
I/ Introduction to CISCO SECURE ACS:

1. Overview
Cisco Secure ACS authenticates users by controlling how they access network access servers (NAS) such as access servers, Cisco PIX firewalls, or routers. Cisco Secure ACS is regarded as a service that controls authentication, authorization and accounting. Cisco Secure ACS centralises access control and accounting for access servers and firewalls, and manages access to routers and switches. With Cisco Secure ACS, a service provider can quickly administer accounts and change the level of service for entire groups of users. Cisco Secure ACS supports Cisco NAS devices such as the Cisco 2509, 2511, 3620 and 3640 series routers, the AS 5200, AS 5300 and AS 5800, the Cisco PIX firewall, and third-party devices that can be configured with TACACS+ or RADIUS. There are two related editions of Cisco Secure ACS: Cisco Secure ACS for Windows and Cisco Secure ACS for UNIX. We will look at both in the following section.

2. Common features

Cisco Secure ACS for Windows, as described in Figure 3.2, has the following common features:
- Simultaneous support for TACACS+ and RADIUS between Cisco Secure ACS and the NAS.
- Support for the Windows NT/2000 Server database:
  - Unified username/password management integrated with Windows NT or Windows 2000.
  - Logon to the network and to the Windows NT/2000 domain.
  - Runs independently of Windows NT/2000, the domain controller, the backup domain controller, etc.
- Support for external user databases: token card servers, NDS, the ACS database, and others.
- Support for the following authentication protocols: ASCII/PAP; CHAP; MS-CHAP; LEAP; EAP-CHAP; EAP-TLS; ARAP.
- Support for the NAS callback feature, which increases security.

3. Main functions.

+ User Setup: add, delete and edit a user account, and list all users in the database.
+ Group Setup: create, edit and rename groups, and list all users in a group.
+ Shared Profile Components: develop and reuse named sets of authorization components that can be applied to one or more users or user groups and referenced by name in each individual profile. The components include network access restrictions (NAR), command authorization sets, and downloadable ACLs.
+ Network Configuration: configure and edit NAS parameters, add and delete NASes, and configure AAA distribution parameters for AAA servers.
+ System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication, and control synchronisation with relational database management systems.
+ Interface Configuration: configure the user-defined fields that will be recorded in the log file, configure TACACS+/RADIUS options, and control how options are presented in the user interface.
+ Administration Control: control administration of Cisco Secure ACS from any workstation on the network.
+ External User Databases: configure user policy, configure authorization levels for users, and configure external database types.
+ Reports and Activity: records the events that happen to Cisco Secure ACS as a list of report types suited to our needs. These files can be imported into a database or spreadsheet application.
+ TACACS+ Accounting Report: lists giving information on when a session starts and ends, recording the NAS message with the username, providing CLID information and the records of each session.
Lab 1- TACACS+ 1

+ RADIUS Accounting Report: lists giving information on when a session starts and ends, recording the NAS message with the username, providing CLID information and the records of each session.
- Failed Attempts Report: list of unsuccessful authentications.
- Logged in Users: list of all recently logged-in users.
- Disabled Accounts: accounts that are no longer allowed to operate.
- Admin Accounting Report: a record of the operations performed by administrators.
+ Online Documentation: the Cisco Secure ACS user guide, covering configuration, operations and concepts related to Cisco Secure ACS.

II/ Lab topology:

Requirement: build an ACS server on the Server (Win 2k3) that authorises the Client (Win 7) to access R2.


III/ IP configuration:

Configure IP addresses for the Client, Server and Routers in GNS3 as in the topology above.
+ Client (physical Win 7 machine): configure the IP address on the Loopback adapter.
+ Server (Win 2k3 virtual machine): use VMware to create a Win 2k3 VM and configure the IP address on the VMware 1 adapter.

+ R1: IP configuration, RIP routing

!* R1.CiscoConfig
!* IP Address : 10.0.0.36
!* Community : private
!* Downloaded 2/22/2012 9:48:46 PM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 10.0.0.36 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.1.30 255.255.255.0
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/7
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

+ R2: IP configuration, RIP routing

!* R2.CiscoConfig
!* IP Address : 192.168.2.30
!* Community : private
!* Downloaded 2/22/2012 9:56:01 PM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.1.36 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.2.30 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 192.168.1.0
 network 192.168.2.0
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
tacacs-server host 20.0.0.36
tacacs-server key 123456
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

+ R3: IP configuration, RIP routing

!* R3.CiscoConfig
!* IP Address : 192.168.2.36
!* Community : private
!* Downloaded 2/22/2012 9:58:28 PM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 20.0.0.30 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.2.36 255.255.255.0
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/7
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 20.0.0.0
 network 192.168.2.0
!
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

IV/ Configure the ACS server on the Server:

Step 1 - Install the ACS server on the Server machine:
Install ACS Server 4.0 or later. The server must have a web browser: IE 6.0 or later, or a recent version of Firefox or Chrome with Java support.

Step 2 - Configure the AAA client and AAA server:

- Go to Network Configuration to configure AAA.
+ Configure the AAA client: under AAA Clients choose Add Entry and configure as follows:
  Hostname: R2 (the name of the router to be accessed)
  IP: 192.168.2.30 (the IP address of the router)
  Shared Secret (must match the key on the server): 123456 (the key exchanged with the server)
  Authenticate Using (authentication protocol): TACACS+
  Choose Submit + Apply.

+ Configure the AAA server: under AAA Servers choose Add Entry and configure as follows:
  Server Name: MangNC (any name for the AAA server)
  IP: 20.0.0.36 (the IP address of the machine on which the Server is installed)
  Key: 123456 (must match the key on the Client)
  AAA Server Type (protocol used): TACACS+
  Choose Submit + Apply.

+ AAA configuration complete.

Step 3 - Create groups and assign privileges:

Privilege level 0: rarely used. Contains 5 commands: disable, enable, exit, help and logout.
Privilege level 1: non-privileged, corresponding to router>.
Privilege level 15: privileged, corresponding to enable mode (router#).
Levels 2-14 are not configured by default, but commands can be moved between levels. To find out which level you are currently at on the router, type show privilege. To see which commands can be used at a given level, type ? while at that level.

1. Create groups: go to Group User, choose the Group, choose Rename Group, rename the group, then Submit. Create 3 groups in turn: Admin, Guest, Test.
2. Assign group privileges: choose the Group, then Edit Settings.
+ Admin group: assign level 15 to Admin, the highest level with unrestricted rights. Under the TACACS+ settings tick Shell, set the privilege level to 15, and choose Submit + Restart.
+ Guest group: the same as the Admin group, but with level 0, the lowest level of privilege.
+ Test group: the same as the Admin group with level 15, but the commands available to users in this group will be restricted. This combines Privilege level with Command Authorization.
++ Customising authorization with Command Authorization: go to Shared Profile Components, then Shell Command Authorization Sets, then Add, and configure as follows:

Name the command set, enter a description, choose Deny for unmatched commands, add the command show with the argument line Permit ip route, and choose Submit.

* Notes:

Name: the name of the command set (here DuyCuong). Description: a description of this command set. Unmatched Commands: specifies what the server does with commands you have not entered below (two options: Permit and Deny). Permit Unmatched Args: allows arguments you have not entered; if it is not checked, they are treated as Deny. Add Command: adds a new command.

Next, go to Edit Settings for the Test group and select the DuyCuong set under Assign a Shell Command Authorization Set for any network device.

3. Group creation and authorization complete.

Step 4 - Create users:
- A user that is a member of a group inherits the rights of that group. We will create user Hutech in the Admin group, user DuyCuong in the Test group, and user QuangBac in the Guest group.
- Procedure: go to User Setup, enter the user name, and choose Add/Edit.

- Add the user to a group: select the group under Group to which the user is assigned, then Submit.

V/ Configure the AAA client on R2:

Enter the following configuration commands:
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+
R2(config)#aaa authorization exec default group tacacs+
R2(config)#tacacs-server host 20.0.0.36   //IP address of the TACACS+ server
R2(config)#tacacs-server key 123456       //key configured on the server

VI/ Verify access to the Router:

Access Router 2 in turn as users Hutech, DuyCuong and QuangBac: open CMD (on the client) and enter telnet 192.168.2.30 (the IP address of the AAA client R2).
+ User Hutech belongs to group Admin with Privilege level 15, so it can enter config mode and configure R2.

+ User QuangBac belongs to group Guest with Privilege level 0, so it cannot enable on R2.

+ User DuyCuong belongs to group Test with Privilege level 15, but can only run the command show ip route.

VII/ Capturing TACACS+ traffic with Wireshark:

A/ TACACS+ packet structure:
- major version: the TACACS+ major version number.
- minor version: the TACACS+ minor version number; this field is designed to allow revisions of the TACACS+ protocol while preserving backward compatibility.
- Type (1 bit): the packet type, with the following values (authentication, authorization, accounting).
- Seq-no (1 bit): the sequence number of the current packet within the session.
- Flags (1 bit):
  + UNENCRYPTED FLAG: if this flag is set the packet is not encrypted; otherwise the packet is encrypted from the data part onwards.
  + SINGLE CONNECT FLAG: if the NAS sets this flag, it supports multiple TACACS+ sessions over a single TCP connection.
- Session ID: the ID of the session; it is assigned randomly and does not change for the duration of the session.
- Length: the length of the TACACS+ packet (not including the header).
- Data: the information exchanged between the TACACS+ client (Network Access Server) and the TACACS+ server (AAA server).
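An added worked example, not part of the lab and not Cisco's code, that parses the header fields listed above and implements the body "encryption" the text describes: per RFC 8907 each header field is one octet except session_id and length (four octets each), and the body is XORed with a chained MD5 keystream derived from session_id, the shared key, version and seq_no, so the shared key is the only thing protecting the body on the wire. The session id and client address are constructed; the key is the lab's 123456.

```python
import hashlib
import struct

HEADER_LEN = 12          # version, type, seq_no, flags: 1 octet each; session_id, length: 4 each
UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

def parse_header(pkt):
    """Split the 12-octet TACACS+ header into named fields (RFC 8907, section 4.1)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:HEADER_LEN])
    return {"major_version": version >> 4, "minor_version": version & 0x0F,
            "type": TYPE_NAMES.get(ptype, ptype), "seq_no": seq_no,
            "unencrypted": bool(flags & UNENCRYPTED_FLAG),
            "session_id": session_id, "length": length}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: chained MD5 over session_id || key || version || seq_no (RFC 8907, section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate_body(header, body, key):
    """XOR the body with the pad; applying it twice restores the clear body."""
    h = parse_header(header)
    if h["unencrypted"]:
        return body
    version = (h["major_version"] << 4) | h["minor_version"]
    pad = pseudo_pad(h["session_id"], key, version, h["seq_no"], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_authen_start(session_id, key, user, port, rem_addr):
    """Authentication START (seq_no 1) for an ASCII login: action=LOGIN, priv_lvl=1,
    authen_type=ASCII, service=LOGIN, four length octets, then the variable fields."""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr
    header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, session_id, len(body))
    return header + obfuscate_body(header, body, key)

def decode_authen_start(pkt, key):
    """Recover user, port and rem_addr from a START packet using the shared key."""
    body = obfuscate_body(pkt[:HEADER_LEN], pkt[HEADER_LEN:], key)
    ulen, plen, rlen = body[4], body[5], body[6]
    fields = body[8:8 + ulen], body[8 + ulen:8 + ulen + plen], body[8 + ulen + plen:8 + ulen + plen + rlen]
    user, port, rem_addr = (f.decode() for f in fields)
    return {"header": parse_header(pkt), "user": user, "port": port, "rem_addr": rem_addr}

KEY = b"123456"  # the lab's shared key; the session id and client address below are constructed
SAMPLE = build_authen_start(0x1A2B3C4D, KEY, b"Hutech", b"tty2", b"10.0.0.1")
```

Wireshark decodes these bodies the same way once the shared key is entered in its TACACS+ preferences, which is why the key must be long and unique per device rather than a value like 123456.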


B/ TACACS+ capture results:

C/ Detailed description of the operation:

The figure describes how TACACS+ operates when a user accesses the network through the NAS, and corresponds to the captured results. Operation: in the order Authentication, then Authorization, then Accounting, each phase has its own connection. Before each phase the client and server exchange TCP segments carrying the SYN flag to establish the connection, and after each phase they exchange TCP segments carrying the FIN flag to close it. Compared against Wireshark:

1. Authentication: Steps 1 & 2

1. The client telnets to the router; this corresponds to the client sending a request packet to the server, and the server accepting and sending a reply packet asking the client to supply the username:

2. The client supplies the username (sends a request packet); the server accepts and asks for the password (sends a reply packet):

3. The client supplies the password (sends a request packet); the server accepts (sends a reply packet):

* Authentication request packet structure: length 11 bit

* Authentication reply packet structure: length 6 bit

2. Authorization: Steps 3, 4

After logging on to the router, the client asks the server for authorization (sends a request); the server receives it and grants authorization to the client (sends a reply).

* Authorization request packet structure: length 48 bit

* Authorization reply packet structure: length 17 bit

3. Accounting:
Step 5: the client sends a request packet notifying the server that the user has started logging into the network. Step 6: the server sends back a reply packet indicating that accounting was recorded successfully.

Accounting request packet structure: length 102 bit

Accounting reply packet structure: length 5 bit

Step 7:

When the user logs off, the client sends a request packet with the following information:

Start time; stop time; elapsed time, the time at which the session completed; (one item illegible in the source); total bytes sent and received by the user; bytes received by the user; bytes sent by the user; total packets sent and received by the user; packets received by the user; packets sent by the user; the reason the user disconnected.
Step 8: the server sends a reply packet indicating that accounting was recorded successfully.