交換路由CCIE之路――AAA實驗

1、實驗 AAA技術(shù)一實驗拓?fù)銩CS服務(wù)器二實驗要求公司希望對公司所有設(shè)備執(zhí)行集中化的用戶認(rèn)證，根據(jù)不同級別的管理員，授予不同的資源訪問。Ø 1.屬于admin組的成員擁有最高執(zhí)行權(quán)力Ø 2.屬于guest組的成員只能使用show 進(jìn)行簡單查看三實驗內(nèi)容客服端為R6，用戶用R5。配置r5(config#int s0r5(config-if#clock rate 64000r5(config-if#no shur6interface Serial0Type escape sequence to abort.!Success rate is 100 percent (5/5, ro

2、und-trip min/avg/max = 32/32/32 msR6為開啟AAAR6>R6>en% No password set發(fā)現(xiàn)只能進(jìn)入用戶模式，這時做如下配置R6(config#lin vty 0 4R6(config-line#privilege level 15再次登錄R6#發(fā)現(xiàn)可以直接進(jìn)特權(quán)模式了。R6開啟AAA,并在服務(wù)器建立2個用戶名user1， user2密碼均為cisco,不做任何其他設(shè)置。R6配置如下：R6(config#aaa new-model /開啟AAAR6(config#aaa authentication login bluefox grou

3、p tacacs+ local /登錄時采用tacacs+,若失效則采用本地數(shù)據(jù)庫R6(config#username user1 password cisco /建立本地數(shù)據(jù)庫R6(config#lin vty 0 4R6(config-line# login authentication bluefox /在遠(yuǎn)程登錄時運(yùn)用認(rèn)證R5再次遠(yuǎn)程登錄Username: user1Password: R6# Username: user2Password: R6#說明只要有正確的用戶名正確的密碼就能登錄現(xiàn)在為了實現(xiàn)實驗要求，我建立2個組，user1 ，user2 為admin組，user3 user

4、4為guest組，在admin組我不做任何設(shè)置，在guest組設(shè)置命名只有show的內(nèi)容允許。R6做如下配置R6(config#aaa authorization commands 0 bluefox group tacacs+ R6(config#aaa authorization commands 1 bluefox group tacacs+ R6(config#aaa authorization commands 2 bluefox group tacacs+ R6(config#aaa authorization commands 3 bluefox group tacacs+ R6

5、(config#aaa authorization commands 4 bluefox group tacacs+ R6(config#aaa authorization commands 5 bluefox group tacacs+ R6(config#aaa authorization commands 6 bluefox group tacacs+ R6(config#aaa authorization commands 7 bluefox group tacacs+ R6(config#aaa authorization commands 8 bluefox group tacac

6、s+ R6(config#aaa authorization commands 9 bluefox group tacacs+ R6(config#aaa authorization commands 10 bluefox group tacacs+ R6(config#aaa authorization commands 11 bluefox group tacacs+ R6(config#aaa authorization commands 12 bluefox group tacacs+ R6(config#aaa authorization commands 13 bluefox gr

7、oup tacacs+ R6(config#aaa authorization commands 14 bluefox group tacacs+ R6(config#aaa authorization commands 15 bluefox group tacacs+R6(config-line#authorization commands 0 bluefox R6(config-line#authorization commands 1 bluefox R6(config-line#authorization commands 2 bluefox R6(config-line#author

8、ization commands 3 bluefox R6(config-line#authorization commands 4 bluefox R6(config-line#authorization commands 5 bluefox R6(config-line#authorization commands 6 bluefox R6(config-line#authorization commands 7 bluefox R6(config-line#authorization commands 8 bluefox R6(config-line#authorization comm

9、ands 9 bluefox R6(config-line#authorization commands 10 bluefox R6(config-line#authorization commands 11 bluefox R6(config-line#authorization commands 12 bluefox R6(config-line#authorization commands 13 bluefox R6(config-line#authorization commands 14 bluefox R6(config-line#authorization commands 15

10、 bluefox現(xiàn)在再次登錄Username: user1Password: R6#R6#show runCommand authorization failed.發(fā)現(xiàn)用沒做任何設(shè)置的用戶組成員，什么都不能干，不滿足要求。查看原因，因為R6啟用了命令授權(quán)，但組admin默認(rèn)授權(quán)命令是全部拒絕，所以要改為全允許才行，這時候再試一次User Access VerificationUsername: user1Password: R6#show runBuilding configuration.用guest組成員登錄User Access VerificationUsername: user3Password: R6#show privilege Current privilege level is 15R6#show runBuilding config