Configure AAA Authentication on Cisco Routers

作者:admin发表时间:2010-9-12 评论:1 点击 5,141+

Topology Diagram

Addressing Table

Device Interface IP Address Subnet Mask
R1 Fa0/0 192.168.1.1 255.255.255.0
S0/0/0 10.1.1.2 255.255.255.252
R2 S0/0/0 10.1.1.1 255.255.255.252
Fa0/0 192.168.2.1 255.255.255.0
S0/0/1 10.2.2.1 255.255.255.252
R3 S0/0/1 10.2.2.2 255.255.255.252
Fa0/0 192.168.3.1 255.255.255.0
TACACS+ Server NIC 192.168.2.2 255.255.255.0
RADIUS Server NIC 192.168.3.2 255.255.255.0
PC-A NIC 192.168.1.3 255.255.255.0
PC-B NIC 192.168.2.3 255.255.255.0
PC-C NIC 192.168.3.3 255.255.255.0

Learning Objectives

Configure a local user account on R1 and authenticate on the console and VTY lines using local AAA.

Verify local AAA authentication from the R1 console and the PC-A client.

Configure a server-based AAA authentication using TACACS+.

Verify server-based AAA authentication from PC-B client.

Configure a server-based AAA authentication using RADIUS.

Verify server-based AAA authentication from PC-C client.

Introduction

The network topology shows routers R1, R2 and R3. Currently all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.

You will create a local user account and configure local AAA on router R1 to test the console and VTY logins.

User account: Admin1 and password admin1pa55

You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The

TACACS+ server has been pre-configured with the following:

Client: R2 using the keyword tacacspa55

User account: Admin2 and password admin2pa55

Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The

RADIUS server has been pre-configured with the following:

Client: R3 using the keyword radiuspa55

User account: Admin3 and password admin3pa55

The routers have also been pre-configured with the following:

Enable secret password: ciscoenpa55

RIP version 2

Note: The console and VTY lines have not been pre-configured.

Task 1: Configure Local AAA Authentication for Console Access on R1

S tep 1. T es t c o nnec tiv ity .

Ping from PC-A to PC-B.

Ping from PC-A to PC-C.

Ping from PC-B to PC-C.

S tep 2. C o nfigu re a lo c al u s ern a me o n R 1.

Configure a username of Admin1 and secret password of admin1pa55.


  1: R1(config)# username Admin1 password admin1pa55

S tep 3. C o nfigu re lo c a l A A A a u thentic a tio n fo r c o n s o le a c c es s o n R 1.

Enable AAA on R1 and configure AAA authentication for console login to use the local database.


  1: R1(config)# aaa new-model
  2:
  3: R1(config)# aaa authentication login default local
  4:

S tep 4. C o nfigu re the line c o ns o le to u s e the defined A A A a u thentic a tio n metho d.

Enable AAA on R1 and configure AAA authentication for console login to use the default method list.


  1: R1(config)# line console 0
  2:
  3: R1(config-line)# login authentication default
  4:

S tep 5. V er ify the A A A a u thentic a tio n metho d.

Verify the user EXEC login using the local database.


  1: R1(config-line)# end

%SYS-5-CONFIG_I: Configured from console by console


  1: R1# exit

R1 con0 is now available

Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY ************* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin1

Password: admin1pa55

R1>

Task 2: Configure Local AAA Authentication for VTY Lines on R1

S tep 1. C o nfigu re a na med lis t A A A a u thentic a tio n m etho d fo r V T Y lines o n R 1.

Configure a named list called TELNET-LOGIN to authenticate logins using local AAA.


  1: R1(config)# aaa authentication login TELNET-LOGIN local

S tep 2. C o nfigu re the V T Y lines to u s e the defined A A A a u thentic a tio n metho d.

Configure the VTY lines to use the named AAA method.


  1: R1(config)# line vty 0 4
  2:
  3: R1(config-line)# login authentication TELNET-LOGIN
  4:
  5: R1(config-line)# end
  6:

S tep 3. V er ify the A A A a u thentic a tio n metho d.

