RADIUS-based SSH authentication
• Location of the RADIUS server
• radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key WinRadius
• The same config must be on the RADIUS server (and the username/password)
• Authentication method
• aaa new-model
• aaa authentication login default group radius none <= GENERAL
• aaa authentication login SSH_LINE group radius <= FOR SSH
• SSH configuration (only part listed here)
• line vty 0 4
• privilege level 15
• login authentication SSH_LINE <= SAME NAME
• transport input ssh
Example of reflexive ACL (diagram: outside-generated traffic vs. inside-generated traffic)
• Outgoing traffic opens a hole for the returning incoming traffic
Reflexive ACL
• INTERNAL ACL
• R1(config)# ip access-list extended internal_ACL
• R1(config-ext-nacl)# permit tcp any any eq 23 reflect telnet-only-reflexive-ACL
• R1(config-ext-nacl)# permit udp any any eq 53 reflect dns-only-reflexive-ACL timeout 10
• EXTERNAL ACL
• R1(config)# ip access-list extended external_ACL
• R1(config-ext-nacl)# evaluate telnet-only-reflexive-ACL
• R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL
• R1(config-ext-nacl)# deny ip any any
• APPLY ACLS
• R1(config)# interface s0/0/0
• R1(config-if)# description connection to the ISP.
• R1(config-if)# ip access-group internal_ACL out
• R1(config-if)# ip access-group external_ACL in
Your task
• Create a reflexive ACL which allows web surfing (HTTP) from left to right but not from right to left
Review of the lab
• INTERNAL ACL
• R1(config)# ip access-list extended internal_ACL
• R1(config-ext-nacl)# permit tcp any any eq 80 reflect www-only-reflexive-ACL
• R1(config-ext-nacl)# deny ip any any
• EXTERNAL ACL
• R1(config)# ip access-list extended external_ACL
• R1(config-ext-nacl)# evaluate www-only-reflexive-ACL
• R1(config-ext-nacl)# deny ip any any
• APPLY ACLS
• R1(config)# interface fa0/0
• R1(config-if)# description Local
• R1(config-if)# ip access-group internal_ACL in
• R1(config)# interface fa0/1
• R1(config-if)# description Remote
• R1(config-if)# ip access-group external_ACL in
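As an added example (not part of the slides or of Cisco IOS), a small Python model of the reflect/evaluate behaviour used in the lab above: an outbound packet matching a "reflect" entry installs a mirrored temporary entry, "evaluate" on the outside interface admits only return traffic that matches a live entry, and the entry expires after the configured timeout. The addresses, ports and the 10-second timeout are constructed values; TCP FIN/RST teardown is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float     # arrival time in seconds (constructed clock)

class ReflexiveAcl:
    """Toy model of IOS 'reflect' / 'evaluate': a permit entry carrying
    'reflect' installs a temporary entry with source and destination swapped;
    'evaluate' in the opposite-direction ACL permits only packets matching a
    live mirrored entry. Not a real IOS implementation."""

    def __init__(self, reflect_rules, timeout=300):
        # reflect_rules: (proto, destination port) pairs that carry 'reflect',
        # e.g. [("tcp", 80)] for the lab's www-only-reflexive-ACL
        self.reflect_rules = set(reflect_rules)
        self.timeout = timeout          # seconds; IOS default is 300
        self.entries = {}               # mirrored 5-tuple -> expiry time

    def internal(self, pkt):
        """internal_ACL: traffic originated on the inside (left)."""
        if (pkt.proto, pkt.dport) in self.reflect_rules:
            mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[mirror] = pkt.t + self.timeout
            return "permit"
        return "deny"                   # the trailing 'deny ip any any'

    def external(self, pkt):
        """external_ACL: traffic arriving from the outside (right)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is not None and pkt.t <= expiry:
            self.entries[key] = pkt.t + self.timeout  # matching traffic refreshes the timer
            return "permit"
        return "deny"                   # no hole was opened for this flow

def demo():
    """Replays constructed packets through the lab's www-only policy."""
    acl = ReflexiveAcl([("tcp", 80)], timeout=10)
    inside, outside = "10.0.0.5", "203.0.113.7"        # constructed addresses
    request     = Packet("tcp", inside, 40000, outside, 80, t=0)    # left -> right
    reply       = Packet("tcp", outside, 80, inside, 40000, t=1)    # return traffic
    unsolicited = Packet("tcp", outside, 50000, inside, 80, t=1)    # right -> left web
    late_reply  = Packet("tcp", outside, 80, inside, 40000, t=20)   # after timeout
    return [acl.internal(request), acl.external(reply),
            acl.external(unsolicited), acl.external(late_reply)]
```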