The Denver office needs to control who logs in to its router and who dials in for remote access. You will set up AAA Authentication on this router and test each user account.
Notes:
Lab Tasks:
Log into the Denver office router and enter global configuration mode.
Configure the following basic information into the router:
Configure the hostname AAA_Router on the router.
Configure the enable password to be cisco.
Configure a Loopback interface with the IP address 172.16.1.1/24.
Configure the FastEthernet 0/0 interface with the IP address 192.168.1.1/24.
Configure lines VTY 0 4 to require a login with the password cisco.
On the router, start configuring AAA Authentication. The following steps ensure that you are not “locked out” of the router INITIALLY. The commands to configure AAA Authentication are:
AAA_Router(config)# aaa new-model
AAA_Router(config)# username cisco1 password 0 cisco1
AAA_Router(config)# aaa authentication login default group tacacs+ local enable
AAA_Router(config)# tacacs-server host 192.168.1.200
AAA_Router(config)# tacacs-server key cisco4me
AAA_Router(config)# line con 0
AAA_Router(config-line)# password cisco
AAA_Router(config-line)# exec-timeout 0 0
AAA_Router(config-line)# line vty 0 4
AAA_Router(config-line)# exec-timeout 0 0
The command
AAA_Router(config)# aaa authentication login default group tacacs+ local enable
sets the following properties:
aaa: This is an AAA command.
authentication: This applies only to authentication.
login: This applies only to logins on the router.
default: This is the default method list.
group: Prepare to use a group of servers.
tacacs+: The servers are TACACS+ servers, not RADIUS.
local: If the TACACS+ servers fail, use the local username database.
enable: The last-chance password is the enable password.
Although a final none method could be added after enable, it is strongly discouraged because it presents a serious security gap.
The next step is to test the AAA Authentication. On the AAA_Router issue the following command from the console:
AAA_Router# debug aaa authentication
From a remote workstation telnet to the AAA_Router. You should see a prompt like the one below:
User Access Verification
Username:
Press the Enter key seven times and record your findings below:
Type in the Username of dialinuser and the Password of dialinuser and record your findings of the debug output below:
Why did the router present you with a final “password only” prompt?
Type in the Username of cisco1 and the Password of cisco1 and record your findings of the debug output below:
To enable PPP authentication on the router issue the following command:
AAA_Router(config)# aaa authentication ppp default group tacacs+ local
Note: The above command applies only to PPP authentication. There is no option to use the enable password as the last-chance authentication method.
Connect a modem to the AUX port and issue the following commands:
AAA_Router(config)# line aux 0
AAA_Router(config-line)# autoselect ppp
AAA_Router(config-line)# modem InOut
AAA_Router(config-line)# modem autoconfigure discovery
AAA_Router(config-line)# transport input all
AAA_Router(config-line)# stopbits 1
AAA_Router(config-line)# flowcontrol hardware
AAA_Router(config-line)# speed 115200
AAA_Router(config-line)# interface async65
AAA_Router(config-if)# ip unnumbered FastEthernet 0/0
AAA_Router(config-if)# encapsulation ppp
AAA_Router(config-if)# async mode interactive
AAA_Router(config-if)# peer default ip address 192.168.1.254
AAA_Router(config-if)# no cdp enable
AAA_Router(config-if)# ppp authentication pap
Write your configuration to memory and reboot the router.
Log into the AAA_Router and issue the following command:
AAA_Router# debug aaa authentication
From the workstation, establish a dial-up networking connection to the AAA_Router using the username cisco1 and the password cisco1. Once the dial-up networking connection is established, issue the following command: