Lab 5.6c Configuring AAA Using Local Authentication
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-6c, Copyright © 2007, Cisco Systems, Inc

Learning Objectives
• Create a local user database on a router
• Configure AAA on a router

Topology Diagram
[Diagram not reproduced: R1 FastEthernet0/0 192.168.10.1/24 and R2 FastEthernet0/0 192.168.10.2/24 on one Ethernet segment]

Scenario
In this lab, you will configure a local username database and use it with AAA. R2's only role is to access R1; most of the configuration is done on R1.

Step 1: Configure the Interface
Configure the physical interface on R1 and R2 with the IP addresses shown in the topology diagram. Issue the no shutdown command to activate the interface.

R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.10.2 255.255.255.0
R2(config-if)# no shutdown

Step 2: Configure the Local User Database
On R1, create a user account in the local user database with the username and password "cisco", using the username username password password command in global configuration mode.

R1(config)# username cisco password cisco

Note: The password keyword stores the password in the running configuration as plaintext (type 0), and service password-encryption only converts it to the trivially reversible type 7 form. Outside a lab, use username username secret password instead, which stores a hash of the password rather than the password itself, and do not reuse the username as the password.

Step 3: Implement AAA Services
On R1, enable authentication, authorization, and accounting (AAA) services with the global configuration command aaa new-model. Since you are implementing local authentication, use local authentication as the first method and no authentication as the secondary method. Create the default login authentication list by issuing the aaa authentication login default methods command with a method list using the local and none keywords.

A method list is tried in order, and IOS moves on to the next method only when the current one returns an error (for example, the local database contains no usernames), not when it rejects a user's credentials. If you were using an authentication method with a remote server, such as TACACS+ or RADIUS, you would configure a secondary method for fallback if the server is unreachable; normally that fallback is the local database. In this lab the fallback is none, so if no usernames are configured in the local database, the router allows all users login access to the device on every line that uses the default list, including the console.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local none

Note: Once aaa new-model is entered, every line authenticates against the default login list. If you do not set up a default login authentication list, or you define one whose only method errors out (for example, local with an empty user database and no fallback), you could get locked out of the router and be forced to use the password recovery procedure for your specific router.

Next, create a separate authentication list for Telnet access to the router. This list does not have the fallback of no authentication, so if there are no usernames in the local database, Telnet access is disabled. To create an authentication list that is not the default list, use the aaa authentication login name method1 [method2] [method3] command. Name the authentication method list "telnet_lines". To apply the authentication list to the vtys, use the login authentication name command in line configuration mode.

R1(config)# aaa authentication login telnet_lines local
R1(config)# line vty 0 4
R1(config-line)# login authentication telnet_lines

Verify that this authentication list is used by opening a Telnet session from R2 to R1. (The password is shown in the transcript for clarity; IOS does not echo it on the terminal.)

R2# telnet 192.168.10.1
Trying 192.168.10.1 ... Open

User Access Verification

Username: cisco
Password: cisco
R1> exit

[Connection to 192.168.10.1 closed by foreign host]
R2#

If you are able to log in to the router, your user account was verified against the local database on the router. If your session on the console port of the router times out, you will have to log in again, and the console uses the default authentication list rather than telnet_lines. Keep in mind that Telnet carries the username and password across the network in cleartext; on a production device, restrict the vtys to SSH with transport input ssh.

If no user accounts are configured in the local database, which users are permitted to access the device?

Final Configuration

R1# show run
hostname R1
!
aaa new-model
!
aaa authentication login default local none
aaa authentication login telnet_lines local
!
username cisco password 0 cisco
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
line vty 0 4
 login authentication telnet_lines
end

R2# show run
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 no shutdown
end
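As an added example that is not part of the Cisco lab, the following Python script audits a saved running-config for the weaknesses discussed in Steps 2 and 3: a login method list that falls back to none, usernames stored with password instead of secret, a line bound to an undefined list or to a list that permits unauthenticated access, and vty lines that still accept Telnet. The lab's final R1 configuration is embedded as constructed input, alongside a hardened variant written for this example (the username admin, the hash string and the line con 0 block in it are placeholders, not output from a real router). The parser only understands the commands used in this lab.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the lab's final R1 configuration as printed on the page.
LAB_R1 = """\
hostname R1
!
aaa new-model
!
aaa authentication login default local none
aaa authentication login telnet_lines local
!
username cisco password 0 cisco
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
line vty 0 4
 login authentication telnet_lines
end
"""

# Constructed hardened variant (assumption: written for this example, not from
# the lab). The secret hash is a placeholder string, not a real IOS hash.
HARDENED_R1 = """\
hostname R1
!
aaa new-model
!
aaa authentication login default local
aaa authentication login telnet_lines local
!
username admin secret 5 $1$X9ab$placeholderhashvalue
!
line con 0
 login authentication default
line vty 0 4
 login authentication telnet_lines
 transport input ssh
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, indented-children) blocks.

    Global commands become blocks with no children; '!' and 'end' are dropped.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() in ("!", "end"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())      # child of the current block
        else:
            blocks.append((raw.strip(), []))       # new global command or block
    return blocks


def audit(config: str) -> List[str]:
    """Return findings for the AAA weaknesses this lab touches."""
    blocks = parse_blocks(config)
    global_cmds = [h for h, kids in blocks if not kids]
    findings: List[str] = []

    # Login method lists: list name -> ordered methods (e.g. ['local', 'none'])
    login_lists: Dict[str, List[str]] = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()

    if "aaa new-model" in global_cmds and "default" not in login_lists:
        findings.append("aaa new-model without a default login list: lockout risk")

    for name, methods in login_lists.items():
        if "none" in methods:
            findings.append(f"login list '{name}' falls back to none: "
                            "unauthenticated access if earlier methods error")

    users = [c for c in global_cmds if c.startswith("username ")]
    if not users:
        findings.append("no local usernames: the 'local' method errors on every line")
    for cmd in users:
        m = re.match(r"username (\S+) password\b", cmd)
        if m:
            findings.append(f"user '{m.group(1)}' uses 'password' "
                            "(type 0/7, recoverable); use 'secret'")

    # Per-line checks: which list is applied and whether Telnet is still open.
    for header, kids in blocks:
        if not header.startswith("line "):
            continue
        applied = "default"          # lines with no explicit list use 'default'
        transport = None
        for k in kids:
            m = re.match(r"login authentication (\S+)", k)
            if m:
                applied = m.group(1)
            m = re.match(r"transport input (.+)", k)
            if m:
                transport = m.group(1).split()
        if applied not in login_lists:
            findings.append(f"{header}: references undefined list '{applied}'")
        elif "none" in login_lists[applied]:
            findings.append(f"{header}: list '{applied}' allows no authentication")
        if header.startswith("line vty") and (
                transport is None or "telnet" in transport or "all" in transport):
            findings.append(f"{header}: Telnet permitted; credentials cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab R1", LAB_R1), ("hardened R1", HARDENED_R1)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against the lab config it reports the none fallback on the default list, the type 0 password and the open Telnet vtys; the hardened variant produces no findings. The checks are deliberately narrow (one regex per command) so they can be extended to other lists, such as aaa authentication enable, without changing the parser.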