[CCNA Security v2] 3.6.1.2 Packet Tracer - Configure AAA Authentication on Cisco Routers




Packet Tracer - Configure AAA Authentication on Cisco Routers


Addressing Table

Objectives

·         Configure a local user account on R1 and configure authenticate on the console and vty lines using local AAA.
·         Verify local AAA authentication from the R1 console and the PC-A client.
·         Configure server-based AAA authentication using TACACS+.
·         Verify server-based AAA authentication from the PC-B client.
·         Configure server-based AAA authentication using RADIUS.
·         Verify server-based AAA authentication from the PC-C client.
Background / Scenario

The network topology shows routers R1, R2 and R3. Currently, all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.

You will create a local user account and configure local AAA on router R1 to test the console and vty logins.

o    User account: Admin1 and password admin1pa55
You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The TACACS+ server has been pre-configured with the following:

o    Client: R2 using the keyword tacacspa55
o    User account: Admin2 and password admin2pa55
Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The RADIUS server has been pre-configured with the following:

o    Client: R3 using the keyword radiuspa55
o    User account: Admin3 and password admin3pa55
The routers have also been pre-configured with the following:

o    Enable secret password: ciscoenpa55
o    OSPF routing protocol with MD5 authentication using password: MD5pa55
Note: The console and vty lines have not been pre-configured.

Note: IOS version 15.3 uses SCRYPT  as a secure encryption hashing algorithm; however, the IOS version that is currently supported in Packet Tracer uses MD5. Always use the most secure option available on your equipment.

Part 1: Configure Local AAA Authentication for Console Access on R1
Step 1: Test connectivity.

·         Ping from PC-A to PC-B.
·         Ping from PC-A to PC-C.
·         Ping from PC-B to PC-C.
Step 2: Configure a local username on R1.

Configure a username of Admin1 with a secret password of admin1pa55.

Step 3: Configure local AAA authentication for console access on R1.

Enable AAA on R1 and configure AAA authentication for the console login to use the local database.

Step 4: Configure the line console to use the defined AAA authentication method.

Enable AAA on R1 and configure AAA authentication for the console login to use the default method list.

Step 5: Verify the AAA authentication method.

Verify the user EXEC login using the local database.

Part 2: Configure Local AAA Authentication for vty Lines on R1
Step 1: Configure domain name and crypto key for use with SSH.

a.     Use ccnasecurity.com as the domain name on R1.

b.     Create an RSA crypto key using 1024 bits.

Step 2: Configure a named list AAA authentication method for the vty lines on R1.

Configure a named list called SSH-LOGIN to authenticate logins using local AAA.

Step 3: Configure the vty lines to use the defined AAA authentication method.

Configure the vty lines to use the named AAA method and only allow SSH for remote access.

Step 4: Verify the AAA authentication method.

Verify the SSH configuration SSH to R1 from the command prompt of PC-A..

Part 3: Configure Server-Based AAA Authentication Using TACACS+ on R2
Step 1: Configure a backup local database entry called Admin.

For backup purposes, configure a local username of Admin2 and a secret password of admin2pa55.

Step 2: Verify the TACACS+ Server configuration.

Click the TACACS+ Server.  On the Services tab, click AAA. Notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.

Step 3: Configure the TACACS+ server specifics on R2.

Configure the AAA TACACS server IP address and secret key on R2.

Note: The commands tacacs-server host and tacacs-server key are deprecated. Currently, Packet Tracer does not support the new command tacacs server.

R2(config)# tacacs-server host 192.168.2.2
R2(config)# tacacs-server key tacacspa55
Step 4: Configure AAA login authentication for console access on R2.

Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server. If it is not available, then use the local database.

Step 5: Configure the line console to use the defined AAA authentication method.

Configure AAA authentication for console login to use the default AAA authentication method.

Step 6: Verify the AAA authentication method.

Verify the user EXEC login using the AAA TACACS+ server.

Part 4: Configure Server-Based AAA Authentication Using RADIUS on R3
Step 1: Configure a backup local database entry called Admin.

For backup purposes, configure a local username of Admin3 and a secret password of admin3pa55.

Step 2: Verify the RADIUS Server configuration.

Click the RADIUS Server. On the Services tab, click AAA. Notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.

Step 3: Configure the RADIUS server specifics on R3.

