17.3.27 30일차 (NTP & AAA, ACS)

@NTP
- UDP 123

@R1
R1
show clock

conf t
!
ntp server 203.248.240.140
end

show clock
show clock detail
show ntp status

conf t
!
clock timezone KST +9(+하고 숫자를 붙여야 함)
end

show clock

conf t
!
ntp master 3 - 하루에 동기화 3번

@SW1, SW2, SW3
conf t
!
ntp server 192.168.100.254
end

show clock
show ntp status
show ntp ass(협정) 라우터으로부터 시간을 동기화 하겠다

conf t
!
clock timezone KST +9

conf t
clock summer-time TEST recurring first mon mar 10:00
--------------------------------------------------------------------------------------------------------
R1[f0/0]-----------------------------------------R4[f0/0]
192.168.100.254                                     192.168.100.101

en
conf t
hostname R1
!
no ip domain-lookup
!
enable secret cisco
!
line con 0
 logg syn
 exec-timeout 0 0
 password ciscocon
 login
!
line vty 0 4
 password ciscovty
 login
!

en
conf t
hostname R4
!
no ip domain-lookup
!
enable secret cisco
!
line con 0
 logg syn
 exec-timeout 0 0
 password ciscocon
 login
!
line vty 0 4
 password ciscovty
 login
!
@R1
show user ---> 누가 접속햇는지  *별이 붙으면 자기자신

clear user 66 ---> 접속해제

ctrl+shift+6 다떼고 x 리버스 텔넷 됨

show seeion--->내가 현재 접속한것..... * 별이 최근
4#show sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 192.168.100.254     192.168.100.254        0     0 192.168.100.254
resume 3 ----> 3번으로
disconnect 1
-------------------------------------------------------------------------------
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#no lo
R1(config-line)#no log
R1(config-line)#no login
R1(config-line)#no login
R1(config-line)#

@r4
telnet 192.168.100.254 or 192.168.100.254
exit
@R1
privilege level 15

15 - 모든 명령어 권한을 준다.
0-14 제한

show privilege level
--------------------------------------------------------
@R4

conf t
ip host r1 192.168.100.254
end

ping r1
-------------------------------------------------------
@R1
login local
R1(config)#username test password test ---> 계정 및 비밀번호
@R4
텔넷 접속 후 exit

@R1
username abc one-time password 1234 ---> 일회용 계정(otp)
show run
@R4
텔넷 접속 exit
-----------------------------------------------------------
@R1
R1(config)#username gu
R1(config)#username guset p
R1(config)#username guset pr
R1(config)#username guset privilege 5 p
R1(config)#username guset privilege 5 pa
R1(config)#username guest privilege 5 password cisco1234

@R4
admin , cisco

게스트모드에서는 아무것도 안됨

@R1

R1(config)#privilege exec level 5 debug ip rip
R1(config)#privilege exec level 5 conf t
R1(config)#privilege configure level 5 interface
R1(config)#privilege interface level 5 ip address

exec          R1#
configure    R1(config)#
interface     R1(config-if)#

show run
R1(config)#no username admin                    
R1(config)#no username guest

@R4
텔넷접속, guest모드에서는 설정한것만 됨

-----------------------------------------------------------
@AAA
콘솔은 username 안물어보고, 텔넷은 물어본다.

Authentication 인증
authorization 권한
accounting 과금/기록
AAA를 통해 텔넷,콘솔접속

@R1
R1(config)#line vty 0 4
R1(config-line)#login

@R4
텔넷 접속하면 username을 물어본다. test,test
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#no pr
R1(config-line)#no pri
R1(config-line)#no privi
R1(config-line)#no privilege le
R1(config-line)#no privilege level 15

@R1
R1(config)#aaa new-model
R1(config)#username test password test

R1#show run
line con 0
password ciscocon  ---> login 명령어가 사라진다.
!
line vty 0 4
password ciscovty --> login 명령어가 사라진다.

R1(config)#aaa authentication login default enable
enable secret 패스워드를 이용하는 인증 정보 확인
R4#r1
Translating "r1"
Trying r1 (13.13.1.1)... Open
User Access Verification
Password: <cisco>  ---->  enable secret cisco에서 입력한 패스워드 가 된다.
R1>exit

라우터 콘솔 및 VTY 라인으로 접속할때, 인증 패스워드를 각각의 라인 패스워드를 사용한다
R1(config)#aaa authentication login default line

R4#r1
Translating "r1"
Trying r1 (192.168.100.254)... Open

User Access Verification

Password: cisco

R1>en
Password:

이 방법은 라우터 콘솔 및 VTY 라인으로 접속할때, 사용자 정보(username/password) 사용한다. 만약, ‘localcase’로 설정하면, 사용자 정보의 username에 대해서 대소문자를 구분한다. R1에서
R1(config)#aaa authentication login default local
R4#r1
Translating "r1"
Trying r1 (13.13.1.1)... Open
User Access Verification
Username: test
Password: <test>
R1>exit
[Connection to r1 closed by foreign host]

-----------------------------------------------------------
@R1
R1(config)#aaa authentication login VTY group tacacs+ local

R1(config)#tacacs-server host 192.168.100.200 key cisco1234
R1(config)#line con 0
R1(config-line)#login authentication CON
R1(config-line)#line vty 0 4
R1(config-line)#login authentication VTY
@R4
계정접속,,시간이 걸림
나옴

@R1
R1(config)#username admin privilege 15 password cisco
R1(config)#username guest privilege 5 password cisco1234
@R4
guest
R4#192.168.100.254
Translating "192.168.100.254"
Trying 192.168.100.254 ... Open

User Access Verification

Username: guest
Password:

R1#
R1#
R1#
R1#       copy run s
R1#       copy run start
            ^
% Invalid input detected at '^' marker.

R1#
R4#

--------------------------------------------------------------------------------------
@tacas-server
tacacs-server host 192.168.100.200 key cisco1234
!
line con 0
 login authentication CON
!
line vty 0 4
 login authentication VTY
!
---------------------------------------------------------------------
@SW1

username test password test
!
aaa new-model
!
aaa authentication login CON local
aaa authentication login VTY group tacacs+ local
!
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

---------------------------------------
telnet 192.168.100.1

------------------------------------

-관리자 : admin/cisco(모든 명령어 가능)
             (group 185)
- 부-관리자 : user1/cisco1 (reload,copy,erase,delete 제외한 모든 명령어 사용 가능)
             (group 186)
- 신입 직원 : user2/cisco2 (show ip route, show ip int brief, show version 명령어만 사용 가능)
             (group 187)