Security and VPN: Authentication Protocols

IOS per-VRF TACACS+ Troubleshooting

October 25, 2012 - About Machine Translation
Other versions: PDF | English version (August 22, 2012) | Feedback


Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Feature Description
Troubleshooting Procedure
Data Analysis
Common Problems
Related Information

Introduction

TACACS+ is an authentication protocol that is commonly used to authenticate users on network devices. In some cases, management traffic is sent through a VPN Routing and Forwarding (VRF) instance. By default, IOS sends AAA packets using the default (global) routing table. This document describes how to configure TACACS+ when the server is reachable only inside a VRF.

Note: This document was contributed by Jesse Dubois, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • TACACS+

  • VRF

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Feature Description

A VRF is basically a virtual routing table on the device. When a feature or interface is configured to use a VRF, IOS performs its routing lookups for that feature in the VRF routing table instead of the global one. Otherwise, the feature uses the global routing table. The configuration below shows TACACS+ set up to use a management VRF (named blue in this example):

version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vrfAAA
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server tacacs+ management
 server-private 192.0.2.4 key cisco
 server-private 192.0.2.5 key cisco
 ip vrf forwarding blue
 ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group management local
aaa authorization exec default group management if-authenticated 
aaa accounting exec default start-stop group management
!
aaa session-id common
!
no ipv6 cef
!
ip vrf blue
!
no ip domain lookup
ip cef
!
interface GigabitEthernet0/0
 ip vrf forwarding blue
 ip address 203.0.113.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf blue 0.0.0.0 0.0.0.0 203.0.113.1
!
line con 0
line aux 0
line vty 0 4
 transport input all

Notice that there are no globally defined TACACS+ servers in this configuration. When the servers run inside a VRF, any TACACS+ server that is defined only globally is ignored.

Troubleshooting Procedure

  1. Verify that the AAA group server is defined and that the source interface from which the TACACS+ traffic is sent belongs to the correct IP VRF.

  2. Check the VRF routing table and verify that there is a route to the TACACS+ server. This command displays the VRF routing table:

    vrfAAA#show ip route vrf blue
    
    Routing Table: blue
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    
    Gateway of last resort is 203.0.113.1 to network 0.0.0.0
    
    S*    0.0.0.0/0 [1/0] via 203.0.113.1
          203.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
    C        203.0.113.0/24 is directly connected, GigabitEthernet0/0
    L        203.0.113.2/32 is directly connected, GigabitEthernet0/0
  3. Ping the TACACS+ server. Remember that the VRF must be specified:

    vrfAAA#ping vrf blue 192.0.2.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.0.2.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
  4. Use the test aaa command (with the legacy or the new-code option) to verify authentication:

    vrfAAA#test aaa group management cisco Cisco123 new-code 
    Sending password
    User successfully authenticated
    
    USER ATTRIBUTES
    
    username             "cisco"
    reply-message        "password: "

If routing is correct but the TACACS+ server is still not hit, verify that no ACL blocks TCP port 49 between the router and the server. Authentication failures are handled the same way as with standard TACACS+; the VRF feature only changes how the packets are routed.

Data Analysis

If further troubleshooting is required, enable the AAA and tacacs debugs. Start with these debugs:

  • debug tacacs

  • debug aaa authentication

This debug output is seen when any of the following conditions exists:

  • No TACACS+ source interface is configured

  • The ip vrf forwarding command is missing from the source interface or from the AAA group server

  • There is no route to the TACACS+ server in the VRF routing table

Jul 30 20:23:16.399: TPLUS: Queuing AAA Authentication request 0 for processing
Jul 30 20:23:16.399: TPLUS: processing authentication start request id 0
Jul 30 20:23:16.399: TPLUS: Authentication start packet created for 0(cisco)
Jul 30 20:23:16.399: TPLUS: Using server 192.0.2.4
Jul 30 20:23:16.399: TPLUS(00000000)/0: Connect Error No route to host
Jul 30 20:23:16.399: TPLUS: Choosing next server 192.0.2.5
Jul 30 20:23:16.399: TPLUS(00000000)/0: Connect Error No route to host

A successful exchange looks like this:

Jul 30 20:54:29.091: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' 
Jul 30 20:54:29.091: TPLUS: Queuing AAA Authentication request 0 for processing
Jul 30 20:54:29.091: TPLUS: processing authentication start request id 0
Jul 30 20:54:29.091: TPLUS: Authentication start packet created for 0(cisco)
Jul 30 20:54:29.091: TPLUS: Using server 192.0.2.4
Jul 30 20:54:29.091: TPLUS(00000000)/0/NB_WAIT/2B2DC1AC: Started 5 sec timeout
Jul 30 20:54:29.095: TPLUS(00000000)/0/NB_WAIT: socket event 2
Jul 30 20:54:29.095: TPLUS(00000000)/0/NB_WAIT: wrote entire 25 bytes request
Jul 30 20:54:29.095: TPLUS(00000000)/0/READ: socket event 1
Jul 30 20:54:29.095: TPLUS(00000000)/0/READ: Would block while reading
Jul 30 20:54:29.099: TPLUS(00000000)/0/READ: socket event 1
Jul 30 20:54:29.099: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jul 30 20:54:29.099: TPLUS(00000000)/0/READ: socket event 1
Jul 30 20:54:29.099: TPLUS(00000000)/0/READ: read entire 28 bytes response
Jul 30 20:54:29.099: TPLUS(00000000)/0/2B2DC1AC: Processing the reply packet
Jul 30 20:54:29.099: TPLUS: Received authen response status GET_PASSWORD (8)
Jul 30 20:54:29.099: TPLUS: Queuing AAA Authentication request 0 for processing
Jul 30 20:54:29.099: TPLUS: processing authentication continue request id 0
Jul 30 20:54:29.099: TPLUS: Authentication continue packet generated for 0
Jul 30 20:54:29.099: TPLUS(00000000)/0/WRITE/2B2DC1AC: Started 5 sec timeout
Jul 30 20:54:29.099: TPLUS(00000000)/0/WRITE: wrote entire 25 bytes request
Jul 30 20:54:29.103: TPLUS(00000000)/0/READ: socket event 1
Jul 30 20:54:29.103: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jul 30 20:54:29.103: TPLUS(00000000)/0/READ: socket event 1
Jul 30 20:54:29.103: TPLUS(00000000)/0/READ: read entire 18 bytes response
Jul 30 20:54:29.103: TPLUS(00000000)/0/2B2DC1AC: Processing the reply packet
Jul 30 20:54:29.103: TPLUS: Received authen response status PASS (2)

Common Problems

The most common problem is this: the admin replaces the basic AAA group server but does not update the AAA lines that specify the server group. For example:

aaa authentication login default group management local
aaa authorization exec default group management if-authenticated 
aaa accounting exec default start-stop group management

The admin replaced them with:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting exec default start-stop group tacacs+

These server group references simply need to be updated.
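As an added example (not part of the Cisco document), the following Python script applies the checklist from step 1 of the troubleshooting procedure and the server-group mismatch described above to a saved running-config: it verifies that each TACACS+ server group carries ip vrf forwarding and a source interface, that the source interface sits in the same VRF, and that the AAA method lists actually reference the named group. The sample configurations are an excerpt of the vrfAAA configuration above plus a constructed broken variant; the function and variable names are the example's own.

```python
import re

# Excerpt of this document's vrfAAA configuration (the known-good case).
GOOD_CONFIG = """\
aaa group server tacacs+ management
 ip vrf forwarding blue
 ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group management local
aaa authorization exec default group management if-authenticated
aaa accounting exec default start-stop group management
interface GigabitEthernet0/0
 ip vrf forwarding blue
"""
# Constructed: the document's "common problem", method lists still pointing at
# the built-in tacacs+ group rather than the named server group.
BAD_CONFIG = GOOD_CONFIG.replace("group management", "group tacacs+")

def parse_ios_config(text):
    """Return (server_groups, interfaces, aaa_method_lines) from an IOS config."""
    groups, ifaces, aaa_lines, block = {}, {}, [], None
    for line in text.splitlines():
        if not line.startswith(" "):  # top-level command: starts a new block
            m = re.match(r"aaa group server tacacs\+ (\S+)", line)
            block = groups.setdefault(m.group(1), {"vrf": None, "src": None}) if m else None
            if line.startswith("interface "):
                block = ifaces.setdefault(line.split()[1], {"vrf": None})
            elif re.match(r"aaa (authentication|authorization|accounting) ", line):
                aaa_lines.append(line)
        elif block is not None and line.strip().startswith("ip vrf forwarding "):
            block["vrf"] = line.split()[-1]   # sub-mode command of the current block
        elif block is not None and line.strip().startswith("ip tacacs source-interface "):
            block["src"] = line.split()[-1]
    return groups, ifaces, aaa_lines

def check_vrf_tacacs(text):
    """Apply the document's checklist; an empty list means the config passes."""
    groups, ifaces, aaa_lines = parse_ios_config(text)
    used = {g for l in aaa_lines for g in re.findall(r"group (\S+)", l)}
    findings = []
    for name, g in groups.items():
        if g["vrf"] is None:
            findings.append(f"{name}: no 'ip vrf forwarding' (AAA would use the global table)")
        if g["src"] is None:
            findings.append(f"{name}: no 'ip tacacs source-interface'")
        elif g["vrf"] and ifaces.get(g["src"], {}).get("vrf") != g["vrf"]:
            findings.append(f"{name}: source interface {g['src']} is not in VRF {g['vrf']}")
        if name not in used:
            findings.append(f"{name}: no AAA method list uses 'group {name}' (found {sorted(used)})")
    return findings
```

Run check_vrf_tacacs() against the output of show running-config; each finding maps directly to one of the debug conditions listed in the Data Analysis section.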

The second problem seen is that users who try to configure IP VRF forwarding in the server group receive this error:

% Unknown command or computer name, or unable to find computer address

This error means the command is not recognized. Verify that the IOS version supports VRF TACACS+. The feature was introduced in these versions:

  • 12.3(7)T

  • 12.2(33)SRA1

  • 12.2(33)SXI

  • 12.2(33)SXH4

  • 12.2(54)SG



Related Information