June 2011

Test:

This entry covers PPP authentication using a RADIUS server.

R2 is connected to R1 (12.12.12.1) and R3 (23.23.23.3). R3 acts as the PPP client and R1 as the RADIUS server.

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.2      YES manual up                    up
Serial1/2                  23.23.23.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

First, configure the RADIUS server on R1.

R1(config)#aaa new-model
R1(config)#radius-server local
R1(config-radsrv)#nas 17.17.2.2 key CISCO
R1(config-radsrv)#user cisco password cisco
R1#debug radius local-server packets

Configure PPP authentication on R2.

R2(config)#aaa new-model
R2(config)#aaa authentication ppp MYPPP group radius

R2(config)#int s1/2
R2(config-if)#en ppp
R2(config-if)#ppp authentication pap MYPPP

Point R2 at the RADIUS server (R1).

R2(config)#radius-server host 17.17.1.1 auth-port 1812 acct-port 1813 key CISCO
R2(config)#ip radius source-interface loopback 0
R2#debug radius authentication
R2#debug ppp authentication

Configure PAP on R3. The interface is down at first; once it is configured and re-enabled, authentication succeeds and the interface comes up.

R3(config)#int s1/3
R3(config-if)#do sh ip int b | i Serial1/3
Serial1/3                  23.23.23.3      YES manual up                    down
R3(config-if)#sh
R3(config-if)#ppp pap sent-username cisco password cisco
R3(config-if)#do deb ppp authen
R3(config-if)#no sh

Jun 29 06:31:04.711: Se1/3 PAP: Using hostname from interface PAP
Jun 29 06:31:04.711: Se1/3 PAP: Using password from interface PAP
Jun 29 06:31:04.715: Se1/3 PAP: O AUTH-REQ id 10 len 16 from "cisco"
Jun 29 06:31:04.871: Se1/3 PAP: I AUTH-ACK id 10 len 5
Jun 29 06:31:05.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/3, changed state to up
Jun 29 06:31:05.891: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 23.23.23.2 (Serial1/3) is up: new adjacency

On R2, the following is displayed.

Jun 29 06:31:01.799: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jun 29 06:31:01.799: RADIUS:  User-Name           [1]   7   "cisco"
Jun 29 06:31:01.799: RADIUS:  User-Password       [2]   18  *
Jun 29 06:31:01.799: RADIUS:  NAS-Port            [5]   6   10002
Jun 29 06:31:01.803: RADIUS:  NAS-Port-Id         [87]  11  "Serial1/2"
Jun 29 06:31:01.803: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
Jun 29 06:31:01.803: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun 29 06:31:01.803: RADIUS:  NAS-IP-Address      [4]   6   17.17.2.2
Jun 29 06:31:01.923: RADIUS: Received from id 1645/1 17.17.1.1:1812, Access-Accept, len 88
(omitted)
Jun 29 06:31:01.927: Se1/2 PPP: Received LOGIN Response PASS
Jun 29 06:31:01.931: Se1/2 PAP: O AUTH-ACK id 10 len 5
Jun 29 06:31:02.919: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 23.23.23.3 (Serial1/2) is up: new adjacency
Jun 29 06:31:02.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed state to up
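The User-Password attribute above is shown as * with length 18 because RFC 2865 hides the password with the shared secret (key CISCO) instead of sending it in clear, and the NAS checks a Response Authenticator on the Access-Accept. The following Python is an added example, not code from the original entry, that reproduces both computations; the 16-byte Request Authenticator is a constructed value.

```python
import hashlib
import hmac

SECRET = b"CISCO"            # shared secret from the lab above (nas ... key CISCO)
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator; a real NAS draws it at random

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each 16-byte
    chunk with MD5(secret + previous chunk), starting from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def user_password_attribute(password, secret, request_auth):
    """Attribute 2: type, length (2 + value), hidden value. "cisco" pads to 16
    bytes, so the length is 18, exactly the 'User-Password [2] 18' seen above."""
    value = hide_password(password, secret, request_auth)
    return bytes([2, 2 + len(value)]) + value

def build_accept(ident, attrs, request_auth, secret):
    """Access-Accept (code 2) with RFC 2865 section 3 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([2, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_accept(packet, request_auth, secret):
    """NAS-side check before trusting a reply: recompute the Response Authenticator
    with its own secret. A shared-key mismatch fails here (R3 counts these)."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```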

R1 shows the result of the RADIUS authentication.

R1#show radius local-server statistics | b Username
Username                  Successes  Failures  Blocks
cisco                             1         0       0

In this way, using RADIUS allows PPP authentication to be centralized.

Test:

These are handy commands when configuring interfaces in IOS. To display the configuration of a single interface, follow show run with the interface name.

R1#show running-config interface f0/1
Building configuration...

Current configuration : 115 bytes
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip ospf priority 0
speed 100
full-duplex
end

Adding linenum here displays line numbers.

R1#show running-config interface f0/1 linenum
Building configuration...

Current configuration : 115 bytes
     1 : !
     2 : interface FastEthernet0/1
     3 :  ip address 192.168.0.1 255.255.255.0
     4 :  ip ospf priority 0
     5 :  speed 100
     6 :  full-duplex
     7 : end

To clear the configuration of a specific interface, use the default interface command.

R1(config)#default interface fastEthernet 0/1
Building configuration...

Interface FastEthernet0/1 set to default configuration

R1(config)#do sh run int f0/1
Building configuration...

Current configuration : 73 bytes
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
end

When a serial cable is in use, the show controllers command tells you which side is DCE and which is DTE.

R3#show controllers serial 1/3
(omitted)
line state: up
cable type : V.11 (X.21) DCE cable, received clockrate 2015232

base0 registers=0x3D000000, base1 registers=0x3D002000
mxt_ds=0x6737EC68, rx ring entries=78, tx ring entries=128
(omitted)

Combining it with include as follows makes the output easier to read.

R3#show controllers serial 1/3 | include DCE|DTE
cable type : V.11 (X.21) DCE cable, received clockrate 2015232

The description command is useful when there are many interfaces. Any string can be recorded, which makes an interface's purpose easier to identify.

R3(config-if)#description PPP to R2
R3(config-if)#do sh int s1/3
Serial1/3 is up, line protocol is up
  Hardware is M4T
  Description: PPP to R2
  Internet address is 23.23.23.3/24
(omitted)

Test:

The history feature is important for working efficiently in IOS. It falls short of bash on Linux and the like, but there is no reason not to use it.

By default, the last 20 commands are saved.

R3#show terminal | include History
History is enabled, history size is 20.

To display the history, use the show history command.

R3#show history
  show terminal
  show history

In bash you can re-run a command by its history number, but in IOS you can only recall a command with Ctrl-p / Ctrl-n (or the arrow keys) and then execute it.

The default of 20 is not very practical, so change it to 100.

R3#terminal history size 100
R3#show terminal | include History
History is enabled, history size is 100.

When configuring many routers and switches (as in the CCIE lab), entering configuration on the wrong router is a common mistake. Using this feature makes it easy to check which router a command was entered on.

Test:

When performing user authentication with a RADIUS server, there is also a method that does not use the radius-server host command.

R2 is connected to R1 (12.12.12.1) and R3 (23.23.23.3). R1 is the TELNET client and R3, as before, is the RADIUS server.

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.2      YES manual up                    up
Serial1/2                  23.23.23.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

First, configure the RADIUS server on R3.

R3(config)#aaa new-model
R3(config)#radius-server local
R3(config-radsrv)#nas 17.17.2.2 key CISCO
R3(config-radsrv)#user cisco password cisco

Configure TELNET authentication on R2. Instead of the radius-server host command, use the aaa group server command and specify R3's Lo0 (17.17.3.3). Note that when using the server-private command, if the port numbers are not specified they default to auth-port 1645 and acct-port 1646.

R2(config)#aaa new-model
R2(config)#aaa authentication login RADIUS_TELNET group TELNET
R2(config)#aaa group server radius TELNET
R2(config-sg-radius)#?
RADIUS Server-group commands:
  accounting      Specify a RADIUS attribute filter for accounting
  attribute       Customize selected radius attributes
  authorization   Specify a RADIUS attribute filter for authorization
  backoff         Retry backoff pattern (Default is retransmits with constant
                  delay)
  deadtime        Specify time in minutes to ignore an unresponsive server
  default         Set a command to its defaults
  exit            Exit from RADIUS server-group configuration mode
  ip              Internet Protocol config commands
  load-balance    Server group load-balancing options.
  no              Negate a command or set its defaults
  server          Specify a RADIUS server
  server-private  Define a private RADIUS server (per group)

R2(config-sg-radius)#server-private 17.17.3.3 auth-port 1812 acct-port 1813 key CISCO
R2(config-sg-radius)#ip radius source-interface loopback 0

R2(config-sg-radius)#line vty 0 15
R2(config-line)#login authentication RADIUS_TELNET
R2(config-line)#do deb radius auth

After configuration, R1 can connect to R2 without any problem.

R1(config)#do telnet 17.17.2.2
Trying 17.17.2.2 ... Open

User Access Verification

Username: cisco
Password:

R2>sh user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:48   
* 98 vty 0     cisco      idle                 00:00:00 12.12.12.1

Test:

Here IOS is used as the RADIUS server. TELNET user authentication is performed through RADIUS rather than local authentication.

R2 is connected to R1 (12.12.12.1) and R3 (23.23.23.3). R1 is the TELNET client and R3 is configured as the RADIUS server.

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.2      YES manual up                    up
Serial1/2                  23.23.23.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

Enable AAA (Authentication, Authorization, Accounting) and register a login method list named TELNET that uses the radius group.

R2(config)#aaa new-model
R2(config)#aaa authentication login TELNET group radius

Configure the RADIUS server. Pay attention to the ports: if none are specified, 1645 and 1646 are used. Here the server is configured as 17.17.3.3, R3's Lo0.

R2(config)#radius-server host 17.17.3.3 key CISCO
R2(config)#do sh run | i radius-server
radius-server host 17.17.3.3 auth-port 1645 acct-port 1646 key CISCO

Today, ordinary RADIUS servers generally use 1812 and 1813, so check carefully when configuring.

$ grep radius /etc/services
datametrics     1645/tcp        old-radius      # datametrics / old radius entry
datametrics     1645/udp        old-radius      # datametrics / old radius entry
radius          1812/tcp                        # Radius
radius          1812/udp                        # Radius
radius-acct     1813/tcp        radacct         # Radius Accounting
radius-acct     1813/udp        radacct         # Radius Accounting
(omitted)

R2(config)#no radius-server host 17.17.3.3 key CISCO

R2(config)#radius-server host 17.17.3.3 auth-port 1812 acct-port 1813 key CISCO
R2#show aaa servers | i host
RADIUS: id 8, priority 1, host 17.17.3.3, auth-port 1812, acct-port 1813

Apply the TELNET AAA method list on line vty and enable debug.

R2(config)#line vty 0 15
R2(config-line)#login authentication TELNET
R2#debug radius authentication

Try connecting from R1. It fails because the RADIUS server has not been configured yet.

R1#telnet 12.12.12.2
Trying 12.12.12.2 ... Open

User Access Verification

Username: cisco
Password:

% Authentication failed

On R2:
Jun  1 06:11:48.899: RADIUS: No response from (17.17.3.3:1812,1813) for id 1645/1
Jun  1 06:11:48.899: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jun  1 06:11:48.899: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

A RADIUS server can also be built on Linux and the like, but IOS itself can act as a RADIUS server. By default, R2, the NAS (network access server), sends authentication requests from the interface directly connected to R3 (23.23.23.2).

R3(config)#aaa new-model
R3(config)#radius-server local
R3(config-radsrv)#nas 23.23.23.2 key CISCO
R3(config-radsrv)#user cisco password cisco

After configuration, R1 can connect.

On R2:
Jun  1 06:19:32.759: RADIUS:  Calling-Station-Id  [31]  12  "12.12.12.1"
Jun  1 06:19:32.759: RADIUS:  NAS-IP-Address      [4]   6   23.23.23.2
Jun  1 06:19:32.771: RADIUS: Received from id 1645/2 17.17.3.3:1812, Access-Accept, len 88

R3#sh radius local-server statistics
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 23.23.23.2
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0

Username                  Successes  Failures  Blocks
cisco                             1         0       0

The NAS address R2 uses can be changed to Lo0 (17.17.2.2).

R3(config-radsrv)#no nas 23.23.23.2 key CISCO
R3(config-radsrv)#nas 17.17.2.2 key CISCO
R3#show radius local-server statistics | i NAS :
NAS : 17.17.2.2

R2(config)#ip radius source-interface lo0

Jun  1 06:43:30.135: RADIUS:  NAS-IP-Address      [4]   6   17.17.2.2
Jun  1 06:43:30.143: RADIUS: Received from id 1645/10 17.17.3.3:1812, Access-Accept, len 88
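As an added example (not part of the original entry), the following Python audits debug radius authentication lines like those above for the two failure modes shown in this entry: the server not answering, and an NAS-IP-Address that differs from the address registered on the server with nas ... key (R3's Unknown NAS counter). The expected NAS address and server ports are parameters; the sample lines are copied from the R2 output above.

```python
import re

# Regexes for the three kinds of 'debug radius authentication' lines shown above.
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z-]+)\s+\[(?P<type>\d+)\]\s+\d+\s+(?P<value>\S+)")
RECV_RE = re.compile(r"RADIUS: Received from id (?P<id>\d+/\d+) (?P<server>[\d.]+):(?P<port>\d+), (?P<code>[A-Za-z-]+)")
NORESP_RE = re.compile(r"RADIUS: No response from \((?P<server>[\d.]+):(?P<auth>\d+),(?P<acct>\d+)\) for id (?P<id>\d+/\d+)")

def audit_radius_debug(lines, expected_nas_ip, expected_ports=(1812, 1813)):
    """Summarize one authentication exchange and flag the failure modes seen in
    this entry: no reply from the server (not configured, or NAS and server using
    different ports) and a NAS-IP-Address the server has not registered."""
    attrs, report = {}, {"outcome": None, "findings": []}
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            report["outcome"] = m["code"]
            report["server"] = f'{m["server"]}:{m["port"]}'
            continue
        m = NORESP_RE.search(line)
        if m:
            report["outcome"] = "No response"
            ports = (int(m["auth"]), int(m["acct"]))
            msg = f'no reply from {m["server"]} on ports {ports} for id {m["id"]}'
            if ports != tuple(expected_ports):
                msg += f" (server expects {tuple(expected_ports)}; IOS defaults to 1645/1646)"
            report["findings"].append(msg)
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m["name"]] = m["value"].strip('"')
    report["attributes"] = attrs
    nas_ip = attrs.get("NAS-IP-Address")
    if nas_ip and nas_ip != expected_nas_ip:
        report["findings"].append(f"NAS-IP-Address {nas_ip} != registered NAS {expected_nas_ip}")
    return report

# Sample lines copied from the R2 debug output in this entry.
SAMPLE_ACCEPT = [
    'Jun  1 06:19:32.759: RADIUS:  Calling-Station-Id  [31]  12  "12.12.12.1"',
    "Jun  1 06:19:32.759: RADIUS:  NAS-IP-Address      [4]   6   23.23.23.2",
    "Jun  1 06:19:32.771: RADIUS: Received from id 1645/2 17.17.3.3:1812, Access-Accept, len 88",
]
SAMPLE_NORESP = [
    "Jun  1 06:11:48.899: RADIUS: No response from (17.17.3.3:1812,1813) for id 1645/1",
]
```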

RADIUS NAS-IP-Address Attribute Configurability

