PIX AAA ACS

INSIDE
interface FastEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.254

DMZ
interface FastEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254

OUTSIDE
interface FastEthernet0/0
!
line aux 0
line vty 0 4
!
First, configure AAA with local authentication
Configuration on the PIX
Telnet configuration: Telnet is permitted only from the inside interface
username zhang3 password 123
telnet 172.16.1.1 255.255.255.255 inside
aaa authentication telnet console LOCAL
SSH configuration: any authorized user may log in (from the inside or the outside interface)
pixfirewall(config)# crypto key generate rsa general-keys
username zhang3 password 123
ssh 100.100.100.1 255.255.255.255 outside
ssh 172.16.1.1 255.255.255.255 inside
aaa authentication ssh console LOCAL
TACACS+ with ACS
First you need an ACS server, with the AAA client (the PIX) and the users created on it. Then point the PIX at that server.
Configure the TACACS+ server address on the PIX: 100.100.100.100
pixfirewall(config)# aaa-server AAATEST protocol tacacs+
pixfirewall(config)# aaa-server AAATEST (outside) host 100.100.100.100
pixfirewall(config-aaa-server-host)# key cisco
Test connectivity to the AAA server
pixfirewall(config)# test aaa-server authentication AAATEST host 100.100.100.100 username cisco password abc123
INFO: Attempting Authentication test to IP address <100.100.100.100> (timeout: 12 seconds)
INFO: Authentication Successful
Users defined on the AAA server can then be used for authentication; LOCAL is listed after AAATEST as the fallback method if the server is unreachable
pixfirewall(config)# crypto key generate rsa general-keys
username zhang3 password 123
ssh 100.100.100.1 255.255.255.255 outside
ssh 172.16.1.1 255.255.255.255 inside
aaa authentication telnet console AAATEST LOCAL
aaa authentication ssh console AAATEST LOCAL
ssh 100.100.100.100 255.255.255.255 outside
ssh 100.100.100.1 255.255.255.255 outside
ssh 172.16.1.1 255.255.255.255 inside
telnet 172.16.1.1 255.255.255.255 inside
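An added example, not part of the original lab notes: a small Python audit that reads PIX-style configuration text and reports the mistakes the lab is designed to avoid (Telnet reachable from a non-inside interface, a management protocol with no "aaa authentication ... console" line, a server group with no LOCAL fallback, a reference to an undefined aaa-server group, or a TACACS+ host with no shared key). The two configs embedded below are constructed samples; the hardened one mirrors the lines above, and the "key" line is assumed to appear indented under the aaa-server host entry, as it does in a running config.

```python
import re

# Constructed sample: the running-config form of the lab's AAA lines.
HARDENED_CONFIG = """\
aaa-server AAATEST protocol tacacs+
aaa-server AAATEST (outside) host 100.100.100.100
 key cisco
username zhang3 password 123
aaa authentication telnet console AAATEST LOCAL
aaa authentication ssh console AAATEST LOCAL
ssh 100.100.100.1 255.255.255.255 outside
ssh 172.16.1.1 255.255.255.255 inside
telnet 172.16.1.1 255.255.255.255 inside
"""

# Constructed counter-example carrying the mistakes the audit should catch.
WEAK_CONFIG = """\
aaa-server AAATEST protocol tacacs+
aaa-server AAATEST (outside) host 100.100.100.100
aaa authentication ssh console AAATEST
ssh 0.0.0.0 0.0.0.0 outside
telnet 100.100.100.1 255.255.255.255 outside
"""

ACCESS_RE = re.compile(r"^(ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (ssh|telnet) console\s+(.+)$")
SERVER_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
KEY_RE = re.compile(r"^key\s+\S+$")


def parse_config(text):
    """Collect the management-access facts the audit needs.

    Returns (access, auth, servers):
      access  - list of (protocol, ip, mask, interface) from ssh/telnet lines
      auth    - {protocol: [method, ...]} from aaa authentication lines
      servers - list of {"tag", "host", "key"} for each aaa-server host entry
    """
    access, auth, servers = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            access.append(m.groups())
        elif m := AUTH_RE.match(line):
            auth[m.group(1)] = m.group(2).split()
        elif m := SERVER_RE.match(line):
            servers.append({"tag": m.group(1), "host": m.group(3), "key": False})
        elif KEY_RE.match(line) and servers:
            servers[-1]["key"] = True  # key belongs to the preceding host entry
    return access, auth, servers


def audit(text):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    access, auth, servers = parse_config(text)
    tags = {s["tag"] for s in servers}
    findings = []

    for proto, _ip, mask, iface in access:
        if proto == "telnet" and iface != "inside":
            findings.append(("HIGH", f"telnet permitted on {iface}: cleartext management outside the trusted network"))
        if mask == "0.0.0.0":
            findings.append(("MEDIUM", f"{proto} open to any source address on {iface}"))

    for proto in sorted({a[0] for a in access}):
        methods = auth.get(proto)
        if not methods:
            findings.append(("HIGH", f"no 'aaa authentication {proto} console' line: {proto} logins bypass AAA"))
            continue
        if "LOCAL" not in methods:
            findings.append(("MEDIUM", f"{proto} uses {methods[0]} with no LOCAL fallback: lockout if the server is unreachable"))
        for method in methods:
            if method != "LOCAL" and method not in tags:
                findings.append(("HIGH", f"{proto} references undefined aaa-server group {method}"))

    for s in servers:
        if not s["key"]:
            findings.append(("HIGH", f"aaa-server {s['tag']} host {s['host']} has no shared key: TACACS+ exchange is unauthenticated"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit(cfg) or [("OK", "no findings")]:
            print(f"{severity:6} {message}")
```

Run it against a saved "show running-config" to get the same checks over a real device; the parser only looks at the ssh, telnet, aaa authentication and aaa-server lines, so the rest of the config is ignored.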
Test
INSIDE#telnet 172.16.1.254
Trying 172.16.1.254 ... Open
User Access Verification
Username: cisco
Password: *******
Type help or '?' for a list of available commands.
pixfirewall>
On the ACS