User Group Firewall is a mechanism to authenticate each user and provide access privileges based on the type of user being authenticated. The authentication is done by a RADIUS server. The user initially has limited or no access to the protected network. When the user is authenticated, access privileges are established for the IP address from which the user is accessing the network. The access privileges depend on which user group the user belongs to on the RADIUS server.
Configuration example from the author (Jiaozhu):
**********************Task objective***************************
**********************Basic configuration***************************
enable
configure terminal
hostname FW
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 10.1.1.10 255.255.255.0
 no shutdown
**********************************************************
%%%%%%%%%%%%%%Basic AAA%%%%%%%%%%%%%%%%%%%%%%%%%
aaa new-model
! Fallback method list (line password, then none) so console, aux and vty logins do not depend on RADIUS
aaa authentication login noacs line none
line con 0
 login authentication noacs
line aux 0
 login authentication noacs
line vty 0 15
 login authentication noacs
radius-server host 202.100.1.100 key cisco
radius-server vsa send
Note: test the RADIUS setup here.
%%%%%%%%%%%%%auth-proxy section%%%%%%%%%%%%%%%%%%%%%
-------------------Identity policies that select the user groups------------------------
identity policy usergroup-policy1
 user-group usergroup1
identity policy usergroup-policy2
 user-group usergroup2
-------------------Match the tag returned by ACS------------------
class-map type control tag match-all class-usergroup2
 match tag tag-usergroup2
class-map type control tag match-all class-usergroup1
 match tag tag-usergroup1
-------------------Map the tags to the user groups-----------------
policy-map type control tag tag.policy
 class type control tag class-usergroup1
  identity policy usergroup-policy1
 class type control tag class-usergroup2
  identity policy usergroup-policy2
--------------------Enable auth-proxy-------------------
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
ip admission name auth proxy http service-policy type tag tag.policy
--------------------Apply auth-proxy (on the inside interface)-------------------
interface FastEthernet1/0
 ip admission auth
--------------------Enable the HTTP service---------------------
ip http server
ip http authentication aaa
%%%%%%%%%%%%%%%%%%%%Configure ZBFW%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------Regular expressions to match---------------------------------
parameter-map type regex user1.regex
 pattern sh/run
parameter-map type regex user2.regex
 pattern sh/ip/inter/brie
--------------------Match the URI with class-map type inspect http-----------------
class-map type inspect http match-any user1.class
 match request uri regex user1.regex
class-map type inspect http match-any user2.class
 match request uri regex user2.regex
--------------------Reset requests whose URI matches, with policy-map type inspect http-------------
policy-map type inspect http user2.http
 class type inspect http user2.class
  reset
policy-map type inspect http user1.http
 class type inspect http user1.class
  reset
-------------------Match usergroup1's HTTP traffic with class-map type inspect--------
class-map type inspect match-all usergroup1-inspect
 match user-group usergroup1
 match protocol http
-------------------Match usergroup2's HTTP traffic with class-map type inspect--------
class-map type inspect match-all usergroup2-inspect
 match user-group usergroup2
 match protocol http
-------------------Configure the zone-pair policy with policy-map type inspect------------
policy-map type inspect in-to-out
 class type inspect usergroup1-inspect
  inspect
  service-policy http user1.http
 class type inspect usergroup2-inspect
  inspect
  service-policy http user2.http
-------------------Configure the ZBFW zones---------------------------------------------------
zone security out
zone security in
interface FastEthernet0/0
 zone-member security out
interface FastEthernet1/0
 zone-member security in
zone-pair security in-to-out source in destination out
 service-policy type inspect in-to-out
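To show how the pieces above fit together, here is an added Python model of the policy chain (my illustration, not code from the original post and not IOS code): the tag returned by RADIUS selects an identity policy and user group, that group is bound to the client's source IP, and the zone-pair policy then picks the per-group URI regex and action. The class and attribute names are assumptions chosen to mirror the configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the page's policy chain (added illustration, not IOS code):
# RADIUS tag -> identity policy -> user-group -> ZBFW class -> HTTP URI regex -> action.
TAG_TO_GROUP = {"tag-usergroup1": "usergroup1", "tag-usergroup2": "usergroup2"}
# policy-map type inspect http: 'reset' when the request URI matches the group's regex.
# Like the IOS regex parameter-maps, the patterns are unanchored substring searches.
GROUP_URI_RESET = {
    "usergroup1": [re.compile("sh/run")],
    "usergroup2": [re.compile("sh/ip/inter/brie")],
}


@dataclass
class UserGroupFirewall:
    # ip admission binds the authenticated user-group to the source IP, not to the user.
    sessions: dict = field(default_factory=dict)

    def authenticate(self, src_ip: str, radius_tag: str) -> bool:
        """Auth-proxy result: map the tag ACS returned to a user-group for src_ip."""
        group = TAG_TO_GROUP.get(radius_tag)
        if group is None:
            return False  # no class-map type control tag matches: no identity policy, no session
        self.sessions[src_ip] = group
        return True

    def logoff(self, src_ip: str) -> None:
        """Clearing the admission entry removes the privileges bound to that IP."""
        self.sessions.pop(src_ip, None)

    def decide(self, src_ip: str, protocol: str, uri: str = "") -> str:
        """Zone-pair in-to-out: pick the class by (user-group, protocol), then inspect the URI."""
        group = self.sessions.get(src_ip)
        if group is None or protocol != "http":
            return "drop"  # falls to class-default of policy-map in-to-out, which drops
        if any(rx.search(uri) for rx in GROUP_URI_RESET[group]):
            return "reset"  # nested policy-map type inspect http resets the connection
        return "inspect"  # stateful inspection: permitted and tracked
```

Because the patterns are unanchored, `sh/ip/inter/brie` also matches a longer URI such as `/sh/ip/inter/brief`, and a source IP that never authenticated is dropped by class-default even for plain HTTP.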
******************************ACS configuration**************************************
Traditional method: [screenshot not preserved]
RAC configuration method: [screenshot not preserved]
This article is reposted from Yeslab Jiaozhu's 51CTO blog; original link: http://blog.51cto.com/xrmjjz/683524