JuniperSRX防火墙AAA试验配置手册-v13

Juniper防火墙SRX系列防火墙AAA实验配置手册康帕斯科技发展有限公司2016年07月JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.2目录1.实验需求......................................................................................................32.实验环境......................................................................................................33.实验拓扑......................................................................................................43.1.创建虚拟机..................................................................................................43.2.虚拟机之间网络连接..................................................................................54.防火墙配置..................................................................................................75.ACS配置.....................................................................................................125.1.主服务器配置............................................................................................125.1.1.配置AAA服务器.............................................................................125.1.2.创建只读用户及用户组..................................................................155.1.3.创建super用户及用户组..............................................................175.2.备服务器配置............................................................................................196.试验测试结果............................................................................................196.1.AAA帐号登录测试....................................................................................196.1.1.只读用户登录测试..........................................................................196.1.2.super用户登录测试.......................................................................206.1.3.用户登录审计测试..........................................................................206.2.Radius服务器冗余性测试........................................................................216.3.AAA失效后使用本地帐号登录................................................................23JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.31.实验需求有JuniperSRX3400和SRX1400需要做AAA配置，为了能够顺利完成与Radius服务器对接，现使用实验环境对JuniperAAA配置进行验证。实验需求如下：JuniperSRX防火墙AAA配置，设备管理用户分为3种：分别为只读用户、超级用户及本地用户，通过与两台Radius服务器（主备）做认证，授权，主Radius服务器故障可以切换到备服务器，设备登录方式采用Radius优先，当Radius服务器故障时可使用本地认证。2.实验环境Juniper防火墙使用虚拟机来搭建，Radius服务器使用windos2003+ACSv4.2。实验工具如下：软件防火墙junos-vsrx-12.1X44-D10.4-domestic；服务器WindowsServer2003EnterpriseEditionServicePack2RadiusACSv4.2登录工具SecureCRTVMWareVMware-workstation-full-10.0.3-1895310.exePC硬件JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.43.实验拓扑3.1.创建虚拟机创建3个虚拟机：SRX：juniper防火墙Radius_server_1：主radius服务器Radius_server_2：备radius服务器JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.53.2.虚拟机之间网络连接各虚拟机网卡连接方式如下：1）将虚拟机SRX网卡1与物理机网卡桥接2）将虚拟机SRX网卡3采用自定义方式，用于与两台服务器连接3）服务器网卡也采用自定义的方式，用于与SRX连接：JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.64）配置IP地址，测试联通性按照以上拓扑图对防火墙接口、服务器网口的IP地址进行配置，并测试连通性。设置Radius_server_1地址：设置Radius_server_2地址：JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.74.防火墙配置防火墙配置及注释如下：system{authentication-order[radius];//证验方式radius优先，radius失效本地帐号可登录root-authentication{encrypted-password$1$XnvX8cV/$ofcHd9NOokhXfFY2vybIA.;##SECRET-DATA}JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.8radius-server{172.16.1.100{//主服务器secretjuniper;##SECRET-DATAsource-address172.16.1.1;}172.16.1.101{//备服务器secretjuniper;##SECRET-DATAsource-address172.16.1.1;}}accounting{//配置审计eventslogin;destination{radius{server{172.16.1.100{port1646;secret$9$VdsgJikP36AGD6Ap0hcbs2;##SECRET-DATA}172.16.1.101{port1646;secret$9$VdsgJikP36AGD6Ap0hcbs2;##SECRET-DATA}}}}}JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.9login{classview-config{//建立只读用户权限classidle-timeout5;permissionsall;deny-commands(request)|(set)|(clear)|(configure);//配置deny-commd}classsuper{//建立super用户权限classidle-timeout15;permissionsall;}userjuniper1{//建立本地账户uid2002;classsuper;authentication{encrypted-password$1$JnCi6P6j$vpWhKOfEW.mXllPzX0oOa1;##SECRET-DATA}userjuniper2{//建立本地账户uid2004;classsuper;authentication{encrypted-password$1$xOmWw0IM$Fj2npdjRgYutg5ZZFZ33r.;##SECRET-DATA}}usertest-read{/建立只读权限模板用户，模板用户不用配置密码，用于与ACS对接；uid2010;JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.10classview-config;}usertest-super{//建立super权限模板用户，模板用户不用配置密码，用于与ACS对接；uid2001;classsuper;}}}interfaces{ge-0/0/0{unit0{familyinet{address192.168.2.100/25;}}}ge-0/0/2{unit0{familyinet{address172.16.1.1/24;}}}}routing-options{static{route0.0.0.0/0next-hop192.168.2.126;JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopmentCo.,Ltd.11}}security{policies;zones{security-zonetrust{interfaces{ge-0/0/0.0{host-inbound-traffic{system-services{ping;telnet;ssh;}}}}}security-zoneuntrust{interfaces{ge-0/0/2.0}}}}}}JUNIPER防火墙SRX3400AAA试验配置手册©CopyrightbyShenzhenCompassTechnologyDevelopme