Lab 12.2.5: AAA TACACS+ Server

Objectives:

  • Add AAA-enabled NAS devices to the TACACS+ server.

Scenario:

The Denver office has set up and configured a Cisco Secure TACACS+ server and needs to place the routers under the control of the TACACS+ server. You may need to modify the hostname and IP address of your router.

Notes: 

Lab Tasks:

  1. On the first router, AAA_Router, connect the FastEthernet 0/0 cable to the same switch as the TACACS+ server.
  2. Ping the TACACS+ server at IP address 192.168.1.200.

Was the ping successful?

  3. Exit from AAA_Router and then try to log in with the Username of superuser and the Password of ciscorocks. This should fail if you have a connection to the TACACS+ server. If the login with the Username of superuser is successful, reload the router and try again.
  4. Once the Login of superuser fails, use the TACACS+ Username of dialin1 and the Password of cisco. Congratulations! Your router is now under the control of the TACACS+ server.

How might you regain control of the router locally?

  5. On the second router you must change the hostname and the IP address of the FastEthernet 0/0 interface before you can connect it to the same switch as the TACACS+ server. Issue the following commands on the second router:

AAA_Router(config)# hostname AAA_Router2
AAA_Router2(config)# interface fastethernet 0/0
AAA_Router2(config-if)# ip address 192.168.1.2 255.255.255.0
AAA_Router2(config-if)# ctrl-z

  6. Write the configuration to memory and then reload the second router. As the router reloads, connect the FastEthernet 0/0 cable to the same switch as the TACACS+ server. Wait three minutes for the router to load and the switch port to go active.
  7. Try to log in with the Username of superuser and the Password of ciscorocks. This should fail if you have a connection to the TACACS+ server.
  8. Once the Login of superuser fails, use the TACACS+ Username of dialin2 and the Password of cisco. Congratulations! Your router is now under the control of the TACACS+ server.

How might you regain control of the router locally?

  9. On the third router you must change the hostname and the IP address of the FastEthernet 0/0 interface before you can connect it to the same switch as the TACACS+ server. Issue the following commands on the third router:

AAA_Router(config)# hostname AAA_Router3
AAA_Router3(config)# interface fastethernet 0/0
AAA_Router3(config-if)# ip address 192.168.1.3 255.255.255.0
AAA_Router3(config-if)# ctrl-Z

  10. Write the configuration to memory and then reload the third router. As the router reloads, connect the FastEthernet 0/0 cable to the same switch as the TACACS+ server. Wait three minutes for the router to load and the switch port to go active.
  11. Once the Login of superuser fails, use the TACACS+ Username of dialin3 and the Password of cisco. Congratulations! Your router is now under the control of the TACACS+ server.
  12. On all of the routers, log in and add a description to the FastEthernet interface.
  13. From a remote workstation, dial in to the modem on the AUX port via PPP with the Username dialin1 and the Password of cisco.

Do the username and password work for dial-in access to the router?

  14. Try the Username of dialin3 and the Password of cisco on the console of each router.

Do the username and password work on all the routers? Why?

  15. Remove the FastEthernet cable from a router and attempt to log in with the Username dialin3 and the password cisco. Does the login work? Why?
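
The login behaviour exercised in the steps above, as an added example that is not part of the original lab: a small Python model of how an IOS login method list is evaluated. It assumes the routers were preconfigured with `aaa authentication login default group tacacs+ local` and that the local database holds only superuser; the account tables are constructed from the credentials named in the lab steps.

```python
# Added example: models IOS login method-list evaluation for this lab.
# Assumption: routers run "aaa authentication login default group tacacs+ local".
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: evaluation stops
    ERROR = "error"  # method gave no answer: try the next method

# Constructed account tables, taken from the credentials used in the lab steps.
TACACS_USERS = {"dialin1": "cisco", "dialin2": "cisco", "dialin3": "cisco"}
LOCAL_USERS = {"superuser": "ciscorocks"}

def tacacs(user, password, server_reachable):
    if not server_reachable:          # cable pulled or server down
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL

def local(user, password, server_reachable):
    # The local database always answers, so it never returns ERROR.
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

METHOD_LIST = [("group tacacs+", tacacs), ("local", local)]

def login(user, password, server_reachable):
    """Return (allowed, deciding_method) for one login attempt."""
    for name, method in METHOD_LIST:
        result = method(user, password, server_reachable)
        if result is Result.ERROR:
            continue                  # fall through only when no answer
        return result is Result.PASS, name
    return False, None                # every method errored

if __name__ == "__main__":
    for user, pw, up in [("superuser", "ciscorocks", True),
                         ("dialin1", "cisco", True),
                         ("dialin3", "cisco", False),
                         ("superuser", "ciscorocks", False)]:
        print(user, "server up" if up else "server down", login(user, pw, up))
```

A rejection from a reachable TACACS+ server ends the attempt; the local database is consulted only when the server does not answer at all.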