
PT Activity: Configure AAA Authentication on Cisco Routers

Instructor Version

Topology Diagram

Addressing Table

Device          Interface   IP Address     Subnet Mask
R1              Fa0/0       192.168.1.1    255.255.255.0
                S0/0/0      10.1.1.2       255.255.255.252
R2              S0/0/0      10.1.1.1       255.255.255.252
                Fa0/0       192.168.2.1    255.255.255.0
                S0/0/1      10.2.2.1       255.255.255.252
R3              S0/0/1      10.2.2.2       255.255.255.252
                Fa0/0       192.168.3.1    255.255.255.0
TACACS+ Server  NIC         192.168.2.2    255.255.255.0
RADIUS Server   NIC         192.168.3.2    255.255.255.0
PC-A            NIC         192.168.1.3    255.255.255.0
PC-B            NIC         192.168.2.3    255.255.255.0
PC-C            NIC         192.168.3.3    255.255.255.0

All contents are Copyright © 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

CCNA Security

Learning Objectives

• Configure a local user account on R1 and authenticate on the console and VTY lines using local AAA.
• Verify local AAA authentication from the R1 console and the PC-A client.
• Configure server-based AAA authentication using TACACS+.
• Verify server-based AAA authentication from the PC-B client.
• Configure server-based AAA authentication using RADIUS.
• Verify server-based AAA authentication from the PC-C client.

Introduction

The network topology shows routers R1, R2 and R3. Currently all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.

You will create a local user account and configure local AAA on router R1 to test the console and VTY logins.

    User account: Admin1 and password admin1pa55

You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The TACACS+ server has been pre-configured with the following:

    Client: R2 using the keyword tacacspa55
    User account: Admin2 and password admin2pa55

Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The RADIUS server has been pre-configured with the following:

    Client: R3 using the keyword radiuspa55
    User account: Admin3 and password admin3pa55

The routers have also been pre-configured with the following:

    Enable secret password: ciscoenpa55
    RIP version 2

Note: The console and VTY lines have not been pre-configured.

Task 1: Configure Local AAA Authentication for Console Access on R1


Step 1. Test connectivity.

Ping from PC-A to PC-B. Ping from PC-A to PC-C. Ping from PC-B to PC-C.

Step 2. Configure a local username on R1.

Configure a username of Admin1 and secret password of admin1pa55.

    R1(config)# username Admin1 password admin1pa55

Step 3. Configure local AAA authentication for console access on R1.

Enable AAA on R1 and configure AAA authentication for console login to use the local database.

    R1(config)# aaa new-model
    R1(config)# aaa authentication login default local


Step 4. Configure the line console to use the defined AAA authentication method.

Enable AAA on R1 and configure AAA authentication for console login to use the default method list.

    R1(config)# line console 0
    R1(config-line)# login authentication default

Step 5. Verify the AAA authentication method.

Verify the user EXEC login using the local database.

    R1(config-line)# end
    %SYS-5-CONFIG_I: Configured from console by console
    R1# exit

    R1 con0 is now available

    Press RETURN to get started.

    ------------ AUTHORIZED ACCESS ONLY ------------
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

    User Access Verification

    Username: Admin1
    Password: admin1pa55
    R1>

Task 2: Configure Local AAA Authentication for VTY Lines on R1


Step 6. Configure a named list AAA authentication method for VTY lines on R1.

Configure a named list called TELNET-LOGIN to authenticate logins using local AAA.

    R1(config)# aaa authentication login TELNET-LOGIN local

Step 7. Configure the VTY lines to use the defined AAA authentication method.

Configure the VTY lines to use the named AAA method.

    R1(config)# line vty 0 4
    R1(config-line)# login authentication TELNET-LOGIN
    R1(config-line)# end

Step 8. Verify the AAA authentication method.

Verify the Telnet configuration. From the command prompt of PC-A, Telnet to R1.

    PC> telnet 192.168.1.1

    ------------ AUTHORIZED ACCESS ONLY ------------
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

    User Access Verification

    Username: Admin1
    Password: admin1pa55
    R1>
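The following Python script is an added example; it is not part of the Packet Tracer activity or of Cisco's material. It parses an IOS-style running-config constructed from the commands entered in Tasks 1 and 2 and performs the checks a reviewer would make after step 8: `aaa new-model` is present, every console and VTY line binds to a login method list that is actually defined (a mistyped list name such as TELNET-LOGN is the common slip), any list that uses a server group keeps a `local` fallback, and accounts created with `username ... password` are flagged, because `password` stores the credential in the clear (or reversibly encoded) whereas `secret` stores a hash. The sample configs, the typo variant and the R2 variant without `local` are all constructed for the demonstration.

```python
"""Audit the AAA login configuration of an IOS-style running-config.

Added example, not part of the Packet Tracer activity.  The sample configs
below are constructed from the commands shown in the activity's steps.
"""
import re

# Constructed sample: R1 after Tasks 1 and 2 (IOS shows 'line con 0').
R1_CONFIG = """\
hostname R1
enable secret ciscoenpa55
username Admin1 password admin1pa55
aaa new-model
aaa authentication login default local
aaa authentication login TELNET-LOGIN local
line con 0
 login authentication default
line vty 0 4
 login authentication TELNET-LOGIN
"""

# Constructed variant with a typo in the VTY list name (TELNET-LOGN).
R1_TYPO_CONFIG = R1_CONFIG.replace("login authentication TELNET-LOGIN",
                                   "login authentication TELNET-LOGN")

# Constructed variant of R2 from Task 3 with the 'local' fallback left off.
R2_NO_FALLBACK_CONFIG = """\
hostname R2
username Admin password adminpa55
aaa new-model
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55
aaa authentication login default group tacacs+
line con 0
 login authentication default
"""

LIST_RE = re.compile(r"aaa authentication login (\S+) (.+)")
LINE_RE = re.compile(r"line (con|console|vty|aux)\b.*")
USER_PW_RE = re.compile(r"username (\S+) password ")


def parse_aaa(config):
    """Collect the AAA-relevant commands into a dict."""
    found = {"new_model": False, "lists": {}, "line_lists": {}, "plaintext_users": []}
    current_line = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd == "aaa new-model":
            found["new_model"] = True
        elif m := LIST_RE.match(cmd):
            name, rest = m.groups()
            tokens = rest.split()
            methods, i = [], 0
            while i < len(tokens):
                if tokens[i] == "group" and i + 1 < len(tokens):
                    methods.append("group " + tokens[i + 1])   # e.g. "group tacacs+"
                    i += 2
                else:
                    methods.append(tokens[i])                  # e.g. "local"
                    i += 1
            found["lists"][name] = methods
        elif LINE_RE.match(cmd):
            current_line = cmd                                 # entering line sub-mode
        elif cmd.startswith("login authentication ") and current_line:
            found["line_lists"][current_line] = cmd.split()[2]
        elif m := USER_PW_RE.match(cmd):
            found["plaintext_users"].append(m.group(1))
    return found


def resolve_lines(config):
    """Map each line to the methods it will use (None if its list is undefined)."""
    found = parse_aaa(config)
    return {line: found["lists"].get(name) for line, name in found["line_lists"].items()}


def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    found = parse_aaa(config)
    findings = []
    if not found["new_model"]:
        findings.append("aaa new-model is missing: AAA method lists are not in effect")
    for line, name in found["line_lists"].items():
        if name != "default" and name not in found["lists"]:
            findings.append(f"{line} references undefined list {name}")
    for name, methods in found["lists"].items():
        if any(m.startswith("group ") for m in methods) and "local" not in methods:
            findings.append(f"list {name} has no local fallback if the server is unreachable")
    for user in found["plaintext_users"]:
        findings.append(f"username {user} uses 'password' (stored reversibly); prefer 'secret'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1", R1_CONFIG), ("R1 typo", R1_TYPO_CONFIG),
                       ("R2 no fallback", R2_NO_FALLBACK_CONFIG)):
        print(label, resolve_lines(cfg), audit(cfg))
```

The parser deliberately tracks which `line` sub-mode it is in, because `login authentication` only has meaning under a line; the same approach extends to `aux` and other lines without changes.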


Task 3: Configure Server-Based AAA Authentication Using TACACS+ on R2

Step 9. Configure a backup local database entry called Admin.

For backup purposes, configure a local username of Admin and secret password of adminpa55.

    R2(config)# username Admin password adminpa55

Step 10. Verify the TACACS+ Server configuration.

Select the TACACS+ Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.

Step 11. Configure the TACACS+ server specifics on R2.

Configure the AAA TACACS+ server IP address and secret key on R2.

    R2(config)# tacacs-server host 192.168.2.2
    R2(config)# tacacs-server key tacacspa55

Step 12. Configure AAA login authentication for console access on R2.

Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server and, if it is not available, then use the local database.

    R2(config)# aaa new-model
    R2(config)# aaa authentication login default group tacacs+ local

Step 13. Configure the line console to use the defined AAA authentication method.

Configure AAA authentication for console login to use the default AAA authentication method.

    R2(config)# line console 0
    R2(config-line)# login authentication default

Step 14. Verify the AAA authentication method.

Verify the user EXEC login using the AAA TACACS+ server.

    R2(config-line)# end
    %SYS-5-CONFIG_I: Configured from console by console
    R2# exit

    R2 con0 is now available

    Press RETURN to get started.

    ------------ AUTHORIZED ACCESS ONLY ------------
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

    User Access Verification

    Username: Admin2
    Password: admin2pa55
    R2>


Task 4: Configure Server-Based AAA Authentication Using RADIUS on R3


Step 15. Configure a backup local database entry called Admin.

For backup purposes, configure a local username of Admin and secret password of adminpa55.

    R3(config)# username Admin password adminpa55

Step 16. Verify the RADIUS Server configuration.

Select the RADIUS Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.

Step 17. Configure the RADIUS server specifics on R3.

Configure the AAA RADIUS server IP address and secret key on R3.

    R3(config)# radius-server host 192.168.3.2
    R3(config)# radius-server key radiuspa55

Step 18. Configure AAA login authentication for console access on R3.

Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server and, if it is not available, then use the local database.

    R3(config)# aaa new-model
    R3(config)# aaa authentication login default group radius local

Step 19. Configure the line console to use the defined AAA authentication method.

Configure AAA authentication for console login to use the default AAA authentication method.

    R3(config)# line console 0
    R3(config-line)# login authentication default

Step 20. Verify the AAA authentication method.

Verify the user EXEC login using the AAA RADIUS server.

    R3(config-line)# end
    %SYS-5-CONFIG_I: Configured from console by console
    R3# exit

    R3 con0 is now available

    Press RETURN to get started.

    ------------ AUTHORIZED ACCESS ONLY ------------
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

    User Access Verification

    Username: Admin3
    Password: admin3pa55
    R3>

Step 21. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
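Steps 12 and 18 describe the lists `group tacacs+ local` and `group radius local` as "use the server and, if it is not available, the local database". The script below is an added example, not part of the Packet Tracer activity, that models how IOS walks such a list: a method is skipped only when it returns an error (no reply from any server in the group); a reject from a reachable server is final and the later `local` method is never consulted. The account data is constructed from the names the activity uses on R2 and its TACACS+ server; the server and local methods are simplified stand-ins written for this example, not real TACACS+ or RADIUS clients.

```python
"""Simulate how IOS walks a login method list such as 'group tacacs+ local'.

Added example, not part of the Packet Tracer activity.  Each method returns
PASS, FAIL or ERROR; IOS moves on to the next method only on ERROR.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"     # credentials accepted
    FAIL = "fail"     # a method answered and rejected the credentials
    ERROR = "error"   # the method could not answer (server unreachable)


# Constructed data: the accounts the activity says exist on each side of R2.
SERVER_USERS = {"Admin2": "admin2pa55"}   # defined on the TACACS+ server
LOCAL_USERS = {"Admin": "adminpa55"}      # R2's backup local database


def make_group_method(users, reachable):
    """Stand-in for 'group tacacs+' / 'group radius' (hypothetical, simplified)."""
    def method(username, password):
        if not reachable:
            return Result.ERROR           # no reply: IOS tries the next method
        if users.get(username) == password:
            return Result.PASS
        return Result.FAIL                # server replied with a reject
    return method


def make_local_method(users):
    """Stand-in for the 'local' method: check the router's own username table."""
    def method(username, password):
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def authenticate(method_list, username, password):
    """Walk the list in order; return (final Result, name of the deciding method)."""
    for name, method in method_list:
        outcome = method(username, password)
        if outcome is Result.ERROR:
            continue                      # only an ERROR falls through to the next method
        return outcome, name
    return Result.ERROR, None             # every method errored: the login fails


def r2_default_list(tacacs_reachable):
    """The 'aaa authentication login default group tacacs+ local' list from Task 3."""
    return [
        ("group tacacs+", make_group_method(SERVER_USERS, tacacs_reachable)),
        ("local", make_local_method(LOCAL_USERS)),
    ]


if __name__ == "__main__":
    attempts = (("Admin2", "admin2pa55"), ("Admin", "adminpa55"), ("Admin2", "wrong"))
    for reachable in (True, False):
        method_list = r2_default_list(reachable)
        for user, pw in attempts:
            result, decided_by = authenticate(method_list, user, pw)
            print(f"server reachable={reachable!s:5} {user:7} -> {result.value:5} by {decided_by}")
```

Running it shows the two cases worth remembering: with the server reachable, the backup Admin account is rejected by the server and never reaches `local`; with the server unreachable, Admin2 fails at `local` because that account exists only on the server. The backup entry from steps 9 and 15 is therefore a safety net for server outages, not a second login path, and a lockout during a server outage is avoided only because `local` is present in the list.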
