MAC-address access control and Telnet/SSH access control based on ACS
Lab environment: two PCs, one used as the test PC and one as the ACS server
Lab description: implement MAC-address binding authentication to protect access to the switch, and implement Telnet and SSH login authentication,
which likewise hardens the switch. This lab uses Cisco's ACS AAA server (reached over RADIUS) to do it.
 

MAC-address authentication bound to a port:
[Quidway]mac-authentication
[Quidway]int e1/0/3
[Quidway-Ethernet1/0/3]mac-authentication
 MAC-authentication is enabled on port Ethernet1/0/3
[Quidway-Ethernet1/0/3]quit
[Quidway]radius scheme xxx
New Radius scheme
[Quidway-radius-xxx]primary ?
 accounting       Specify IP address of primary accounting RADIUS server
 authentication Specify IP address of primary authentication RADIUS server
[Quidway-radius-xxx]primary authentication 192.168.20.3
[Quidway-radius-xxx]server-type standard
[Quidway-radius-xxx]accounting optional
[Quidway-radius-xxx]key authentication 123456
[Quidway-radius-xxx]user     
[Quidway-radius-xxx]user-name-format without-domain
[Quidway-radius-xxx]quit
[Quidway]domain system
[Quidway-isp-system]radius-scheme xxx
[Quidway-isp-system]accounting optional
[Quidway-isp-system]quit
[Quidway]mac-authentication authmode ?
 usernameasmacaddress Specify username and password both equal to the MAC
                        address being authenticated
 usernamefixed          Username and password are fixed
      
[Quidway]mac-authentication authmode usernameasmacaddress ?
 usernameformat Username format
 <cr>            
 
[Quidway]mac-authentication authmode usernameasmacaddress usernameformat ?
 with-hyphen      MAC address with '-', just like XX-XX-XX-XX-XX-XX
 without-hyphen MAC address without '-', just like XXXXXXXXXXXX
[Quidway]mac-authentication authmode usernameasmacaddress usernameformat without-hyphen
 
The switch configuration is complete.
On the ACS server, create a user whose username and password are both the PC's MAC address;
Then ping the switch from the PC:
Telnet access control:
First create a user user2 on the ACS server, with the password also set to user2
Then configure the switch:
[Quidway]user-interface vty 0 4
[Quidway-ui-vty0-4]authentication-mode scheme
[Quidway-ui-vty0-4]user privilege level 3
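Both the port MAC authentication above and the VTY login under authentication-mode scheme end up as RADIUS Access-Requests from the switch to ACS, so the following added example (my own code, not the author's configuration or anything shipped with ACS or the switch) models that exchange offline: it renders a MAC in the with-hyphen and without-hyphen username formats, hides the password the RFC 2865 way with the page's shared secret 123456, builds the packet, and then plays the server side, recovering the password and deciding accept or reject. The MAC address, the user table and the fixed authenticator are constructed sample values; the lowercase rendering of the MAC is an assumption, since the page does not say which case the switch sends and an ACS entry in the other case would not match.

```python
import hashlib
import os
import struct

# Shared secret from the page's "key authentication 123456"; the ACS server at
# 192.168.20.3 must hold the identical string or every request is rejected.
SHARED_SECRET = b"123456"

# RFC 2865 packet code and attribute types used below
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

# Constructed demo data: what the page creates in ACS (MAC user and user2/user2).
DEMO_USERS = {"001a2b3c4d5e": "001a2b3c4d5e", "user2": "user2"}
# Fixed only so results are reproducible; a real NAS uses os.urandom per request.
DEMO_AUTHENTICATOR = bytes(range(16))


def format_mac(mac, with_hyphen=False):
    """Render a MAC in the switch's with-hyphen / without-hyphen username formats.
    Lowercase is an assumption; the page never states the case the switch sends."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def pap_hide(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: MD5(secret + previous block)
    XORed over 16-byte chunks of the zero-padded password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: what the RADIUS server does before comparing."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(username, password, secret, calling_station=None,
                         identifier=1, authenticator=None):
    """Access-Request as the switch (the NAS) sends it to the ACS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
    if calling_station is not None:
        attrs += _attr(CALLING_STATION_ID, calling_station.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, identifier, pkt[4:20], attrs


def server_decision(pkt, secret, user_db):
    """Model of the ACS check: True means Access-Accept, False means Access-Reject."""
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    name = attrs[USER_NAME].decode("ascii", "replace")
    revealed = pap_reveal(attrs[USER_PASSWORD], secret, authenticator)
    expected = user_db.get(name)
    return expected is not None and revealed == expected.encode()


def mac_auth_request(mac, secret=SHARED_SECRET, authenticator=None):
    """usernameasmacaddress with usernameformat without-hyphen: both fields are the MAC."""
    name = format_mac(mac)
    return build_access_request(name, name, secret, format_mac(mac, True),
                                authenticator=authenticator)


if __name__ == "__main__":
    mac = "00-1A-2B-3C-4D-5E"  # constructed sample MAC
    print("MAC auth:", server_decision(mac_auth_request(mac), SHARED_SECRET, DEMO_USERS))
    print("VTY login:", server_decision(
        build_access_request("user2", "user2", SHARED_SECRET), SHARED_SECRET, DEMO_USERS))
    # A shared secret that differs from the switch's "key authentication" value
    # makes the server recover garbage, so the same request is rejected.
    print("wrong secret:", server_decision(mac_auth_request(mac), b"wrong", DEMO_USERS))
```

The reject paths are the useful part when the lab does not work: a username-format mismatch (ACS entry stored with hyphens while the switch sends without-hyphen) and a shared-secret mismatch both look identical from the PC, since the switch only sees Access-Reject; the RADIUS log on the ACS side is where the two are told apart.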
Test:
SSH access control:
[Quidway]rsa local-key-pair create
The local-key-pair will be created.
[Quidway]ssh authentication-type default ?
 all                  All authentication
 password             Password authentication
 password-publickey Password and Publickey authentication
 rsa                  RSA authentication
 
[Quidway]ssh authentication-type default all ?
 <cr> 
 
[Quidway]ssh authentication-type default all
 
Test:
Test succeeded!