1. Background: integrating Cisco devices with Microsoft systems:
The company has a number of client computers. To manage them in a unified way, a domain architecture is deployed internally so that the clients can be managed in batches through Group Policy, which improves management efficiency. The same company also has a certain number of network devices (switches, routers, firewalls, etc.), which are managed remotely over Telnet.
In this case we want users who remotely manage the network devices to be authenticated by Microsoft's DC (domain controller). This unifies authentication, avoids maintaining several separate authentication systems, and greatly simplifies the company's management.
2. Building a simulation environment:
The core of the environment is shown in the topology figure: a DC (domain controller, which manages the network domain), a RADIUS server (which provides authentication for the Cisco devices and integrates with the Microsoft environment), a switch, a router and a PC client.
(This experiment builds on the Cisco and Microsoft Integration Lab Series article on the environment-building steps for integrating the Cisco emulator GNS3 with VMware virtual machines.)
1) First build the environment in the GNS3 simulator. A Cloud node stands in for the switch and, following the method described in that series, is bridged to the virtual machine NIC VMnet1. (See "Integration of the Cisco emulator GNS3 and VMware virtual machines" for the detailed steps.)
2) Open three virtual machines in VMware: a) 03server1, b) 03server2, c) XP1, which simulate a) the DC domain controller, b) the RADIUS server and c) Alice's client, respectively. Bridge the network adapters of all three to VMnet1 so that they connect to the Cloud node in GNS3; this completes the environment we set out to build. (See "Integration of the Cisco emulator GNS3 and VMware virtual machines" for the specific steps.)
3) Configure the IP address and mask on interface f0/0 of router R1:
R1(config)#interface f0/0
R1(config-if)#ip address 10.0.0.11 255.255.255.0
R1(config-if)#no shutdown
4) Configure the IP addresses of the three virtual machines: IP address 10.0.0.x, subnet mask 255.255.255.0, default gateway 10.0.0.11, preferred DNS server 10.0.0.2, where the DNS server is the DC domain controller.
5) If pinging XP1 (10.0.0.100) keeps failing during the connectivity check, turn off the firewall on XP1 and ping again.
3. Specific implementation steps:
Step 1: Promote 03server1 to a DC domain controller:
a) Start --> Run --> type dcpromo --> OK
b) The Active Directory Installation Wizard opens.
c) Click Next until "Create a new domain" appears, then enter the domain name, for example ilync.cn --> Next
d) Click Next until you are asked to enter the password for the configuration --> Next
e) Click Next and wait for the installation wizard to finish --> Finish --> Restart Computer --> wait for the restart
Step 2: Create the user Alice on 03server1:
a) Start --> Administrative Tools --> Active Directory Users and Computers --> click the "Create a new organizational unit in the current container" button --> the New Object - Organizational Unit dialog box opens
b) Enter the name of the organizational unit to create, such as Sales --> OK
c) Sales now appears in Active Directory Users and Computers --> click "Sales" --> click the "Create a new user in the current container" button --> the New Object - User dialog box opens
d) Enter the name of the user to add, such as Alice --> Next
e) Enter the user's logon password and tick the options marked in the red box --> Next --> Finish
f) The user Alice now appears in Active Directory Users and Computers. Click the "Create a new group in the current container" button --> enter the group name Telnet --> the new Telnet group appears in Active Directory Users and Computers
g) Add the user Alice to the Telnet group: double-click the Telnet group --> the Telnet Properties dialog box opens --> on the Members tab click Add --> in the Select Users, Contacts, or Computers dialog box, enter the name of the user to add to the group, such as Alice --> click the "Locations" button --> select ilync.cn --> OK --> OK
Step 3: Join 03server2 and XP1 to the domain ilync created on 03server1:
a) On 03server2 and XP1, right-click My Computer --> Properties --> Computer Name tab --> Change --> the Computer Name Changes dialog box opens.
b) In the dialog box select the Domain option and enter the name of the domain to join --> the Computer Name Changes credentials dialog box appears.
c) Enter the account name and password authorized to join the domain --> OK --> the "Welcome to the ilync domain" dialog box appears --> OK --> the restart prompt appears --> OK --> click OK in the original System Properties dialog box --> Restart --> Yes
(Note: the above is performed on 03server2 and then likewise on XP1.)
d) After the reboot, log in to the domain: click "Options" --> in the "Log on to" drop-down box select "Ilync" --> enter the user name --> enter the password --> OK
Step 4: Add the RADIUS component (Internet Authentication Service) on 03server2:
a) Start --> Control Panel --> Add or Remove Programs --> Add/Remove Windows Components --> in the Windows Components Wizard dialog box select Networking Services --> Details
b) In the Networking Services dialog box tick Internet Authentication Service --> OK --> Next --> Finish
c) Start --> Administrative Tools --> Internet Authentication Service --> right-click Internet Authentication Service (Local) --> click "Register Server in Active Directory" --> OK
d) Right-click RADIUS Clients --> New RADIUS Client --> the New RADIUS Client dialog box opens
e) In the New RADIUS Client dialog box enter the name and IP address of the client to add, i.e. the R1 router in our environment and its IP address (10.0.0.11) --> Next
f) Enter the shared secret: this is the key configured in R1's AAA authentication (step 5), i.e. the key R1 presents to the RADIUS server.
g) Right-click Remote Access Policies --> New Remote Access Policy --> Next --> select "Set up a custom policy" and enter the policy name --> Next
h) Add --> select the Windows-Groups condition type --> Add
i) In the Groups dialog box click Add --> in the Select Groups dialog box click "Locations" --> select ilync.cn --> enter the name of the group to add --> OK --> Next
j) Under Permissions select "Grant remote access permission" --> Next --> Edit Profile --> Authentication tab --> tick unencrypted authentication --> close the Routing and Remote Access dialog box that appears --> OK --> Next --> Finish
Step 5: On R1, configure AAA authentication against the RADIUS server:
R1(config)#aaa new-model
! the RADIUS server (03server2) and the shared key; it must match the shared secret entered for the RADIUS client in step 4 f)
R1(config)#radius-server host 10.0.0.3 key 123.com
! method list named Telnet: authenticate logins against the RADIUS server group
R1(config)#aaa authentication login Telnet group radius
! method "none": enable (privileged) mode is left unauthenticated in this lab
R1(config)#aaa authentication enable default none
! apply the Telnet method list to the virtual terminal lines used by Telnet
R1(config)#line vty 0 4
R1(config-line)#login authentication Telnet
Step 6: Verify that host XP1 can remotely access R1:
a) On XP1, click Start --> Run --> type cmd --> telnet 10.0.0.11
b) At the Telnet prompt enter the user name (in domain\username form) and the password checked by the AAA authentication configured on R1.
Result: XP1's remote access to R1 fails!
c) Find the reason for the failure in Event Viewer on 03server2: Start --> Administrative Tools --> Event Viewer --> System --> double-click the warning entry generated by the event on the right to open the Event Properties dialog box --> you can see that the user was denied access
d) Workaround: allow the user access on 03server1: open Active Directory Users and Computers on 03server1 --> double-click the user Alice --> the Alice Properties dialog box opens --> on the Dial-in tab select "Allow access" --> OK
e) Telnet to R1 from XP1 again to verify remote access:
Result: XP1's remote access to R1 succeeds!
f) Check Event Viewer on 03server2 again: no warning appears among the event entries; double-click the top-most Information entry to view it --> you can see that the user was granted access
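The RADIUS exchange that steps 5 and 6 set up, written out as an added Python example (not code from the original article or from Cisco or Microsoft): R1 acts as the NAS and sends an RFC 2865 Access-Request carrying the Telnet user name and the password encrypted with the shared key 123.com in the User-Password attribute (the PAP-style exchange that is why the policy in step 4 j) needs unencrypted authentication ticked); the server checks the password and then the account's "Allow access" dial-in flag, which is the check that rejects Alice in step 6 until it is set, and signs its reply with a Response Authenticator that the NAS verifies. The user table DOMAIN_USERS, the password value, the Reply-Message texts and the function names are constructed for this example; the IP addresses and the shared key are the page's own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

# Shared key from the page's "radius-server host 10.0.0.3 key 123.com" line.
SHARED_SECRET = b"123.com"

# Constructed stand-in for what the DC knows about Alice: her password and the
# "Allow access" dial-in flag that step 6 of the page turns on. Not real data.
DOMAIN_USERS = {"ilync\\Alice": {"password": "Alice-pw-CONSTRUCTED", "dial_in_allowed": False}}


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with MD5(secret + previous
    ciphertext block), where the Request Authenticator seeds the first block."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decrypt_user_password(ciphertext: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret=SHARED_SECRET):
    """NAS side (R1): Access-Request for a Telnet login. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)  # fresh random value per request (RFC 2865 section 3)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def handle_access_request(packet, users, secret=SHARED_SECRET):
    """Server side (IAS): check the password, then the dial-in flag, which is what
    produces the 'denied access' event in step 6 until Allow access is ticked."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    account = users.get(username)
    if account is None or password != account["password"].encode():
        reply_code, message = ACCESS_REJECT, b"bad credentials"
    elif not account["dial_in_allowed"]:
        reply_code, message = ACCESS_REJECT, b"remote access permission denied"
    else:
        reply_code, message = ACCESS_ACCEPT, b"welcome"
    reply_attrs = attribute(REPLY_MESSAGE, message)
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs


def verify_response(response, request_auth, secret=SHARED_SECRET):
    """NAS side: a reply whose Response Authenticator does not verify is discarded."""
    length = struct.unpack("!BBH", response[:4])[2]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def telnet_login(username, password, users=DOMAIN_USERS):
    """One complete exchange for a Telnet login to R1 (10.0.0.11)."""
    request, request_auth = build_access_request(7, username, password, "10.0.0.11")
    response = handle_access_request(request, users)
    if not verify_response(response, request_auth):
        return "invalid response"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print("before Allow access:", telnet_login("ilync\\Alice", "Alice-pw-CONSTRUCTED"))
    DOMAIN_USERS["ilync\\Alice"]["dial_in_allowed"] = True
    print("after Allow access:", telnet_login("ilync\\Alice", "Alice-pw-CONSTRUCTED"))
```

Two things the exchange makes visible that the GUI steps do not: the only protection on the user's password between R1 and 03server2 is the shared key entered in step 4 f) and step 5 (MD5 keystream, no integrity on the request), so the key should be long and random and the NAS-to-server path kept on a management network; and the NAS must verify the Response Authenticator before honouring an Access-Accept, which is what verify_response does on R1's behalf.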
Unified management of Cisco network devices using domain accounts