Cisco IPsec ××× + ××× Client remote access + RADIUS authentication configuration
Network topology: (diagram not reproduced in this copy)
On PC0, install the Cisco ××× Client and configure GroupName ***group, password 12345678, host address 201.1.1.1.
On Server0, create user user1 with password 123456 and allow dial-in access.
On Server0, install IAS and add a new RADIUS client: name ***, client address 10.1.1.254, vendor RADIUS Standard, shared secret 12345678.
In Server0's IAS, create a new remote access policy ***0 with access method ×××; the other settings can be anything. Edit the policy's profile and, under authentication methods, tick PAP. (Why? Look at the access log records.)
R1 configuration:
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
---------------------------------------------------------------------------------------------
R2 configuration:
!
aaa new-model
!
aaa authentication login userauth group radius local
aaa authorization network groupauth local
!
username jxs password 0 jxs
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group ***group
 key 12345678
 dns 61.153.177.196
 domain test.com
 pool ×××DHCP
!
crypto ipsec transform-set ***-tfs esp-3des esp-md5-hmac
!
crypto dynamic-map dy*** 10
 set transform-set ***-tfs
 reverse-route
!
crypto map ***12 client authentication list userauth
crypto map ***12 isakmp authorization list groupauth
crypto map ***12 client configuration address respond
crypto map ***12 10 ipsec-isakmp dynamic dy***
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map ***12
!
ip local pool ×××DHCP 192.168.2.10 192.168.2.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
radius-server attribute 6 on-for-login-auth
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 12345678
Reposted from: https://blog.51cto.com/xpvista/339015