Cisco ACS4.1在PIX上的AAA认证
【详细过程】 要求:外网需要TELNET到内网的路由器上,通过ACS做 认证 PIX上的配置如下 interface Ethernet0 nameif inside security-level 100 ip address 172.16.16.1 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 19
【详细过程】
要求:外网需要TELNET到内网的路由器上,通过ACS做认
证
PIX上的配置如下
interface Ethernet0
nameif inside
security-level 100
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.1.1.1 255.255.255.0
access-list 101 extended permit tcp any host
172.16.16.2 eq telnet
access-list outacl extended permit icmp any any
access-list outacl extended permit tcp any host 172.16.16.2 eq 23
aaa-server acs protocol tacacs+
aaa-server acs host 192.168.1.101
key cisco123
aaa authentication match 101 outside acs
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside
如果要使用虚拟TELNET,加入如下命令:
static (inside,outside) 172.16.16.101 172.16.16.101 netmask
255.255.255.255
virtual telnet 172.16.16.101
aaa authentication match 102 outside acs
access-list 102 extended permit tcp any host 172.16.16.101 eq telnet
TELNET到INSIDE路由器的输出--CCIE115是ACS上面定义的用户,192.1.1.2是外网地址
pixfirewall(config)# sh uau
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'ccie115' at 192.1.1.2, authenticated (idle for 0:00:01)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
使用虚拟TELNET输出:
wan#telnet 172.16.16.101
Trying 172.16.16.101 ... Open
LOGIN Authentication
Username: ccie115
Password:
Authentication Successful
[Connection to 172.16.16.101 closed by foreign host]
认证成功之后即关闭了虚拟TELNET窗口
在此例中,
删除 access-list outacl extended permit tcp any host 172.16.16.2 eq 23这条命令
添加 access-list 101 extended permit tcp any host 172.16.16.2 eq 23
思想是:不允许OUTSIDE可以直接TELNET到INSIDE,101被AAA调用,通过认证后才可以TELNET到INSIDE