AAA Command Configuration Summary

aaa new-model
aaa authentication login noacs line none    (line-level protection policy)
lin console 0
login authentication noacs
lin aux 0
login authentication noacs
tacacs-server host 1.1.1.100 key cisco    (specify the server and password)
test aaa group tacacs+ benet cisco new-code    (test the AAA server)

Login authentication:
aaa authentication login denglu group tacacs+
aaa authentication login denglu group tacacs+ local    (local authentication)
server(config)#lin vty 0 15
server(config-line)#login authentication denglu


Authorization:
aaa authorization exec shouquan group tacacs+    (specify that commands require authorization)
server(config-line)#authorization exec shouquan    (specify that remote users require authorization; exec=shell)
show privilege


Accounting:
aaa accounting exec shenji start-stop group tacacs+
lin vty 0 15
accounting exec shenji

Command accounting:
aaa accounting commands 0 mingling start-stop group tacacs+
aaa accounting commands 1 mingling start-stop group tacacs+
aaa accounting commands 15 mingling start-stop group tacacs+
Apply to the lines:
lin vty 0 15
accounting commands 0 mingling
accounting commands 1 mingling
accounting commands 15 mingling
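
A consistency check for the method lists above, as an added example that is not part of the original page: it parses an IOS-style config, reports lists applied under a line but never defined for that service and privilege level, and flags login lists that end in `none` or have no fallback after `group tacacs+`. The sample config is constructed and reuses this page's list names; `audit` and the finding labels are names chosen for this example.

```python
# Constructed sample config (not from a real device); list names follow this page.
SAMPLE = """\
aaa new-model
aaa authentication login noacs line none
aaa authentication login denglu group tacacs+
aaa authorization exec shouquan group tacacs+
aaa accounting exec shenji start-stop group tacacs+
aaa accounting commands 1 mingling start-stop group tacacs+
line console 0
 login authentication noacs
line vty 0 15
 login authentication denglu
 authorization exec shouquan
 accounting exec shenji
 accounting commands 1 mingling
 accounting commands 15 mingling
"""
SERVICES = {"authentication", "authorization", "accounting"}

def audit(config):
    """Return sorted (finding, context, list_name) tuples for an IOS-style config."""
    defined, uses, findings, ctx = {}, [], [], None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "aaa" and len(w) >= 5 and w[1] in SERVICES:
            n = 4 if w[2] == "commands" else 3    # "commands <level>" is two words
            defined[(w[1], " ".join(w[2:n]), w[n])] = w[n + 1:]
        elif w[0] == "line":
            ctx = " ".join(w)                     # entering line sub-mode
        elif not raw[0].isspace():
            ctx = None                            # any other top-level command
        elif ctx and w[:2] == ["login", "authentication"] and len(w) == 3:
            uses.append((("authentication", "login", w[2]), ctx))
        elif ctx and w[0] in ("authorization", "accounting") and len(w) >= 3:
            uses.append(((w[0], " ".join(w[1:-1]), w[-1]), ctx))
    for key, where in uses:
        if key not in defined:                    # list applied but never defined
            findings.append(("undefined-list", where, key[2]))
    for (svc, _kind, name), methods in defined.items():
        if svc == "authentication" and methods[-1] == "none":
            findings.append(("ends-in-none", "global", name))  # may admit with no credentials
        elif svc == "authentication" and methods == ["group", "tacacs+"]:
            findings.append(("no-fallback", "global", name))   # lockout if server is down
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
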



PPPoE server side:

en
conf t
ho pppoe-server
in f0/0
no ip add
no shut
pppoe enable
exit
inter loo 0
ip add 1.1.1.1 255.255.255.0
exit
vpdn enable
vpdn group 1
accept-dialin
pro pppoe
virtual-template 1
end
conf t
int virtual-template 1
ip unnumbered lo 0
enc ppp
ppp auth pap
peer default ip add pool ippool
conf t
username cisco pass cisco
ip local pool ippool 123.1.1.100 123.1.1.200

Client side:
en
conf t
ho client
in f0/0
pppoe enable
pppoe-client dial-pool-number 1
exit
in dialer 1
ip add nego
enc ppp
ppp auth pap callin
ppp pap sent-username cisco pass cisco
mtu 1492
dialer pool 1
exit
conf t

in lo 0
ip add 2.2.2.2 255.255.255.0
exit
access-list 1 per 2.2.2.0 0.0.0.255
ip nat ins sou list 1 inter dialer 1 overload
in lo 0
ip nat inside
in dialer 1
ip nat out
exit
ip route 0.0.0.0 0.0.0.0 dialer 1 permanent
end

AAA configuration
aaa new
aaa authen login noacs lin none
lin con 0
login authen noacs
lin aux 0
login authen noacs
lin vty 0 15
login authen noacs
tacacs-server host 1.1.1.100 key cisco
test aaa group tacacs+ benet cisco new-code

Authentication:
aaa authenti ppp sss group tacacs+
in virtual-template 1
ppp authenti pap sss

Accounting:
aaa accounting network bbb start-stop group tacacs+
in virtual-template 1
ppp accounting bbb

Authorization:
aaa authorization network sss group tacacs+
in virtual-template 1
ppp authorization sss
(ppp lcp and ppp ip are denied; they must be explicitly authorized)

For access control:
access-list 101 permit tcp any any eq 23