
Switch Access Control (recommended)

[Network Security] 2018-01-26
This lab walks through the ways a Cisco switch can authenticate management access, so that unauthorized users are kept off the switch.

Initial configuration

Switch:

    conf t
    int f 0/1
    no switchport
    ip address 10.1.1.2 255.255.255.0
    end

Router:

    conf t
    int e 0
    ip address 10.1.1.1 255.255.255.0
    no shut

Server IP address: 10.1.2.1/24

Connectivity test:

    sw1#ping 10.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 12/52/116 ms

1. Access the switch from the router with the telnet command

Switch:

    conf t
    no service password-recovery
    enable secret ccie
    line vty 0 15
    login
    password ccie
    end

Note that "no service password-recovery" disables the console password-recovery procedure: if the enable secret is lost, the only way back in is to wipe the configuration.

Verify from the router:

    R1#telnet 10.1.1.2
    Trying 10.1.1.2 ... Open

    User Access Verification

    Password: (hidden)
    sw1>en
    Password: (hidden)
    sw1#                  <- now in the switch's privileged EXEC mode
    sw1#quit
    [Connection to 10.1.1.2 closed by foreign host]
    R1#                   <- back on the router

2. Configure a username and password

This stores the username/password pair locally on the switch. On the switch:

    conf t
    username cisco password ccie
    line vty 0 15
    login local
    end

Verify from the router:

    R1#telnet 10.1.1.2
    Trying 10.1.1.2 ... Open

    User Access Verification

    Username: cisco
    Password: (hidden)
    sw1>en
    Password: (hidden)
    sw1#quit
    [Connection to 10.1.1.2 closed by foreign host]
    R1#

3. Configure multiple privilege levels

Create a user on the switch and authorize that user individually:

    conf t
    username cisco privilege 2 password 0 ccie

Verify from the router:

    R1#telnet 10.1.1.2
    Trying 10.1.1.2 ... Open

    User Access Verification

    Username: cisco
    Password:
    sw1#conf t
           ^
    % Invalid input detected at '^' marker.

Why the error? The user lands directly at privilege level 2 (prompt "sw1#", no "enable" needed), but nothing has yet been authorized at that level, so "conf t" is unknown to it. Configure further on the switch:

    privilege exec level 2 configure terminal
    privilege configure level 2 interface
    privilege interface level 2 no switchport
    privilege interface level 2 ip address
    privilege interface level 2 no shutdown

Verify from the router:

    sw1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    sw1(config)#int f 0/2
    sw1(config-if)#no sw
    sw1(config-if)#ip ad 10.1.2.2 255.255.255.0
    sw1(config-if)#shut
    sw1(config-if)#no shut
    sw1(config-if)#^Z
    sw1#quit
    [Connection to 10.1.1.2 closed by foreign host]
    R1#

4. Configure local Authentication/Authorization (AAA) on the switch

AAA with the switch's own local user database:

    conf t
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    username cisco password ccie

Once "aaa new-model" is enabled, the line-level "login" and "login local" commands no longer apply; the vty lines use the "default" login method list.

Verify from the router:

    Username: cisco
    Password:
    sw1>en
    Password:
    sw1#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    sw1(config)#^Z
    sw1#quit
    [Connection to 10.1.1.2 closed by foreign host]
    R1#

Next, authentication, authorization and accounting against a TACACS+ server and a RADIUS server.

TACACS+

1. Configure the TACACS+ server

    conf t
    tacacs-server host 10.1.2.1
    aaa new-model
    aaa group server tacacs+ cisco
     server 10.1.2.1
    exit

The original does not show the shared secret for the TACACS+ server (the RADIUS section below sets one with "radius-server key"); the server group "cisco" is defined but the method lists below reference all TACACS+ servers via "group tacacs+".

2. Configure TACACS+ login authentication

    aaa authentication login default group tacacs+
    line vty 0 15
    login authentication default
    exit

3. Configure TACACS+ EXEC and network authorization

    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+

4. Configure TACACS+ accounting

    aaa accounting network default start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+

RADIUS

1. Configure the RADIUS server

    conf t
    radius-server host 10.1.2.1
    aaa new-model
    aaa group server radius cisco
     server 10.1.2.1
    exit

2. Configure RADIUS login authentication

    aaa authentication login default group radius
    line vty 0 15
    login authentication default
    exit

3. Configure RADIUS EXEC and network authorization

    aaa authorization network default group radius
    aaa authorization exec default group radius

4. Configure RADIUS accounting

    aaa accounting network default start-stop group radius
    aaa accounting exec default start-stop group radius

5. Configure the RADIUS server parameters

    radius-server key ccie
    radius-server retransmit 3
    radius-server timeout 60
    radius-server deadtime 10
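As an added example (not from the original page), a small Python audit that reads an IOS running-config excerpt and flags the weaker or incomplete settings this lab contrasts: a shared vty line password instead of per-user accounts, cleartext "username ... password" instead of "secret", a RADIUS/TACACS+ method list with no shared key configured, and a server-only login method list with no "local" fallback. The sample configs, the finding names and the check for the legacy "tacacs-server key" command are my own assumptions.

```python
import re

# Constructed sample: mirrors the lab's RADIUS steps but omits the shared key
# and a local fallback, so the audit has something to report.
SAMPLE_CONFIG = """\
enable secret ccie
username cisco password 0 ccie
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
radius-server host 10.1.2.1
line vty 0 15
 password ccie
 login authentication default
"""

def vty_blocks(cfg):
    """Return the indented sub-commands of every 'line vty' block."""
    blocks, cur = [], None
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            cur = []
            blocks.append(cur)
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None            # any unindented line ends the block
    return blocks

def audit(cfg):
    """Return finding codes (assumed names) for weak or incomplete settings."""
    f = []
    aaa = re.search(r"^aaa new-model$", cfg, re.M) is not None
    if re.search(r"^enable password ", cfg, re.M):       # type-7/cleartext enable
        f.append("enable-password-plaintext")
    if re.search(r"^username \S+ (privilege \d+ )?password ", cfg, re.M):
        f.append("username-password-not-secret")
    for sub in vty_blocks(cfg):   # without AAA, plain 'login' = shared line password
        if not aaa and "login local" not in sub and "login" in sub:
            f.append("vty-shared-line-password")
    for proto, key in (("radius", "radius-server key"), ("tacacs+", "tacacs-server key")):
        if re.search(rf"^aaa authentication login \S+ group {re.escape(proto)}", cfg, re.M):
            if not re.search(rf"^{key} ", cfg, re.M):
                f.append(f"{proto}-no-shared-key")
    for m in re.finditer(r"^aaa authentication login (\S+) (.*)$", cfg, re.M):
        methods = m.group(2).split()   # e.g. ['group', 'radius', 'local']
        if "group" in methods and "local" not in methods:
            f.append(f"login-{m.group(1)}-no-local-fallback")   # lockout if server is down
    return f
```

Run `audit(SAMPLE_CONFIG)` to see the three findings; the same function returns an empty list once the config uses "username cisco secret", "radius-server key" and "group radius local".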
