NAS在PAT下的AAA

最新推荐文章于 2021-08-12 08:42:06 发布

??yy

最新推荐文章于 2021-08-12 08:42:06 发布

阅读量721

点赞数

文章标签：数据库

本文链接：https://blog.csdn.net/weixin_33742618/article/details/85093981

版权

1.测试拓扑：

http://www.cisco.com/en/US/docs/ios/12_3/12_3b/feature/guide/gt_siara.html

上面链接有如下文字，说明是在记账是才用的上：

RADIUS servers normally check the source IP address in the IP header of the RADIUS packets to track the source of the RADIUS requests and to maintain security. The NAT or PAT solution satisfies these requirements because only a single source IP address is used even though RADIUS packets come from different NAS routers.

However, when retrieving accounting records from the RADIUS database, some billing systems use RADIUS attribute 4, NAS-IP-Address, in the accounting records. The value of this attribute is recorded on the NAS routers as their own IP addresses. The NAS routers are not aware of the NAT or PAT that runs between them and the RADIUS server; therefore, different RADIUS attribute 4 addresses will be recorded in the accounting records for users from the different NAS routers. These addresses eventually expose different NAS routers to the RADIUS server and to the corresponding billing systems

2.基本配置：
R1：
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.3

R2：
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
interface Loopback0
ip address 2.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.3

R3:
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 100.1.1.1 255.255.255.0
ip nat outside
no shut
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 interface Ethernet0/1 overload

ACS:
①添加AAA client：

②添加认证用户：

③开启Radius记账：

3.NAS的Radius配置：
①开启AAA,并做线下保护：
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
②认证：
radius-server host 100.1.1.100 auth-port 1645 acct-port 1646 key cisco
aaa authentication login acs group radius line none
line vty 0 5
login authentication acs
③授权：
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
④记账：
aaa accounting exec default start-stop group radius
aaa accounting exec acs start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
⑤测试：
test aaa group radius ccsp 1234qwer new-code
4.登录测试：
①从R2上telnetR1：
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Username: ccsp
Password:

