10일차 dot1q 인증(ACS서버)

np수업자료/np-sw/dot1q
xp , 2003

dot

dot1.x
ACS서버에 계속 보고함으로써 로깅을 남길 수 있다.

211.48.42.4
npsong
npsong

LMA -
MAG -)

sw1
f1/3 vm2
f2/4 vm3

목요일 - 이중화
hsrp virp

sw1 r1 r2

ISDN 떄 accounting이란 말이 처음나옴?
------

ACS

인터페이스
per-user만씀

sw1에서
show vlan-switch하면 나온다
ㄵ1
test aaa group radius user1 12345 legacy 시 성공하면 됨

222222222222222222222222222222222222222222222222222222222222222222222222222

SW
vlan 10
name client-pc
exi
==> supplicant : dot1x를 인식하는 pc
==> 인증 성공하면 acs 서버가 할당해준다.
vlan 20
name ace-server
exit
===> acs 인증서버 vlan

vlan 30
name inter-router
exit
==> R2로 내부
==> tacas+ 테스트용

vlan 40
name GW-vlan
exi

ip routing
int vlan 10 : pc-vm2-xp의 GW
ip add 10.1.10.254 255.255.255.0
exi
===> : vm2의 GW xp
int vlan 20 : acs-vm3의 GW
ip add 10.1.20.254 255.255.255.0
exi
===> : vm3의 GW 2003
int vlan 30 : R2의 GW
ip add 10.1.30.254 255.255.255.0
exi
int vlan 40 : NAD의 VLAN ==> R1으로 GW
ip add 10.1.40.250 255.255.255.0
exi
===> : NAD의 VLAN ===> R1으로 GW  layer3라 게이트웨이 다 잡아줌.
ip route 0.0.0.0 0.0.0.0 10.1.40.254
 

int fa 1/1
description R1_GW
sw mo acc
sw acc vlan 40
spann portfast
exi
int fa 1/2
descripiton inter-Router-R2
sw mo acc
sw acc vlan 30
spann portfast
exi
int fa 1/3
description dot1x-user-win-xp
sw mo acc
sw acc vlan 10 <-- 물리적 구성을 확인하기 위한 ping테스트용 (테스트후뺀다)
spann portfast
exi
int fa 1/4
description ACS-2003
sw mo acc
sw acc vlan 20
spann portfast
exi

show vlan-sw brief
show ip int brief

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
R1
int fa 0/0
no shut
ip add 10.1.40.254 255.255.255.0
ip nat inside
exi

//ip route 10.1.0.0 255.255.0.0 10.1.40.250
//==> 스위치에 연결된 vlan10(10.1.10.x) vlan20(10.1.20.x) vlan30(10.1.30.x)
ip route 0.0.0.0 0.0.0.0 121.160.70.254

int fa 0/1
no shut
//ip add 59.5.100.x 255.255.255.0
ip nat outside
exi

access-list 10 deny 10.1.20.0 0.0.0.255
// 인증서버는 보면 안되니까 막아줌
access-list 10 per 10.1.0.0 0.255.255.255
access-list 10 remark ACS_VLAN20_deny_internet
ip nat inside source list 10 int fa 0/1

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
SW
default int fa 1/3
int fa 1/3
sw mo acc
exi
 나드설정 시작
aaa new-model         
 이 장비 aaa 활성화(authentication,authorization,accounting)

aaa authentication dot1x default group radius
이 장비에 인증을 필요로 하는 호스트가 접속하면 radius서버에 가서 인증을 확인

한다.

aaa authorization network default group radius
인증이 통과된 장비의 권한을 radius에 가서 확인한다.

aaa accounting dot1x default start-stop group radius
인증이 통과된 호스트가 통신 시작할 때와 종료할 때를 log로 radius서버에 알린

다.

aaa accounting system default start-stop group radius
이 장비가 aaa 메카니즘을 시작할 때와 종료할 때 radius 에 알린다.

radius-server host 10.1.20.250 key cisco123
이 장비가 통신할 radius 서버의 주소와 통신할 때 사용할 인증키를 지정한다.

dot1x system-auth-control
이 장비에 dot1x 인증을 시작한다. //no shut과 유사

vlan 55
name guest-vlan
vlan 44
name fail-vlan
exi

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

int fa 1/3
shut
dot1x port-control auto
==> 해당 포트에 dot1x를 활성화
dot1x auth-fail vlan 44
==> supplicant 가 입력한 username/password 가 틀렸을 때 할당될 vlan
dot1x auth-fail max-attempts 2
==> username/password 실패는 2번까지
dot1x guest-vlan 55
==> pc가 dot1x를 지원하지 않을 때 할당할 vlan
dot1x host-mode multi-host
==> 해당 포트에 연결된 호스트가 복수개 일 때
dot1x reauthentication
==> 주기적으로 재인증
dot1x timeout reauth-period 300

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
R2
aaa new-model
aaa authentication login bbb group taca
aaa authorization exec bbb group taca
aaa authorization command 15 bbb group taca
aaa authorization network bbb group tac
aaa accounting exec bbb start-stop group taca
aaa accounting command 15 bbb start-stop group tac
tacacs-server host 10.1.20.200 key cisco123

R2#test aaa group tacacs+ admin-r2 12345 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

line vty 0 4
login authentication bbb
authorization exec bbb
authorization command 15 bbb
accounting exec bbb
accounting command 15 bbb
exi

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Network Configuration : 장비 등록
Interface Configuration : radius , tacacs+ 의 인터페이스 생성 수정
User Setup : 사용자 등록
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
tacacs 인증 설정

network configuration > not assigned 클릭 > add entry 클릭
AAA client Hostname : 이름(admin-r2) ,
AAA client ip address: 장비 주소(R2:10.1.30.2)
Shared secret : cisco123
Authenticate Using : TACACS+(CISCO IOS) 선택
submit+apply 클릭

interface configuration > TACACS+(CISCO IOS) 클릭
PPP IP 체크 , Shell(exec) 체크
submit

User setup 클릭
User : admin-r2 입력 후 add/edit 클릭

User Setup 란에서
password : 12345
confirm password : 12345
TACACS+ Settings 란에서
PPP IP 체크
Shell(exec) 체크
Privilege level 체크 : 15입력

Shell Command Authorization Set 란에서
Per User Command Authorization 클릭
Deny 클릭
command 클릭 : clear
Arguments : permit ip route
Unlisted arguments
deny클릭