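Authenticating EzVPN with ACS
Lab objective:
Use ACS to assign IP addresses to remote clients and to download the services they are allowed to access.
Lab topology:
ASA configuration: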
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0
!
aaa-server aaa protocol radius
aaa-server aaa (inside) host 192.168.10.1
 key *****
crypto ipsec ikev1 transform-set ez***trans esp-des esp-md5-hmac
crypto dynamic-map ez***dymap 10 set ikev1 transform-set ez***trans
crypto map ez***map 100 ipsec-isakmp dynamic ez***dymap
crypto map ez***map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group ez***tunnel type remote-access
tunnel-group ez***tunnel general-attributes
 authentication-server-group aaa
tunnel-group ez***tunnel ipsec-attributes
 ikev1 pre-shared-key *****
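The transform set and IKEv1 policy above use DES, 3DES, MD5 and DH group 2. As an added example (not part of the original post), the following Python function scans ASA configuration text and reports such settings; the weak-algorithm lists and the placeholder object names TS1, DYN1 and MAP1 are assumptions.

```python
import re

# Assumption: algorithms this site treats as weak; adjust to local policy.
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
IKE_SUBCOMMANDS = set(WEAK_IKE) | {"authentication", "lifetime"}

# Constructed sample modelled on the configuration above; TS1, DYN1 and MAP1
# are placeholder object names.
SAMPLE = """\
crypto ipsec ikev1 transform-set TS1 esp-des esp-md5-hmac
crypto dynamic-map DYN1 10 set ikev1 transform-set TS1
crypto map MAP1 100 ipsec-isakmp dynamic DYN1
crypto map MAP1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

def audit_asa_crypto(config):
    """Return (location, weak value) findings for IKEv1/IPsec settings."""
    findings, policy = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        ts = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", raw.strip())
        pol = re.match(r"crypto ikev1 policy (\d+)$", raw.strip())
        if ts:
            policy = None
            findings += [(f"transform-set {ts.group(1)}", alg)
                         for alg in ts.group(2).split() if alg in WEAK_ESP]
        elif pol:
            policy = pol.group(1)
        elif policy and words[0] in IKE_SUBCOMMANDS:
            # Sub-command of the current policy (indented or flattened config).
            if len(words) > 1 and words[1] in WEAK_IKE.get(words[0], ()):
                findings.append((f"ikev1 policy {policy}", f"{words[0]} {words[1]}"))
        else:
            policy = None  # any other line ends the policy block
    return findings

if __name__ == "__main__":
    for where, what in audit_asa_crypto(SAMPLE):
        print(f"{where}: {what}")
```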
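ACS configuration:
1. Configure the AAA client and the AAA server.
2. Configure Downloadable IP ACLs.
3. Configure the IP address pool.
4. Add the user root, add it to group6, and configure the group group6.
Install the VPN Client on the PC and connect to the VPN.
On the PC, check the network properties with ipconfig.
Reposted from: https://blog.51cto.com/692344/1009873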