R1>

②下面为debug信息：
-----从debug信息可以看到12.4的IOS默认是带有NAS-IP-Address 的Radius

-----否则从ACS上记录就不是NAS设备的接口地址，而是PAT后的地址

attribute 的:
R1#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
R1#
*Mar 1 01:37:43.731: RADIUS/ENCODE(0000000C): ask "Username: "
*Mar 1 01:37:43.731: RADIUS/ENCODE(0000000C): send packet; GET_USER
R1#
*Mar 1 01:37:45.815: RADIUS/ENCODE(0000000C): ask "Password: "
*Mar 1 01:37:45.815: RADIUS/ENCODE(0000000C): send packet; GET_PASSWORD
R1#
*Mar 1 01:37:48.519: RADIUS/ENCODE(0000000C):Orig. component type = EXEC
*Mar 1 01:37:48.523: RADIUS: AAA Unsupported Attr: interface         [174] 5
*Mar 1 01:37:48.523: RADIUS:   74 74 79                                         [tty]
*Mar 1 01:37:48.523: RADIUS/ENCODE(0000000C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 1 01:37:48.527: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Mar 1 01:37:48.527: RADIUS/ENCODE(0000000C): acct_session_id: 10
*Mar 1 01:37:48.527: RADIUS(0000000C): sending
*Mar 1 01:37:48.531: RADIUS/ENCODE: Best Local IP-Address 10.1.1.1 for Radius-Server 100.1.1.100
*Mar 1 01:37:48.535: RADIUS(0000000C): Send Access-Request to 100.1.1.100:1645 id 1645/11, len 79
*Mar 1 01:37:48.535: RADIUS: authenticator 23 FF FD 4D FB FF EE 28 - 90 ED 86 BD FE 99 6A 34
*Mar 1 01:37:48.539: RADIUS: User-Name           [1]   6   "ccsp"
*Mar 1 01:37:48.539: RADIUS: User-Password       [2]   18 *
*Mar 1 01:37:48.539: RADIUS: NAS-Port            [5]   6   66
*Mar 1 01:37:48.539: RADIUS: NAS-Port-Id         [87] 7   "tty66"
*Mar 1 01:37:48.543: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
*Mar 1 01:37:48.543: RADIUS: Calling-Station-Id [31] 10 "10.1.1.2"
*Mar 1 01:37:48.543: RADIUS: NAS-IP-Address      [4]   6   10.1.1.1
*Mar 1 01:37:48.615: RADIUS: Received from id 1645/11 100.1.1.100:1645, Access-Accept, len 49
*Mar 1 01:37:48.619: RADIUS: authenticator BC 45 8F DA 54 02 5B B1 - 2E 2F B9 E0 09 03 3B 24
*Mar 1 01:37:48.619: RADIUS: Framed-IP-Address   [8]   6   255.255.255.255
*Mar 1 01:37:48.619: RADIUS: Class               [25] 23
*Mar 1 01:37:48.623: RADIUS:   43 41 43 53 3A 30 2F 35 62 37 2F 61 30 31 30 31 [CACS:0/5b7/a0101]
*Mar 1 01:37:48.623: RADIUS:   30 31 2F 36 36                                   [01/66]
*Mar 1 01:37:48.655: RADIUS(0000000C): Received from id 1645/11
*Mar 1 01:37:48.667: RADIUS/ENCODE(0000000C):Orig. component type = EXEC
*Mar 1 01:37:48.671: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Mar 1 01:37:48.671: RADIUS(0000000C): sending
*Mar 1 01:37:48.675: RADIUS/ENCODE: Best Local IP-Address 10.1.1.1 for Radius-Server 100.1.1.100
*Mar 1 01:37:48.679: RADIUS(0000000C): Send Accounting-Request to 100.1.1.100:1646 id 1646/9, len 118
*Mar 1 01:37:48.679: RADIUS: authenticator 89 C8 38 B4 FD DF 2D 53 - 30 08 B6 70 30 81 45 41
*Mar 1 01:37:48.679: RADIUS: Acct-Session-Id     [44] 10 "0000000A"
*Mar 1 01:37:48.679: RADIUS: User-Name           [1]   6   "ccsp"
*Mar 1 01:37:48.683: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
*Mar 1 01:37:48.683: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
*Mar 1 01:37:48.683: RADIUS: NAS-Port            [5]   6   66
*Mar 1 01:37:48.687: RADIUS: NAS-Port-Id         [87] 7   "tty66"
*Mar 1 01:37:48.687: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
*Mar 1 01:37:48.687: RADIUS: Calling-Station-Id [31] 10 "10.1.1.2"
*Mar 1 01:37:48.687: RADIUS: Class               [25] 23
*Mar 1 01:37:48.691: RADIUS:   43 41 43 53 3A 30 2F 35 62 37 2F 61 30 31 30 31 [CACS:0/5b7/a0101]
*Mar 1 01:37:48.691: RADIUS:   30 31 2F 36 36                                   [01/66]
*Mar 1 01:37:48.691: RADIUS: Service-Type        [6]   6   NAS Prompt                [7]
*Mar 1 01:37:48.695: RADIUS: NAS-IP-Address      [4]   6   10.1.1.1
*Mar 1 01:37:48.695: RADIUS: Acct-Delay-Time     [41] 6   0
*Mar 1 01:37:48.783: RADIUS: Received from id 1646/9 100.1.1.100:1646, Accounting-response, len 20
*Mar 1 01:37:48.783: RADIUS: authenticator 99 06 C5 F8 12 E7 D8 60 - EC 21 E8 B4 47 03 98 1C
③查看ACS上面的记账：

5.修改NAS的的Radius配置，设置NAS-IP-Address 属性：
①配置命令：
R1(config)#radius-server attribute 4 1.1.1.1
R2(config)#radius-server attribute 4 2.2.2.2
②重新登录测试，查看ACS上面的记账：