shell (exec)

User Setup -> user
  Shell (exec): ticked
  Privilege level: 15

Exercise: connect router 1 the same way and create user3.
After the GLBP lesson we move on to real equipment.

Shell command authorization:
  clear
  permit ip inter br

Reports and Activity
-> check the rejected logins under Failed Attempts.