
PT Activity: Configure AAA Authentication on Cisco Routers - 1%

Topology Diagram
Addressing Table
Device          Interface   IP Address     Subnet Mask
R1              Fa0/0       192.168.1.1    255.255.255.0
                S0/0/0      10.1.1.2       255.255.255.252
R2              S0/0/0      10.1.1.1       255.255.255.252
                Fa0/0       192.168.2.1    255.255.255.0
                S0/0/1      10.2.2.1       255.255.255.252
R3              S0/0/1      10.2.2.2       255.255.255.252
                Fa0/0       192.168.3.1    255.255.255.0
TACACS+ Server  NIC         192.168.2.2    255.255.255.0
RADIUS Server   NIC         192.168.3.2    255.255.255.0
PC-A            NIC         192.168.1.3    255.255.255.0
PC-B            NIC         192.168.2.3    255.255.255.0
PC-C            NIC         192.168.3.3    255.255.255.0
All contents are Copyright © 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 4
CCNA Security
Learning Objectives
Configure a local user account on R1 and authenticate on the console and VTY lines using local AAA.
Verify local AAA authentication from the R1 console and the PC-A client.
Configure a server-based AAA authentication using TACACS+.
Verify server-based AAA authentication from PC-B client.
Configure a server-based AAA authentication using RADIUS.
Verify server-based AAA authentication from PC-C client.
Introduction
The network topology shows routers R1, R2 and R3. Currently all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.
You will create a local user account and configure local AAA on router R1 to test the console and VTY logins.
User account: Admin1 and password admin1pa55
You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The TACACS+ server has been pre-configured with the following:
Client: R2 using the keyword tacacspa55
User account: Admin2 and password admin2pa55
Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The RADIUS server has been pre-configured with the following:
Client: R3 using the keyword radiuspa55
User account: Admin3 and password admin3pa55
The routers have also been pre-configured with the following:
Enable secret password: ciscoenpa55
RIP version 2
Note: The console and VTY lines have not been pre-configured.
Task 1: Configure Local AAA Authentication for Console Access on R1
Step 1. Test connectivity.
Ping from PC-A to PC-B.
Ping from PC-A to PC-C.
Ping from PC-B to PC-C.
Step 2. Configure a local username on R1.
Configure a username of Admin1 and secret password of admin1pa55.
Step 3. Configure local AAA authentication for console access on R1.
Enable AAA on R1 and configure AAA authentication for console login to use the local database.
Step 4. Configure the line console to use the defined AAA authentication method.
Enable AAA on R1 and configure AAA authentication for console login to use the default method list.
Step 5. Verify the AAA authentication method.
Verify the user EXEC login using the local database.
Task 2: Configure Local AAA Authentication for VTY Lines on R1
Step 6. Configure a named list AAA authentication method for VTY lines on R1.
Configure a named list called TELNET-LOGIN to authenticate logins using local AAA.
Step 7. Configure the VTY lines to use the defined AAA authentication method.
Configure the VTY lines to use the named AAA method.
Step 8. Verify the AAA authentication method.
Verify the Telnet configuration. From the command prompt of PC-A, Telnet to R1.
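One way to enter Tasks 1 and 2 on R1, as an added example that is not part of the original lab sheet or a Cisco answer key. It uses classic IOS syntax as accepted by Packet Tracer; the VTY range `0 4` is an assumption, since the lab does not state which VTY lines to configure.

```ios
! R1, global configuration mode (added example, not from the lab sheet)
!
! Step 2: local account. "secret" stores a hash of the password
! instead of the recoverable form that "password" would store.
username Admin1 secret admin1pa55
!
! Step 3: turn on AAA and make the local database the default
! login method list.
aaa new-model
aaa authentication login default local
!
! Step 4: bind the console to the default list explicitly.
line console 0
 login authentication default
 exit
!
! Step 6: a separate, named method list for remote logins.
aaa authentication login TELNET-LOGIN local
!
! Step 7: apply the named list to the VTY lines.
! Assumption: VTY lines 0 through 4.
line vty 0 4
 login authentication TELNET-LOGIN
 end
```

A named list only takes effect on lines that reference it; any line without a `login authentication` statement uses the `default` list once `aaa new-model` is enabled.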
Task 3: Configure Server-Based AAA Authentication Using TACACS+ on R2
Step 9. Configure a backup local database entry called Admin.
For backup purposes, configure a local username of Admin and secret password of adminpa55.
Step 10. Verify the TACACS+ Server configuration.
Select the TACACS+ Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.
Step 11. Configure the TACACS+ server specifics on R2.
Configure the AAA TACACS server IP address and secret key on R2.
Step 12. Configure AAA login authentication for console access on R2.
Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server and if not available, then use the local database.
Step 13. Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
Step 14. Verify the AAA authentication method.
Verify the user EXEC login using the AAA TACACS+ server.
Task 4: Configure Server-Based AAA Authentication Using RADIUS on R3
Step 15. Configure a backup local database entry called Admin.
For backup purposes, configure a local username of Admin and secret password of adminpa55.
Step 16. Verify the RADIUS Server configuration.
Select the RADIUS Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.
Step 17. Configure the RADIUS server specifics on R3.
Configure the AAA RADIUS server IP address and secret key on R3.
Step 18. Configure AAA login authentication for console access on R3.
Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server and if not available, then use the local database.
Step 19. Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
Step 20. Verify the AAA authentication method.
Verify the user EXEC login using the AAA RADIUS server.
Step 21. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
