Use a domain account to centrally manage Cisco network devices
1. Background of integrating Cisco devices with Microsoft systems:
The company has a certain number of client computers. To manage them uniformly, a domain architecture is deployed so that the clients can be managed in batches through Group Policy, improving management efficiency.
Likewise, the company has a certain number of internal network devices (switches, routers, firewalls, etc.), which are managed remotely through Telnet.
In this case, the goal is for users to manage the network devices remotely while being authenticated by the Microsoft DC (Domain Controller). This simplifies authentication, avoids maintaining several separate authentication systems, and greatly simplifies the company's IT management.
2. Building a simulated environment:
The core of the environment is as follows: a DC (Domain Controller, for domain management of the network), a RADIUS server (for Cisco device authentication and compatibility with the Microsoft environment), a switch, a router, and a PC client. (This experiment builds on the environment set up in "Integration of the Cisco simulator GNS3 and the VMware virtual machine".)
1) First, build the environment in the GNS3 simulator: we use a cloud node in place of the switch, and bridge the cloud to the virtual machine network card VMnet1. (For detailed steps, see "Integration of the Cisco simulator GNS3 and the VMware virtual machine".)
2) Start three VMs in VMware: a) 03Server1, b) 03Server2, c) XP1, which play the roles of a) the DC Domain Controller, b) the RADIUS server, and c) Alice's client. Connect the three NICs to VMnet1 so that they can reach the cloud in GNS3; this gives us the environment we want. (For detailed steps, see "Integration of the Cisco simulator GNS3 and the VMware virtual machine".)
3) Configure the IP address and mask of interface f0/0 on router R1:
R1(config)# int f0/0
R1(config-if)# ip add 10.0.0.11 255.255.255.0
R1(config-if)# no shutdown
4) Configure the IP address 10.0.0.x, subnet mask 255.255.255.0, default gateway 10.0.0.11, and preferred DNS server 10.0.0.2 (the DNS server is the DC Domain Controller).
5) If pinging XP1 (10.0.0.100) fails, disable the firewall on XP1 and ping again.
3. Specific steps:
Step 1: Promote 03Server1 to a DC Domain Controller:
A) Start --> Run --> enter dcpromo --> OK
B) The Active Directory Installation Wizard opens:
C) Keep clicking Next until you reach "Create a new domain"; enter the domain name, for example ilync.cn --> Next
D) Keep clicking Next --> enter the configured password --> Next
E) Keep clicking Next --> wait for the Installation Wizard to complete --> click Finish --> click Restart Now --> wait for the reboot
Step 2: Create the user Alice on 03Server1:
A) Start --> Administrative Tools --> Active Directory Users and Computers --> click the "Create a new organizational unit in the current container" button --> the Create Object - Organizational Unit dialog box opens
B) Enter the name of the organizational unit to be created, for example sales department --> OK
C) "sales" now appears in Active Directory Users and Computers --> click "sales" --> click the "Create a new user in the current container" button --> the Create Object - User dialog box opens
D) Enter the name of the user to be added, for example Alice --> Next
E) Enter the user's logon password and check the options shown in the red box --> Next --> Finish
F) The user Alice now appears in Active Directory Users and Computers --> click the "Create a new group in the current container" button --> enter the group name --> OK --> a new group named telnet is created in Active Directory Users and Computers.
G) Add Alice to the telnet group: double-click the telnet group --> the telnet Properties dialog box opens --> under the Members tab --> Add --> the Select Users, Contacts, or Computers dialog box opens --> enter the name of the user to add to the group, for example Alice --> click the "Locations" button --> select ilync.cn --> OK
Step 3: Join 03Server2 and XP1 to the ilync domain created on 03Server1:
A) On 03Server2 and XP1, right-click My Computer --> Properties --> click the Computer Name tab --> Change --> the Computer Name Changes dialog box opens.
B) In the dialog box, select the Domain option --> enter the name of the domain to join --> OK --> the Computer Name Changes dialog box appears.
C) In the dialog box, enter the name and password of an account that is allowed to join computers to the domain --> OK --> the "Welcome to the ilync domain" dialog box appears --> OK --> the "Restart computer" dialog box appears --> OK --> in the original System Properties dialog box, click OK --> Restart computer --> Yes
D) After the restart, log on to the domain: click "Options", select "ILYNC" in the "Log on to" menu, enter the user name and password, and click OK.
Step 4: Add the RADIUS service component on 03Server2:
A) Start --> Control Panel --> Add or Remove Programs --> Add/Remove Windows Components --> the Windows Components Wizard dialog box opens --> Networking Services --> Details
B) In the Networking Services dialog box --> check Internet Authentication Service --> OK --> Next --> Finish
C) Start --> Administrative Tools --> Internet Authentication Service --> right-click Internet Authentication Service (Local) --> click "Register Server in Active Directory" --> OK
D) Right-click RADIUS Clients and choose New RADIUS Client. The New RADIUS Client dialog box opens.
E) In the New RADIUS Client dialog box, enter the name and IP address of the client to add; in our environment this is the R1 router and its IP address --> Next
F) Enter the shared secret, i.e. the key used in the AAA authentication configuration, that is, the password to be entered when you log on to R1 --> Finish
G) Right-click "Remote Access Policies" --> New Remote Access Policy --> Next --> select "Set up a custom policy" and enter the policy name --> Next
H) Add --> select the Windows-Groups type --> Add
I) In the Groups dialog box, click Add --> the Select Groups dialog box opens --> click "Locations" --> select ilync.cn --> enter the name of the object to add --> OK --> Next
J) Under permissions, select "Grant remote access permission" --> Next --> Edit Profile --> under the Authentication tab --> check unencrypted authentication (PAP) --> OK --> Yes --> close the Routing and Remote Access dialog box --> Next --> Finish
Step 5: Configure AAA authentication against the RADIUS server on R1:
R1(config)# aaa new-model
R1(config)# radius-server host 10.0.0.3 key 123.com
R1(config)# aaa authentication login telnet group radius
R1(config)# aaa authentication enable default none
R1(config)# line vty 0 4
R1(config-line)# login authentication telnet
Step 6: Verify remote access to R1 from host XP1:
A) On XP1, click Start --> Run --> enter cmd --> telnet 10.0.0.11
B) At the telnet prompt, enter the user name in the form domain name\user name --> enter the AAA authentication password configured on R1
The result: XP1's remote access to R1 failed!
C) Check the cause of the failure in the Event Viewer on 03Server2: Start --> Administrative Tools --> Event Viewer --> System. Double-click the warning entry generated on the right to open the Event Properties dialog box; it shows that the user was denied access.
D) Solution: set the user's access permission on 03Server1: on 03Server1, open Active Directory Users and Computers --> double-click the user Alice --> the user Properties dialog box opens --> under the Dial-in tab --> select "Allow access" --> OK
E) Telnet to R1 from XP1 again to verify remote access:
The result: XP1's remote access to R1 succeeded!
F) View the Event Viewer on 03Server2: no warning appears among the event entries. Double-click the top information entry to view it --> you can see that the user was granted access
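To make clear what the shared secret from Step 4 F / Step 5 and the "Allow access" dial-in flag from Step 6 D actually do on the wire, here is an added example (not part of the original post, and not Cisco's or Microsoft's code) that models the RADIUS Access-Request / Access-Accept exchange between R1 and 03Server2 in PAP mode as described by RFC 2865. The user database, the passwords and the NAS address 10.0.0.11 are constructed stand-ins; the secret 123.com comes from the R1 configuration above.

```python
import hashlib, os, struct

SECRET = b"123.com"  # shared secret from the R1 config ("radius-server host 10.0.0.3 key 123.com")
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
# Constructed stand-in for the domain accounts: name -> (password, dial-in "Allow access" flag)
USERS = {"ilync\\alice": ("Alice_pw_1", True), "ilync\\bob": ("Bob_pw_2", False)}

def xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else chunk  # the cipher block is the output when hiding, the input when not
    return out

def attr(kind, value):  # RADIUS attribute TLV: type, length (including header), value
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, user, password, secret):  # NAS side (R1)
    req_auth = os.urandom(16)  # Request Authenticator, fresh per request
    padded = password.encode().ljust((len(password) + 15) // 16 * 16, b"\x00")
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, xor_chain(padded, secret, req_auth, True))
             + attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 11])))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def radius_server(packet, secret, users):  # RADIUS/IAS side (03Server2)
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = xor_chain(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\x00")
    entry = users.get(attrs[USER_NAME].decode().lower())
    ok = entry is not None and entry[0].encode() == pw and entry[1]  # wrong secret => garbage pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def authenticate(user, password, nas_secret=SECRET, server_secret=SECRET):
    request = build_access_request(7, user, password, nas_secret)  # one telnet login attempt
    response = radius_server(request, server_secret, USERS)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + nas_secret).digest()
    if response[4:20] != expected:
        return "bad-authenticator"  # R1 and the server disagree on the shared secret
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

The case of a correct password with the dial-in flag cleared reproduces the "access denied" event seen in Step 6 C, and a mismatched key on either side produces a response R1 cannot verify.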
This completes the experiment!
R1 can now be configured from XP1!