Configure Local and Server-Based AAA Authentication

Topology

Addressing Table

Device   Interface   IP Address     Subnet Mask
R1       G0/0/1      192.168.1.1    255.255.255.0
D1       VLAN 1      192.168.1.2    255.255.255.0
A1       VLAN 1      192.168.1.3    255.255.255.0
PC1      NIC         DHCP           (assigned by R1)
PC2      NIC         192.168.1.5    255.255.255.0

Objectives
- Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing
- Part 2: Configure Local AAA Authentication
- Part 3: Configure Server-Based AAA using RADIUS on A1
- Part 4: Configure Server-Based AAA using TACACS+ on D1

Background / Scenario

Required Resources
- 1 Router (Cisco 4321 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 1 Switch (Cisco 3650 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
- 1 PC (choice of operating system with a terminal emulation program installed)
- 1 PC (choice of operating system with the Cisco Networking Academy CCNP VM running in a virtual machine client)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet cables as shown in the topology
Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing

In Part 1, you will set up the network topology and configure basic settings and interface addressing on each device (the router R1 and the switches D1 and A1).
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each device.
a. Console into each device, enter global configuration mode, and apply the
basic settings. The startup configurations for each device are provided below.
Router R1

hostname R1
no ip domain lookup
enable secret cisco12345cisco
banner motd # R1, Configure AAA-Based Authentication #
line con 0
exec-timeout 0 0
logging synchronous
exit
interface g0/0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp pool HOST_ADDRESSING
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
exit

Switch D1

hostname D1
no ip domain lookup
enable secret cisco12345cisco
banner motd # D1, Configure AAA-Based Authentication #
line con 0
exec-timeout 0 0
logging synchronous
exit
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
interface g1/0/23
spanning-tree portfast
switchport mode access
no shutdown
exit
interface g1/0/11
spanning-tree portfast
switchport mode access
no shutdown
exit
interface range g1/0/5-6
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
interface range g1/0/1-4, g1/0/7-10, g1/0/12-22, g1/0/24, g1/1/1-4
shutdown
exit

Switch A1

hostname A1
no ip domain lookup
enable secret cisco12345cisco
banner motd # A1, Configure AAA-Based Authentication #
line con 0
exec-timeout 0 0
logging synchronous
exit
interface vlan 1
ip address 192.168.1.3 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
interface range f0/1-2
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
interface range f0/3-24, g0/1-2
shutdown
exit
interface f0/23
switchport mode access
spanning-tree portfast
no shutdown
exit
b. Set the clock on each device to UTC time from privileged EXEC mode (the time zone defaults to UTC). Consistent clocks matter later in the lab: AAA accounting records and the authentication server's own logs are timestamped on both ends, and mismatched clocks make them hard to correlate.
clock set hh:mm:ss day month year
c. Save the running configuration to startup-config.
copy running-config startup-config
d. Verify PC1 receives an address via DHCP.
e. Verify that D1, A1, and PC1 can ping R1 interface G0/0/1.

Part 2: Configure Local AAA Authentication

A line that relies on login local (or a plain line password) checks a single credential source and has no fallback. Enabling AAA replaces that with method lists, which chain several sources in order, so the device can fall back, for example to the enable secret or, in Parts 3 and 4, from an unreachable server to the local database. The basic configurations you loaded put no username/password protection on the console or vty lines. In this part of the lab, you will use local AAA to add that protection.

Note: Do not save your configuration beyond this point, in case you lock yourself out of the device. A reload then returns the device to the saved Part 1 state, instead of forcing a password recovery and possibly a full reconfiguration.
Step 1: Create a local user.
a. Create a local user named localuser with a scrypt-hashed (type 9) secret of cisco123. On IOS XE 16.x, username ... secret produces a type 9 scrypt hash by default, as the output below shows; on releases where it still defaults to type 5 (MD5), add the algorithm-type scrypt keyword as in Part 4.

A1(config)# username localuser secret cisco123

b. Verify that the configuration is present in running-config by issuing the command show run | include username. The 9 after secret is the hash type; only the salted hash is stored, never the password itself.

A1# show run | include username
username localuser secret 9 $9$FYuVSfDjMKy7hU$SCFRKN.aehfb6f7rguVl6TWTlnpQmNVHqBolXXjRrp.
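As an added example (not part of the lab, which only specifies the localuser account), here is what a finished local-AAA configuration on A1 looks like once method lists with a fallback are applied to the console and vty lines. The list names CONSOLE_LOGIN and VTY_LOGIN, the domain name aaa-lab.local, and the choice of SSH as the vty transport are assumptions.

```cisco-ios
! Added example, not from the lab. Assumed names: CONSOLE_LOGIN, VTY_LOGIN,
! the domain aaa-lab.local, and SSH as the vty transport.
A1# configure terminal
A1(config)# username localuser algorithm-type scrypt secret cisco123
A1(config)# aaa new-model
!
! From here on every line uses AAA. Lines with no named list applied consult
! the default login list, so define it explicitly rather than rely on implicit behaviour.
A1(config)# aaa authentication login default local
!
! Console: local database first. 'local' returns ERROR (not FAIL) when no
! usernames exist at all, and only then does AAA move to the next method,
! here the enable secret, so a console session stays possible.
A1(config)# aaa authentication login CONSOLE_LOGIN local enable
!
! vty: local database only. A wrong password is a FAIL and ends the attempt;
! AAA never tries the next method on FAIL, only on ERROR.
A1(config)# aaa authentication login VTY_LOGIN local
!
A1(config)# line con 0
A1(config-line)# login authentication CONSOLE_LOGIN
A1(config-line)# exit
A1(config)# line vty 0 15
A1(config-line)# login authentication VTY_LOGIN
A1(config-line)# transport input ssh
A1(config-line)# exit
!
! SSH so the local credentials never cross the wire in cleartext.
A1(config)# ip domain-name aaa-lab.local
A1(config)# crypto key generate rsa modulus 2048
A1(config)# ip ssh version 2
A1(config)# end
!
! Verify from the console session that is still open, before trying a vty:
A1# show running-config | section ^aaa|^line|^username
A1# debug aaa authentication
! Then from PC2: ssh -l localuser 192.168.1.3 and watch the debug output
! for the method list name and the local-database result.
```

Keep the console session open while you do this: once aaa new-model is entered, a vty login that fails against an empty or mistyped local database has no other way in, which is exactly the lock-out the note above warns about.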

Part 4: Configure Server-Based AAA using TACACS+ on D1

TACACS+ was developed by Cisco in the early 1990s as an incompatible successor to the original TACACS protocol and was later published by the IETF as an informational specification (RFC 8907). It handles authentication, authorization, and accounting as separate exchanges, which is the main functional difference from RADIUS: because authorization is its own step, TACACS+ can decide per command what an authenticated user may run, whereas RADIUS returns its authorization attributes inside the authentication reply. Other differences: TACACS+ runs over TCP (port 49) instead of UDP, and it obfuscates the entire packet body (everything after the 12-byte header) with a keystream derived from the shared secret, while RADIUS hides only the User-Password attribute and sends the username and other attributes in cleartext. Neither mechanism is modern encryption, and both depend entirely on the secrecy of the shared key, so the traffic still belongs on a protected management network. In this part of the lab, you will configure a TACACS+ server and a method list for use on the vty lines.
Step 1: Enable AAA new-model.
Enable AAA on the device with the global configuration command aaa new-model. As soon as the command is entered, the vty and console lines switch to the default login method list, which is the local user database until you define otherwise. D1 has no usernames yet, so keep your console session open and do not save until the user in Step 2 and the method list exist.

D1(config)# aaa new-model

Step 2: Create a local user.

Create a local user named localuser with a scrypt-hashed (type 9) secret of cisco123. This account is the fallback for the vty lines when the TACACS+ server cannot be reached.

D1(config)# username localuser algorithm-type scrypt secret cisco123

Verify it with show run | include username:

D1# show run | include username
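As an added example, not part of the lab, the following completes Part 4 on D1: the server definition, the server group, a vty method list that falls back to the local database, and the checks to run before trusting the vty lines. The server address 192.168.1.5 (PC2's address in the addressing table, assumed here to host the CCNP VM), the key Tacacs-Key-ChangeMe, the names TACACS-VM, TACACS-GROUP, VTY_LOGIN and CONSOLE_LOGIN, and the use of localuser/cisco123 as a server-side account are all assumptions.

```cisco-ios
! Added example, not from the lab. Assumed: TACACS+ server (CCNP VM) at
! 192.168.1.5, key Tacacs-Key-ChangeMe, and the names below.
D1# configure terminal
D1(config)# aaa new-model
D1(config)# username localuser algorithm-type scrypt secret cisco123
!
! Server definition (the 'tacacs server' block replaces the older
! 'tacacs-server host' form). The key must match the server's; it is the
! only thing that keys the keystream hiding the packet body.
D1(config)# tacacs server TACACS-VM
D1(config-server-tacacs)# address ipv4 192.168.1.5
D1(config-server-tacacs)# key Tacacs-Key-ChangeMe
D1(config-server-tacacs)# timeout 3
D1(config-server-tacacs)# exit
D1(config)# aaa group server tacacs+ TACACS-GROUP
D1(config-sg-tacacs+)# server name TACACS-VM
D1(config-sg-tacacs+)# exit
! Source requests from the SVI so the server sees one stable client address
! (the server must list that address as a permitted client).
D1(config)# ip tacacs source-interface vlan 1
!
! vty method list: server group first, local database second. 'local' is
! reached only when the group returns ERROR (every server unreachable or
! timed out). A server that rejects the credentials returns FAIL, which ends
! the attempt, so the fallback cannot be used to bypass the server.
D1(config)# aaa authentication login VTY_LOGIN group TACACS-GROUP local
! Console stays on the local database so a server outage never locks out
! out-of-band access.
D1(config)# aaa authentication login CONSOLE_LOGIN local
D1(config)# line con 0
D1(config-line)# login authentication CONSOLE_LOGIN
D1(config-line)# exit
D1(config)# line vty 0 15
D1(config-line)# login authentication VTY_LOGIN
D1(config-line)# exit
D1(config)# end
!
! Check reachability and the shared key before relying on the vty lines.
! A key mismatch fails here even though the host answers on TCP 49.
D1# test aaa group TACACS-GROUP localuser cisco123 new-code
D1# show tacacs
D1# debug tacacs
```

Two things worth checking afterwards. First, show tacacs reports per-server counters; a rising "socket opens" count with no successful authentications usually means the key or the server's client list is wrong, not the network. Second, the key is written to the running configuration as a type 7 string, which is reversible; on IOS XE you can store it as type 6 (AES) with key config-key password-encrypt followed by password encryption aes, which is the form you want before the configuration is ever saved or exported.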