L2TP – RADIUS Authentication
AAA Server
Common AAA protocols fall into two families: Cisco's proprietary TACACS, and RADIUS. Cisco supports both through its ACS server, while RADIUS implementations vary by vendor; common ones are FreeRADIUS and daloRADIUS. RADIUS uses two sets of UDP ports:
http://en.wikipedia.org/wiki/RADIUS
1. 1812 for authentication and 1813 for accounting, the ports assigned by IANA
2. Ports 1645 and 1646 (authentication and accounting) were used unofficially in the past
Some clients still use the legacy ports 1645 and 1646, so for backward compatibility RADIUS listens on both sets.
daloRADIUS
This is a web front end bundled with MySQL and PHP, and it is very convenient. There are two ways to install it: one is an OVA file that you import straight into VMware and use as is, with everything bundled inside; the other is to install daloRADIUS, PHP and MySQL separately on Linux. The second way is too much hassle and I have not tried it. I did try the first, but ran into a problem: for some reason the admin account could not be used. I even posted about it online, but so far nobody has replied:
https://sourceforge.net/p/daloradius/discussion/684102/thread/487fe3b8/
1. Assign a static IP address to a VMware NAT guest
Once NAT is enabled, guest addresses are assigned dynamically. To keep the guest easy to reach later, you can pin its NAT address; see the following article:
Assign static IP to guest with NAT Virt Network Adaptor?
The steps are as follows:
root@lamp ~# ifconfig |grep HWaddr
eth0      Link encap:Ethernet  HWaddr 00:0c:29:3d:d9:f5

mac:~ test$ find /Library -name dhcpd.conf
find: /Library/Application Support/Apple/ParentalControls/Users: Permission denied
find: /Library/Caches/com.apple.coresymbolicationd: Permission denied
find: /Library/Caches/com.apple.Spotlight/schema.501.plist: Permission denied
find: /Library/Caches/com.apple.Spotlight/schema.89.plist: Permission denied
find: /Library/Caches/com.apple.Spotlight: Permission denied
find: /Library/McAfee/cma/scratch: Permission denied
/Library/Preferences/VMware Fusion/vmnet1/dhcpd.conf
/Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf
mac:~ test$ su
Password:
sh-3.2#
sh-3.2# more /Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf
/Library/Preferences/VMware: No such file or directory
Fusion/vmnet8/dhcpd.conf: No such file or directory
sh-3.2#
sh-3.2# cd /Library/Preferences/VMware\ Fusion/vmnet8/
sh-3.2# ls |grep dhcpd.conf
dhcpd.conf
dhcpd.conf.bak
sh-3.2#
sh-3.2# more dhcpd.conf
####### VMNET DHCP Configuration. End of "DO NOT MODIFY SECTION" #######
host radius-vm {
    hardware ethernet 00:0c:29:3d:d9:f5;
    fixed-address 192.168.255.100;
}
host windows {
    hardware ethernet 0:0c:29:06:96:1f;
    fixed-address 192.168.255.120;
}
2. Port forwarding for a VMware NAT guest
With ordinary VMware NAT, the guest can reach the outside network, but outside hosts cannot open connections inbound through the NAT, so external devices cannot reach the guest directly. Fortunately VMware supports port forwarding, though only for TCP and UDP, not ICMP: VMware Server NAT Configuration. In the same directory as dhcpd.conf there is a nat.conf file; that is the one to edit. The four entries under [incomingudp] below (highlighted in the original post) are the port forwards for the RADIUS ports:
sh-3.2# ls
dhcpd.conf    dhcpd.conf.bak    nat.conf    nat.conf.bak    nat.mac
sh-3.2# vi nat.conf
[incomingudp]
# UDP port forwarding example
#6000 = 172.16.3.0:6001
1812 = 192.168.255.100:1812
1813 = 192.168.255.100:1813
1645 = 192.168.255.100:1645
1646 = 192.168.255.100:1646
FreeRADIUS
The core of daloRADIUS is in fact FreeRADIUS; it only adds a web front end. There is a Windows build of FreeRADIUS, which is tiny, works well, and is configured entirely through text files. Download it from "http://freeradius.net". The tests in this post were done with that build.
Update 2013-5-27:
When I switched the VMware NIC mode between NAT and Bridged, FreeRADIUS stopped working: the three server control options were greyed out, and restarting the FreeRADIUS process did not help. Reinstalling fixed it. I do not know whether the network configuration simply cannot be changed once FreeRADIUS has been installed. Also, if the Wi-Fi network is secured and requires a username and password, the VM cannot get online through either Bridged or NAT mode.
Update 2014-9-4:
While experimenting I found that the freeradius.net build of FreeRADIUS (1.1.7) has some bugs and is updated very slowly. If you run into them, download from http://freeradius.org instead (3.0.3). Note that one site is .net and the other is .org, and the version numbers differ. Also, 3.0.3 is the open-source Linux version. Finally, there is a 2.2.5 build as well; just Google "FreeRADIUS for Windows".
LNS RADIUS Authentication
LNS configuration
aaa group server radius AAA
 server name test123
 authorization reply reject TEST
!--- The command above filters out unsupported RADIUS attributes
!
aaa authentication ppp default group AAA local
aaa authorization network default group AAA local
!
aaa policy interface-config allow-subinterface
!
ip vrf ccna
 description BRUCE TEST 20130222
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname 3845-2
 local name ASR1002-1
 lcp renegotiation on-mismatch
 l2tp tunnel password 0 cisco
!
username cisco password 0 cisco
!--- The local database here is only a fallback, used for testing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/2/0
 ip address 10.75.49.71 255.255.255.0
 negotiation auto
!
interface Virtual-Template1
 no ip address
 no peer default ip address
 ppp authentication chap
!--- Neither ip unnumbered nor a peer address is configured here; even if they were, the RADIUS attributes take precedence
!
ip radius source-interface FastEthernet0/2/0
!
radius-server attribute list TEST
 attribute 13
!
!
radius server test123
 address ipv4 10.75.73.195 auth-port 1812 acct-port 1813
 key testing123
RADIUS configuration
User config:
[email protected] := Local, User-Password == "test"
        Cisco-AVPair += "ip:ip-unnumbered=loopback0",
        Cisco-AVPair += "ip:vrf-id=ccna",
        Framed-IP-Address += 33.33.33.250,
        Framed-Route += "172.16.0.0 255.255.0.0 33.33.33.250 100",
        Framed-Compression += ""
Note: in the users configuration it is recommended to clear out all default entries, otherwise you will get Access-Reject.
RADIUS clients:
client 10.75.49.71 {
        secret    = testing123
        shortname = asr1k
}
Note: in the clients configuration it is not recommended to clear out the default entries, otherwise the server may report port 1812 as unreachable.
Below is the "debug radius" output on the LNS:
RADIUS: Removing all radius source-int. pointing to Virtual-Access2.1
RADIUS/ENCODE(00000050):Orig. component type = VPDN
RADIUS:  AAA Unsupported Attr:   interface         [223] 14
RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44            [ Uniq-Sess-ID]
RADIUS(00000050): Config NAS IP: 10.75.49.71
RADIUS(00000050): Config NAS IPv6: ::
RADIUS/ENCODE(00000050): acct_session_id: 69
RADIUS(00000050): sending
RADIUS(00000050): Send Access-Request to 72.163.226.56:1812 id 1645/34, len 112
RADIUS(00000050): Sending a IPv4 Radius Packet
RADIUS(00000050): Send Access-Request to 72.163.226.56:1812 id 1645/34, len 112
RADIUS:  authenticator 96 45 10 29 44 15 EE 90 - 12 77 E6 94 A2 62 5B 7B
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   16  "[email protected]"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  Connect-Info        [77]  11  "100000000"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   35
RADIUS:  NAS-Port-Id         [87]  16  "Uniq-Sess-ID35"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.75.49.71
RADIUS(00000050): Started 5 sec timeout
RADIUS: Received from id 1645/34 72.163.226.56:1812, Access-Accept, len 129
RADIUS:  authenticator 06 95 4C 5D 4D 0B 48 37 - 95 25 D8 6B 9C 1B 5B 3F
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "ip:ip-unnumbered=loopback0"
RADIUS:  Vendor, Cisco       [26]  22
RADIUS:   Cisco AVpair       [1]   16  "ip:vrf-id=ccna"
RADIUS:  Framed-IP-Address   [8]   6   33.33.33.250
RADIUS:  Framed-Route        [22]  41  "172.16.0.0 255.255.0.0 33.33.33.250 100"
RADIUS:  Framed-Compression  [13]  6   None                      [0]
RADIUS(00000050): Received from id 1645/34
RADIUS:  attribute 13 rejected

ASR1002-1#sh ip vrf ccna
  Name                             Default RD            Interfaces
  ccna                             1:1                   Vi2.1

ASR1002-1#sh ip route vrf ccna
Routing Table: ccna
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      33.0.0.0/32 is subnetted, 1 subnets
C        33.33.33.250 is directly connected, Virtual-Access2.1
U     172.16.0.0/16 [100/0] via 33.33.33.250
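To make the Access-Accept in the debug output concrete, here is an added Python example (not code from the original post) that encodes the same five reply attributes, confirms they add up to the 129 bytes the LNS reported, verifies the Response Authenticator the way a NAS does using the shared secret testing123, and applies the attribute reject list (attribute 13) from the LNS configuration. The request authenticator is copied from the debug line above; the exact byte order of the reconstructed packet is an assumption, so its hash will not necessarily match the captured authenticator byte for byte.

```python
import hashlib
import socket
import struct

# Constructed example: rebuild the Access-Accept from the LNS "debug radius" output.
CISCO_VENDOR_ID, CISCO_AVPAIR, ACCESS_ACCEPT = 9, 1, 2  # Cisco enterprise number, AVPair sub-type, reply code

def attr(atype, value):
    """One RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte vendor id followed by one Cisco-AVPair sub-attribute."""
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def accept_attributes():
    """The five reply attributes the debug lists, in the same order."""
    return [
        cisco_avpair("ip:ip-unnumbered=loopback0"),
        cisco_avpair("ip:vrf-id=ccna"),
        attr(8, socket.inet_aton("33.33.33.250")),               # Framed-IP-Address
        attr(22, b"172.16.0.0 255.255.0.0 33.33.33.250 100"),    # Framed-Route
        attr(13, struct.pack("!I", 0)),                          # Framed-Compression = None
    ]

def build_reply(code, ident, request_auth, attrs, secret):
    """RFC 2865 reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def reply_is_authentic(packet, request_auth, secret):
    """NAS-side check: a reply whose hash does not match the shared secret is discarded."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return resp_auth == hashlib.md5(header + request_auth + body + secret).digest()

def decode_attributes(body):
    """Walk the type/length/value list; refuse truncated or overlong lengths."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = body[i], body[i + 1]
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out

def apply_reject_list(packet, rejected):
    """Mirror 'authorization reply reject TEST' with 'attribute 13' listed: drop those types."""
    return [(t, v) for t, v in decode_attributes(packet[20:]) if t not in rejected]
```

The per-attribute lengths 34, 22, 6, 41 and 6 come out exactly as the debug shows, and filtering type 13 leaves the two Cisco VSAs, Framed-IP-Address and Framed-Route, which is what the LNS then applied to Virtual-Access2.1.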
Hello, I would like to ask how to manage FreeRADIUS and Cisco AAA through the daloRADIUS web interface. I searched a lot online but could not find any material on this. Could you kindly share some? Many thanks.
I don't quite understand what you mean. daloRADIUS is itself an integrated package built on FreeRADIUS, and daloRADIUS has its own web management interface; Cisco's ACS likewise has its own web management interface.