Verify the Telnet configuration. From the command prompt of PC-A, Telnet to R1.


  1: PC> telnet 192.168.1.1

************ AUTHORIZED ACCESS ONLY ************* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin1

Password: admin1pa55

R1>

Task 3: Configure Server-Based AAA Authentication Using TACACS+ on R2

S tep 1. C o nfigu re a ba c k u p lo c al databas e entr y c alled A dmin .

For backup purposes, configure a local username of Admin and secret password of adminpa55.


  1: R2(config)# username Admin password adminpa55

S tep 2. V er ify the T A C A C S + S erv er c o nfigu r a tio n.

Select the TACACS+ Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.

S tep 3. C o nfigu re the T A C A C S + s erv er s pec ific s o n R 2.

Configure the AAA TACACS server IP address and secret key on R2.


  1: R2(config)# tacacs-server host 192.168.2.2
  2:
  3: R2(config)# tacacs-server key tacacspa55
  4:

S tep 4. C o nfigu re A A A lo g in au th entic a tio n fo r c o n s o le a c c es s o n R 2.

Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server and if not available, then use the local database.


  1: R2(config)# aaa new-model
  2:
  3: R2(config)# aaa authentication login default group tacacs+ local
  4:

S tep 5. C o nfigu re the line c o ns o le to u s e the defined A A A a u thentic a tio n metho d.

Configure AAA authentication for console login to use the default AAA authentication method.


  1: R2(config)# line console 0
  2:
  3: R2(config-line)# login authentication default
  4:

S tep 6. V er ify the A A A a u thentic a tio n metho d.

Verify the user EXEC login using the AAA TACACS+ server.

R2(config-line)# end

%SYS-5-CONFIG_I: Configured from console by console

R2# exit

R2 con0 is now available

Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY ************* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin2

Password: admin2pa55

R2>

Task 4: Configure Server-Based AAA Authentication Using RADIUS on R3

S tep 1. C o nfigu re a ba c k u p lo c al databas e entr y c alled A dmin.

For backup purposes, configure a local username of Admin and secret password of adminpa55.


  1: R3(config)# username Admin password adminpa55

S tep 2. V er ify the R A D IU S S e rv er c o nfigu ra tio n.

Select the RADIUS Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.

S tep 3. C o nfigu re the R A D IU S s e rv er s pe c ific s o n R 3.

Configure the AAA RADIUS server IP address and secret key on R3.


  1: R3(config)# radius-server host 192.168.3.2
  2:
  3: R3(config)# radius-server key radiuspa55
  4:

S tep 4. C o nfigu re A A A lo g in au th entic a tio n fo r c o n s o le a c c es s o n R 3.

Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server and if not available, then use the local database.


  1: R3(config)# aaa new-model
  2:
  3: R3(config)# aaa authentication login default group radius local
  4:

S tep 5. C o nfigu re the line c o ns o le to u s e the defined A A A a u thentic a tio n metho d.

Configure AAA authentication for console login to use the default AAA authentication method.


  1: R3(config)# line console 0
  2:
  3: R3(config-line)# login authentication default
  4:

S tep 6. V er ify the A A A a u thentic a tio n metho d.

Verify the user EXEC login using the AAA TACACS+ server.

R3(config-line)# end

%SYS-5-CONFIG_I: Configured from console by console

R3# exit

R3 con0 is now available

Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY ************* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

Step 7. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

All contents are Copyright ? 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

顶一下 0 踩一下 0

你可能对以下内容感兴趣!

  1. Configure a Network for S...
  2. Configure and Verify a Si...
  3. Layer 2 VLAN Security
  4. Layer 2 Security
  5. Configure IOS Intrusion P...
  6. Configuring Context-Based...
  7. Configure IP ACLs to Miti...
  8. Configure Cisco Routers f...

一个评论“Configure AAA Authentication on Cisco Routers

发表评论

*

w_0002.gif w_0009.gif w_0007.gif w_0011.gif w_0005.gif w_0008.gif w_0010.gif w_0003.gif w_0012.gif w_0001.gif w_0006.gif