Course: Advanced Computer Networks

Instructor: MSc Nguyễn Đức Quang
Student: Nguyễn Trung Niêm
Class: 09DTHM
Student ID: 0951020186
Lab 1 report - Instructor: Nguyễn Đức Quang

Student: Nguyễn Trung Niêm - Student ID: 0951020186 - Class: 09DTHM


I. Lab topology:
(The topology diagram is not reproduced in this text. From the router configurations in section V, the path is: client on 192.168.1.0/24 - R1 (Fa0/0 192.168.1.87, S0/0 192.168.2.86) - R2 (S0/0 192.168.2.87, S0/1 192.168.3.86) - R3 (S0/0 192.168.3.87, Fa0/0 192.168.4.86) - ACS server 192.168.4.87. R1 is the only TACACS+ client; R2 and R3 just route.)

II. Requirements:
a. Configure the topology as shown: the client telnets to R1, and R1 authenticates through the TACACS+ protocol.
b. Install the ACS server.
c. Configure the ACS server (using TACACS+).
d. Configure the ACS client on R1 to enable the AAA service.
e. On the ACS server create three groups: Admin, Mod and Guest.
   i. Group Admin can telnet to R1 and use all commands.
   ii. Group Mod can telnet to R1 and use only the commands on an allowed list (show ip route, ping).
   iii. Group Guest can only telnet to R1.
f. Capture the TACACS+ protocol messages with Wireshark.
III. Preparation:
- Software used in this lab:
  VMware Workstation
  Cisco Secure ACS
  SolarWinds Engineer's Toolset
  GNS3
- The client runs Windows XP; the server runs Windows Server 2003.




IV. Introduction to Cisco Secure ACS:
Cisco Secure ACS is a network security application that runs on Windows and lets you control network access, dial-in calls and Internet access. It runs as a Windows NT/2000 service that handles authentication, authorization and accounting (AAA) for users accessing the network.
Cisco Secure ACS provides AAA services to network access devices that act as AAA clients: routers, NAS devices, PIX firewalls and the VPN 3000 Concentrator. An AAA client is any device that implements the AAA client role and speaks one of the AAA protocols supported by Cisco Secure ACS; ACS treats all such devices as AAA clients. It uses TACACS+ or RADIUS to deliver the AAA services. Centralizing AAA in this way does not by itself make the environment secure: TACACS+ only obfuscates packet bodies with an MD5-derived pad keyed on the shared secret (see section X), so the link between the router and ACS still has to be a trusted management network, and the shared secret must be handled as a credential.
Cisco Secure ACS centralizes access control and accounting, and also manages administrative access to routers and switches. With it, network administrators can quickly manage accounts and change the service level for whole groups of users at once.
Cisco Secure ACS is easy to install and administer. It normally runs on Windows NT Server or Windows Server. It can authenticate usernames and passwords held in the Windows NT/2000 user database, in its own internal database, or in external databases.
Different security levels can be used with Cisco Secure ACS depending on the requirements. The basic user-to-network level is PAP. Although PAP does not protect the secret (the password crosses the link in clear text), it is convenient and simple for clients, and PAP authentication can be checked against the Windows NT/2000 database. CHAP gives a higher level of security because the password itself never crosses the link between the client and the network access server (NAS); only a challenge-response hash does. Microsoft CHAP (MS-CHAP) is Microsoft's variant of CHAP, designed to integrate more closely with Microsoft Windows.
Main functions:
- User Setup: add, delete or edit a user account, and list all users in the database.
- Group Setup: create, edit or rename groups, and list all users in a group.
- Shared Profile Components: define named, reusable sets of authorization components that can be applied to one or many users or groups and referenced by name from each profile. The components include network access restrictions (NARs), command authorization sets, and downloadable ACLs.
- Network Configuration: configure and edit NAS parameters, add or delete NAS entries, and configure AAA server distribution parameters.
- System Configuration: start and stop the Cisco Secure ACS services, configure logging, control database replication, and control synchronization with a relational database management system.
- Interface Configuration: configure the user-defined fields that are written to the log files, configure TACACS+/RADIUS options, and control how options are presented in the user interface.
- Administration Control: control administration of Cisco Secure ACS from any workstation on the network.
- External User Databases: configure user policy, configure authorization levels for users, and configure the types of external databases used.
- Reports and Activity: records what happens on Cisco Secure ACS as a set of report types. These files can be imported into a database or a spreadsheet application.
  - TACACS+ Accounting Report: lists when each session started and stopped, records the NAS messages with the username, and provides the caller ID (CLID) and per-session records.
  - RADIUS Accounting Report: the same information for RADIUS sessions.
  - Failed Attempts Report: list of failed authentications.
  - Logged in Users: list of all users who have recently logged in.
  - Disabled Accounts: accounts that are no longer allowed to operate.
  - Admin Accounting Report: a record of the actions performed by administrators.
- Online Documentation: the Cisco Secure ACS user guide covering configuration, operation and related concepts.
V. Deploying the topology:
- Router configurations (running-configs downloaded with SolarWinds). The security-relevant lines on R1 are the aaa ... method lists, the tacacs-server host/key pair and the line vty section. Note that all three routers keep no service password-encryption and an SNMP community niem.org with RW access: in the lab this is harmless, but on a real network the TACACS+ key would sit in clear text in the configuration, and a read-write community string lets anyone who learns it reconfigure the router.
> Configuration of router R1:
!* R1.CiscoConfig
!* IP Address : 192.168.2.86
!* Community : niem.org
!* Downloaded 2/21/2012 2:22:17 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.1.87 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.86 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
tacacs-server host 192.168.4.87
tacacs-server directed-request
tacacs-server key trungniem
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


> Configuration of router R2:
!* R2.CiscoConfig
!* IP Address : 192.168.2.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:07:34 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.2.87 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.87 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 192.168.3.86 255.255.255.0
 clock rate 2000000
!
router rip
 version 2
 network 192.168.2.0
 network 192.168.3.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

> Configuration of router R3:
!* R3.CiscoConfig
!* IP Address : 192.168.3.87
!* Community : niem.org
!* Downloaded 2/21/2012 2:09:12 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.4.86 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.3.87 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 192.168.3.0
 network 192.168.4.0
!
no ip http server
no ip http secure-server
!
snmp-server community niem.org RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



VI. Deploying the ACS server:
a. ACS server interface:
After installing Cisco Secure ACS, start the program. This is the main interface of Cisco Secure ACS (screenshot not reproduced here):

b. Creating user groups:
We create three groups: Admin, Mod and Guest.
Step 1: Create the Admin group:
Open the Group Setup menu.
- Pick any group from the list shown above and click Edit Settings.
- Tick Shell (exec).
- Tick Privilege level and enter 15.
- Click Submit + Restart.


Next, rename Group 1 to Admin:
Group Setup -> select Group 1 -> click Rename Group
Enter the new name for the group
Click Submit




- This completes creating the Admin group and assigning its rights.
Step 2: Create the Mod group:
- Same as for the Admin group, except that Mod combines a privilege level with command authorization.
- First we create the command authorization set.
Open the Shared Profile Components menu
Select Shell Command Authorization Sets




Click Add. The Shell Command Authorization Set form appears.
- Name: the name of this set.
- Description: a description of the set.
- Unmatched Commands: what the server does with commands you have not listed below (two options: Permit and Deny).
- Permit Unmatched Args: allow arguments you have not entered for a listed command. If this is left unchecked, unlisted arguments are denied.
- Add Command: add a new command. Type the command and click Add Command. Then enter the argument rules for that command, one per line, in the form "permit <arg>" or "deny <arg>"; press Enter to start another rule.





The set in the screenshot means: any group this set is assigned to, even at privilege level 15, can only run show ip route (ping is permitted in the same way so that requirement e.ii is met; section VIII shows mod1 running both).
- Unmatched Commands: Deny: every command not listed is rejected.
- Permit Unmatched Args left unchecked: any argument not listed below is denied.
- permit ip route under the show command: allows the show command to be run as show ip route.
- When done, click Submit.

- Assign the shell command authorization set to the Mod group:
Group Setup -> select group Mod -> Edit Settings
Tick Shell (exec)
Enter 15 for Privilege level
Under Shell Command Authorization Set, tick "Assign a Shell Command Authorization Set for any network device" -> select Mod
Submit + Restart
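To make the three form controls concrete, here is an added Python model (not ACS code, and not from the original report) that evaluates the cmd / cmd-arg requests R1 sends for aaa authorization commands 15 the way the form above combines Unmatched Commands, Permit Unmatched Args and the per-command permit/deny lines. It assumes that argument patterns are matched as regular expressions anchored at the start of the argument string, and it adds a permit for ping, which requirement e.ii needs alongside show ip route.

```python
"""Added example: a model of one Cisco Secure ACS shell command authorization set.
Not ACS code and not from the lab report; the regex matching rule is an assumption."""
import re


class CommandAuthSet:
    """Mirror of the form fields: Unmatched Commands, Permit Unmatched Args, per-command rules."""

    def __init__(self, name, unmatched_command_permit=False, permit_unmatched_args=False):
        self.name = name
        self.unmatched_command_permit = unmatched_command_permit  # "Unmatched Commands": Permit / Deny
        self.permit_unmatched_args = permit_unmatched_args        # the "Permit Unmatched Args" checkbox
        self.commands = {}                                        # command -> [(permit?, arg pattern), ...]

    def add_command(self, cmd, rules):
        """rules are the lines typed under the command, e.g. [("permit", "ip route")]."""
        self.commands[cmd] = [(action == "permit", pattern) for action, pattern in rules]

    def authorize(self, cmd, args):
        """Decide one cmd / cmd-arg request the way the three controls combine."""
        rules = self.commands.get(cmd)
        if rules is None:
            return self.unmatched_command_permit      # command not listed at all
        joined = " ".join(args)
        for permit, pattern in rules:
            if re.match(pattern, joined):             # assumption: regex anchored at the start
                return permit
        return self.permit_unmatched_args             # listed command, no argument rule matched


def build_mod_set():
    """The Mod set from section VI.b: Unmatched Commands = Deny, Permit Unmatched Args unchecked."""
    mod = CommandAuthSet("Mod")
    mod.add_command("show", [("permit", "ip route")])   # the rule shown in the report
    mod.add_command("ping", [("permit", ".*")])         # assumption: added to satisfy requirement e.ii
    return mod


def split_exec_line(line):
    """IOS sends the expanded command as cmd=<first word> and each remaining word as a cmd-arg."""
    words = line.split()
    return words[0], words[1:]


def check(auth_set, line):
    cmd, args = split_exec_line(line)
    return auth_set.authorize(cmd, args)


if __name__ == "__main__":
    mod = build_mod_set()
    for line in ("show ip route", "show ip route 192.168.4.0", "show running-config",
                 "ping 192.168.4.87", "configure terminal"):
        print(f"{line:28} -> {'PERMIT' if check(mod, line) else 'DENY'}")
```

Because the match is anchored only at the start, permit ip route also lets show ip route 192.168.4.0 through; a pattern such as ^ip route$ would restrict the user to the bare command. IOS sends the fully expanded command name, so an abbreviation like sh ip ro arrives as show ip route and is judged by the same rule.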


Step 3: Create the Guest group:
Same as the Admin group but with privilege level 0 (at privilege level 0, IOS only offers disable, enable, exit, help and logout, so guest1 can open an EXEC session on R1 but run nothing useful, which is what requirement e.iii asks for).


c. Creating users and adding them to groups:
Create users admin1, mod1 and guest1:
- Open the User Setup menu:

- Enter the username in the User field. We enter Admin1 and click Add/Edit:

- Password Authentication: ACS Internal Database; the password for admin1 is longthanc
- Set the group of this user to Admin, then click Submit.
- Do the same for users Guest1 and Mod1 (placing them in the Guest and Mod groups).

After completion:

d. Configuring the ACS server:
Open the Network Configuration menu:





- Configure the ACS server entry:
  - To create an AAA Server, click Add Entry under AAA Servers.
  - AAA Server Name: a name for the server (your choice).
  - AAA Server IP Address: the IP address of the machine running ACS (192.168.4.87 in this lab).
  - Key: the key exchanged with the client (must match the client's key).
  - AAA Server Type: TACACS+
  - Traffic Type: Inbound/Outbound
  - When done, click Submit + Apply

e. Configuring the ACS client:
To create an AAA Client, click Add Entry under AAA Clients.
  - AAA Client Hostname: the name of the router to be managed (R1).
  - AAA Client IP Address: the IP address of the router. ACS matches incoming requests to this entry by source address, and R1 sources its TACACS+ packets from the interface facing the server (Serial0/0, 192.168.2.86) unless ip tacacs source-interface is configured, so enter that address rather than the one the client telnets to.
  - Shared Secret: the key exchanged with the server. It must be identical on the client and the server, and it is the value given on the router as tacacs-server key (trungniem in this lab).
  - Authenticate Using: select TACACS+ (Cisco IOS).
  - When done, click Submit + Apply













VII. Configuring the ACS client on R1:
- The basic configuration commands follow (screenshot not reproduced; they are the same lines visible in R1's running-config in section V: aaa new-model, the aaa authentication / authorization / accounting lines for the default method list, and tacacs-server host 192.168.4.87 with tacacs-server key trungniem). Note that these commands apply to Cisco IOS 12.0(5) and later.
Two caveats for a real deployment: the method lists use group tacacs+ alone, so if the ACS server becomes unreachable there is no fallback method (local or enable) and the router can lock out its administrators, on the console too, because the default login list also applies to line con 0; and with no service password-encryption in effect the shared key appears in clear text in the configuration and in every SolarWinds or SNMP configuration download.






VIII. Verifying the result after configuration:
- On the client, run telnet 192.168.2.86 to test.
- Log in as user Admin1:





- Log in as user guest1:

- Log in as user mod1:

-> Only the ping and show ip route commands can be used; any other command is rejected by the command authorization set.





IX. Viewing the TACACS+ Accounting reports
To use this feature, AAA accounting must be configured on the router (the aaa accounting exec / commands 15 ... start-stop group tacacs+ lines in R1's configuration).
Open Reports and Activity -> TACACS+ Accounting

Under Select a TACACS+ Accounting file, choose the log file to view, for example TACACS+ Accounting active.csv
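An added example (not from the original report, and not ACS code): reading the accounting CSV with Python to pair EXEC start/stop records and to flag commands that a group should not have been able to run. The rows are constructed for this example and the column names are assumed; a real export from ACS may name or order the fields differently, so adjust them before use. One constructed row has mod1 running show running-config, which the Mod set should have denied, so that the check has something to flag.

```python
"""Added example: parse a TACACS+ accounting CSV export and check it against the
group policy from requirement e. Sample rows and column names are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample. EXEC sessions produce a start and a stop record that share a
# task_id; with "aaa accounting commands 15 ... start-stop" each command produces
# only a stop record carrying the command text.
SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,NAS-IP-Address,Acct-Flags,task_id,service,priv-lvl,cmd
02/21/2012,02:10:05,mod1,Mod,192.168.2.86,start,12,shell,15,
02/21/2012,02:10:21,mod1,Mod,192.168.2.86,stop,13,shell,15,show ip route <cr>
02/21/2012,02:10:40,mod1,Mod,192.168.2.86,stop,14,shell,15,ping 192.168.4.87 <cr>
02/21/2012,02:10:55,mod1,Mod,192.168.2.86,stop,15,shell,15,show running-config <cr>
02/21/2012,02:11:02,mod1,Mod,192.168.2.86,stop,12,shell,15,
02/21/2012,02:12:00,admin1,Admin,192.168.2.86,start,16,shell,15,
02/21/2012,02:12:30,admin1,Admin,192.168.2.86,stop,17,shell,15,configure terminal <cr>
02/21/2012,02:12:45,admin1,Admin,192.168.2.86,stop,16,shell,15,
02/21/2012,02:13:00,guest1,Guest,192.168.2.86,start,18,shell,0,
"""

# What each group is expected to run, per requirement e (None = unrestricted).
EXPECTED = {"Admin": None, "Mod": ("show ip route", "ping"), "Guest": ()}


def parse_accounting(text):
    return list(csv.DictReader(io.StringIO(text)))


def exec_sessions(rows):
    """Pair EXEC start/stop records by task_id; a missing stop means the session is still open."""
    sessions = {}
    for r in rows:
        if r["cmd"]:
            continue                                     # command record, not an EXEC record
        s = sessions.setdefault(r["task_id"], {"user": r["User-Name"], "group": r["Group-Name"],
                                                "start": None, "stop": None})
        s[r["Acct-Flags"]] = f'{r["Date"]} {r["Time"]}'
    return sessions


def open_sessions(sessions):
    return sorted(t for t, s in sessions.items() if s["stop"] is None)


def commands_by_user(rows):
    out = defaultdict(list)
    for r in rows:
        if r["cmd"]:
            out[r["User-Name"]].append(r["cmd"].replace(" <cr>", ""))
    return dict(out)


def unexpected_commands(rows):
    """Commands in the log that the user's group should not have been able to run."""
    findings = []
    for r in rows:
        allowed = EXPECTED.get(r["Group-Name"], ())
        cmd = r["cmd"].replace(" <cr>", "")
        if cmd and allowed is not None and not cmd.startswith(allowed):
            findings.append((r["User-Name"], cmd))
    return findings


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_CSV)
    for task, s in exec_sessions(rows).items():
        print(task, s)
    print("open EXEC sessions:", open_sessions(exec_sessions(rows)))
    print("commands:", commands_by_user(rows))
    print("unexpected:", unexpected_commands(rows))
```

A command that shows up in accounting for a user whose set should have denied it means either the set was edited, or the user was authorized through another path, and is worth an alert rather than a report entry.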


X. TACACS+ packets:
(The Wireshark capture is not reproduced here; the field values below are those read from the captured packet.)





- Packet fields (from the Wireshark dissection of one captured packet):
  + Major version: TACACS+ (12): the major protocol version, 0xc, which identifies TACACS+ as opposed to the older TACACS.
  + Minor version: 0: the minor version; together they form the one-byte version field 0xc0.
  + Type: Authorization (2): the packet type; 1 is authentication, 2 authorization and 3 accounting, so this is an authorization packet.

  + Sequence number: 2: the sequence number within the session, not per packet type. The first packet of a session is sent by the client (R1) with sequence number 1 and the server's reply carries 2, so odd numbers come from the client and even numbers from the server. A value of 2 therefore identifies this as the ACS server's authorization RESPONSE to R1's REQUEST.
  + Flags: 0x00 (Encrypted payload, Multiple Connections): the flag byte. Because the unencrypted bit (0x01) is clear, the body is obfuscated with the MD5-derived pad computed from the session ID, the shared key, the version and the sequence number; Wireshark can only show the decoded body if it is given the shared key (trungniem). The single-connection bit (0x04) being clear means each request uses its own TCP connection.
  + Session ID: 4196086279: the identifier of this TACACS+ session, chosen by the client and repeated in every packet of the session.
  + Packet length: 19: the length of the body, not counting the 12-byte header.
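The following Python script is an added example, not part of the original report and not Cisco's or Wireshark's code: it builds the authorization REQUEST that R1 sends when mod1 types show ip route, applies the RFC 8907 body obfuscation with the shared key from R1's configuration (trungniem), and parses the 12-byte header back into the fields listed above. The session ID, the tty name and the client address are made up; nothing is sent on the network.

```python
"""Added example: build, obfuscate and parse a TACACS+ authorization REQUEST (RFC 8907).
Session ID, port and remote address are constructed; the key is the one from R1's config."""
import hashlib
import struct

MAJOR_VERSION = 0xC          # Wireshark shows "Major version: TACACS+ (12)"
MINOR_VERSION = 0x0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01      # clear => body is obfuscated with the shared key
FLAG_SINGLE_CONNECT = 0x04
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length (12 bytes)


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id | key | version | seq_no [| previous digest]), chained."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; XOR is its own inverse, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def author_request_body(user, port, rem_addr, args,
                        authen_method=0x06, priv_lvl=15, authen_type=1, authen_service=1):
    """Authorization REQUEST body (RFC 8907 section 6.1).
    authen_method 0x06 = TACACSPLUS, authen_type 1 = ASCII, authen_service 1 = LOGIN."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    body = bytes([authen_method, priv_lvl, authen_type, authen_service,
                  len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args)          # one length byte per argument
    body += user + port + rem_addr + b"".join(args)
    return body


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    version = (MAJOR_VERSION << 4) | MINOR_VERSION
    header = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return header + body


def parse_header(packet):
    """The fields Wireshark lists: major/minor version, type, sequence number, flags, session ID, length."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    return {"major_version": version >> 4, "minor_version": version & 0xF, "type": ptype,
            "seq_no": seq_no, "flags": flags, "encrypted": not flags & FLAG_UNENCRYPTED,
            "session_id": session_id, "length": length}


def decode_body(packet, key):
    """What Wireshark does when given the shared key; a wrong key yields garbage, not an error."""
    h = parse_header(packet)
    body = packet[HEADER.size:HEADER.size + h["length"]]
    version = (h["major_version"] << 4) | h["minor_version"]
    return obfuscate(body, h["session_id"], key, version, h["seq_no"]) if h["encrypted"] else body


KEY = b"trungniem"                        # tacacs-server key from R1's configuration
SESSION_ID = 0xFA1B2C3D                   # constructed; the client picks it at random
# Arguments IOS sends for "aaa authorization commands 15" when mod1 types "show ip route"
ARGS = ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"]


def demo_packet():
    body = author_request_body("mod1", "tty66", "192.168.1.100", ARGS)   # port and address constructed
    return build_packet(TYPE_AUTHOR, 1, SESSION_ID, body, KEY)          # seq 1: first packet, from the client


if __name__ == "__main__":
    pkt = demo_packet()
    print(parse_header(pkt))
    print(decode_body(pkt, KEY))
    print(decode_body(pkt, b"wrongkey"))   # what an observer without the shared secret sees
```

The pad depends only on the session ID, the key, the version byte and the sequence number, all of which except the key travel in the clear in the header. That is why the scheme is called obfuscation rather than encryption: anyone who recovers the shared secret, for instance from a configuration download like the one in section V, can decode every captured session after the fact.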