Huawei Device Security: AAA Authentication
AAA is short for the three functions of the system: Authentication: verifying the user's identity and which network services the user may use;
Authorization: granting network services to the user according to the result of authentication;
Accounting.
AAA: Authentication, Authorization and Accounting. A system developed by Cisco to provide network security. See also authentication, authorization and accounting.
Lab objective: hosts obtain IP addresses dynamically via DHCP, and Telnet access to the switch requires AAA authentication.
Lab topology:
Lab equipment: Huawei S2000 switch, H3C firewall.
Lab procedure:
Server-side configuration:
Switch configuration:
dis cu
#
 sysname SW1
#
 dot1x
 dot1x authentication-method pap
#
radius scheme system
radius scheme xxx
 server-type standard
 primary authentication 192.168.30.1
 accounting optional
 key authentication 123456
 user-name-format without-domain
#
domain system
domain test
 scheme radius-scheme xxx
 access-limit enable 10
 accounting optional
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
 ip address 192.168.1.24 255.255.255.0
#
interface Ethernet1/0/10
 port access vlan 10
 dot1x
#
interface Ethernet1/0/20
 port access vlan 20
 dot1x
#
interface Ethernet1/0/23
 port access vlan 30
#
interface Ethernet1/0/24
 port link-type trunk
 port trunk permit vlan all
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

Firewall configuration:
dis cu
#
 sysname R1
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 dhcp select relay
#
interface Ethernet0/0.1
 ip address 192.168.10.254 255.255.255.0
 ip relay address 192.168.30.1
 dhcp select relay
 vlan-type dot1q vid 10
#
interface Ethernet0/0.2
 ip address 192.168.20.254 255.255.255.0
 ip relay address 192.168.30.1
 dhcp select relay
 vlan-type dot1q vid 20
#
interface Ethernet0/0.3
 ip address 192.168.30.254 255.255.255.0
 dhcp select relay
 vlan-type dot1q vid 30
#
interface Ethernet0/4
 dhcp select relay
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/0.1
 add interface Ethernet0/0.2
 add interface Ethernet0/0.3
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

Lab verification:
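Added example (Python, not from the original post) of what the switch's "radius scheme xxx" puts on the wire to the server at 192.168.30.1: the PAP User-Password hiding keyed by the shared "key authentication 123456", and the Response Authenticator the switch must verify before it trusts an Access-Accept (RFC 2865). The user name, password and packet identifier are constructed sample values; the NAS address used in the check is the switch's Vlan-interface1 address from the configuration.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SECRET = b"123456"  # "key authentication 123456" from the switch config above


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of pap_encrypt, as the RADIUS server recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], stream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Length includes header


def build_access_request(user: bytes, password: bytes, nas_ip: str,
                         ident: int = 1, req_auth: bytes = b"") -> bytes:
    """Access-Request as the switch (NAS) sends it; constructed sample attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, pap_encrypt(password, SECRET, req_auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply; only the shared key prevents a forged accept."""
    length = struct.unpack("!BBH", reply[:4])[2]
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
```

Because both the password hiding and the reply check rest entirely on MD5 over the shared key, the strength of "key authentication" is the whole of the protection; "accounting optional" additionally means an unreachable accounting server does not block the login.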