
MAC address access control and telnet/SSH access control based on Cisco ACS


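Lab environment: two PCs, one used as the test PC and one as the ACS server.

Lab description: implement MAC address binding authentication to protect access to the switch, and implement authentication for telnet and SSH access.

This is likewise a security setting for the switch. This lab uses Cisco's AAA authentication server, ACS, to implement it.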

 


MAC authentication bound to a port:

[Quidway]mac-authentication

[Quidway]int e1/0/3

[Quidway-Ethernet1/0/3]mac-authentication

 MAC-authentication is enabled on port Ethernet1/0/3

[Quidway-Ethernet1/0/3]quit

[Quidway]radius scheme xxx

New Radius scheme

[Quidway-radius-xxx]primary ?

 accounting      Specify IP address of primary accounting RADIUS server

 authentication Specify IP address of primary authentication RADIUS server

[Quidway-radius-xxx]primary authentication 192.168.20.3

[Quidway-radius-xxx]server-type standard

[Quidway-radius-xxx]accounting optional

[Quidway-radius-xxx]key authentication 123456

[Quidway-radius-xxx]user    

[Quidway-radius-xxx]user-name-format without-domain

[Quidway-radius-xxx]quit

[Quidway]domain system

[Quidway-isp-system]radius-scheme xxx

[Quidway-isp-system]accounting optional

[Quidway-isp-system]quit

[Quidway]mac-authentication authmode ?

 usernameasmacaddress Specify username and password both equal to the MAC

                        address being authenticated

 usernamefixed         Username and password are fixed

      

[Quidway]mac-authentication authmode usernameasmacaddress ?

 usernameformat Username format

 <cr>           

 

[Quidway]mac-authentication authmode usernameasmacaddress usernameformat ?

 with-hyphen     MAC address with '-', just like XX-XX-XX-XX-XX-XX

 without-hyphen MAC address without '-', just like XXXXXXXXXXXX

[Quidway]mac-authentication authmode usernameasmacaddress usernameformat without-hyphen

 

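Switch configuration is complete.

On the ACS server, set both the username and the password to the PC's MAC address (in the without-hyphen format configured above).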
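
The ACS accounts only match if their text is exactly the string the switch sends for the `usernameformat` chosen above. The following is an added example, not part of the original post: a Python helper that converts an inventory of MAC addresses in mixed notations into username/password pairs and rejects entries that cannot be host addresses. The function names, the sample inventory and the lower-case default are assumptions; check the letter case your switch actually sends against the ACS failed-attempts log.

```python
import re

# Hypothetical helper: turn MAC addresses written in any common notation into
# the username/password string that matches the switch's usernameformat setting.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def mac_to_username(mac, with_hyphen=False, upper=False):
    """Return the MAC as XXXXXXXXXXXX or XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # The low bit of the first octet marks a group (multicast/broadcast)
    # address, which can never be the source MAC of a real host.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address, not a host MAC: {mac!r}")
    if with_hyphen:
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if upper else digits

def build_acs_users(inventory, with_hyphen=False, upper=False):
    """Map an inventory of MACs to (accounts, rejected).

    accounts: sorted list of (username, password) pairs, both equal to the MAC.
    rejected: list of (original_text, reason) for entries that were skipped.
    """
    accounts, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            name = mac_to_username(raw, with_hyphen, upper)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if name in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
            continue
        seen.add(name)
        accounts.append((name, name))
    return sorted(accounts), rejected

# Constructed sample inventory (not from the original post).
SAMPLE = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5e", "001a.2b3c.4d5f",
          "ff:ff:ff:ff:ff:ff", "00-1A-2B-3C-4D"]

if __name__ == "__main__":
    users, skipped = build_acs_users(SAMPLE)
    for name, password in users:
        print(name, password)
    for raw, reason in skipped:
        print("skipped", raw, "-", reason)
```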

 

 


 


 

Then ping the switch from the PC:

 

 


 

Telnet access control:

First create a user user2 on the ACS server, with the password also user2.

 


Then configure the switch:

[Quidway]user-interface vty 0 4

[Quidway-ui-vty0-4]authentication-mode scheme

[Quidway-ui-vty0-4]user privilege level 3

Test:

 


SSH access control:

[Quidway]rsa local-key-pair create

The local-key-pair will be created.

[Quidway]ssh authentication-type default ?

 all                 All authentication

 password            Password authentication

 password-publickey Password and Publickey authentication

 rsa                 RSA authentication

 

[Quidway]ssh authentication-type default all ?

 <cr> 

 

[Quidway]ssh authentication-type default all

 

Test:

 


Test succeeded!


Posted by: admin  Category: CCIE Cisco