Configure the AAA RADIUS server IP address and secret key on R3.

Note: The commands radius-server host and radius-server key are deprecated. Currently Packet Tracer does not support the new command radius server.

R3(config)# radius-server host 192.168.3.2
R3(config)# radius-server key radiuspa55
Step 4: Configure AAA login authentication for console access on R3.

Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server. If it is not available, then use the local database.

Step 5: Configure the line console to use the defined AAA authentication method.

Configure AAA authentication for console login to use the default AAA authentication method.

Step 6: Verify the AAA authentication method.

Verify the user EXEC login using the AAA RADIUS server.

Step 7: Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.


Configuration R1:

enable
ciscoenpa55
configure terminal
username Admin1 secret admin1pa55
aaa new-model
aaa authentication login default local
line console 0
 login authentication default
 exit
ip domain-name ccnasecurity.com
crypto key generate rsa
1024
aaa authentication login SSH-LOGIN local
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
 exit
!

Configuration R2: 


enable
ciscoenpa55
configure terminal
username Admin2 secret admin2pa55
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55
aaa new-model
aaa authentication login default group tacacs+ local
line con 0
 login authentication default
 exit
!

Configuration R3: 

enable
ciscoenpa55
configure terminal
username Admin3 secret admin3pa55
radius-server host 192.168.3.2
radius-server key radiuspa55
aaa new-model
aaa authentication login default group radius local
line con 0
 login authentication default
 exit
!


TACACS+ Server:




RADIUS Server:



Nhận xét

  1. StevenHWickerlúc 09:52 4 tháng 2, 2021

    It is a very informative and useful post thanks it is good material to read this post increases my knowledge. Acls NZ

    Trả lờiXóa

Đăng nhận xét

Bài đăng phổ biến từ blog này

[CCNAv6 S2] 2.2.2.4 Packet Tracer - Configuring IPv4 Static and Default Routes

Hình ảnh
Packet Tracer - Configuring IPv4 Static and Default Routes Addressing Table Objectives Part 1: Examine the Network and Evaluate the Need for Static Routing Part 2: Configure Static and Default Routes Part 3: Verify Connectivity Background In this activity, you will configure static and default routes. A static route is a route that is entered manually by the network administrator to create a reliable and safe route. There are four different static routes that are used in this activity: a recursive static route, a directly attached static route, a fully specified static route, and a default route. Part 1:     Examine the Network and Evaluate the Need for Static Routing a.     Looking at the topology diagram, how many networks are there in total? b.    How many networks are directly connected to R1, R2, and R3? c.     How many static routes are required by each router to reach networks that are not directly ...
Đọc thêm

[CCNAv6 S2] 8.3.1.2 Packet Tracer - Skills Integration Challenge

Hình ảnh
Packet Tracer – Skills Integration Challenge Addressing Table VLAN Port Assignments and DHCP Information Scenario In this culminating activity, you will configure VLANs, trunks, DHCP Server, DHCP relay agents, and configure a router as a DHCP client. Requirements Using the information in the tables above, implement the following requirements: ·         Create VLANs on S2 and assign VLANs to appropriate ports. Names are case-sensitive ·         Configure S2 ports for trunking. ·         Configure all non-trunk ports on S2 as access ports. ·         Configure R1 to route between VLANs. Subinterface names should match the VLAN number. ·         Configure R1 to act as a DHCP server for the VLANs attached to S2. -       Create a DHCP pool for each VLAN. Names are case-sensitive. -       Assign the ap...
Đọc thêm

[CCNAv6 S2] 9.4.1.2 Packet Tracer - Skills Integration Challenge Part II

Hình ảnh
Packet Tracer – Skills Integration Challenge Addressing Table VLANs and Port Assignments Table Scenario This culminating activity includes many of the skills that you have acquired during this course. First, you will complete the documentation for the network. So make sure you have a printed version of the instructions. During implementation, you will configure VLANs, trunking, port security and SSH remote access on a switch. Then, you will implement inter-VLAN routing and NAT on a router. Finally, you will use your documentation to verify your implementation by testing end-to-end connectivity. Documentation You are required to fully document the network. You will need a print out of this instruction set, which will include an unlabeled topology diagram: -       Label all the device names, network addresses and other important information that Packet Tracer generated. -       Complete the Addressing Table and VLANs and Por...
Đọc thêm