Configure Cut-Through Telnet

Baseline configuration
ASA:
interface Ethernet0/0
 nameif outside
 no shut
 security-level 0
 ip address 202.100.1.10 255.255.255.0

interface Ethernet0/1
 nameif inside
 no shut
 security-level 100
 ip address 192.168.1.10 255.255.255.0
interface Ethernet0/2
 nameif dmz
 no shut
 security-level 50
 ip address 172.16.1.10 255.255.255.0

Outside:

interface FastEthernet0/0
 no shut
 ip address 202.100.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.10
line vty 0 4
 no login

Inside:

interface FastEthernet0/0
 no shut
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.10

Step 1: Configure AAA

aaa-server 3AT protocol tacacs+
aaa-server 3AT (dmz) host 172.16.1.241
 key cisco123
Note: if no interface is specified, the default is inside.
Step 2: Define the traffic to be authenticated
access-list auth-telnet  permit tcp 192.168.1.0 255.255.255.0 any eq telnet
Step 3: Configure cut-through proxy
aaa authentication match auth-telnet inside 3AT
Note: traffic initiated from the inside interface that matches the ACL is authenticated against the ACS server.
Step 4: Add the NAS and create the username on the AAA server

ASA-AAA# test aaa authentication 3AT
Server IP Address or name: 172.16.1.241
Username: test
Password: *****
INFO: Attempting Authentication test to IP address <172.16.1.241> (timeout: 12 seconds)
INFO: Authentication Successful

Test

Inside#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
Username: test
Password:
Outside>

ASA(config)# sh uauth

                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        1          1
user 'test' at 192.168.1.1, authenticated (idle for 0:00:15)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

ASA(config)# clear uauth

Configure the banner

auth-prompt prompt Please enter username and password
auth-prompt accept Welcome to cisco
auth-prompt reject Please quit

Inside#telnet 202.100.1.1

Trying 202.100.1.1 ...
% Connection reset by user
Inside#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
Please enter username and password
Username: test
Password: Please quit
Please enter username and password
Username: test
Password:
Welcome to cisco

Step 5: Configure virtual telnet

ASA(config)# virtual telnet 202.100.1.100
Note: virtual telnet is assigned a global IP address that is not otherwise in use. It is used to match (and authenticate) non-standard traffic.
ASA(config)# access-list auth-telnet permit tcp host 202.100.1.100 any eq 3032
ASA(config)# access-list auth-telnet permit tcp host 202.100.1.100 any eq telnet

Test:

Inside#telnet 202.100.1.100
Trying 202.100.1.100 ... Open
LOGIN Authentication
Please enter username and password
Username: test
Password:
Welcome to cisco
Authentication Successful

Inside#telnet 202.100.1.1 3032

Trying 202.100.1.1, 3032 ... Open
Outside>

Inside#telnet 202.100.1.100  
Trying 202.100.1.100 ... Open
LOGOUT Authentication
Please enter username and password
Username: test
Password:
Welcome to cisco
Logout Successful

ASA(config)# aaa authorization match auth_telnet inside 3AT

Inside#telnet 202.100.1.100
Trying 202.100.1.100 ... Open
LOGIN Authentication
Please enter username and password
Username: test
Password:
Welcome to cisco
Error:  Authorization Denied

Inside#telnet 202.100.1.100
Trying 202.100.1.100 ... Open
LOGIN Authentication
Please enter username and password
Username: test

Password:

Welcome to cisco
Authentication Successful
[Connection to 202.100.1.100 closed by foreign host]
Inside#tel
Inside#telnet 202.100.1.1
Trying 202.100.1.1 ... Open

Outside>

ASA(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test' at 192.168.1.1, authorized to: (idle for 0:00:38)
   port 202.100.1.100/telnet    202.100.1.1/telnet 
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

RADIUS authentication and authorization
Step 1: Configure the AAA server
aaa-server 3RA protocol radius
aaa-server 3RA (dmz) host 172.16.1.241
 key cisco123

Step 2: Add the NAS client and create the user in ACS

(Screenshot omitted: the image was too large to upload.)
ASA(config)# test aaa authentication 3RA
Server IP Address or name: 172.16.1.241
Username: user1
Password: *****
INFO: Attempting Authentication test to IP address <172.16.1.241> (timeout: 12 seconds)
INFO: Authentication Successful

Step 3: Configure virtual telnet

ASA(config)# virtual telnet 202.100.1.100
Step 4: Configure the pre-authentication traffic (interface ACL)
ASA(config)# access-list auth_in permit tcp any host 202.100.1.100 eq 23
ASA(config)# access-group auth_in in interface inside per-user-override
Step 5: Configure the authentication and authorization traffic
ASA(config)# access-list auth_telnet permit tcp any host 202.100.1.100 eq 23
ASA(config)# aaa authentication match auth_telnet inside 3RA
Step 6: Configure the downloadable ACL in ACS
(Screenshot omitted: the image was too large to upload.)
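The decision flow that the steps above configure, as an added Python model written for this page (it is not Cisco code and it simplifies the ASA): the interface ACL is checked first; a flow that matches the "aaa authentication match" ACL is challenged only on a port the ASA can prompt on; other matching ports are dropped until the host has logged in through the virtual telnet address; and with per-user-override, the ACL the RADIUS server downloads replaces the interface ACL for that authenticated host. The AAA dictionary, the password strings and the Ace/Flow helpers are assumptions standing in for ACS; the two lab objects are built from the TACACS+ section (auth-telnet plus virtual telnet) and the RADIUS section (auth_in, auth_telnet, downloadable ACL) of this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ports on which the ASA can insert an authentication prompt (FTP, Telnet, HTTP, HTTPS).
PROMPTABLE_PORTS = {21, 23, 80, 443}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    """One TCP entry: permit|deny <src_net> <dst_net> [eq dport] (assumed helper)."""
    action: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))

def evaluate(acl: List[Ace], f: Flow) -> bool:
    """First match wins; an unmatched flow hits the implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False

@dataclass
class AaaUser:
    password: str
    dacl: Optional[List[Ace]] = None   # downloadable ACL the RADIUS server returns, if any

@dataclass
class UauthEntry:                       # one row of `show uauth`
    user: str
    dacl: Optional[List[Ace]] = None

@dataclass
class CutThroughProxy:
    interface_acl: List[Ace]            # access-group <acl> in interface inside
    auth_acl: List[Ace]                 # aaa authentication match <acl> inside <server>
    aaa: Dict[str, AaaUser]             # hypothetical stand-in for the ACS server
    virtual_telnet: Optional[str] = None
    per_user_override: bool = False
    uauth: Dict[str, UauthEntry] = field(default_factory=dict)

    def process(self, f: Flow, creds: Optional[Tuple[str, str]] = None) -> str:
        entry = self.uauth.get(f.src)
        if entry is not None:
            # Host already authenticated. With per-user-override a downloaded ACL
            # replaces the interface ACL for that host; otherwise the interface ACL applies.
            acl = entry.dacl if (self.per_user_override and entry.dacl) else self.interface_acl
            return "permit" if evaluate(acl, f) else "deny"
        if not evaluate(self.interface_acl, f):
            return "deny"
        if not evaluate(self.auth_acl, f):
            return "permit"                       # not subject to authentication
        if f.dport not in PROMPTABLE_PORTS:
            # The ASA cannot prompt inside this protocol, so the flow is dropped
            # until the host authenticates through the virtual telnet address.
            return "deny: authenticate via virtual telnet first"
        if creds is None:
            return "challenge"
        user, password = creds
        account = self.aaa.get(user)
        if account is None or account.password != password:
            return "deny: authentication failed"
        self.uauth[f.src] = UauthEntry(user, account.dacl)
        if f.dst == self.virtual_telnet:
            return "authenticated; virtual telnet session closed"
        return "permit"

VT = "202.100.1.100"   # virtual telnet address from the lab

def tacacs_lab() -> CutThroughProxy:
    """TACACS+ section: no interface ACL restriction; telnet and tcp/3032 trigger authentication."""
    return CutThroughProxy(
        interface_acl=[Ace("permit", "0.0.0.0/0", "0.0.0.0/0")],
        auth_acl=[Ace("permit", "192.168.1.0/24", "0.0.0.0/0", 23),
                  Ace("permit", "192.168.1.0/24", "0.0.0.0/0", 3032)],
        aaa={"test": AaaUser("constructed-password")},   # password is constructed, not from the lab
        virtual_telnet=VT)

def radius_lab() -> CutThroughProxy:
    """RADIUS section: auth_in only permits telnet to the virtual address; the DACL opens the rest."""
    dacl = [Ace("permit", "0.0.0.0/0", "202.100.1.1/32", 23),
            Ace("permit", "0.0.0.0/0", VT + "/32", 23)]
    return CutThroughProxy(
        interface_acl=[Ace("permit", "0.0.0.0/0", VT + "/32", 23)],
        auth_acl=[Ace("permit", "0.0.0.0/0", VT + "/32", 23)],
        aaa={"user1": AaaUser("constructed-password", dacl)},   # constructed password
        virtual_telnet=VT, per_user_override=True)
```

Running tacacs_lab() reproduces the TACACS+ test sequence: a connection to tcp/3032 is dropped until the host logs in at 202.100.1.100, after which it passes. radius_lab() reproduces the RADIUS test: telnet to 202.100.1.1 is denied by auth_in before login and permitted by the downloaded ACL afterwards, while a port the DACL does not list stays denied.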
Inside#telnet 202.100.1.100
Trying 202.100.1.100 ... Open
LOGIN Authentication
Username: user1
Password:
Authentication Successful
[Connection to 202.100.1.100 closed by foreign host]
Inside#202.100.1.1
Trying 202.100.1.1 ... Open

Outside>

ASA(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'user1' at 192.168.1.1, authenticated (idle for 0:00:22)
   access-list #ACSACL#-IP-user1-4e234282 (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
access-list #ACSACL#-IP-user1-4e234282; 2 elements (dynamic)
access-list #ACSACL#-IP-user1-4e234282 line 1 extended permit tcp any host 202.100.1.1 eq telnet (hitcnt=1) 0xa4ec1da0
access-list #ACSACL#-IP-user1-4e234282 line 2 extended permit tcp any host 202.100.1.100 eq telnet (hitcnt=1) 0x84eecaf8
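The three show uauth captures on this page, read by an added Python helper (not part of the page or of any Cisco tool) so the authentication cache can be reviewed from a script rather than by eye. The listing below is constructed from the entry shapes seen in those captures (a TACACS+ entry with "authorized to:" ports and a RADIUS entry carrying a downloaded ACL); the check it runs, flagging entries whose inactivity timeout is 0:00:00 and which therefore persist for the whole absolute timeout, is this example's own choice of what to look for.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the entry shapes from the lab's `show uauth` captures, combined
# into one listing so the parser sees every form at once (second host address is made up).
SAMPLE_UAUTH = """\
                        Current    Most Seen
Authenticated Users       2          2
Authen In Progress        0          1
user 'test' at 192.168.1.1, authorized to: (idle for 0:00:38)
   port 202.100.1.100/telnet    202.100.1.1/telnet
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'user1' at 192.168.1.2, authenticated (idle for 0:00:22)
   access-list #ACSACL#-IP-user1-4e234282 (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

USER_RE = re.compile(r"^user '(?P<user>[^']+)' at (?P<ip>[\d.]+), "
                     r"(?P<state>authenticated|authorized to:) \(idle for (?P<idle>\d+:\d\d:\d\d)\)")
TIMEOUT_RE = re.compile(r"^\s+(?P<kind>absolute|inactivity)\s+timeout: (?P<val>\d+:\d\d:\d\d)")
PORT_RE = re.compile(r"^\s+port (?P<ports>.+)$")
ACL_RE = re.compile(r"^\s+access-list (?P<acl>\S+)")

def hms(s: str) -> int:
    """'0:05:00' -> 300 seconds."""
    h, m, sec = s.split(":")
    return int(h) * 3600 + int(m) * 60 + int(sec)

@dataclass
class UauthEntry:
    user: str
    ip: str
    state: str                     # "authenticated" or "authorized"
    idle_s: int
    absolute_s: Optional[int] = None
    inactivity_s: Optional[int] = None
    ports: List[str] = field(default_factory=list)   # TACACS+ per-service authorization
    dacl: Optional[str] = None                        # RADIUS downloadable ACL name

def parse_uauth(text: str) -> List[UauthEntry]:
    entries: List[UauthEntry] = []
    cur: Optional[UauthEntry] = None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            state = "authorized" if m["state"].startswith("authorized") else "authenticated"
            cur = UauthEntry(m["user"], m["ip"], state, hms(m["idle"]))
            entries.append(cur)
            continue
        if cur is None:
            continue   # counter/header lines before the first user entry
        if (m := TIMEOUT_RE.match(line)):
            setattr(cur, f"{m['kind']}_s", hms(m["val"]))
        elif (m := PORT_RE.match(line)):
            cur.ports.extend(m["ports"].split())
        elif (m := ACL_RE.match(line)):
            cur.dacl = m["acl"]
    return entries

def review(entries: List[UauthEntry]) -> List[str]:
    """Flag cached credentials that only expire on the absolute timer: with no inactivity
    timeout, every connection from that address rides on the entry until then."""
    findings = []
    for e in entries:
        if e.inactivity_s == 0:
            findings.append(f"{e.user}@{e.ip}: no inactivity timeout; entry persists for the "
                            f"full absolute timeout ({e.absolute_s}s), idle {e.idle_s}s")
    return findings

if __name__ == "__main__":
    parsed = parse_uauth(SAMPLE_UAUTH)
    for e in parsed:
        print(e)
    for finding in review(parsed):
        print("WARN", finding)
```

Feed it the output of "show uauth" collected over SSH or from a log collector; the ports list and the dacl field tell you what each authenticated inside host can currently reach, and the review step gives a simple check to run after changing the uauth timers.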