Lab won't work, asking for help! ISCW Lab 31: Configuring the Auth-Proxy authentication proxy
suyajuncn11 posted on 2008-7-1 0:13:13

 

Lab procedure:
Step 1  Pre-configuration of R1, R2 and R3

R1(config)#int e1/0
R1(config-if)#ip add 172.16.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit

R2(config)#int e1/0
R2(config-if)#ip add 172.16.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e1/1
R2(config-if)#ip add 192.168.1.200 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e2/0
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit

R3(config)#int e2/0
R3(config-if)#ip add 10.0.0.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#exit

Step 2  Open ACS → Interface Configuration → Tacacs+ → enter auth-proxy under New Services and check Advanced Tacacs+ Feature

Step 3  In Group Setup → under Group select Default Group, click Edit Setting, check auth-proxy ip, and enter the Custom Attributes as shown in the figure

Step 4  Configure OSPF on R1, R2 and R3
R1(config)#router ospf 64
R1(config-router)#net 0.0.0.0 0.0.0.0 area 0
R1(config-router)#exit

R2(config)#router ospf 64
R2(config-router)#net 0.0.0.0 0.0.0.0 area 0
R2(config-router)#exit

R3(config)#router ospf 64
R3(config-router)#net 0.0.0.0 0.0.0.0 area 0
R3(config-router)#exit

Step 5  Configure the authentication proxy on R2
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+
R2(config)#aaa authorization auth-proxy default group tacacs+
R2(config)#tacacs-server host 192.168.1.104 key norvel
R2(config)#ip http server
R2(config)#ip http authentication aaa 
R2(config)#
R2(config)#ip auth-proxy name AP telnet
R2(config)#ip auth-proxy auth-proxy-banner telnet
R2(config)#
R2(config)#int e1/0
R2(config-if)#ip auth-proxy AP

Step 6  Test from R1
R1#telnet 10.0.0.3
Trying 10.0.0.3 ... Open

Firewall authentication
Username:norvel
Password:
Firewall authentication Failed.Please Retry
Username:norvel
Password:
Firewall authentication Failed.Please Retry
Username:
[Connection to 10.0.0.3 closed by foreign host]
R1#

//  Test unsuccessful. The username and password are exactly the User's username and password under Default Group in ACS, so they are definitely not the problem.

//  Debug messages on R2 during the test
R2#debug ip auth-proxy detail
AUTH-PROXY Detailed debugging is on
R2#debug tacacs authentication
TACACS+ authentication debugging is on
R2#debug tacacs authorization
TACACS+ authorization debugging is on
R2#
*Mar  1 00:48:09.987: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:09.987:  SYN SEQ 2471773804 LEN 0
*Mar  1 00:48:09.987: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:09.987: AUTH-PROXY:auth_proxy_half_open_count++ 1
*Mar  1 00:48:10.039: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.039:  ACK 3005507697 SEQ 2471773805 LEN 0
*Mar  1 00:48:10.039: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.039: clientport 60953 state 0
*Mar  1 00:48:10.043: AUTH-PROXY:incremented proxy_proc_count=1
*Mar  1 00:48:10.055: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.055:  PSH ACK 3005507697 SEQ 2471773805 LEN 9
*Mar  1 00:48:10.055: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.055: clientport 60953 state 0
*Mar  1 00:48:10.055: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.055:  ACK 3005507697 SEQ 2471773814 LEN 0
*Mar  1 00:48:10.055: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.055: clientport 60953 state 0
*Mar  1 00:48:10.067: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.067:  PSH ACK 3005507742 SEQ 2471773814 LEN 3
*Mar  1 00:48:10.067: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.067: clientport 60953 state 0
*Mar  1 00:48:10.067: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.067:  PSH ACK 3005507742 SEQ 2471773817 LEN 3
*Mar  1 00:48:10.067: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.067: clientport 60953 state 0
*Mar  1 00:48:10.071: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.071:  PSH ACK 3005507745 SEQ 2471773820 LEN 3
*Mar  1 00:48:10.071: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.071: clientport 60953 state 0
*Mar  1 00:48:10.287: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:10.287:  ACK 3005507751 SEQ 2471773823 LEN 0
*Mar  1 00:48:10.287: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:10.287: clientport 60953 state 0
*Mar  1 00:48:11.243: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.243:  PSH ACK 3005507751 SEQ 2471773823 LEN 1
*Mar  1 00:48:11.243: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.243: clientport 60953 state 0
*Mar  1 00:48:11.403: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.403:  PSH ACK 3005507752 SEQ 2471773824 LEN 1
*Mar  1 00:48:11.403: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.403: clientport 60953 state 0
*Mar  1 00:48:11.491: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.491:  PSH ACK 3005507753 SEQ 2471773825 LEN 1
*Mar  1 00:48:11.491: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.491: clientport 60953 state 0
*Mar  1 00:48:11.707: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.707:  ACK 3005507754 SEQ 2471773826 LEN 0
*Mar  1 00:48:11.707: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.707: clientport 60953 state 0
*Mar  1 00:48:11.755: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.755:  PSH ACK 3005507754 SEQ 2471773826 LEN 1
*Mar  1 00:48:11.755: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.755: clientport 60953 state 0
*Mar  1 00:48:11.923: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.923:  PSH ACK 3005507755 SEQ 2471773827 LEN 1
*Mar  1 00:48:11.923: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.923: clientport 60953 state 0
*Mar  1 00:48:11.991: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:11.991:  PSH ACK 3005507756 SEQ 2471773828 LEN 1
*Mar  1 00:48:11.991: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:11.991: clientport 60953 state 0
*Mar  1 00:48:12.235: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.235:  ACK 3005507757 SEQ 2471773829 LEN 0
*Mar  1 00:48:12.235: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.235: clientport 60953 state 0
*Mar  1 00:48:12.239: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.239:  PSH ACK 3005507757 SEQ 2471773829 LEN 2
*Mar  1 00:48:12.239: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.239: clientport 60953 state 0
*Mar  1 00:48:12.459: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.459:  ACK 3005507768 SEQ 2471773831 LEN 0
*Mar  1 00:48:12.459: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.459: clientport 60953 state 0
*Mar  1 00:48:12.531: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.531:  PSH ACK 3005507768 SEQ 2471773831 LEN 1
*Mar  1 00:48:12.531: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.531: clientport 60953 state 0
*Mar  1 00:48:12.759: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.759:  PSH ACK 3005507768 SEQ 2471773832 LEN 1
*Mar  1 00:48:12.759: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.759: clientport 60953 state 0
*Mar  1 00:48:12.835: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:12.835:  PSH ACK 3005507768 SEQ 2471773833 LEN 1
*Mar  1 00:48:12.835: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:12.839: clientport 60953 state 0
*Mar  1 00:48:13.079: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.079:  PSH ACK 3005507768 SEQ 2471773834 LEN 1
*Mar  1 00:48:13.079: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.079: clientport 60953 state 0
*Mar  1 00:48:13.259: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.259:  PSH ACK 3005507768 SEQ 2471773835 LEN 1
*Mar  1 00:48:13.259: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.259: clientport 60953 state 0
*Mar  1 00:48:13.407: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.407:  PSH ACK 3005507768 SEQ 2471773836 LEN 1
*Mar  1 00:48:13.407: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.407: clientport 60953 state 0
*Mar  1 00:48:13.655: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.655:  PSH ACK 3005507768 SEQ 2471773837 LEN 2
*Mar  1 00:48:13.655: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.655: clientport 60953 state 0
*Mar  1 00:48:13.659: AUTH-PROXY:Authenticating user norvel
*Mar  1 00:48:13.659: AUTH-PROXY:Session state is INIT.Not updating stats
*Mar  1 00:48:13.659: AUTH-PROXY:Session state is INIT.Not updating stats
*Mar  1 00:48:13.663: AUTH-PROXY:Sent AAA request successfully
*Mar  1 00:48:13.663: TPLUS: Queuing AAA Authentication request 16 for processing
*Mar  1 00:48:13.663: TPLUS: processing authentication start request id 16
*Mar  1 00:48:13.667: TPLUS: Authentication start packet created for 16(norvel)
*Mar  1 00:48:13.667: TPLUS: Using server 192.168.1.104
*Mar  1 00:48:13.671: TPLUS(00000010)/0/NB_WAIT/636DE240: Started 5 sec timeout
*Mar  1 00:48:13.679: TPLUS(00000010)/0/NB_WAIT: socket event 2
*Mar  1 00:48:13.679: TPLUS(00000010)/0/NB_WAIT: wrote entire 26 bytes request
*Mar  1 00:48:13.679: TPLUS(00000010)/0/READ: socket event 1
*Mar  1 00:48:13.679: TPLUS(00000010)/0/READ: Would block while reading
*Mar  1 00:48:13.791: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.791:  ACK 3005507770 SEQ 2471773839 LEN 0
*Mar  1 00:48:13.791: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.791: clientport 60953 state 0
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: socket event 1
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: socket event 1
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: read entire 18 bytes response
*Mar  1 00:48:13.899: TPLUS(00000010)/0/636DE240: Processing the reply packet
*Mar  1 00:48:13.899: TPLUS: received bad AUTHEN packet: length = 6, expected 43586
*Mar  1 00:48:13.899: TPLUS: Invalid AUTHEN packet (check keys).
*Mar  1 00:48:13.899: TPLUS(00000010)/0/REQ_WAIT/636DE240: timed out
*Mar  1 00:48:13.899: TPLUS: Authentication start packet created for 16(norvel)
*Mar  1 00:48:13.903: TPLUS(00000010)/0/REQ_WAIT/636DE240: timed out, clean up
*Mar  1 00:48:13.903: TPLUS(00000010)/0/636DE240: Processing the reply packet
*Mar  1 00:48:13.907: AUTH-PROXY:bkgd:AAA returned FAIL
*Mar  1 00:48:13.911: AUTH-PROXY:wait complete on watched boolean stat=1
*Mar  1 00:48:14.259: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:14.259:  ACK 3005507824 SEQ 2471773839 LEN 0

//  The problem is here; please advise how to troubleshoot
*Mar  1 00:48:14.259: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:14.259: clientport 60953 state 0
R2#
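An added diagnostic helper, not part of the original post and not Cisco code: a Python script that re-joins the debug lines the IOS console split by echoing the R2# prompt mid-line, then pulls the facts that matter out of the `debug tacacs authentication` / `debug ip auth-proxy detail` output above (the proxied flow, the user, the server, bytes sent and received, and how the router judged the reply). The trace it is run on is copied from the debug output above; the second, successful transcript (SAMPLE_OK) and the verdict labels are constructed for the example. The router itself prints `TPLUS: Invalid AUTHEN packet (check keys)` after reading an 18-byte reply from 192.168.1.104, so the server did answer but the router could not validate the reply body; an implausible "expected 43586" length is what a TACACS+ body decrypted with the wrong shared key looks like, which is why the script reports that case separately from a server that rejects the credentials or never answers.

```python
import re

# Log lines taken from the debug output above (including two lines split by the
# echoed "R2#" prompt), used here as the input to analyse.
SAMPLE_DEBUG = """\
*Mar  1 00:48:13.655: AUTH-PROXY:proto_flag=2, dstport_index=2
*Mar  1 00:48:13.655:  PSH ACK 3005507768 SEQ 2471773837 LEN 2
*Mar  1 00:48:13.655: dst_addr 10.0.0.3 src_addr 172.16.0.1 dst_port 23 src_port 60953
*Mar  1 00:48:13.655: clientport 60953 state 0
*Mar  1 00:48:13.659: AUTH-PROXY:Authenticating user norvel
*Mar  1 00:48:13.663: AUTH-PROXY:Sent AAA request successfully
*Mar  1 00:48:13.663: TPLUS: Queuing AAA Authentication request 16 for pr
R2#ocessing
*Mar  1 00:48:13.667: TPLUS: Using server 192.168.1.104
*Mar  1 00:48:13.679: TPLUS(00000010)/0/NB_WAIT: wrote entire 26 bytes request
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes da
R2#ta)
*Mar  1 00:48:13.895: TPLUS(00000010)/0/READ: read entire 18 bytes response
*Mar  1 00:48:13.899: TPLUS: received bad AUTHEN packet: length = 6, expected 43586
*Mar  1 00:48:13.899: TPLUS: Invalid AUTHEN packet (check keys).
*Mar  1 00:48:13.899: TPLUS(00000010)/0/REQ_WAIT/636DE240: timed out
*Mar  1 00:48:13.907: AUTH-PROXY:bkgd:AAA returned FAIL
R2#
"""

# Constructed transcript of a successful exchange (not from the post), used to
# show the "authenticated" verdict.
SAMPLE_OK = """\
*Mar  1 00:50:01.000: AUTH-PROXY:Authenticating user norvel
*Mar  1 00:50:01.000: TPLUS: Using server 192.168.1.104
*Mar  1 00:50:01.010: TPLUS(00000011)/0/NB_WAIT: wrote entire 26 bytes request
*Mar  1 00:50:01.120: TPLUS(00000011)/0/READ: read entire 18 bytes response
*Mar  1 00:50:01.125: AUTH-PROXY:bkgd:AAA returned PASS
"""

PROMPT_RE = re.compile(r"^([A-Za-z0-9_-]+)#(.*)$")
FLOW_RE = re.compile(r"dst_addr (\S+) src_addr (\S+) dst_port (\d+) src_port (\d+)")
USER_RE = re.compile(r"AUTH-PROXY:Authenticating user (\S+)")
SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
SENT_RE = re.compile(r"wrote entire (\d+) bytes request")
RECV_RE = re.compile(r"read entire (\d+) bytes response")
BAD_RE = re.compile(r"received bad AUTHEN packet: length = (\d+), expected (\d+)")
TIMEOUT_RE = re.compile(r"REQ_WAIT/[0-9A-F]+: timed out")
RESULT_RE = re.compile(r"AUTH-PROXY:bkgd:AAA returned (\w+)")


def normalize_console(text: str) -> list:
    """Re-join a timestamped log line that the console split by echoing the
    prompt ('...request 16 for pr' followed by 'R2#ocessing'). Heuristic: a
    prompt line with trailing text directly after a '*'-prefixed log line is
    treated as that line's continuation; a bare 'R2#' is kept as-is."""
    out = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m and m.group(2) and out and out[-1].startswith("*"):
            out[-1] += m.group(2)
        else:
            out.append(line)
    return out


def verdict(r: dict) -> str:
    """Classify the exchange; the labels are this script's own names."""
    if r["key_mismatch"]:
        return "key-mismatch"          # reply received but undecryptable
    if r["server"] is None:
        return "no-server"             # AAA never picked a TACACS+ server
    if r["response_bytes"] is None and r["timed_out"]:
        return "server-unreachable"    # request sent, nothing came back
    if r["aaa_result"] == "FAIL":
        return "credentials-rejected"  # valid reply, server said no
    if r["aaa_result"] == "PASS":
        return "authenticated"
    return "inconclusive"


def analyze_auth_proxy_debug(text: str) -> dict:
    """Summarise one auth-proxy/TACACS+ authentication attempt from debug text."""
    r = {"flows": set(), "user": None, "server": None, "request_bytes": None,
         "response_bytes": None, "bad_packet": None, "key_mismatch": False,
         "timed_out": False, "aaa_result": None}
    for line in normalize_console(text):
        if m := FLOW_RE.search(line):      # (src, sport, dst, dport) being proxied
            r["flows"].add((m[2], int(m[4]), m[1], int(m[3])))
        if m := USER_RE.search(line):
            r["user"] = m[1]
        if m := SERVER_RE.search(line):
            r["server"] = m[1]
        if m := SENT_RE.search(line):
            r["request_bytes"] = int(m[1])
        if m := RECV_RE.search(line):
            r["response_bytes"] = int(m[1])
        if m := BAD_RE.search(line):       # (length seen, length the header claimed)
            r["bad_packet"] = (int(m[1]), int(m[2]))
        if "Invalid AUTHEN packet (check keys)" in line:
            r["key_mismatch"] = True
        if TIMEOUT_RE.search(line):
            r["timed_out"] = True
        if m := RESULT_RE.search(line):
            r["aaa_result"] = m[1]
    r["flows"] = sorted(r["flows"])
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for name, sample in (("lab trace", SAMPLE_DEBUG), ("constructed OK", SAMPLE_OK)):
        print(name, analyze_auth_proxy_debug(sample))
```

For the trace above the script reports user norvel, server 192.168.1.104, 26 bytes sent, 18 bytes received, bad_packet (6, 43586) and the verdict key-mismatch. That verdict narrows the check to one pair of values: the key in R2's `tacacs-server host 192.168.1.104 key ...` line and the key ACS holds for the AAA client entry whose IP matches the address R2 sources its TACACS+ packets from (here the 192.168.1.200 interface facing the server); the two must match exactly, including case and trailing whitespace. A "credentials-rejected" verdict would instead point back at the user or group configuration, and "server-unreachable" at routing or the ACS service itself.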
