AAA (Authentication, Authorization and Accounting)


In network security, AAA is formed from the initials of authentication, authorization and accounting; it is a system that carefully inspects the information packets arriving over the network according to certain models and reports malicious activity.
Authentication: verifying the identity of a device or user when a server, switch or router is used.
Authorization: granting a user or users the right to access the system, a program and the network.
Accounting: the process performed so that what any user did, the user's actions, the user's data connections and the user's system records can be tracked.

1. Assigning device names and IP addresses.
[Huawei]sysname CLIGURU-R1

[CLIGURU-R1]interface GigabitEthernet 0/0/0
[CLIGURU-R1-GigabitEthernet0/0/0]ip address 119.84.111.1 24
[Huawei]sysname CLIGURU-R3
[CLIGURU-R3]interface GigabitEthernet 0/0/0
[CLIGURU-R3-GigabitEthernet0/0/0]ip address 119.84.111.3 24
Let's check the connectivity between CLIGURU-R1 and CLIGURU-R3.
<CLIGURU-R1>ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=140 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=60 ms
--- 119.84.111.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/76/140 ms
2. Let's configure AAA on CLIGURU-R1.
Let's complete the authentication-scheme and authorization-scheme configuration for the CLIGURU-R1 router, and apply the same settings on CLIGURU-R3 as well.
[CLIGURU-R1]aaa
[CLIGURU-R1-aaa]authentication-scheme auth1
Info: Create a new authentication scheme.
[CLIGURU-R1-aaa-authen-auth1]authentication-mode local
[CLIGURU-R1-aaa-authen-auth1]quit
[CLIGURU-R1-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[CLIGURU-R1-aaa-author-auth2]authorization-mode local
[CLIGURU-R1-aaa-author-auth2]quit
Let's configure CLIGURU-R1's domain as huawei, and then configure the users we create to match it.
[CLIGURU-R1-aaa]domain huawei
Info: Success to create a new domain.
[CLIGURU-R1-aaa-domain-huawei]authentication-scheme auth1
[CLIGURU-R1-aaa-domain-huawei]authorization-scheme auth2
[CLIGURU-R1-aaa-domain-huawei]quit
[CLIGURU-R1-aaa]local-user user1@huawei password cipher huawei
Info: Add a new user.
[CLIGURU-R1-aaa]local-user user1@huawei service-type telnet
[CLIGURU-R1-aaa]local-user user1@huawei privilege level 0
Let's enable the Telnet server on CLIGURU-R1 in AAA authentication mode.
[CLIGURU-R1]user-interface vty 0 4
[CLIGURU-R1-ui-vty0-4]authentication-mode aaa
Let's check whether the Telnet service was set up successfully on CLIGURU-R1.
<CLIGURU-R3>telnet 119.84.111.1
Trying 119.84.111.1 ...
Press CTRL+K to abort
Connected to 119.84.111.1 ...
Login authentication
Username:user1@huawei
Password:
<CLIGURU-R1>sys
<CLIGURU-R1>system-view
^
Error: Unrecognized command found at '^' position.
<CLIGURU-R1>quit

3. Let's configure AAA on CLIGURU-R3.
[CLIGURU-R3]aaa
[CLIGURU-R3-aaa]authentication-scheme auth1
Info: Create a new authentication scheme.
[CLIGURU-R3-aaa-authen-auth1]authentication-mode local
[CLIGURU-R3-aaa-authen-auth1]quit
[CLIGURU-R3-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[CLIGURU-R3-aaa-author-auth2]authorization-mode local
[CLIGURU-R3-aaa-author-auth2]quit
Let's configure CLIGURU-R3's domain as huawei, matching the users we created earlier.
[CLIGURU-R3-aaa]domain huawei
[CLIGURU-R3-aaa-domain-huawei]authentication-scheme auth1
[CLIGURU-R3-aaa-domain-huawei]authorization-scheme auth2
[CLIGURU-R3-aaa-domain-huawei]quit
[CLIGURU-R3-aaa]local-user user3@huawei password cipher huawei
Info: Add a new user.
[CLIGURU-R3-aaa]local-user user3@huawei service-type telnet
[CLIGURU-R3-aaa]local-user user3@huawei privilege level 0
Let's enable the Telnet server on CLIGURU-R3 in AAA authentication mode.
[CLIGURU-R3]user-interface vty 0 4
[CLIGURU-R3-ui-vty0-4]authentication-mode aaa
Let's check whether the Telnet service was set up successfully on CLIGURU-R3.
<CLIGURU-R1>telnet 119.84.111.3
Trying 119.84.111.3 ...
Press CTRL+K to abort
Connected to 119.84.111.3 ...
Login authentication
Username:user3@huawei
Password:
<CLIGURU-R3>system-view
^
Error: Unrecognized command found at '^' position.
<CLIGURU-R3>
4. Let's look at the results of the AAA configuration.
<CLIGURU-R1>display domain name huawei
Domain-name                    : huawei
Domain-state                   : Active
Authentication-scheme-name     : auth1
Accounting-scheme-name         : default
Authorization-scheme-name      : auth2
Service-scheme-name            : -
RADIUS-server-template         : -
HWTACACS-server-template       : -
User-group                     : -
<CLIGURU-R1>display local-user username user1@huawei
The contents of local user(s):
Password          : ****************
State             : active
Service-type-mask : T
Privilege level   : 0
Ftp-directory     : -
Access-limit      : -
Accessed-num      : 0
Idle-timeout      : -
User-group        : -
<CLIGURU-R3>display domain name huawei
Domain-name                    : huawei
Domain-state                   : Active
Authentication-scheme-name     : auth1
Accounting-scheme-name         : default
Authorization-scheme-name      : auth2
Service-scheme-name            : -
RADIUS-server-template         : -
HWTACACS-server-template       : -
User-group                     : -
<CLIGURU-R3>display local-user username user3@huawei
The contents of local user(s):
Password          : ****************
State             : active
Service-type-mask : T
Privilege level   : 0
Ftp-directory     : -
Access-limit      : -
Accessed-num      : 0
Idle-timeout      : -
User-group        : -
Result:
<CLIGURU-R1>display current-configuration
#
sysname CLIGURU-R1
#
aaa
authentication-scheme default
authentication-scheme auth1
authorization-scheme default
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
local-user user1@huawei password cipher ,fM\8+wUb#3@9_G-B0Y2lf"#
local-user user1@huawei privilege level 0
local-user user1@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 119.84.111.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
Return
<CLIGURU-R3>display current-configuration
#
sysname CLIGURU-R3
#
aaa
authentication-scheme default
authentication-scheme auth1
authorization-scheme default
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
local-user user3@huawei password cipher gQ+ZJr\.h/939O4.`(ZGxU:#
local-user user3@huawei privilege level 0
local-user user3@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 119.84.111.3 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
Return
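As an added example (not part of the original lab), a small Python audit that parses a VRP running configuration like the display current-configuration output above and flags user-interfaces without authentication-mode aaa, local users without an explicit privilege level, users with a "password simple" (cleartext) entry, and users allowed the cleartext Telnet service. The sample configuration is constructed from the CLIGURU-R1 output on this page, and the finding texts are my own.

```python
from collections import defaultdict

# Constructed sample: the CLIGURU-R1 running configuration shown above, re-indented by hand.
SAMPLE_CONFIG = """\
aaa
 local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
 local-user admin service-type http
 local-user user1@huawei password cipher ,fM\\8+wUb#3@9_G-B0Y2lf"#
 local-user user1@huawei privilege level 0
 local-user user1@huawei service-type telnet
#
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
#
"""

def audit(text):
    """Return (subject, finding) pairs for weak AAA settings in a VRP running config."""
    users = defaultdict(dict)   # "user1@huawei" -> {"password": "cipher", "level": 0, ...}
    uis = {}                    # "vty 0 4" -> authentication-mode, None if never set
    current_ui = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current_ui = line[len("user-interface "):]
            uis[current_ui] = None
        elif line.startswith("authentication-mode ") and current_ui:
            uis[current_ui] = line.split()[1]
        elif line.startswith("local-user "):
            name, *attrs = line.split()[1:]
            if attrs[0] == "password":
                users[name]["password"] = attrs[1]        # "cipher" or "simple"
            elif attrs[0] == "service-type":
                users[name]["services"] = attrs[1:]
            elif attrs[0] == "privilege":
                users[name]["level"] = int(attrs[2])
        elif line in ("#", "return"):
            current_ui = None                             # section boundary
    findings = []
    for ui, mode in uis.items():
        if mode != "aaa":
            findings.append((ui, "no authentication-mode aaa on this user-interface"))
    for name, attrs in users.items():
        if attrs.get("password") == "simple":
            findings.append((name, "password stored in cleartext (simple)"))
        if "level" not in attrs:
            findings.append((name, "no explicit privilege level"))
        if "telnet" in attrs.get("services", []):
            findings.append((name, "telnet is a cleartext management protocol"))
    return findings
```

Run audit(SAMPLE_CONFIG) to see that vty 16 20, the admin user and the Telnet-only user1@huawei are reported while vty 0 4 passes.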