In network security, AAA takes its name from the initials of the terms authentication, authorization and accounting; it is a system that carefully inspects the packets arriving from the network according to certain models and reports malicious activity.
Authentication: verifying the device or the user when a server, switch or router is used.
Authorization: granting the user or users permission to access the system, program and network.
Accounting: what any user does: user operations, user data connections and user system records.
- Assigning device names and IP addresses.
[Huawei]sysname Router1
[Router1]interface GigabitEthernet 0/0/0
[Router1-GigabitEthernet0/0/0]ip address 119.84.111.1 24
[Huawei]sysname Router3
[Router3]interface GigabitEthernet 0/0/0
[Router3-GigabitEthernet0/0/0]ip address 119.84.111.3 24
Let's check the connection between Router1 and Router3.
ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=140 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=60 ms
--- 119.84.111.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/76/140 ms
- Configuring AAA for the Router1 device.
Let's complete the authentication-scheme and authorization-scheme configuration on Router1 and apply the same settings on Router3.
[Router1]aaa
[Router1-aaa]authentication-scheme auth1
Info: Create a new authentication scheme.
[Router1-aaa-authen-auth1]authentication-mode local
[Router1-aaa-authen-auth1]quit
[Router1-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[Router1-aaa-author-auth2]authorization-mode local
[Router1-aaa-author-auth2]quit
Let's configure Router1's domain as huawei, and then configure the users we create to match it.
[Router1-aaa]domain huawei
Info: Success to create a new domain.
[Router1-aaa-domain-huawei]authentication-scheme auth1
[Router1-aaa-domain-huawei]authorization-scheme auth2
[Router1-aaa-domain-huawei]quit
[Router1-aaa]local-user user1@huawei password cipher huawei
Info: Add a new user.
[Router1-aaa]local-user user1@huawei service-type telnet
[Router1-aaa]local-user user1@huawei privilege level 0
Let's enable the telnet server on Router1 in AAA authentication mode.
[Router1]user-interface vty 0 4
[Router1-ui-vty0-4]authentication-mode aaa
Let's check whether the telnet service was set up successfully on Router1.
telnet 119.84.111.1
Trying 119.84.111.1 ...
Press CTRL+K to abort
Connected to 119.84.111.1 ...
Login authentication
Username:user1@huawei
Password:
sys
system-view
^
Error: Unrecognized command found at '^' position.
quit
- Configuring AAA for the Router3 device.
[Router3]aaa
[Router3-aaa]authentication-scheme auth1
Info: Create a new authentication scheme.
[Router3-aaa-authen-auth1]authentication-mode local
[Router3-aaa-authen-auth1]quit
[Router3-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[Router3-aaa-author-auth2]authorization-mode local
[Router3-aaa-author-auth2]quit
Let's configure Router3's domain as huawei so that it matches the users we created earlier.
[Router3-aaa]domain huawei
[Router3-aaa-domain-huawei]authentication-scheme auth1
[Router3-aaa-domain-huawei]authorization-scheme auth2
[Router3-aaa-domain-huawei]quit
[Router3-aaa]local-user user3@huawei password cipher huawei
Info: Add a new user.
[Router3-aaa]local-user user3@huawei service-type telnet
[Router3-aaa]local-user user3@huawei privilege level 0
Let's enable the telnet server on Router3 in AAA authentication mode.
[Router3]user-interface vty 0 4
[Router3-ui-vty0-4]authentication-mode aaa
Let's check whether the telnet service was set up successfully on Router3.
telnet 119.84.111.3
Trying 119.84.111.3 ...
Press CTRL+K to abort
Connected to 119.84.111.3 ...
Login authentication
Username:user3@huawei
Password:
system-view
^
Error: Unrecognized command found at '^' position.
- Results of the AAA configuration.
display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : default
Authorization-scheme-name : auth2
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
display local-user username user1@huawei
The contents of local user(s):
Password : **
State : active
Service-type-mask : T
Privilege level : 0
Ftp-directory : -
Access-limit : -
Accessed-num : 0
Idle-timeout : -
User-group : -
display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : default
Authorization-scheme-name : auth2
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
display local-user username user3@huawei
The contents of local user(s):
Password : **
State : active
Service-type-mask : T
Privilege level : 0
Ftp-directory : -
Access-limit : -
Accessed-num : 0
Idle-timeout : -
User-group : -
Result...
display current-configuration
#
sysname Router1
#
aaa
authentication-scheme default
authentication-scheme auth1
authorization-scheme default
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
local-user user1@huawei password cipher ,fM\8+wUb#3@9_G-B0Y2lf”#
local-user user1@huawei privilege level 0
local-user user1@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 119.84.111.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
Return
display current-configuration
#
sysname Router3
#
aaa
authentication-scheme default
authentication-scheme auth1
authorization-scheme default
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
local-user user3@huawei password cipher gQ+ZJr.h/939O4.`(ZGxU:#
local-user user3@huawei privilege level 0
local-user user3@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 119.84.111.3 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
Return
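As an added example (not part of the original post and not a Huawei tool), the script below audits a VRP `display current-configuration` dump of the kind shown above: it checks that every scheme a domain binds is actually defined, that each user@domain name resolves to a configured domain, and that every vty line requires `authentication-mode aaa`. The sample configuration is constructed from the Router1 config with VRP's indentation restored, and the `authorization-scheme auth2` definition is deliberately left out so that the check has something to report.

```python
# Constructed sample (Router1 config, indentation restored); auth2's definition is omitted so the audit flags it.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme auth1
 domain huawei
  authentication-scheme auth1
  authorization-scheme auth2
 local-user user1@huawei privilege level 0
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
"""

def audit_aaa(text):
    """Parse the aaa and user-interface blocks (VRP nests by indentation) and return findings."""
    schemes, domains, users, vtys, block, cur = {}, {}, {}, {}, None, None
    for line in text.splitlines():
        words, indent = line.split(), len(line) - len(line.lstrip())
        if not words or line == "#":                       # block separator
            block = cur = None
        elif indent == 0:                                  # block header
            block, cur = words[0], " ".join(words[1:])
            if block == "user-interface":
                vtys[cur] = None                           # no authentication-mode seen yet
        elif block == "user-interface" and words[0] == "authentication-mode":
            vtys[cur] = words[1]
        elif block == "aaa" and indent == 1:
            cur = words[1] if words[0] == "domain" else None
            if words[0] == "domain":
                domains[cur] = {}
            elif words[0].endswith("-scheme"):             # scheme definition
                schemes.setdefault(words[0][:-7], set()).add(words[1])
            elif words[0] == "local-user":                 # e.g. "privilege level 0"
                users.setdefault(words[1], {})[words[2]] = words[-1]
        elif block == "aaa" and cur in domains:            # scheme bound to the open domain
            domains[cur][words[0]] = words[1]
    findings = []
    for dom, cfg in domains.items():                       # every bound scheme must exist
        for kind in ("authentication", "authorization"):
            ref = cfg.get(kind + "-scheme", "default")
            if ref != "default" and ref not in schemes.get(kind, ()):
                findings.append(f"domain {dom}: {kind}-scheme {ref} is undefined")
    for user in users:                                     # user@domain must name a real domain
        dom = user.partition("@")[2] or "default"
        if dom != "default" and dom not in domains:
            findings.append(f"local-user {user}: domain {dom} is undefined")
    for vty, mode in vtys.items():                         # every vty line must require AAA
        if vty.startswith("vty") and mode != "aaa":
            findings.append(f"user-interface {vty}: no explicit authentication-mode aaa")
    return findings
```

Run it against a real dump by pasting the device output into `audit_aaa`; an empty list means all three checks passed.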