Tuesday 12 February 2019

Enable AAA Security on Router


Open the router console. By default you are in user mode:
Router>

Type the command enable to enter privileged mode:
Router>enable
Router#

Type the command configure terminal to enter global configuration mode:
Router#configure terminal
Router(config)#

All of the configuration below is done in global configuration mode.

Introduction

AAA security can be enabled in two ways:
1) Using the local database of the router
2) Using a third-party server (server-based authentication)
  1. Using a TACACS+ server
  2. Using a RADIUS server

AAA using the local database of the router

The rest of the discussion follows the example scenario given below:


1) Initial setting

    Change the hostnames of the routers to R1, R2, and R3 as shown in the figure above.
    Router1(config)#hostname R1
    Router2(config)#hostname R2
    Router3(config)#hostname R3

    Assign all the IP addresses.
    Configure all the routers using RIP.
    Set the enable password for each router R1, R2, and R3 to cisco.
    R1(config)#enable password cisco
    R2(config)#enable password cisco
    R3(config)#enable password cisco

    Create new usernames and passwords for R1, R2, and R3 using the following commands:
    R1(config)#username Admin1 secret admin1
    R2(config)#username Admin2 secret admin2
    R3(config)#username Admin3 secret admin3

AAA Authentication using the local database

2) Configure the line console to use AAA authentication.

    Create a new username and password for R1:

    R1(config)#username Admin1 secret admin1

    Enable AAA on R1 and configure AAA authentication for the console login to use the default method list:
    R1(config)#aaa new-model
    R1(config)#aaa authentication login default local
    R1(config)#line console 0
    R1(config-line)#login authentication default

    Verify the setting by exiting the router's console and logging in again on R1's console.

3) Configure the line vty to use AAA authentication.

    Configure the domain name and generate an RSA key pair to use with SSH:
    R1(config)#ip domain-name ccnasecurity.com
    R1(config)#crypto key generate rsa
    Enter 1024 at the prompt.

    Create a named AAA authentication method list for the vty lines:
    R1(config)#aaa authentication login SSH-LOGIN local

    Configure the vty lines to accept only SSH and to use the AAA authentication method list named SSH-LOGIN:

    R1(config)#line vty 0 4
    R1(config-line)#transport input ssh
    R1(config-line)#login authentication SSH-LOGIN

    Verify the setting from PC-A by connecting over SSH from the command prompt:

    PC-A>ssh -l Admin1 192.168.1.1

Server-based Authentication using TACACS+ Server

    For backup purposes, configure a local username Admin2 with password admin2 on R2.

    R2(config)#username Admin2 secret admin2

    TACACS+ server configuration
    Click the TACACS+ server. On the Services tab, click AAA.

    Add a network configuration entry:

    Client Name: R2
    Client IP: 192.168.2.1
    Secret: tacacspass
    Choose the server type TACACS
    Click the Add button

    Add the username and password corresponding to R2:

    Username: Admin2
    Password: admin2
    Click the Add button

    Turn the service on by clicking the ON radio button next to the Service label.

    Configure the TACACS+ server IP address and secret key on R2:

    R2(config)#tacacs-server host 192.168.2.2
    R2(config)#tacacs-server key tacacspass

    Configure AAA login authentication for console access on R2 (the TACACS+ group is tried first, and the local database is used only as the fallback):
    R2(config)#aaa new-model
    R2(config)#aaa authentication login default group tacacs+ local
    R2(config)#line console 0
    R2(config-line)#login authentication default
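The lab above produces a running configuration whose safety rests on a few details that are easy to get wrong: aaa new-model must be on, a server-based method list should keep local as a fallback, and the vty lines should be limited to SSH. The following added audit script is not part of the lab; it parses a constructed running-config excerpt modelled on R2 (assumed, not captured from a device) and reports those weaknesses.

```python
import re

# Constructed running-config excerpt modelled on the lab's R2 (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R2
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login SSH-LOGIN local
tacacs-server host 192.168.2.2
tacacs-server key tacacspass
line con 0
 login authentication default
line vty 0 4
 transport input ssh
 login authentication SSH-LOGIN
"""

def parse_aaa(config):
    """Return (method list name -> ordered methods, line section -> transport input)."""
    method_lists, transport, section = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:  # e.g. "group tacacs+ local" -> ["group tacacs+", "local"]
            method_lists[m.group(1)] = re.findall(r"group \S+|local-case|local|enable|none", m.group(2))
        elif re.match(r"line (con|console|vty)\b", raw):
            section = raw.strip()
            transport.setdefault(section, "default")  # no explicit transport input: not SSH-only
        elif section and raw.startswith(" "):
            m = re.match(r"\s+transport input (.+)", raw)
            if m:
                transport[section] = m.group(1).strip()
    return method_lists, transport

def audit_aaa(config):
    """Return findings for the weaknesses the lab guards against; an empty list passes."""
    findings, lines = [], config.splitlines()
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists and line bindings are inactive")
    method_lists, transport = parse_aaa(config)
    uses_tacacs = False
    for name, methods in method_lists.items():
        uses_tacacs |= any(m.startswith("group tacacs") for m in methods)
        if any(m.startswith("group") for m in methods) and not {"local", "local-case"} & set(methods):
            findings.append(f"list {name} has no local fallback if the AAA server is unreachable")
    for section, value in transport.items():
        if section.startswith("line vty") and value != "ssh":
            findings.append(f"{section} is not restricted to SSH (transport input {value})")
    if uses_tacacs and not any(l.startswith("tacacs-server key") for l in lines):
        findings.append("tacacs+ group is used but no tacacs-server key is configured")
    return findings
```

Run it against the output of show running-config saved to a file; the sample passes, while removing the trailing local from the default list or opening telnet on the vty lines produces a finding.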

    


1 comment:

  1. Very Very Helpful For Understanding Lab Assignments.....
