Use the AAA Server to bind mac addresses to clients for secure communication
Introduction to AAA:
AAA stands for Authentication, Authorization, and Accounting.
It provides a consistent framework for configuring the authentication, authorization, and accounting security features, and is a way of managing network security.
Here network security mainly refers to access control, including:
Which users can access the network server?
What services can a user who has been granted access obtain?
How are users who consume network resources charged?
AAA can complete the following services:
Authentication: Verify that the user has access permissions.
Authorization: determines which services an authenticated user may use.
Accounting: records the usage of network resources.
Advantages of AAA:
(1) Flexible and easy to control.
(2) Standardized authentication methods.
(3) Multiple backup systems.
AAA configuration process:
Basic AAA configuration includes: enabling AAA, configuring authentication, configuring authorization, and configuring accounting.
Advanced AAA configuration includes: configuring the local user database, configuring the local IP address pool, and assigning IP addresses to PPP users.
Case: verify the client's information (MAC address) against the AAA server within the VLAN.
Experimental equipment: a Windows Server 2003 virtual machine as the server, a Huawei layer-3 switch S2000, and a Huawei router R2621.
The topology is as follows:
Tutorial steps:
Configure the AAA server on Windows Server 2003 and create a user whose name is the MAC address of the switch.
You also need to create a scope:
Next, configure the layer-3 switch:
[Quidway] int Vlan-interface 1 # Enter VLAN 1 and add an IP address #
[Quidway-Vlan-interface1] ip add 192.168.30.10 ?
INTEGER<0-32> IP mask length
X.X.X.X IP mask
[Quidway-Vlan-interface1] ip add 192.168.30.10 24
[Quidway-Vlan-interface1] ping 192.168.30.201 # The switch and the AAA server can now reach each other #
PING 192.168.30.201: 56 data bytes, press CTRL_C to break
Reply from 192.168.30.201: bytes=56 Sequence=1 ttl=128 time=21 ms
Reply from 192.168.30.201: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 192.168.30.201: bytes=56 Sequence=3 ttl=128 time=4 ms
Reply from 192.168.30.201: bytes=56 Sequence=4 ttl=128 time=4 ms
Reply from 192.168.30.201: bytes=56 Sequence=5 ttl=128 time=4 ms
--- 192.168.30.201 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
Round-trip min/avg/max = 4/7/21 ms
[Quidway-Vlan-interface1] quit
[Quidway] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen # Set the authentication mode: the client's MAC address, written with hyphens, is used as the user name #
[Quidway] int e1/0/24
[Quidway-Ethernet1/0/24] mac-authentication # Enable MAC authentication on port 24 #
[Quidway-Ethernet1/0/24] quit
[Quidway] radius scheme xxx
[Quidway-radius-xxx] key authentication 123456 # Set the shared secret for authentication packets to 123456 #
[Quidway-radius-xxx] accounting optional # Keep users online even if no accounting server responds #
[Quidway-radius-xxx] server-type standard # Use the standard RADIUS server type #
[Quidway-radius-xxx] user-name-format without-domain # Send the user name to the RADIUS server without a domain name #
[Quidway-radius-xxx] quit
[Quidway] domain system
[Quidway-isp-system] radius-scheme xxx # Bind the system domain to the RADIUS scheme xxx #
[Quidway-isp-system] access-limit enable 10 # Limit the number of users that can be authenticated simultaneously #
[Quidway-isp-system] accounting optional # Accounting is not used here, but the accounting behaviour must still be specified #
[Quidway-isp-system] quit
[Quidway]
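As an added illustration (not part of the original tutorial), the following Python reproduces what the switch sends to the RADIUS server for a MAC-authenticating client and what the server then checks: the MAC formatted as the with-hyphen user name, the User-Password hidden with the shared secret 123456 as RFC 2865 specifies, and the server-side comparison against the user created in IAS. It assumes that in usernameasmacaddress mode the switch sends the MAC as both user name and password; the MAC 00-11-22-33-44-55 used in testing is a constructed sample.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"123456"  # 'key authentication 123456' from the switch configuration

def mac_username(mac: bytes, with_hyphen: bool = True) -> str:
    """6-byte MAC as sent under 'usernameformat with-hyphen' (aa-bb-cc-dd-ee-ff)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return ("-" if with_hyphen else "").join(f"{b:02x}" for b in mac)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # the first block is keyed on the Request Authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ d for c, d in zip(prev, digest))
    return out.rstrip(b"\x00")

def build_access_request(mac: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Access-Request (Code 1) with User-Name (1) and User-Password (2); assumes both carry the MAC."""
    auth = os.urandom(16)  # Request Authenticator
    name = mac_username(mac).encode()
    pw = hide_password(name, secret, auth)
    attrs = bytes([1, 2 + len(name)]) + name + bytes([2, 2 + len(pw)]) + pw
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def server_accepts(packet: bytes, secret: bytes, allowed_macs: set) -> bool:
    """IAS-side check: the MAC user exists and the revealed password equals the user name."""
    # A MAC address is not a secret: this identifies a device, it does not prove its identity.
    auth, body, attrs = packet[4:20], packet[20:], {}
    while body:
        length = body[1] if len(body) > 1 else 0
        if length < 2:  # malformed attribute: refuse instead of looping forever
            return False
        attrs[body[0]], body = body[2:length], body[length:]
    name = attrs.get(1, b"").decode()
    return name in allowed_macs and reveal_password(attrs.get(2, b""), secret, auth) == name.encode()
```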
Check the configuration of port 24:
[Quidway] dis mac-authentication int e1/0/24 # View the MAC authentication state of port 24 #
Ethernet1/0/24 is link-down
MAC address authentication is Enabled
Authenticate success: 0, failed: 1
Current online user number is 0
Mac addr Authenticate state AuthIndex
Test with the router as the client:
Configure only one IP address: [R3-Ethernet0] ip add 192.168.30.2 24
Ping the IP address of the switch; the AAA service on the virtual machine verifies the MAC address.
[R3-Ethernet0] ping 192.168.30.10
PING 192.168.30.10: 56 data bytes, press CTRL_C to break
Reply from 192.168.30.10: bytes=56 Sequence=0 ttl=255 time=1 ms
Reply from 192.168.30.10: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.30.10: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.30.10: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.30.10: bytes=56 Sequence=4 ttl=255 time=1 ms
--- 192.168.30.10 ping statistics ---
5 packets transmitted
5 packets received
0.00% packet loss
Round-trip min/avg/max = 1/1/1 ms
IAS authentication succeeds, and communication is now bound to the MAC address.