AAA Feature Deployment and Testing ---- Qilin (Kirin) Open-Source Bastion Host, Feature Chapter II

Source: Internet
Author: User

In network management, an AAA server is used mainly to authenticate logins to servers and network equipment; Cisco ACS is a common example. With an AAA server, the login accounts of all devices can be moved into the AAA system and managed centrally.

An AAA system also handles authorization and accounting. With TACACS+, both the privilege level a user gets when logging on to a device and the commands that user may execute can be restricted. RADIUS can only restrict the privilege level at login: the standard RADIUS protocol has no per-command authorization attribute, so it cannot restrict individual commands.

A bastion host is also called "small 4A": a security appliance that integrates account management, authentication, authorization and audit. I have tested bastion hosts from several vendors, and some of them provide 3A functionality; its advantage is that network device accounts are managed centrally.

In testing, the 3A function of the Qilin open-source bastion host has one shortcoming: it does not support TACACS+, so commands cannot be restricted on the device side. This can be addressed with the bastion host's own command list feature, because the bastion host sits in the session path and can block commands that RADIUS on the device cannot. Note that this only holds for sessions that actually go through the bastion host; a direct login to the device bypasses the command list.

My deployment steps are as follows:

1. Create a RADIUS account. The RADIUS account is the account used for authentication when logging on to the network device. It is created under Resource Management - Asset Management - RADIUS User.


2. Click Create; the New RADIUS Account dialog pops up. The key fields, user name and password, must be filled in. The remaining fields set the privilege level per device family:

Cisco authorization level: the enable (privilege) level granted when logging on to a Cisco device; any level from 0 to 15 can be set.

DCN (神州数码, Digital China) switch level: the enable level granted when logging on to a DCN switch; if the corresponding checkbox is ticked, the user enters enable level directly on login.

Huawei authorization level: the privilege level granted when logging on to Huawei and H3C devices, which use a four-level privilege model.


3. Once the RADIUS account has been created, it must also be bound to the network device assets it is allowed to use; otherwise the RADIUS account cannot be used at all. An account can only log on to the asset devices it is bound to.

Under Resource Management - Asset Management - Device Management, locate the network device and click its User menu; the user management interface pops up.


In the user edit interface, click Add New User; the new user dialog pops up.


In the new user dialog, tick RADIUS user authentication. The selection box above it then lists all RADIUS accounts added in step 1 of this document.



Select the account, choose the login method, and click Save. The binding is complete, and this RADIUS user can now log on to this device.

If bulk import is needed instead, set the RADIUS user field in the bastion host's Excel user list to Yes; the other fields need no changes.


The RADIUS shared secret defaults to freesvr. It can be changed by logging in to the bastion host's back end; the configuration file is:

/opt/freesvr/auth/etc/raddb/clients.conf

This is the FreeRADIUS clients.conf layout, in which each network device (NAS) is listed with its source IP address and shared secret. Change the default before production use and give each device or device group its own strong secret: the shared secret is the only key material that hides the User-Password and authenticates the server's replies, and a default value published in an article is no secret at all. The same string must be entered on the device side in the key / shared-key line of the templates below.

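The two points above, that RADIUS only ever conveys a privilege level (not per-command permissions) and that the shared secret in clients.conf is the whole basis of trust between the device and the bastion host, are easiest to see in the actual RFC 2865 exchange. The following is an added example written for this page; it is not code from the article or from the freesvr/Qilin bastion host. It builds, in memory, the Access-Request a switch would send for a RADIUS user, hides the User-Password with the shared secret exactly as the RFC specifies, answers with an Access-Accept that carries the login level as the Cisco VSA cisco-avpair "shell:priv-lvl=15", and shows the NAS-side Response Authenticator check rejecting a reply computed under a different secret. The user name test, the password, the NAS address 10.68.1.1 and the secret freesvr are made-up sample values; nothing is sent on the network.

```python
"""RFC 2865 RADIUS exchange for a bastion-host device login, in miniature.
Added example, not code from the article or from the freesvr/Qilin bastion host.
All packets are built in memory; usernames, addresses and the sample secret are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6      # privileged EXEC on login
VENDOR_CISCO, CISCO_AVPAIR = 9, 1    # cisco-avpair, e.g. "shell:priv-lvl=15"

def password_xor(data, secret, request_auth, hide=True):
    """RFC 2865 s5.2 User-Password hiding and its inverse: null-pad to 16-byte blocks,
    XOR each block with MD5(secret || previous ciphertext block), the first block with
    the Request Authenticator. The shared secret is the only key material involved."""
    if hide:
        data = data + b"\x00" * (-len(data) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def attribute(attr_type, value):
    """TLV; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor 9, sub-type 1."""
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + attribute(CISCO_AVPAIR, text))

def parse_attributes(body):
    """List of (type, value); rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def build_access_request(user, password, secret, nas_ip, ident=1, request_auth=None):
    """What the NAS (switch) sends; the Request Authenticator must be fresh and random."""
    request_auth = request_auth or os.urandom(16)
    body = (attribute(USER_NAME, user)
            + attribute(USER_PASSWORD, password_xor(password, secret, request_auth))
            + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_access_accept(request, secret, attrs):
    """Server reply to `request`, authenticated with the same shared secret."""
    body = b"".join(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, request[1], request[4:20], body, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body)) + auth + body

def reply_is_authentic(reply, request, secret):
    """NAS-side check: False on wrong secret, forged reply, or ID/length mismatch."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def privilege_level(attrs):
    """Level from cisco-avpair 'shell:priv-lvl=N', or None if absent. RADIUS carries
    only this level; per-command authorization needs TACACS+."""
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", VENDOR_CISCO):
            continue
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == CISCO_AVPAIR and sub_value.startswith(b"shell:priv-lvl="):
                return int(sub_value.split(b"=", 1)[1])
    return None

def simulate_login(secret=b"freesvr", level=15):
    """Round trip between a pretend switch (10.68.1.1) and the bastion's RADIUS server.
    Returns (reply code, privilege level, request bytes, reply bytes)."""
    request = build_access_request(b"test", b"Test#2016", secret, "10.68.1.1")
    # Server side: recover the password with the same secret, then grant the level.
    hidden = dict(parse_attributes(request[20:]))[USER_PASSWORD]
    if password_xor(hidden, secret, request[4:20], hide=False) != b"Test#2016":
        raise RuntimeError("password recovery failed")
    reply = build_access_accept(request, secret, [
        attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
        cisco_avpair(b"shell:priv-lvl=%d" % level)])
    # NAS side: drop anything that does not verify under the configured secret.
    if not reply_is_authentic(reply, request, secret):
        raise RuntimeError("reply failed the Response Authenticator check")
    return reply[0], privilege_level(parse_attributes(reply[20:])), request, reply
```

Running simulate_login() returns code 2 (Access-Accept) and level 15; calling reply_is_authentic on that same reply with any other secret returns False. Two things the code makes concrete: the password hiding is MD5-keyed by the shared secret, so anyone who knows the default secret and can capture the UDP exchange recovers every device password, and the server's reply is authenticated by nothing but that same secret, so a weak or shared default lets an attacker on the path forge an Access-Accept with priv-lvl=15. Both are reasons to edit clients.conf before the first device is pointed at the bastion host.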

Network device configuration templates:

H3C configuration template (older Comware releases):

1. Create a RADIUS scheme. Here bris is the scheme name and can be chosen freely. server-type standard means the server performs no authorization; server-type extended enables H3C extended authorization. For logins through the bastion host, configure user-name-format with-domain instead of without-domain.

radius scheme bris
 server-type standard
 primary authentication 118.186.17.101
 accounting optional
 key authentication freesvr
 user-name-format without-domain
#

2. Create a domain. Here bris is the domain name, which can also be chosen freely, and the RADIUS scheme bris created above is bound to it. domain system is the device's built-in default domain; because the default domain is not changed here, users must give the domain explicitly at login (see step 4).

domain bris
 scheme radius-scheme bris
domain system

3. Set the VTY lines to allow Telnet login with scheme (AAA) authentication. Telnet carries the credentials in cleartext, so on platforms that support it use SSH instead (protocol inbound ssh under the same user-interface view).

user-interface vty 0 4
 authentication-mode scheme

4. Note that on the H3C switch you must log in as username@domain, where username is the user created on the 3A system and domain is the domain configured in step 2. For example, I created a user named test on the 3A server, so the login is test@bris.

H3C configuration template (newer Comware releases):

Specify the default domain in which users are authenticated. Configure this line last, after the scheme and domain below exist:

domain default enable radius

In system view, create the RADIUS scheme:

radius scheme h3c
 primary authentication 10.68.1.217
 primary accounting 10.68.1.217
 key authentication freesvr
 key accounting freesvr
 user-name-format without-domain

Configure the authentication domain. Its name must match the one in the domain default enable line above; local is the fallback when the RADIUS server is unreachable:

domain radius
 authentication login radius-scheme h3c local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

Cisco device configuration template

1. Create a local user.

username test password test

A local user must exist; otherwise, when RADIUS fails, you cannot fall back to local authentication and are locked out of the device. Prefer username test secret <password> over the password keyword so that IOS stores a hash rather than a plaintext or reversible type 7 string.

2. Configure the 3A server.

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
ip radius source-interface loopback0
radius-server host 118.186.17.101 auth-port 1812 acct-port 1813 key freesvr

Because ip radius source-interface loopback0 makes the device send RADIUS traffic from its loopback address, that loopback address, not the interface facing the bastion host, is the client address that must be listed in the bastion host's clients.conf.

Huawei configuration template

Create a local user (skip this if one already exists; without it, you cannot log in locally when RADIUS is down):

aaa
 local-user huawei password cipher huawei.123
 local-user huawei service-type ssh

For Telnet instead of SSH, use local-user huawei service-type telnet.

Create the RADIUS server template; change the server IP addresses to those of your bastion host. On newer VRP releases the key is entered as radius-server shared-key cipher freesvr.

radius-server template cisco
 radius-server shared-key freesvr
 radius-server authentication 199.1.20.4 1812
 radius-server authentication 199.1.20.5 1812 secondary
 radius-server accounting 199.1.20.4 1813
 radius-server accounting 199.1.20.5 1813 secondary
 radius-server retransmit 2
 undo radius-server user-name domain-included

Create the authentication scheme (RADIUS first, local as fallback):

aaa
 authentication-scheme aaarenzheng
  authentication-mode radius local

Create the accounting scheme:

 accounting-scheme aaaacounting
  accounting-mode radius
  accounting start-fail online

Bind the authentication scheme and the RADIUS template to the default_admin domain, which is the domain Huawei uses for management (administrator) logins:

 domain default_admin
  authentication-scheme aaarenzheng
  radius-server cisco

Note that this template creates the accounting scheme but does not bind it to the domain; if accounting records are wanted on the bastion host, also add accounting-scheme aaaacounting under domain default_admin.

