Lab objectives:
1 Using AAA authentication, allow the user hruser to reach the internal web server
2 Using local authentication, deny the user gcuser access to the internal web server
3 Use a self-signed certificate for the SSL VPN
Topology:
Configuration:
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 8
access-list gcacl extended deny tcp any host 192.168.10.1
access-list gcacl extended deny tcp any host 192.168.10.1 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool gcpool 192.168.200.100-192.168.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa protocol radius
aaa-server aaa (inside) host 192.168.10.1
 key *****
http server enable 444
http 192.168.20.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
crypto ca trustpoint sslvpnca
 enrollment self
 fqdn
 subject-name CN=www.sslvpn.com
 keypair sslvpnca
 crl configure
crypto ca certificate chain sslvpnca
 certificate 9bfe6450
    308201e7 30820150 a0030201 0202049b fe645030 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e77 77772e73 736c7670 6e2e636f 6d311d30
    1b06092a 864886f7 0d010902 160e7777 772e7373 6c76706e 2e636f6d 301e170d
    31323039 32383032 31343435 5a170d32 32303932 36303231 3434355a 30383117
    30150603 55040313 0e777777 2e73736c 76706e2e 636f6d31 1d301b06 092a8648
    86f70d01 0902160e 7777772e 73736c76 706e2e63 6f6d3081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100ed 54332c7b b92d6e1d 8536171a
    94c81477 0dad7292 384a58d4 3ab4b208 ae0c14c7 a9025d46 06ec83c6 9156a6c4
    1c4278f5 53a2d9ab b9daf8b3 8920f3a4 7e065fab a5492d71 2ed539b1 bce7b2e9
    b993fb44 49ae69b1 e87dd130 befefcff ba9e6b72 cf4c2ba6 13c448e1 729e8bf2
    bc2bcc47 e323ad4d 1a04e2fc ba1420bc 7654a302 03010001 300d0609 2a864886
    f70d0101 05050003 8181003d be0e59f4 dd52e1b4 dc2e1790 60079073 c1ac4812
    515019bd aacd56f3 1e359dc5 9757eeeb bb724666 0d7f4290 2871ac7a 2c952ebe
    62f13304 b4ce6dc0 f98a1cc4 17ef0a38 b5620649 978f8009 b373c0c8 2f095de3
    51b3cd7c adb3dd03 36bd71ad 6c2ee30a 4f74fa35 235276b3 11b2053a ff13df44
    9f55f5dd 1a8d0d2a 542d32
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point sslvpnca outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy gc internal
group-policy gc attributes
 vpn-filter value gcacl
 vpn-tunnel-protocol ssl-client
 group-lock value gcgroup
 address-pools value gcpool
 webvpn
  anyconnect ask enable default webvpn
group-policy hr internal
group-policy hr attributes
 vpn-tunnel-protocol ssl-client
 group-lock value hrgroup
 webvpn
  anyconnect ask enable default webvpn
username gcuser password cOaM9IcVVY8ymrp8 encrypted
username gcuser attributes
 vpn-group-policy gc
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group hrgroup type remote-access
tunnel-group hrgroup general-attributes
 authentication-server-group aaa
 default-group-policy hr
tunnel-group hrgroup webvpn-attributes
 group-alias hrgroup enable
tunnel-group gcgroup type remote-access
tunnel-group gcgroup webvpn-attributes
 group-alias gcgroup enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:e2ae825a97327f63fed4b90c92e0dfa0
: end
2 Create the user hruser
3 For ease of management, create an organizational unit named HR
Configure the AAA server (authorization over the RADIUS protocol):
1 Configure the external database (the AD database)
Configure the ACL:
Note that both gcacl entries are deny statements and the second one (eq www) is already covered by the first, which denies all TCP to 192.168.10.1. Every ASA ACL ends with an implicit deny, so a vpn-filter that contains only deny entries blocks all of gcuser's traffic, not just the web server; if the group is meant to reach anything else, add an explicit permit after the deny.
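To make the first-match and implicit-deny behaviour concrete, here is an added example (my own code, not part of the original post) that parses the two gcacl lines from the config above, evaluates them against a few constructed flows from a gcpool client, and reports entries that can never match. The corrected ACL (GCACL_FIXED), the sample flows, and the function names are my own assumptions; the parser covers only the ACE syntax used on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The gcacl lines exactly as they appear in the running config above.
GCACL = [
    "access-list gcacl extended deny tcp any host 192.168.10.1",
    "access-list gcacl extended deny tcp any host 192.168.10.1 eq www",
]
# My corrected version (not from the page): deny only the web server, then permit the rest explicitly.
GCACL_FIXED = [
    "access-list gcacl extended deny tcp any host 192.168.10.1 eq www",
    "access-list gcacl extended permit ip any any",
]
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq"; None means any port


def _address(tokens, i):
    """Parse an ASA address operand at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form: the ASA takes a subnet mask here, not an IOS-style wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line (the subset of syntax used on this page)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _address(t, 5)
    dst, i = _address(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[3], t[4], src, dst, dport)


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First match wins; returns (action, index of the matching ACE, or None for the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(parse_ace(l) for l in acl_lines):
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None         # every ASA ACL ends with an implicit deny


def shadowed(acl_lines):
    """Indices of ACEs that can never match because an earlier, broader ACE already covers them."""
    aces = [parse_ace(l) for l in acl_lines]
    out = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if (earlier.proto in ("ip", later.proto) and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst) and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


if __name__ == "__main__":
    # Constructed flows from a client holding a gcpool address: web, ping, and a second inside host
    flows = [("tcp", "192.168.200.100", "192.168.10.1", 80),
             ("icmp", "192.168.200.100", "192.168.10.1", None),
             ("tcp", "192.168.200.100", "192.168.10.2", 443)]
    for name, acl in (("gcacl as configured", GCACL), ("gcacl corrected", GCACL_FIXED)):
        print(name, "shadowed entries:", shadowed(acl))
        for flow in flows:
            print("  ", flow, "->", evaluate(acl, *flow))
```

With the ACL as configured, all three flows end in the implicit deny except the first, which hits entry 0; entry 1 is reported as shadowed. With the corrected ACL only TCP/80 to 192.168.10.1 is denied and the other flows match the explicit permit, which is what objective 2 actually asks for.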
Configure the AAA client (the ASA) on the RADIUS server:
Configure the address pool:
Certificate configuration on the client:
See my other post, "ASA SSL VPN: fixing the self-signed certificate not being trusted".
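Before telling a client to trust the ASA's self-signed certificate, it is worth looking at what is actually in it. The following added example (my own code, not from the original post or from Cisco) decodes the certificate hex printed under "crypto ca certificate chain sslvpnca" in the running config above with a minimal DER walker, pulls out the issuer, subject, validity, key size and signature algorithm, checks the certificate's own RSA PKCS#1 v1.5 signature against its embedded public key, and lists the reasons a client would refuse it. Only the hex dump comes from the page; the OID table, the function names and the thresholds in assess() are my assumptions.

```python
import hashlib
from datetime import datetime

# The self-signed certificate exactly as the ASA printed it under
# "crypto ca certificate chain sslvpnca / certificate 9bfe6450" in the config above.
ASA_CERT_HEX = """
308201e7 30820150 a0030201 0202049b fe645030 0d06092a 864886f7 0d010105 05003038 31173015
06035504 03130e77 77772e73 736c7670 6e2e636f 6d311d30 1b06092a 864886f7 0d010902 160e7777
772e7373 6c76706e 2e636f6d 301e170d 31323039 32383032 31343435 5a170d32 32303932 36303231
3434355a 30383117 30150603 55040313 0e777777 2e73736c 76706e2e 636f6d31 1d301b06 092a8648
86f70d01 0902160e 7777772e 73736c76 706e2e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100ed 54332c7b b92d6e1d 8536171a 94c81477 0dad7292 384a58d4 3ab4b208
ae0c14c7 a9025d46 06ec83c6 9156a6c4 1c4278f5 53a2d9ab b9daf8b3 8920f3a4 7e065fab a5492d71
2ed539b1 bce7b2e9 b993fb44 49ae69b1 e87dd130 befefcff ba9e6b72 cf4c2ba6 13c448e1 729e8bf2
bc2bcc47 e323ad4d 1a04e2fc ba1420bc 7654a302 03010001 300d0609 2a864886 f70d0101 05050003
8181003d be0e59f4 dd52e1b4 dc2e1790 60079073 c1ac4812 515019bd aacd56f3 1e359dc5 9757eeeb
bb724666 0d7f4290 2871ac7a 2c952ebe 62f13304 b4ce6dc0 f98a1cc4 17ef0a38 b5620649 978f8009
b373c0c8 2f095de3 51b3cd7c adb3dd03 36bd71ad 6c2ee30a 4f74fa35 235276b3 11b2053a ff13df44
9f55f5dd 1a8d0d2a 542d32
"""

OIDS = {"2a864886f70d010105": "sha1WithRSAEncryption", "2a864886f70d010101": "rsaEncryption",
        "550403": "CN", "2a864886f70d010902": "unstructuredName"}
# DER DigestInfo prefix for SHA-1 (RFC 8017 section 9.2), needed to rebuild the PKCS#1 v1.5 padding
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def tlv(buf, pos):
    """Decode the DER TLV at pos and return (tag, header_start, value_start, value_end)."""
    tag, length, vstart = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[vstart:vstart + n], "big")
        vstart += n
    return tag, pos, vstart, vstart + length


def children(buf, start, end):
    """Every TLV directly inside buf[start:end], in order."""
    out, pos = [], start
    while pos < end:
        out.append(tlv(buf, pos))
        pos = out[-1][3]
    return out


def parse_name(buf, start, end):
    """X.501 Name (SEQUENCE of SET of {OID, value}) as a dict keyed by attribute name."""
    name = {}
    for _, _, rdn_s, rdn_e in children(buf, start, end):
        for _, _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            (_, _, o_s, o_e), (_, _, v_s, v_e) = children(buf, atv_s, atv_e)
            oid = buf[o_s:o_e].hex()
            name[OIDS.get(oid, oid)] = buf[v_s:v_e].decode("ascii")
    return name


def parse_certificate(hexdump):
    """Extract the fields a trust decision needs and check the certificate's own signature."""
    cert = bytes.fromhex("".join(hexdump.split()))
    _, _, c_s, c_e = tlv(cert, 0)
    tbs, _, sig = children(cert, c_s, c_e)         # tbsCertificate, signatureAlgorithm, signatureValue
    f = children(cert, tbs[2], tbs[3])             # [0]version, serial, sigAlg, issuer, validity, subject, spki
    alg = children(cert, f[2][2], f[2][3])[0]      # the OID inside the AlgorithmIdentifier
    not_before, not_after = (datetime.strptime(cert[s:e].decode(), "%y%m%d%H%M%SZ")
                             for _, _, s, e in children(cert, f[4][2], f[4][3]))
    _, bits = children(cert, f[6][2], f[6][3])     # AlgorithmIdentifier, BIT STRING holding RSAPublicKey
    rsa = children(cert, bits[2] + 1, bits[3])[0]  # +1 skips the BIT STRING unused-bits byte
    n_tlv, e_tlv = children(cert, rsa[2], rsa[3])
    n = int.from_bytes(cert[n_tlv[2]:n_tlv[3]], "big")
    e = int.from_bytes(cert[e_tlv[2]:e_tlv[3]], "big")
    # RSASSA-PKCS1-v1_5: sig^e mod n must equal 00 01 FF..FF 00 || DigestInfo || SHA1(whole TBS TLV)
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(cert[sig[2] + 1:sig[3]], "big")
    digest = hashlib.sha1(cert[tbs[1]:tbs[3]]).digest()
    em = (b"\x00\x01" + b"\xff" * (k - 3 - len(SHA1_DIGESTINFO) - len(digest)) + b"\x00"
          + SHA1_DIGESTINFO + digest)
    return {
        "serial": int.from_bytes(cert[f[1][2]:f[1][3]], "big"),
        "signature_algorithm": OIDS.get(cert[alg[2]:alg[3]].hex(), "unknown"),
        "issuer": parse_name(cert, f[3][2], f[3][3]),
        "subject": parse_name(cert, f[5][2], f[5][3]),
        "not_before": not_before, "not_after": not_after,
        "key_bits": n.bit_length(), "exponent": e,
        "self_signature_valid": pow(s, e, n).to_bytes(k, "big") == em,
    }


def assess(info, now):
    """Reasons a client would refuse this certificate (an empty list means no objection)."""
    reasons = []
    if info["issuer"] == info["subject"]:
        reasons.append("self-signed: no CA the client already trusts vouches for it")
    if info["signature_algorithm"].startswith("sha1"):
        reasons.append("SHA-1 signature, deprecated for certificates")
    if info["key_bits"] < 2048:
        reasons.append(f"RSA key is only {info['key_bits']} bits")
    if not info["not_before"] <= now <= info["not_after"]:
        reasons.append("outside its validity period")
    return reasons


if __name__ == "__main__":
    cert_info = parse_certificate(ASA_CERT_HEX)
    for key, value in cert_info.items():
        print(f"{key}: {value}")
    print(assess(cert_info, datetime.now()))
```

The decoded certificate has issuer and subject both CN=www.sslvpn.com (the ASA also copies the FQDN into an unstructuredName attribute), serial 9bfe6450, a ten-year validity from 2012-09-28 to 2022-09-26, a 1024-bit RSA key and a SHA-1 signature. The "not trusted" warning from the other post is therefore the client behaving correctly, and even after importing the certificate into the client trust store, a current browser or AnyConnect build will still object to the SHA-1 signature and short key; regenerating the trustpoint with a 2048-bit keypair, or enrolling with a real CA, is the lasting fix.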
Verification:
From the screenshot above, hruser is allowed to access the internal web server.
From the screenshot above, gcuser is denied access to the internal web server.
Next, log in to GC as the HR user.
From the above,
hruser cannot log in to GC.
From the above, the lab objectives have been achieved.