Cisco ACS4.1在PIX上的AAA认证

【详细过程】 要求：外网需要TELNET到内网的路由器上，通过ACS做 认证 PIX上的配置如下 interface Ethernet0 nameif inside security-level 100 ip address 172.16.16.1 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 19

【详细过程】
要求：外网需要TELNET到内网的路由器上，通过ACS做认 证

PIX上的配置如下
interface Ethernet0
nameif inside
security-level 100
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.1.1.1 255.255.255.0

access-list 101 extended permit tcp any host 172.16.16.2 eq telnet
access-list outacl extended permit icmp any any
access-list outacl extended permit tcp any host 172.16.16.2 eq 23

aaa-server acs protocol tacacs+
aaa-server acs host 192.168.1.101
key cisco123
aaa authentication match 101 outside acs

telnet 192.168.1.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside

如果要使用虚拟TELNET，加入如下命令：
static (inside,outside) 172.16.16.101 172.16.16.101 netmask 255.255.255.255
virtual telnet 172.16.16.101
aaa authentication match 102 outside acs
access-list 102 extended permit tcp any host 172.16.16.101 eq telnet

TELNET到INSIDE路由器的输出--CCIE115是ACS上面定义的用户，192.1.1.2是外网地址
pixfirewall(config)# sh uau
                          Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'ccie115' at 192.1.1.2, authenticated (idle for 0:00:01)
     absolute   timeout: 0:05:00
     inactivity timeout: 0:00:00

使用虚拟TELNET输出：
wan#telnet 172.16.16.101
Trying 172.16.16.101 ... Open

LOGIN Authentication

Username: ccie115

Password:


Authentication Successful


[Connection to 172.16.16.101 closed by foreign host]
认证成功之后即关闭了虚拟TELNET窗口

在此例中，
删除 access-list outacl extended permit tcp any host 172.16.16.2 eq 23这条命令
添加 access-list 101 extended permit tcp any host 172.16.16.2 eq 23
思想是：不允许OUTSIDE可以直接TELNET到INSIDE，101被AAA调用，通过认证后才可以TELNET到INSIDE

无忧网客联盟专业讨论 网络技术，CCNA CCNP CCIE CCSP

文章转载至http://bbs.net527.cn  无忧网客联盟

无忧网客联 盟主站

无忧linux 时代