AAA на примере FreeRadius — различия между версиями
Moiseevvi (обсуждение | вклад) (→default config) |
Moiseevvi (обсуждение | вклад) (→SSH) |
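--- a/AAA на примере FreeRadius
+++ b/AAA на примере FreeRadius
@@ -124,2 +124,34 @@
 == SSH ==
+
+<code>
+; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>>
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20183
+;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;. IN NS
+
+;; ANSWER SECTION:
+. 326320 IN NS f.root-servers.net.
+. 326320 IN NS j.root-servers.net.
+. 326320 IN NS m.root-servers.net.
+. 326320 IN NS c.root-servers.net.
+. 326320 IN NS e.root-servers.net.
+. 326320 IN NS g.root-servers.net.
+. 326320 IN NS i.root-servers.net.
+. 326320 IN NS a.root-servers.net.
+. 326320 IN NS b.root-servers.net.
+. 326320 IN NS k.root-servers.net.
+. 326320 IN NS l.root-servers.net.
+. 326320 IN NS d.root-servers.net.
+. 326320 IN NS h.root-servers.net.
+
+;; Query time: 0 msec
+;; SERVER: 212.192.64.218#53(212.192.64.218)
+;; WHEN: Thu Mar 13 11:21:20 2014
+;; MSG SIZE rcvd: 228
+
+</code>
 [[категория:Лекции]]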
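Review bot: The text added under `== SSH ==` is a `dig . NS` transcript (the root name-server list returned by resolver 212.192.64.218) and says nothing about SSH, so it reads as a mis-paste from a DNS exercise. Presumably the section was meant to show how the switch's vty lines are moved from telnet to SSH (the base config on this page uses `login local` and has no `transport input ssh`), so either replace the block with that configuration or move it to a DNS-related section. If it is kept here, a one-line lead-in such as `Пример ответа резолвера 212.192.64.218 на запрос корневых NS (к SSH не относится)` would at least tell the reader why it is in this section.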
Версия 05:21, 13 марта 2014
AAA на примере FreeRadius
AAA
A — Authentication (аутентификация): проверка, кто подключается
A — Authorization (авторизация): что ему разрешено делать
A — Accounting (учёт): фиксация того, что он делал
local LDAP Kerberos RADIUS TACACS+ SSO
RADIUS-server <---> NAS <---> user
freeradius
# Debian/Ubuntu package; the configuration edited below lives under /etc/freeradius/.
apt-get install freeradius
NAS:
/etc/freeradius/clients.conf
# NAS entry: a device that is allowed to send Access-Request packets to
# this server. Requests are accepted only from ipaddr and must be built
# with the shared secret below.
client 10.13.0.2 {
    ipaddr = 10.13.0.2
    # NOTE(review): "testing123" is the well-known secret from the stock
    # FreeRADIUS example config. The shared secret is what authenticates
    # the NAS and protects User-Password on the wire; use a long random
    # value on anything that is not a lab.
    # NOTE(review): the radtest check further down talks to 127.0.0.1, so
    # it is presumably matched by the stock "localhost" client entry, not
    # by this one - confirm if the test is meant to exercise this client.
    secret = testing123
}
Пользователи:
/etc/freeradius/users
# /etc/freeradius/users: test account. The password is stored in the
# clear on the server.
# NOTE(review): acceptable for a lab only; outside it keep passwords out
# of the users file (LDAP/SQL backend) or at least store a hash
# (e.g. Crypt-Password / SSHA-Password) - note that hashed storage rules
# out CHAP/MS-CHAP, so confirm which auth method the NAS uses.
cisco Cleartext-Password := "ciscocisco"
# Stop the daemon and run it in the foreground with full debug output (-X)
# so the Access-Request / Access-Accept exchange is visible on the terminal.
service freeradius stop
freeradius -X
Проверка:
root@model-net-ctrl-1:~# radtest cisco ciscocisco 127.0.0.1 0 testing123
Sending Access-Request of id 118 to 127.0.0.1 port 1812
User-Name = "cisco"
User-Password = "ciscocisco"
NAS-IP-Address = 212.192.64.218
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=118, length=20
Cisco IOS
default config
Начальная конфигурация коммутатора для работы выглядит так
!
! Base switch configuration before AAA is enabled: local accounts only.
!
service timestamps log datetime msec localtime show-timezone year
!
! Enable password stored as a type-5 (MD5-crypt) hash.
! NOTE(review): type 5 is cheap to crack offline; prefer type 8/9 where the
! IOS image supports them. Any hash pasted into a wiki page should be treated
! as disclosed - regenerate before reusing this config.
enable secret 5 $1$eII1$tBNEV9R6Gzy2cr/9rAaxk1
!
! Local admin account used by "login local" on the vty lines below.
username cisco1 secret 5 $1$d08J$pSSW3WfregkPKjYJAWjyX0
! Legacy AAA model: no method lists yet (switched on in the next section).
no aaa new-model
clock timezone GMT+6 6 0
!
vlan internal allocation policy ascending
!
vlan 88
!
! All access ports in VLAN 88 with portfast (end-host ports, no STP wait).
interface range FastEthernet0/1 - 24
switchport access vlan 88
switchport mode access
spanning-tree portfast
!
! Management SVI: the switch is managed in-band through VLAN 88.
interface Vlan88
ip address 212.192.88.150 255.255.255.0
no shut
!
ip default-gateway 212.192.88.1
!
! Remote access: local user database on all 16 vty lines.
! NOTE(review): there is no "transport input ssh" here, so the IOS default
! transport (which includes telnet, credentials in clear) applies - confirm
! and restrict it once SSH is configured; the SSH section of this page does
! not yet show that.
line vty 0 15
logging synchronous
login local
!
! NOTE(review): plain NTP with no authentication key - the time source is
! trusted as-is; this matters for the log timestamps enabled above.
ntp server 212.192.64.2
AAA new-model
aaa new-model
!
! RADIUS server definition. "key" is the shared secret and must equal the
! "secret" of this switch's client entry on the FreeRADIUS side.
! NOTE(review): the key is shown in clear in the running-config; IOS can at
! best hide it as a reversible type-7 string (service password-encryption),
! so treat "show run" output as sensitive. timeout 2 / retransmit 1 keeps
! the wait on a dead server short before falling through to "local".
radius-server host 212.192.64.174 auth-port 1812 acct-port 1813 timeout 2 retransmit 1 key superciscosecret
!
! Server group referenced by the method list below.
aaa group server radius RAD-GROUP
server 212.192.64.174 auth-port 1812 acct-port 1813
!
! Login method list: try RADIUS first, then the local user database.
! NOTE(review): "local" is consulted only when no server in the group
! answers; an Access-Reject (wrong password) ends the attempt and does NOT
! fall through to local accounts.
aaa authentication login ADMINUSERS group RAD-GROUP local
! new login auth-list "ADMINUSERS" with local fallback
!
! Privileged mode keeps using the enable secret rather than RADIUS.
aaa authentication enable default enable
! use enable password to enter enable mode in default auth-list
!
! NOTE(review): only the vty lines are bound to ADMINUSERS; the console
! (line con 0) is not shown here and will use the "default" login list,
! which this snippet never defines - confirm what that resolves to on
! this image.
!
line vty 0 15
login authentication ADMINUSERS
!
! Verification from exec mode: watch the RADIUS exchange while sending a
! test request through the server group, then switch debugging off again.
! NOTE(review): "test aaa" puts the real password on the command line (and
! in the command history) - use a throwaway test account for this.
term mon
debug radius
test aaa group RAD-GROUP cisco ciscocisco port 1 new-code
un all
term no mon
При недоступном (выключенном) сервере коммутатор после 4 неудачных попыток связаться с ним (см. timeout/retransmit) перейдёт к следующему методу списка — локальной аутентификации. Т.е. без радиус-сервера мы по-прежнему можем попасть на коммутатор под локальным пользователем. Важно: переход на `local` происходит только при отсутствии ответа от RADIUS; если сервер отвечает Access-Reject (неверный пароль), локальная база не проверяется.
freeradius
# Client entry for the switch configured above. The name is free text;
# ipaddr must be the source address of the switch's RADIUS packets (its
# Vlan88 address) and secret must equal the "key" given in the switch's
# radius-server host line.
# NOTE(review): this secret appears in clear on both devices and on this
# page - treat it as disclosed and generate a new long random one before
# reuse outside the lab.
client switch150 {
    ipaddr = 212.192.88.150
    secret = superciscosecret
}
SSH
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20183
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 326320 IN NS f.root-servers.net.
. 326320 IN NS j.root-servers.net.
. 326320 IN NS m.root-servers.net.
. 326320 IN NS c.root-servers.net.
. 326320 IN NS e.root-servers.net.
. 326320 IN NS g.root-servers.net.
. 326320 IN NS i.root-servers.net.
. 326320 IN NS a.root-servers.net.
. 326320 IN NS b.root-servers.net.
. 326320 IN NS k.root-servers.net.
. 326320 IN NS l.root-servers.net.
. 326320 IN NS d.root-servers.net.
. 326320 IN NS h.root-servers.net.
;; Query time: 0 msec
;; SERVER: 212.192.64.218#53(212.192.64.218)
;; WHEN: Thu Mar 13 11:21:20 2014
;; MSG SIZE rcvd: 228