
Student: Trần Công Vĩnh Hưng

MINISTRY OF EDUCATION AND TRAINING
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF PRACTICAL COLLEGE TRAINING
-----------0o0----------
PROJECT REPORT FOR THE NETWORK ADMINISTRATION COURSE

LAB 7
Instructor: Mr. Nguyễn Đức Quang
Student: Trần Công Vĩnh Hưng
Class: C11QM16
Student ID: 1122060423



Table of contents:

I. Theory
1. TACACS
2. Version number

II. Lab procedure
1. Privilege levels
2. Requirements
3. Equipment
4. Topology
A. Configuration on the TACACS+ server
B. Verification

III. Router configuration



I. Theory
1. TACACS (Terminal Access Controller Access Control System)
TACACS is a standardized protocol that uses the connection-oriented transport protocol TCP on port 49. TACACS+ itself is a non-standard protocol, or more precisely a proprietary protocol, developed from two earlier protocols, TACACS and enhanced TACACS. TACACS+ has the following advantages:
- Because TCP can receive a reset (RST), a device can immediately tell the other end that something has failed during transmission.
- TCP is a scalable protocol with a built-in error-recovery mechanism. It can accommodate growth as well as network congestion by using sequence numbers and retransmission.
- The entire payload is encrypted by TACACS+ using a shared secret key. TACACS+ marks a field in the header that indicates whether the packet is encrypted. TACACS+ encrypts the whole packet with the shared secret key but leaves the standard TACACS header out; alongside the header is a field that indicates whether the body is encrypted.
- TACACS+ is divided into three parts: authentication, authorization and accounting. With this modular approach, other forms of authentication can be used while TACACS+ is still used for authorization and accounting.
- TACACS+ supports multiple protocols.
With TACACS+, two methods can be used to control the authorization of a user, or of a group of users, to execute commands:
+ The first method creates a privilege level with a limited set of commands; a user authenticated by the router and the TACACS server is then granted that privilege level.
+ The second method creates a list of commands, defined on the TACACS+ server, that a user or a group is allowed to use.
Like a local security database, the TACACS+ server supports the three features required of a good security system:
Authentication. The TACACS+ protocol carries many kinds of usernames and password information. This information is encrypted on the network with MD5.
Authorization. TACACS provides a mechanism by which an access server can apply a per-user access list to the user's connection. The TACACS server, which holds the usernames and password information, determines which access list the user's traffic will be filtered through. The access list itself resides on the access server. The TACACS server responds to the username with an accept message and the number of the access list, together with the reason the list is applied.
Accounting. TACACS delivers accounting information to the database over TCP, which ensures a more secure and complete accounting record. The accounting part of TACACS+ contains the user's network address, the username, the services used, the protocol used, and the time and date. Billing information includes the connection time, the user ID, the connection location, and the start and end times. It identifies the protocols the user is using and may contain the commands that were run if the user connected through Telnet. The audit information it includes covers the commands and arguments used, the connections, and where the commands came from. The protocol provides enough information for a server to detect the characters entered, report statistics, the number of packets, and the number of bytes.
TACACS+ packet structure:

2. Version number (1 bit): consists of the major and minor version numbers; this field is designed to allow the TACACS+ protocol to be modified while maintaining backward compatibility.
Type: indicates what kind of packet this is.
Seq-no (1 bit): the sequence number of the current packet within the session.
Flags (1 bit):
+ TAC_PLUS_UNENCRYPTED_FLAG: if this flag is set, the packet is not encrypted; otherwise the packet is encrypted from the data portion onward.
+ TAC_PLUS_SINGLE_CONNECT_FLAG: if the NAS sets this flag, it supports multiple TACACS+ sessions over a single TCP connection.
Session ID: the ID of the session; it is assigned randomly and does not change for the whole session.
Length: the length of the TACACS+ packet (not including the header).
Data: carries the information exchanged between the TACACS+ client (Network Access Server) and the TACACS+ server (AAA server).
Operation: the figure below describes how TACACS+ operates when a user accesses the network through the NAS.


1. The NAS (Network Access Server) receives the username and password from the user and sends an Authentication(start) packet to the TACACS+ server.
2. If the username and password are valid and the server needs no further information, it answers with a 'Reply(finished)' packet.
3. The NAS asks the user for some authorization information and then sends an Authorization(request) packet to the server.
4. The server answers with a Response(Pass) packet that contains the requested authorization attributes (timeout, allowed idle time, etc.).
5. The NAS sends an Accounting(start) packet to signal that the user has started a session on the network.
6. The TACACS+ server sends a Reply(Success) packet to signal that the accounting record was stored successfully.
7. When the user logs out, the NAS sends an Accounting(Stop) packet with the following information:
- Start time
- End time
- Elapsed time (the time taken to complete the session)
- Time zone
- Total bytes sent and received by the user
- Bytes received by the user
- Bytes sent by the user
- Total packets sent and received by the user
- Packets received by the user
- Packets sent by the user
- Disconnect cause (the user disconnected)
8. The TACACS+ server sends a Reply(Success) packet to signal that the accounting record was stored successfully.
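The following Python program is an added example; it is not part of this report and not code from Cisco or from the ACS product. It builds the Authentication(start) packet of step 1 with the header fields described in the Version number section, applies the MD5-based body obfuscation of RFC 8907 using the shared key 123456 that this lab configures on both ACS and the router, and parses the packet back on the server side. In RFC 8907 the version, type, seq_no and flags fields are one byte each and session_id and length are four bytes each. The session ID, the line name tty0 and the client address 192.168.1.20 are constructed values, and audit_header is my own defender-side check, not part of the protocol.

```python
import hashlib
import struct

# Header constants and layout from RFC 8907 (TACACS+). The shared key 123456
# is the one the report configures on ACS and the router; the session ID,
# line name and client address used below are constructed sample values.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
HEADER_FMT = "!BBBBII"                     # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
# Authentication START body fields (RFC 8907 section 5.1), ASCII login
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no) and
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); the pads are
    concatenated and truncated to the body length. This is what the report
    calls encryption with MD5."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying this twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Body of the authentication START the NAS sends in step 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def parse_authen_start(body):
    """Server side of step 1: pull the variable-length fields out of the body."""
    action, priv_lvl, authen_type, service, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr = body[off:off + rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """Header plus body; the body is obfuscated unless TAC_PLUS_UNENCRYPTED_FLAG is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return header + body


def parse_packet(raw, key):
    """Split header and body, check the length field, and recover the body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length field %d does not match body of %d bytes" % (length, len(body)))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = {"major": version >> 4, "minor": version & 0xF, "type": ptype,
              "seq_no": seq_no, "flags": flags, "session_id": session_id}
    return header, body


def audit_header(raw):
    """Defender-side checks on a captured packet (my own, not part of the protocol)."""
    version, ptype, _seq, flags, _sid, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    findings = []
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        findings.append("body sent in clear: TAC_PLUS_UNENCRYPTED_FLAG is set")
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        findings.append("unexpected major version 0x%x" % (version >> 4))
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        findings.append("unknown packet type %d" % ptype)
    if length != len(raw) - HEADER_LEN:
        findings.append("length field does not match the packet")
    return findings


def demo(key="123456", flags=0):
    """NAS builds the step-1 START for user balcony; the server parses it back."""
    session_id = 0x0A0B0C0D                                         # constructed; a NAS picks it randomly
    body = build_authen_start("balcony", "tty0", "192.168.1.20")   # line name and address constructed
    raw = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key, flags)
    header, recovered = parse_packet(raw, key)
    return raw, header, parse_authen_start(recovered), audit_header(raw)


if __name__ == "__main__":
    raw, header, start, findings = demo()
    print(header, start, findings)
    raw_clear, _, _, findings_clear = demo(flags=TAC_PLUS_UNENCRYPTED_FLAG)
    print(b"balcony" in raw_clear, findings_clear)
```

Running it shows that with the unencrypted flag set the username balcony is visible in the raw bytes on the wire, which is why that flag should only ever appear in a lab, and that the obfuscated body depends entirely on the shared key: a capture of port 49 traffic is only as safe as that key.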

TACACS+ and RADIUS servers give you centralized management of access to the devices in the network, with many strong security features. Privilege levels on a Cisco router are the hierarchy of rights that each user has on the device. This report is based on the idea of combining these two elements to provide a flexible management solution that raises the security of the network. TACACS+ and RADIUS are two protocols with similar functions, so the question arises: why did I choose TACACS+? To answer it, consider the advantages of TACACS+ for router management:
- RADIUS does not allow control over which commands a user may and may not run on the router. TACACS+ is more flexible and useful for router management because it provides two ways of controlling authorization, at both the user and the group level:
+ Assign the commands that may be executed to privilege levels, and have the TACACS+ server apply this hierarchy of rights to the user who logs in.
+ Define the commands that may be executed on the router per user or per group through the configuration on the TACACS+ server.

II. Lab procedure

1. Privilege Levels
- By default the router has 3 privilege levels:
. Privilege level 0: rarely used. Contains 5 commands: disable, enable, exit, help and logout.
. Privilege level 1: non-privileged. Corresponds to router>.
. Privilege level 15: privileged, corresponding to enable mode (router#).
- Levels 2 to 14 are not configured by default, but we can configure commands to be moved between levels. To find out which level you are currently at on the router, type the command show privilege. To see which commands can be used at a given level, type ? while at that level.

2. Requirements
- Install and configure authentication and authorization for users, based on privilege levels, on the TACACS+ server
- Configure the AAA service on the router
- Use a client with a terminal program to check the result.

3. Equipment
- One Cisco 2691 router
- One PC running Windows XP as the client
- One Windows Server 2003 machine with Cisco Secure ACS installed



4. Topology:

This is the start-up screen of Cisco Secure ACS.

A. Configuration on the TACACS+ server:


Step 1: Configure the AAA server and client. Go to the Network Configuration menu. First we configure the AAA client: click Add Entry in the AAA Clients section.


In the next window enter the following values:
+ AAA Client Hostname: the router's hostname (center)
+ AAA Client IP Address: the router's addresses, 20.0.0.23 and 192.168.1.24
+ Key: the key agreed between the router and the server (chosen freely, but it must match the value entered later when configuring the router)
+ Authenticate Using: naturally, TACACS+
Then choose Submit + Apply.
Step 2: Next we configure the AAA server: choose Add Entry in the AAA Servers section:


Enter the following values:
+ AAA Server Name: any name
+ AAA Server IP Address: the IP address of the machine running TACACS+
+ Key: the previously agreed key (the same key as before; here it is 123456)
+ AAA Server Type: choose TACACS+
Choose Submit + Apply.

The result is as follows:


Step 3: Create a group. Here we create a group named Administrator with privilege level 15. Go to the Group Setup menu and rename any group to Administrator.

Select the Administrator group, then choose Edit Settings.

In the next Group Setup window, do the following in order:
. Select TACACS+ in the Jump To box
. Check Shell (exec)
. Check Privilege Level and enter the value 15
. Choose Submit + Restart
Step 4: Create users and add them to groups. We create a user named balcony in the Administrator group and a user named Guest in the Guest group. Go to the User Setup menu, enter the name balcony and choose Add/Edit.

In the next User Setup screen enter the following:
+ Password Authentication: ACS Internal Database
+ The password for user balcony
+ Select the Administrator group for this user.

B. Verification:


Use a Windows XP client and the command-line telnet program to connect to the router Center and check the configuration with the two accounts, balcony (admin). On the client open CMD and type telnet 192.168.1.10. A prompt asking for username and password appears. Enter balcony and the corresponding password as configured:


Result as seen in Wireshark:

III. Router configuration


Current configuration : 790 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname center
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa session-id common
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.0.0.23 255.255.255.0
 duplex auto
 speed auto
!
ip classless
!
ip http server
no ip http secure-server
!
tacacs-server host 20.0.0.24
tacacs-server directed-request
tacacs-server key 123456
!
line con 0
line aux 0
line vty 0 4
!
end
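The following Python checker is an added example, not part of this report and not a Cisco tool. It reads the running configuration above (embedded as sample input, with only the "!" separator lines removed) and reports the AAA weaknesses a reviewer would raise against it: no local fallback if the ACS host becomes unreachable, no per-command authorization even though the theory section describes it as one of the two TACACS+ methods, no accounting, the shared key 123456 shown in clear, the HTTP server enabled, and vty lines that accept telnet. The hardened configuration beside it is my suggested correction and applies the same rules; its enable secret, local user secret and type-7 key string are placeholders, not real values, and the rule set itself is my own.

```python
import re

# Running configuration from section III of the report, embedded as sample
# input for the checker (the "!" separator lines are left out; nothing else changed).
SAMPLE_CONFIG = """\
version 12.3
no service password-encryption
hostname center
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa session-id common
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
interface FastEthernet0/1
 ip address 20.0.0.23 255.255.255.0
ip http server
no ip http secure-server
tacacs-server host 20.0.0.24
tacacs-server directed-request
tacacs-server key 123456
line con 0
line aux 0
line vty 0 4
"""

# The same AAA setup with the findings below addressed (my suggestion). The
# enable secret, local user secret and type-7 key string are placeholders.
HARDENED_CONFIG = """\
service password-encryption
hostname center
enable secret PLACEHOLDER_ENABLE_SECRET
username fallback-admin privilege 15 secret PLACEHOLDER_LOCAL_SECRET
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
no ip http server
tacacs-server host 20.0.0.24
tacacs-server key 7 PLACEHOLDER_TYPE7_STRING
line vty 0 4
 transport input ssh
"""


def parse_config(text):
    """Config lines without '!' separators and blanks; leading indentation is
    kept because sub-mode lines such as ' transport input ssh' are indented."""
    return [l.rstrip() for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def _has(lines, pattern):
    rx = re.compile(pattern)
    return any(rx.search(l) for l in lines)


# (name, passes(lines), why it matters, suggested line). My own rules for this lab's setup.
RULES = [
    ("login-fallback",
     lambda c: _has(c, r"^aaa authentication login default .*\blocal\b"),
     "login uses only group tacacs+: if the ACS host is unreachable nobody can log in",
     "aaa authentication login default group tacacs+ local (plus a local 'username ... secret')"),
    ("exec-authz-fallback",
     lambda c: _has(c, r"^aaa authorization exec default .*\b(local|if-authenticated)\b"),
     "exec authorization has no fallback when the server is down",
     "aaa authorization exec default group tacacs+ local"),
    ("command-authz",
     lambda c: _has(c, r"^aaa authorization commands 15 default "),
     "only the exec privilege level is authorized, not the individual level-15 commands",
     "aaa authorization commands 15 default group tacacs+ local"),
    ("accounting",
     lambda c: _has(c, r"^aaa accounting (exec|commands \d+) default .*group tacacs\+"),
     "no accounting records are sent, so logins and commands are not audited",
     "aaa accounting exec default start-stop group tacacs+"),
    ("key-in-clear",
     lambda c: not _has(c, r"^tacacs-server key (?!7\b)"),
     "the TACACS+ shared key is readable by anyone who can view the configuration",
     "service password-encryption (type 7 is reversible, so also restrict who can view the config)"),
    ("enable-secret",
     lambda c: _has(c, r"^enable secret "),
     "no enable secret: with the server unreachable there is no privileged-mode password to fall back to",
     "enable secret <strong passphrase>"),
    ("http-server",
     lambda c: not _has(c, r"^ip http server$"),
     "the plaintext HTTP management interface is enabled",
     "no ip http server"),
    ("vty-ssh",
     lambda c: _has(c, r"^ transport input ssh"),
     "vty lines accept telnet, which sends the login in clear on the network",
     "line vty 0 4 / transport input ssh (after generating an RSA key pair)"),
]


def audit(text):
    """Return (name, why, fix) for every rule the configuration fails."""
    lines = parse_config(text)
    return [(name, why, fix) for name, ok, why, fix in RULES if not ok(lines)]


def clear_text_key(text):
    """The shared key if it is stored unencrypted (type 0 or no type), else None."""
    for line in parse_config(text):
        m = re.match(r"^tacacs-server key (?:0 )?(?!7\b)(\S+)$", line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for name, why, fix in audit(SAMPLE_CONFIG):
        print("%-20s %s\n%-20s fix: %s" % (name, why, "", fix))
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The rules deliberately require a local fallback on both the login and the exec authorization method lists: the lab's configuration works while ACS at 20.0.0.24 answers, but a single server outage would lock every operator out of the router, which is the first thing to fix before relying on TACACS+ for the privilege-level scheme described in section II.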