Controlling Router Access with a TACACS+ Server


8/9/2019 Kiem Soat Truy Cap Router Bang TACACS+ Server (1/18)

Managing a Router with a TACACS+ Server Combined with Privilege Levels

TACACS+ and RADIUS servers give you the ability to manage access to the devices in your network centrally, with a number of strong security features. Privilege levels on a Cisco router are the hierarchy of rights each user has over the device. This article combines these two ideas to provide a flexible management solution that raises the security of the network. TACACS+ and RADIUS are two protocols with similar functions, so the question arises: why does the author choose TACACS+? To answer it, look at the advantages TACACS+ has for router management:

RADIUS does not allow you to control which commands a user may and may not use on the router. TACACS+ proves more flexible and more useful for router management because it provides two ways to control authorization, at both the user and the group level:

+ Assign the executable commands to privilege levels and, through the TACACS+ server, apply this hierarchy of rights to the user who logs in.

+ Define the commands that can be executed on the router per user or per group through the configuration on the TACACS+ server.

A. Part 1: Using Privilege Levels only

Privilege Levels

By default the router has 3 privilege levels:

+ Privilege level 0: rarely used. It contains 5 commands: disable, enable, exit, help and logout
+ Privilege level 1: non-privileged. Corresponds to the router> prompt
+ Privilege level 15: privileged, corresponding to enable mode (router#)

Levels 2-14 are not configured by default, but we can configure commands to be moved between levels. To find out which level you are currently at on the router, type the command show privilege. To see which commands are available at a given level, type ? while at that level.

Objectives

+ Install and configure authentication and authorization for users based on privilege levels on the TACACS+ server
+ Configure the AAA service on the router
+ Use a client with a terminal program to check the result.


Equipment

+ Cisco 2691 router
+ A PC running Windows XP as the client
+ One Windows Server 2003 machine with Cisco Secure ACS installed. Link:
  http://rapidshare.com/files/117780965/Cisco_Secure_ACS_4.0.1.27__Full_.rar
  http://www.mediafire.com/?xwmgyygf2f4

Steps

1. Install and configure the TACACS+ server:

a. Installation is not difficult; just note the following points:
+ Use Internet Explorer 6 SP1 or Netscape 7 or later
+ Install Java. Link: www.java.com
+ Tick all the checkboxes.

After the installation finishes, click the ACS Admin icon on the desktop to access the server through the web browser.

Figure 1: Main interface of Cisco Secure ACS 4.0

b. Configuration on the TACACS+ Server:

Step 1: Create groups. Here we create 2 groups. The first, Administrator, gets privilege level 15 and the second, Guest, gets privilege level 0.

+ Go to the Group Setup menu


Figure 2: Creating a group

+ Select any group and choose Rename Group. Enter Administrator and click Submit.

Figure 3: Creating the group named Administrator

Do the same to create another group named Guest. Next we assign rights to the 2 groups by privilege level as described above, starting with the Administrator group.

Select the Administrator group and then choose Edit Settings

Figure 4: Configuring each group

In the next Group Setup window, do the following in order: choose TACACS+ in the Jump To list; check Shell (exec); check Privilege Level and enter the value 15; choose Submit + Restart


Figure 5: Configuring the Admin group at Privilege Level 15

As a result, any user in the Administrator group who connects to the router through the TACACS+ server is granted level 15.

Configuring the Guest group at Privilege Level 0 is done the same way.

Step 2: Create users and add them to groups. We will create a user named balcony in the Administrator group and a user named Guest in the Guest group.

Go to the User menu, enter the name balcony and choose Add/Edit


Figure 6: Adding the user named balcony

In the next User Setup screen, enter the following:
+ Password authentication: ACS Internal Database
+ The password for user balcony
+ Choose Administrator as the group for this user.


Figure 7: Configuring the user balcony

Creating and configuring the user Guest and the group Guest is done the same way.

Step 3: Configure the AAA server and AAA client. Go to the Network Configuration menu. First we configure the AAA client.

Click Add Entry in the AAA Clients section


Figure 8: Selecting the AAA Client configuration section

In the next window, enter the following:

+ AAA Client Hostname: the router's hostname (center)
+ AAA Client IP Address: the router's address, 10.0.0.1
+ Key: the shared key between router and server (choose it freely; it must match the value entered later when configuring the router)
+ Authenticate Using: naturally, choose TACACS+

Then choose Submit + Apply


Figure 9: Configuring the AAA client

Next we configure the AAA server:

Choose Add Entry in the AAA Servers section:

Figure 10: Choosing to add an AAA server

Enter the following values:

+ AAA Server Name: any name
+ AAA Server IP Address: the IP address of the machine running TACACS+
+ Key: the pre-shared key (the same as the key above, 123456)
+ AAA Server Type: choose TACACS+

Choose Submit + Apply


Figure 11: Configuring the AAA server parameters

2. Configuration on the router: the main configuration commands are listed below. Note that these commands apply to Cisco IOS 12.05 and later.

center(config)#aaa new-model
center(config)#aaa authentication login default group tacacs+
center(config)#aaa authorization exec default group tacacs+
center(config)#tacacs-server host 10.0.0.254    // IP address of the TACACS+ server
center(config)#tacacs-server key 123456         // the key entered above

Overall the configuration is fairly simple. Below are links to download the complete configuration file of the router Center:

http://www.box.net/shared/5cwvyi804k
http://www.mediafire.com/?tqfyhj4x9ux

3. Verifying operation: use a client running Windows XP and telnet from the command line into the router Center to test the configuration with the two accounts, balcony (admin) and Guest (guest).

On the client, open CMD and type telnet 192.168.1.10. A prompt for username and password appears. Enter balcony and the corresponding password as configured:


Figure 12: Accessing the router with a level 15 account

As the figure shows, with level 15 the user lands in privileged mode on login.

Next we try logging in with the Guest account:

Figure 13: Logging in with the Guest account

The figure above shows that the user Guest, at level 0 as we configured, can only use the 5 commands named at the start of the article.

B. Part 2: Combining Privilege Levels and Command Authorization

As mentioned above, the advantage of TACACS+ over RADIUS lies in its Command Authorization feature. Put simply, it determines which commands a user can or cannot use once logged in.

So now the commands a user can execute after logging in to the device are the commands within their Privilege Level minus the commands we deny in Command Authorization.

Objectives:

Building on the two groups created above, we add the following configuration:

+ Administrator keeps Level 15 but cannot erase the startup-config
+ Guest is now also raised to level 15 but is only allowed to use the show command


Steps

As stated above, first we set the Guest group's level to 15. Raising it to Level 15 now only means the maximum Level; everything depends on the Command Authorization you will set later.

Figure 14: Raising the Guest group's level to 15

Step 1: Create the Command Authorization sets: a set is a group of commands a user can or cannot execute.

First go to the Shared Profile Components menu and click Shell Command Authorization Sets

Figure 15: Selecting the Command Authorization configuration function


Click the Add button to add a new set. The configuration consists of the following parts, with these meanings:

Figure 16: The Command Authorization configuration form

+ Name: the name you give the set.
+ Unmatched Commands: specifies how the server handles commands that you do not enter below (2 options: Permit and Deny)
+ Args: arguments. For example ip route and ip interface brief are args of the show command
+ Permit Unmatched Args: allow the args you do not enter. If you leave it unchecked, the server treats them as Deny.
+ Add Command: adds a new command. To add a command, type it in and press Add Command. Then enter the command's Args with the syntax permit/deny arg; to add another Arg, press Enter for a new line. To make this concrete, we configure the following:

Creating the set for the Admin group: the Admin group may use all Level 15 commands except erase startup-config. We proceed as follows:

+ Enter Admin as the Name
+ Unmatched commands: choose Permit, i.e. allow all commands.
+ Enter erase and choose Add Command
+ Click erase and type deny startup-config in the box on the right
+ Check Permit Unmatched Args; otherwise the server blocks the other Args of the erase command


Finally press Submit

Figure 17: Creating the command authorization set for the Admin group

Creating the set for the Guest group:

The Guest group is now at Level 15, i.e. it has the full rights of Admin, so we take the opposite approach: permit a few commands and deny everything else. Specifically, Guest is only allowed to execute 2 commands: show ip route and show ip interface brief

+ Enter Guest as the Name
+ Unmatched commands: choose Deny
+ Add the command show. In the box on the right enter deny run; permit ip route; permit ip interface brief. Entering deny run is in fact redundant, because leaving Permit Unmatched Args unchecked already denies it implicitly.
+ Click Submit.
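To make the decision logic concrete, here is an added Python model (not part of the original article and not Cisco ACS code) of how the Admin and Guest sets above, combined with the privilege-level check from Part 1, decide a typed command line. It assumes a simplified version of the ACS 4.x semantics: argument patterns are regular expressions tried in the order entered, the first match wins, and the Permit Unmatched Args choice applies when none match; the command privilege levels are constructed sample values.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One 'Add Command' entry: its arg patterns plus the Permit Unmatched Args box."""
    permit_unmatched_args: bool
    args: list  # ordered (action, regex) pairs, e.g. ("deny", "startup-config")


@dataclass
class AuthorizationSet:
    """A Shell Command Authorization Set (assumption: simplified ACS 4.x matching)."""
    name: str
    unmatched_commands: str  # "permit" or "deny"
    commands: dict = field(default_factory=dict)  # command -> CommandRule

    def permits(self, command: str, argument: str) -> bool:
        rule = self.commands.get(command)
        if rule is None:  # command not listed: the Unmatched Commands choice decides
            return self.unmatched_commands == "permit"
        for action, pattern in rule.args:  # first matching pattern wins
            if re.search(pattern, argument):
                return action == "permit"
        return rule.permit_unmatched_args


# The two sets built in the article (constructed from the steps above).
ADMIN_SET = AuthorizationSet("Admin", "permit", {
    "erase": CommandRule(True, [("deny", "startup-config")])})
GUEST_SET = AuthorizationSet("Guest", "deny", {
    "show": CommandRule(False, [("deny", "run"), ("permit", "ip route"),
                               ("permit", "ip interface brief")])})

# Constructed privilege levels for a few IOS commands: level 0 holds the five
# commands listed in Part 1; the others are level 1 (exec) or 15 (enable).
COMMAND_LEVEL = {"disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
                 "show": 1, "ping": 1, "configure": 15, "erase": 15, "reload": 15}


def authorize(user_level: int, auth_set, line: str) -> str:
    """Decide a typed line: privilege level first (Part 1), then the set (Part 2)."""
    parts = line.split(maxsplit=1)
    command, argument = parts[0], (parts[1] if len(parts) > 1 else "")
    if COMMAND_LEVEL.get(command, 15) > user_level:
        return "invalid"  # IOS does not even offer the command at this level
    if auth_set is not None and not auth_set.permits(command, argument):
        return "authorization failed"  # the message seen in Figure 21
    return "permitted"
```

Passing None as the set reproduces Part 1 (privilege levels only), where the level 0 Guest never reaches the show command.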


Figure 18: Creating the set for the Guest group

Step 2: Configure Command Authorization for each group

In Step 1 we only built the sets for each group; in this step we apply those sets to the appropriate groups.

Configuring the Admin group:

+ Go to the Group Setup menu. Choose the group name Administrator configured earlier and click Edit Settings
+ Scroll down. In the Shell Command Authorization Set section choose Assign a Shell Command Authorization Set for any network device, then click and choose Admin right below it.
+ Click Submit + Restart


Figure 19: Configuring the Admin group.

Configuring the Guest group: we do the same:


Figure 20: Configuring the Guest group

Step 3: Configuration on the router

center(config)#aaa new-model
center(config)#aaa authentication login default group tacacs+
center(config)#aaa authorization exec default group tacacs+
center(config)#aaa authorization commands 15 default group tacacs+
center(config)#tacacs-server host 10.0.0.254
center(config)#tacacs-server key 123456

Step 4: Verifying operation. On the PC, open the command line and telnet to the router's address 192.168.1.10:

The Admin account gives this result:

As the figure below shows, the result of the command erase startup-config is authorization failed


Figure 21: Logging in with an Admin group account

The Guest account:

Figure 22: Logging in with the Guest account

The figure above shows that the Guest account can only use the 2 commands as configured.

Limitations: since I did not have real hardware to practise on, I used 2 well-regarded emulators, Dynamips and Microsoft Virtual PC 2007.

The article above is only a usage guide. When you apply it, you must adapt it to your own requirements.

[ balcony www.diendantinhoc.com ]
