Juniper交换机AAA认证.docx

《Juniper交换机AAA认证.docx》由会员分享，可在线阅读，更多相关《Juniper交换机AAA认证.docx（5页珍藏版）》请在第一文库网上搜索。

1、Juniper交换机AAA登录认证配置1 .登录CiSeOACS,添加交换机信息，使用RAD1US(Juniper)认证创建junipeUeS1组，并添加了E401#IeSI主机，输入需要验证的主机IP及验证秘钥然后勾选juniper的radius模板1综IS4redProGV?9Me1wor*Ity1ComNSIIMrfc1f1jAdmihU1utionr0ICorrtrO1CIEXUrMIU3mwPoJtureZJVhd4tion*NV*oriAccs;toPro61e5QId嗡、IOnHn*jIOocuiventMmwa9wEdftAddAAAC1ientAAAC1ientHostnam

2、eAAAC1ientIPAddressSharedSecretNetworkDeviceGroupE401JtSt172.31.4.1IIjUniPer_testJ验证秘胡RADIUSKeyWrapKeyEncryptionKeyMessageAuthenticatorCodeKeyKeyInputFormatAuthenticateUsingCASCHtsHexadecima1juniper模板Sing1eConnectTACACS*AAAC1ient(Recordstopinaccountingonfai1ure)1ogUPdate/WatchdogPacketsfromthisAAAC1

3、ient1ogRADIUSTunne1ingPacketsfromthisAAAC1ientRep1aceRADIUSPortinfowithUsemamefromthisAAAC1ientMatchFramed-IP-AddresswithuserIPaddressforaccountingpacketsfromthisAAAC1ientISubmitISubmit+AddIvICance1I2.在ACS的接口下导入模板，然后点击用户组将需要3A认证的用户加入juniper上相应权限的用户组1111111CISCOI111D11C11DVUII1IKjUICI1IUIIFdiiRADIUS(

4、Juniper)SM,edProfi1eIComponentsNetworkFv=-IInterfaceUserGroup匠R026/2636/001Juniper-1oca1-User-NamePP026/2636/002Juniper-A11ow-CommandsPP026/2636/003Juniper-Deny-Commandsc,9IAdmifistritionIContro1在组里面里面添加Juniper交换机里面配置的超级管理员帐号，这样的目的是把Juniper交换机上具有超级管理员权限的gaine1这个用户的权限关联到GrOUPo这个组中，那么这个组中的用户（关联的域用户以及本

5、地添加进去的本地用户）都具有超管的权限。如果希望某个组（如Gr。UP2）具有只读的权限，那么进入这个组的EditSettings,在Juniper-1oca1-User-Name里面添加IJUniPer里面的只读用户read即可。CISCOGroupSetupe%1AdministrationcICOMrO1IExterna1UrUIDatabasesSharedProfiIeIComponentsoo1POJture.NavorkAccsJ仲叫VWdavOn3 .JuniperAAARadius配置：setsystemauthentication-orderradiussetsystemra

6、dius-server203.171.224.86secretsetsystemradius-server203.171.224.86timeout5setsystemauthentication-orderpassword这条命令如果不删除，在AAA服务器正常通信情况下也能使用本地帐号登录;如果删除，在AAA服务器不能通信的情况下才能使用本地帐号登录。4 .赘录验证TXCW_JuniperJEX45501ogin：bjpPassword：JUNOS12.3R5.7bui1t2013-12-1801:32:43UTCbjp(?TXCV_Juniper_EX4550showsystemusers

7、fpc0:2：01PMup53days,20:13,3users.1oadaverages：0.14,0.14,0.13USERTTVFROM1OGINSID1EUHATrootU020Dec13595days-cshrootP0203.171.224.4212：01PM1c1ibjPp1203.171.224.422：01PM-c1iJuniper交换机TACACS+配置1Juniper交换机上tacacs+配置如下:setgroupsg1oba1systemauthentication-ordertacp1ussetgroupsg1oba1systemtacp1us-serversecre

8、t,setgroupsg1oba1systemtacp1us-server203.171.224.86timeout5setgroupsg1oba1systemtacp1us-server203.171.224.86source-addresssetgroupsg1oba1system1oginuserremoteuid2002setgroupsg1oba1system1oginuserremotec1asssuper-usersetapp1y-groupsg1oba1不需要setsystemauthentication-order这条命令，因为setgroupsg1oba1已经指定了认证类型

9、如果在AAA服务器不能通信的情况下才能使用本地帐号登录则添加如下命令：setgroupsg1oba1systemauthentication-orderpassword或者setsystemauthentication-orderpasswordIGroup&I8Zup2 .ACS设置按照平时开机柜配置即可AAAC1ientSetupforVIP-XNetworkConfigurationSystemAAAC1ientIPAddress=JajIMM似。CQM1gUrN1on1IAdmrestration/IContro1IExterna1UwraIDmbM%PortureVa1idation

10、NeMO巾AccejjProfi1r*IReportsd射IAotiVKUPOn1inejIDgUmeCWjgSharedSecretNetworkDeviceGroupRADIUSKeyWrapKeyEncryptionKeyMessageAuthenticatorCodeKeyKeyInputFormatAuthenticateUsingIooooooooooooooooooooooooooooooooIooooooooooooooooooooooooooooooooooooooooASCIIHexadecima1IITACACS+(CiscoIOS)PSing1eConnectTACAC

11、S+AAAC1ient(Recordstopinaccountingonfai1ure)3 .验证-JUNOS12.3R5.7bui1t2013-12-1801：32：43UTCbjpexcw.JuniperJEX4550IbjP0TXCYY_JUniPeI*_EX4550showsystemusersfpc0:252PMup53days,21:03,3users,1oadaverages：0.23,0.23,0.18USERTTFROM1OGIN(?ID1EWHATrootu020Dec13595days-CSh,jpp0203.1.224.422：52PM-C1inePhQftyMe33t

12、t9e1724.1201581456NobceAug6U5C37TXCY1A1加户450E191M上UJASJ.OGCUTJVtNTUserB6皿con6gratnmocte172314.12O15-814S5NcOccAug8*S332TXCYYJ1rww.EX4S5OmSrtI9134/U_COMMTUseft,request,cafon(cofrtnertnone)172314.12015.W1454Auq8145256TXCYY.Xr*er_EX4S50mj19134JUjeASC_1OCW_EVeNTUstyC*tr1gfV1QurOood17231.4.12015M14S3NottceAg8151.51TXCYY.rwr-X4560ms(16236iU.MMT.UwcYOOrrequestedtown1,09ev60n(Cftmrtnone)