AAA Authentication Configuration Guide


Related article: Configuring AAA with a Microsoft RADIUS server: http://forum.vdctraining.vn/showthre...dius-Sever.vdc

Configuring AAA on a router goes through the following steps:

1. Enable AAA with the aaa new-model command in global configuration mode.
2. If a dedicated authentication server is to be used, for example a RADIUS server, TACACS+ server or Kerberos server, configure the parameters of the security protocol that matches the chosen server type.
3. Define the authentication methods with the aaa authentication command.
4. Apply those methods to an interface or a line mode.
5. Configure Authorization with the aaa authorization command (optional).
6. Configure Accounting with the aaa accounting command (optional).

I. Enabling AAA

To enable AAA on a router or NAS, enter the aaa new-model command in global configuration mode. To disable it, prefix the command with no:

R1(config)#aaa new-model
R1(config)#no aaa new-model

These commands simply turn the AAA feature off and on. Once AAA is enabled, the CON, VTY, AUX and TTY lines ask for a username and password for authentication, and any passwords previously set on those lines are removed automatically.

II. Defining the Security Server

1. TACACS Server

Suppose a TACACS+ server is used for authentication. Use the tacacs-server host command in global configuration mode; to remove a given TACACS+ server, prefix the command with no. The syntax is:

R1(config)#tacacs-server host {hostname | ip address} [single-connection] [port port#] [timeout seconds] [key string]
R1(config)#no tacacs-server host hostname

host: name of the TACACS+ server
ip-address: IP address of the TACACS+ server
single-connection: an optional feature; it tells the router to maintain only a single connection to the AAA/TACACS+ server.
port: overrides the default port, which is port 49 (optional)
port#: port number of the server (range 1 to 65535)
timeout: overrides the default timeout and sets the timeout value
key: the key the router uses for authentication and encryption. This key must match the key configured in the TACACS+ daemon. A key configured for a specific server overrides the key set in global configuration mode with tacacs-server key.
string: the characters used for authentication; this is also the encryption key.

Several TACACS+ servers can be defined; Cisco IOS searches them in the order they were specified. The single-connection, port, timeout and key options all add to security. Some examples follow.

- Define a TACACS+ server with hostname SRV1:

R1(config)#aaa new-model
R1(config)#tacacs-server host SRV1

- In the example below, Cisco IOS uses the TACACS+ server at 192.168.1.1 first. If 192.168.1.1 is unavailable, it can then use the server named SRV2:

R1(config)#aaa new-model
R1(config)#tacacs-server host 192.168.1.1
R1(config)#tacacs-server host SRV2

- Use the TACACS+ server at 192.168.1.4 on port 51, with a connection timeout of 3 seconds and a single connection only. The authentication key is a_secret:

R1(config)#aaa new-model
R1(config)#tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret

The key used for authentication and encryption can also be set in global configuration mode:

R1(config)#aaa new-model
R1(config)#tacacs-server host 192.168.1.4
R1(config)#tacacs-server key seattle19

2. RADIUS Server

To use a RADIUS server for authentication, use the radius-server host command in global configuration mode; to remove the configuration, prefix the command with no. The syntax is:

R1(config)#radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
R1(config)#no radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

hostname: DNS name of the RADIUS server
ip-address: IP address of the RADIUS server
auth-port: the UDP port used for authentication requests
acct-port: the UDP port used for accounting requests

Several RADIUS servers can be used; IOS searches them from the top down in the order configured. Some configuration examples:

- Define host1 as the RADIUS server, using the default ports for authentication and accounting:

R1(config)#aaa new-model
R1(config)#radius-server host host1.domain.com

- The example below uses port 12 as the destination port for authentication requests and port 16 for accounting requests to the RADIUS server at 192.168.1.4:

R1(config)#aaa new-model
R1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16

- To define the key used for authentication, use the radius-server key command in global configuration mode. The syntax is:

R1(config)#radius-server key key
R1(config)#no radius-server key [key]

- The example below uses the key Test123 for authentication with the RADIUS server at 192.168.1.4:

R1(config)#aaa new-model
R1(config)#radius-server host 192.168.1.4
R1(config)#radius-server key Test123

III. Configuring Authentication

AAA configuration [1] is carried out in three steps:
Step 1: Enable AAA on the router. Throughout the AAA configuration, the router must be set up so that it can always talk to the TACACS/RADIUS server.
Step 2: Define who is to be authenticated, how they are authorized, and what the database will track.
Step 3: Enable or define the method on the interface.

The following sections describe in detail how to enable AAA (step 1), how to define the authentication, authorization and accounting methods (step 2), and how to apply AAA to an interface (step 3). For brevity and clarity, steps 2 and 3 can be merged into one. Note that once AAA is enabled on the router, every interface and connection method must either be defined or have access denied. It is therefore most important to create a back door, that is, a local access method, during the initial deployment, to guarantee that the router remains reachable if you forget what was configured earlier.

1. Step 1 - Enabling AAA on the router

To enable AAA on the router, use the following command:

Router(config)#aaa new-model

Once AAA is enabled, the router must point to the address of the AAA server. For a TACACS+ server the commands are:

Router(config)#tacacs-server host host-ip-address [single-connection]
Router(config)#tacacs-server key serverkey

The host-ip-address parameter is the address of the TACACS+ server. The single-connection parameter tells the router to maintain a single connection for the whole session between the router and the AAA server. A shared password is used between the access router and the AAA server to protect the exchange. For example, the command that sets that password on the router is:

Router(config)#tacacs-server key cisco

The chosen password must match the one configured on the AAA server, and it is case-sensitive. Enabling AAA with a RADIUS server is similar to TACACS+ and consists mainly of the following commands:

Router(config)#aaa new-model
Router(config)#radius-server host host-ip-address [single-connection]
Router(config)#radius-server key serverkey

2. Steps 2 and 3 - Authentication, authorization and accounting

2.1. Authentication

2.1.1. AAA Authentication

Once AAA is enabled on the router, the administrator can define how authentication is done. The main concern is that the administrator keeps a way into the router if the AAA server goes down. Without a fallback access path, connectivity to the router can be lost and even the console port may become unusable. Always take care, therefore, to configure a local access method for any AAA installation. The AAA configuration syntax on the router can be hard to remember, so it is split into several cases to make it easier to understand. Specific methods such as login, enable, arap and so on are considered in turn to see how users are authenticated on the router.

The general authentication command is:

aaa authentication service-type {default | list-name} method1 [method2] [method3] [method4]

Here service-type is one of the access types login, enable, arap, ppp or nasi. The next parameter is either the keyword default or a list name. The list name can be any word except default and is used as the name of a list of authentication methods. The parameters method1, method2, method3 and method4 define the order in which authentication is tried; the available methods are described in the following sections.

The access types that are authenticated are:

aaa authentication login: answers the question "How do I authenticate when logging into the system?"
aaa authentication enable: answers the question "Can the user enter privileged EXEC mode?"
aaa authentication arap: answers the question "Do ARAP users authenticate with TACACS/RADIUS?"
aaa authentication ppp: answers the question "If the user comes in over a PPP connection, which method is used?"
aaa authentication nasi: answers the question "If the user comes in via NASI, which method is used?"

2.1.2. AAA Authentication Login

Which authentication method is used during the login process? That question is answered by the following command:

aaa authentication login {default | list-name} method1 [method2] [method3] [method4]

The default keyword means the router does not use any named list on the interface. If a list name is given, login is governed by that list. For example, the command

aaa authentication ppp myaaa argument1 argument2 argument3

defines how the list myaaa is accepted; an interface then declares that it uses the myaaa authentication list. The arguments that follow can be:

[enable|line|local|none|tacacs+|radius|guest]

Each argument selects a distinct authentication method:

line: authenticate against the line password. This is the password set with the login and password commands on each line (console, vty, ...).
enable: authenticate against the enable password on the interface. The password the user types is compared with the router's enable password or enable secret.
local: authenticate against a username yyyy password xxxx pair on the router.
none: no authentication is required.
tacacs+: authenticate with a TACACS+ server.
radius: authenticate with a RADIUS server.

After configuring authentication, the interface or line to be authenticated can be specified explicitly:

Router(config)#line con 0
Router(config-line)#login authentication myaaa

Example:

Router(config)#aaa authentication login myaaa tacacs+ radius local
Router(config)#aaa authentication login default tacacs+
Router(config)#line vty 0 4
Router(config-line)#login authentication myaaa

The first command defines a list named myaaa that authenticates with TACACS+, then RADIUS, and finally the username/password stored locally on the router. The fourth command makes vty lines 0 to 4 authenticate with the myaaa list. Note that anyone accessing the console port can authenticate only with TACACS+, because that is the default: no login authentication command was applied specifically to the console port. The example shows that the order of authentication matters: if the user fails authentication with TACACS+, the user is denied access. If the router fails to reach TACACS+, the router goes on to try the RADIUS server. The key point is that the second method is used only if the first method is unavailable to the router. If TACACS+ is the only authentication option and the TACACS+ service goes down, nobody can log into the system. If the methods are TACACS+ and local, the username/password stored locally on the router can be used instead, avoiding a situation where nobody can log into the router. The order of the login methods is very important; local should normally be the last method, so that access to the router is possible at least with a local username/password pair.
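The console lockout described above can be caught before the configuration is applied. The following is an added example, not code from the original guide: a small Python lint that parses a constructed IOS config snippet modelled on the example above and flags login lists that end on a server-dependent method, lists containing none, and lines whose effective list depends only on AAA servers. It assumes that IOS falls back to the local database for a line with no explicit list when no default login list is defined.

```python
# Added example, not part of the original guide: lint an IOS AAA login
# configuration for the lockout risk this section describes.
# Assumption: a line without "login authentication" uses the "default" list,
# and if no "default" list exists IOS falls back to the local database.

SERVER_METHODS = {"tacacs+", "radius", "krb5"}   # need a reachable server
FALLBACK_METHODS = {"local", "enable", "line"}   # answered by the router itself

# Constructed config mirroring the guide's example: the console has no
# explicit list, so it falls back to "default", which is TACACS+ only.
RISKY_CONFIG = """\
aaa new-model
aaa authentication login myaaa tacacs+ radius local
aaa authentication login default tacacs+
line con 0
line vty 0 4
 login authentication myaaa
"""

# Same config with local added as the last method of the default list.
SAFE_CONFIG = RISKY_CONFIG.replace(
    "login default tacacs+", "login default tacacs+ local")


def parse_config(text):
    """Return (aaa_new_model, login_lists, line_lists) from an IOS config."""
    new_model = False
    login_lists = {}   # list name -> ordered methods
    line_lists = {}    # "con 0" -> login list applied to that line
    current_line = None
    for raw in text.splitlines():
        ln = raw.strip()
        if ln == "aaa new-model":
            new_model = True
        elif ln.startswith("aaa authentication login "):
            parts = ln.split()
            login_lists[parts[3]] = parts[4:]
        elif ln.startswith("line "):
            current_line = ln[5:]
            line_lists[current_line] = "default"   # implicit until overridden
        elif current_line and ln.startswith("login authentication "):
            line_lists[current_line] = ln.split()[2]
    return new_model, login_lists, line_lists


def lint(text):
    """Return a list of findings; an empty list means no lockout risk found."""
    new_model, lists, lines = parse_config(text)
    findings = []
    if not new_model:
        findings.append("aaa new-model is off; login lists have no effect")
    for name, methods in lists.items():
        if methods and methods[-1] not in FALLBACK_METHODS:
            findings.append(f"list '{name}' ends with '{methods[-1]}'; "
                            "put local last")
        if "none" in methods:
            findings.append(f"list '{name}' contains 'none'")
    for line, name in lines.items():
        if name not in lists:
            if name != "default":   # undefined named list: line is unusable
                findings.append(f"line {line} uses undefined list '{name}'")
            continue                # no default list: local database (assumed)
        if all(m in SERVER_METHODS for m in lists[name]):
            findings.append(f"line {line} depends only on AAA servers "
                            f"via list '{name}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```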

2.1.3. AAA Authentication Enable

The question here is: which method is used when a user wants to enter privileged mode on the router? If no AAA method is configured, the user must have the enable password, which Cisco IOS requires. If AAA is used and nothing is set for the default, the user may still need the enable password to enter privileged mode. The AAA syntax is the same as for login authentication:

aaa authentication enable {default | list-name} method1 [method2] [method3] [method4]

The parameters have the same meaning as in the aaa authentication login command.

The methods available for this command are:

enable: authenticate against the enable password on the interface. The password the user types is compared with the router's enable password or enable secret.
line: authenticate against the line password. This is the password set with the login and password commands on each line (console, vty, ...).
none: no authentication is required.
tacacs+: authenticate with a TACACS+ server.
radius: authenticate with a RADIUS server.

Example:

Router(config)#aaa authentication enable myaaa tacacs+ enable

This command governs access to privileged mode: TACACS+ is checked first, and the enable password is checked only if TACACS+ returns an error or is unavailable. When several methods are configured for AAA, the next method is used only if the previous one returned an error or was unavailable. If it returns a failure (fail), the router does not try any further method in the list.
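The error-versus-fail rule above decides whether a method list protects against server outage or against wrong credentials. As an added example, not code from the original guide, the following Python model walks a method list the way the text describes: the next method is consulted only after an ERROR (server unreachable), while a FAIL (rejected credentials) ends the list with access denied. The per-method outcomes passed in are constructed for illustration.

```python
# Added example, not part of the original guide: a model of how IOS walks an
# AAA method list. Outcomes per method are constructed inputs, not real
# server responses.
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (server down, no response)


LOCAL_METHODS = {"local", "enable", "line"}   # answered by the router itself


def evaluate(method_list, outcomes):
    """Walk method_list in order and return (decision, methods_tried).

    outcomes maps a method name to its Result; an unlisted method is treated
    as ERROR, which models an unreachable server. The method 'none' always
    permits.
    """
    tried = []
    for method in method_list:
        tried.append(method)
        if method == "none":
            return "permit", tried
        result = outcomes.get(method, Result.ERROR)
        if result is Result.PASS:
            return "permit", tried
        if result is Result.FAIL:
            return "deny", tried     # explicit reject: no further method is tried
        # Result.ERROR: fall through to the next method in the list
    return "deny", tried             # every method errored, nobody could answer


def lockout_possible(method_list):
    """True if valid local credentials still cannot get in with every server down."""
    all_servers_down = {m: Result.PASS for m in LOCAL_METHODS}
    return evaluate(method_list, all_servers_down)[0] == "deny"


if __name__ == "__main__":
    # The guide's list: aaa authentication enable myaaa tacacs+ enable
    for outcome in (Result.PASS, Result.FAIL, Result.ERROR):
        print(f"tacacs+={outcome.value}:",
              evaluate(["tacacs+", "enable"],
                       {"tacacs+": outcome, "enable": Result.PASS}))
    print("tacacs+ only, servers down:", lockout_possible(["tacacs+"]))
    print("tacacs+ local, servers down:", lockout_possible(["tacacs+", "local"]))
```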

2.1.4. AAA Authentication ARAP

The aaa authentication arap command is used together with the arap authentication line command. It describes how an ARAP user trying to reach the router is authenticated. The syntax is:

aaa authentication arap {default | list-name} method1 [method2] [method3] [method4]

The methods used with this command are:

line: authenticate against the line password. This is the password set with the login and password commands on each line (console, vty, ...).
local: authenticate against a username yyyy password xxxx pair on the router.
tacacs+: authenticate with a TACACS+ server.
guest: allow login if the username is guest. This option applies only to ARAP.
auth-guest: allow a guest to log in only if the user has already logged into EXEC mode on the router and is starting an ARAP session.

Note that by default guests cannot log in through ARAP once AAA is enabled; the aaa authentication arap command with the guest or auth-guest keyword is required for guest access under AAA.

Example:

Router(config)#aaa authentication arap myaaa tacacs+ local
Router(config)#line 1 12
Router(config-line)#arap authentication myaaa

In this example, the first command specifies TACACS+ authentication first, then the local username/password on the router if TACACS+ returns an error or is unavailable. Lines 1 to 12 use the list just created.

2.1.5. AAA Authentication PPP

The aaa authentication ppp command is used together with the ppp authentication line command to describe the method used when a PPP user wants to reach the router. The syntax is:

aaa authentication ppp {default | list-name} method1 [method2] [method3] [method4]

The methods used with this command are:

local: authenticate against a username yyyy password xxxx pair on the router.
none: no authentication is required.
tacacs+: authenticate with a TACACS+ server.
radius: authenticate with a RADIUS server.
krb5: use Kerberos 5. It applies only to PPP operation and requires communication with an established Kerberos server. Login authentication with Kerberos works only with PPP PAP.
if-needed: skip authentication if the user was already authenticated on the tty line.

Example:

Router(config)#aaa authentication ppp myaaa tacacs+ local
Router(config)#line 1 12
Router(config-line)#ppp authentication myaaa

The same syntax pattern recurs across many AAA commands. With the ppp list configured, the command on the interface is ppp authentication option(s), where option(s) is one of pap, chap, pap chap, chap pap or ms-chap; the AAA methods can be used in addition. In the example above, TACACS+ is checked first, then the local username/password on the device is used if TACACS+ is unavailable or returns an error.

2.1.6. AAA Authentication NASI

The aaa authentication nasi command is used together with the nasi authentication line command to describe the method used when a NASI user wants to reach the router. The syntax is:

aaa authentication nasi {default | list-name} method1 [method2] [method3] [method4]

The methods used with this command are:

local: authenticate against a username yyyy password xxxx pair on the router.
enable: authenticate against the enable password on the interface. The password the user types is compared with the router's enable password or enable secret.
line: authenticate against the line password. This is the password set with the login and password commands on each line (console, vty, ...).
none: no authentication is required.
tacacs+: authenticate with a TACACS+ server.

When AAA is enabled, all lines and ports on the router use AAA, so the default group should be configured for any access the router can see.

Example:

Router(config)#aaa authentication nasi myaaa tacacs+ local
Router(config)#line 1 12
Router(config-line)#nasi authentication myaaa

As with the other access methods, a NASI user is first asked to authenticate with TACACS+, and then the local username/password is used if TACACS+ returns an error or is unavailable.

2.2. Authorization

Once a user is authenticated, the privileges they may use need to be restricted. This is done with the aaa authorization command. Restrictions can be imposed on the activities or services requested from the router. With authorization, AAA can set up a sub-administrator who is allowed into configuration mode but can only use a small set of permitted commands: configuring the router is possible, but restricted. The authorization syntax is fairly simple; it names the activity or service (network, exec, command level, config-command, reverse-access) the user is allowed. The general form of the authorization command is:

aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]

which reads as:

aaa authorization do-what? check-how?

The do-what? part can be:

network: use the check-how? method to authorize and set up network-related service requests such as SLIP and PPP.
exec: use the check-how? method to decide whether the user may start or run an EXEC shell. With TACACS+ or RADIUS, the database may return autocommand information for the user.
command level: use the check-how? method to authorize commands at the given privilege level. Privilege levels run from 1 to 15.
reverse-access: use the check-how? method to authorize reverse Telnet.

The check-how? part uses the same methods as authentication; it simply says where authorization should be performed. It can be any of:

tacacs+: TACACS+ authorization is performed by associating attribute-value (AV) pairs with each individual user. When a user wants to do a do-what?, the TACACS+ database is checked.
if-authenticated: if the user has already been authenticated, they are allowed to perform the function. Note that no authorization check takes place; it is enough that the user is in the database.
none: the router requires no authorization information for the do-what?; authorization is not performed and no query is sent to the database.
local: the router or access server checks the username/password configured locally in configuration mode.
radius: RADIUS authorization is performed by assigning attributes to the username on the RADIUS server; each username and its attributes are stored in the RADIUS database.
krb5-instance: the router queries the Kerberos server for authorization; the authorization data is stored on the Kerberos server.

In general, authorization can be set up in several ways. The question is which database or resource holds the AV pairs or attributes that give the router its answer when an authorization request arrives.

Example:

Router(config)#aaa new-model
Router(config)#aaa authentication login myaaa tacacs+ local
Router(config)#aaa authorization exec tacacs+ local
Router(config)#aaa authorization command 1 tacacs+ local
Router(config)#aaa authorization command 15 tacacs+ local

Here AAA is enabled with aaa new-model and an authentication list named myaaa is defined. The third line says that a logged-in user may go straight into EXEC mode; TACACS+ is consulted to see whether the user is allowed to do so. The last two lines are similar: once logged in, the user is checked against the TACACS+ database to determine their privilege level. The privilege levels available on the router run from 1 to 15.

2.3. Accounting

AAA accounting can provide information about user activity and record it in a database. This is a very useful concept for Internet services, and it has become more common now that ISPs give customers unlimited access time. It does not, however, limit the administrator's ability to monitor privilege levels that were not granted in advance, or the security of system resources. In addition, accounting can monitor resource usage so that resources can be allocated to the system better. Accounting is commonly used for billing and for keeping a record of customer activity. The general syntax of the aaa accounting command is:

aaa accounting event-type {default | list-name} {start-stop | wait-start | stop-only | none} method1 [method2]

which has the form:

aaa accounting what-to-track how-to-track where-to-send-the-information

The what-to-track parameter can be:

network: network accounting records information about PPP, SLIP and ARAP sessions, giving access time and network resource usage counted in packets or bytes.
connection: connection accounting logs outbound connections made from the router or RAS, including Telnet and rlogin sessions. The key word is outbound: it tracks connections made from the RAS and where they were made to.
exec: EXEC accounting logs when a user starts an EXEC terminal session on the router, including the IP address, the telephone number (for dial-in users), and the time and date of access. This is useful for tracking access to the RAS that was not authenticated.
command: command accounting logs the commands executed on the router, including the list of commands run during the EXEC session and when each was run.
system: system accounting logs system-level events such as configuration changes and reloads.

As can be seen, the amount of information tracked is considerable. It is important that the administrator tracks what is useful and does not hold on to unnecessary information, because that can create a large overhead on network resources. The how-to-track parameter can be:

start-stop: sends an accounting record when the process starts. It is sent as a background process and the user's request starts without any delay. When the user's process finishes, the stop time and the information are sent to the AAA database. This option is needed when the time a user spent, as well as the time still allowed, must be known.
stop-only: sends the information gathered according to what-to-track when the user's process ends. Use this option only when the what-to-track information alone is needed.
wait-start: does not let the user's process start until an ACK has been received from the RAS accounting database. This parameter matters when the tracked event could lose its connection to the accounting database.

The last piece of information the RAS or router needs is where the tracked information is sent. The where-to-send-the-information parameter can be:

tacacs+: the information is sent to the TACACS+ server.
radius: the information is sent to the RADIUS server database. The current implementation does not support this feature.

Example:

Router(config)#aaa accounting command 15 start-stop tacacs+
Router(config)#aaa accounting connection start-stop tacacs+
Router(config)#aaa accounting system wait-start tacacs+

On the first line, accounting is enabled for all commands run by users at privilege level 15. The second line logs to the database when a user connection begins or ends. The last line makes any system event, such as a configuration change or a reload, tracked with its start and stop times.

The wait-start parameter guarantees that the event starts only once the system has received an ACK. The point is that if the event is a router reload, the event must be logged and acknowledged before the router reloads; if the message is lost in transit, the event is still recorded. The basic principle of accounting is that accounting records are sent to the TACACS+ or RADIUS server. In addition, the tracked records should be written on the router with the aaa accounting command.

Accounting is a powerful tool for managing network resources; however, it is a double-edged sword: the more is tracked, the more resources are consumed. The stop-only parameter should be used only when the end time is not needed.

Source: vnpro.org, athena.edu.vn