Lab 12.2.2: AAA Authentication

Objectives:

  • Add AAA local Authentication to a NAS device.

Scenario:

The Denver office needs to control who logs in to their router and who dials in for remote access. You will set up AAA Authentication on this router and test each user account.

Notes: 

Lab Tasks:

  1. Log into the Denver office router and enter global configuration mode.
  2. Configure the following basic information on the router:
  • Configure the hostname AAA_Router on the router.
  • Configure the enable password to be cisco.
  • Configure a Loopback interface with the IP address 172.16.1.1/24.
  • Configure the FastEthernet 0/0 interface with the IP address 192.168.1.1/24.
  • Configure the line VTY 0 4 to request a login with the cisco password.
  3. On the router, start configuring AAA Authentication. The following steps will ensure that you will not be “locked out” of the router INITIALLY. The commands to configure AAA Authentication are:

AAA_Router(config)# aaa new-model
AAA_Router(config)# username cisco1 password 0 cisco1
AAA_Router(config)# aaa authentication login default group tacacs+ local enable
AAA_Router(config)# tacacs-server host 192.168.1.200
AAA_Router(config)# tacacs-server key cisco4me
AAA_Router(config)# line con 0
AAA_Router(config-line)# password cisco
AAA_Router(config-line)# exec-timeout 0 0
AAA_Router(config-line)# line vty 0 4
AAA_Router(config-line)# exec-timeout 0 0

The command

AAA_Router(config)# aaa authentication login default group tacacs+ local enable

sets the following properties:

aaa             This is an AAA command.
authentication  This applies only to authentication.
login           This applies only to logins on the router.
default         This is the default method list.
group           Prepare to use a group of “servers”.
tacacs+         The servers are TACACS+, not RADIUS.
local           If the TACACS+ servers fail, use the local database.
enable          The last-chance password is the enable password.

Although none can be appended as a final method after enable, doing so is strongly discouraged: it leaves a tremendous security gap, because a login is then allowed with no authentication at all.
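To make the fallback order concrete, here is a small Python model of how IOS walks this method list (an added example, not part of the lab or of Cisco software): each method returns pass, fail or error, and the router moves to the next method only on error, never on a failed password. The server reachability, user names and passwords are constructed sample data taken from the lab's values.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # credentials rejected: the list walk stops here
    ERROR = "error"  # method could not decide: IOS tries the next one

# Constructed sample state mirroring the lab: the TACACS+ host at
# 192.168.1.200 never answers, cisco1 is the only local user and the
# enable password is cisco. This is not real device state.
LAB_STATE = {
    "tacacs_up": False,
    "tacacs_users": {"dialinuser": "dialinuser"},
    "local_users": {"cisco1": "cisco1"},
    "enable_password": "cisco",
}

def m_tacacs(user, pw, st):
    if not st["tacacs_up"]:
        return Result.ERROR  # no reply from any server in the group
    return Result.PASS if st["tacacs_users"].get(user) == pw else Result.FAIL

def m_local(user, pw, st):
    if user not in st["local_users"]:
        return Result.ERROR  # unknown user: IOS moves to the next method
    return Result.PASS if st["local_users"][user] == pw else Result.FAIL

def m_enable(user, pw, st):
    if st["enable_password"] is None:
        return Result.ERROR  # no enable password configured
    # The username is ignored; the router re-prompts for a password only.
    return Result.PASS if pw == st["enable_password"] else Result.FAIL

def m_none(user, pw, st):
    return Result.PASS  # no authentication at all

METHODS = {"group tacacs+": m_tacacs, "local": m_local,
           "enable": m_enable, "none": m_none}

def authenticate(method_list, user, pw, state=LAB_STATE):
    """Walk the list as 'aaa authentication login default ...' does.
    Returns (Result, name of the method that decided, or None)."""
    for name in method_list:
        outcome = METHODS[name](user, pw, state)
        if outcome is not Result.ERROR:
            return outcome, name
    return Result.FAIL, None  # every method errored: access is denied

LAB_LIST = ["group tacacs+", "local", "enable"]
```

Running authenticate(LAB_LIST, "dialinuser", ...) shows why the lab's unknown user ends up at the enable password prompt, and appending "none" to the list with no enable password set shows the gap the warning above describes.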

  4. The next step is to test the AAA Authentication. On the AAA_Router issue the following command from the console:

AAA_Router# debug aaa authentication

  5. From a remote workstation, telnet to the AAA_Router. You should see a prompt like the one below:

User Access Verification

Username:

Press the Enter key seven times and record your findings below:



Type in the Username of dialinuser and the Password of dialinuser and record your findings of the debug output below:

Why did the router present you with a final “password only” prompt?



Type in the Username of cisco1 and the Password of cisco1 and record your findings of the debug output below:

  6. To enable PPP authentication on the router, issue the following command:

AAA_Router(config)# aaa authentication ppp default group tacacs+ local

Note: The above command applies only to PPP authentication. There is no option to use the enable password as the last chance authentication method.

  7. Place a modem on the AUX port and issue the following commands:

AAA_Router(config)# line aux 0
AAA_Router(config-line)# autoselect ppp
AAA_Router(config-line)# modem InOut
AAA_Router(config-line)# modem autoconfigure discovery
AAA_Router(config-line)# transport input all
AAA_Router(config-line)# stopbits 1
AAA_Router(config-line)# flowcontrol hardware
AAA_Router(config-line)# speed 115200
AAA_Router(config-line)# interface async65
AAA_Router(config-if)# ip unnumbered FastEthernet 0/0
AAA_Router(config-if)# encapsulation ppp
AAA_Router(config-if)# async mode interactive
AAA_Router(config-if)# peer default ip address 192.168.1.254
AAA_Router(config-if)# no cdp enable
AAA_Router(config-if)# ppp authentication pap

Write your configuration to memory and reboot the router.

  8. Log into the AAA_Router and issue the following command:

AAA_Router# debug aaa authentication

  9. From the workstation, establish a dialup networking connection to the AAA_Router using the Username cisco1 and the Password cisco1. Once the dialup networking connection is established, issue the following command:

AAA_Router# who

Record your findings below: