CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

Authentication and Authorization

Lab 4 

Authentication and Authorization

Back to book index.

Lab Objective:

The objective of this lab exercise is for you to learn and understand how configure Authentication and Authorization in Cisco IOS software.

Lab Purpose:

Authentication and Authorization are two of the three components of AAA services. These two components secure access to Cisco IOS routers and dictate who can access these devices and what they can do on these devices.

Lab Difficulty:

This lab has a difficulty rating of 6/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 10 minutes. 

Lab Topology:

Please use the following topology to complete this lab exercise:

Lab 4 1

Lab 4 Configuration Tasks 

Task 1:

Configure the hostname on R1 and IP addressing as illustrated in the diagram. In addition, configure Host 1 with the IP address specified and a default gateway of 172.16.1.1.

NOTE:

 

If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet interface and a default static route pointing to 172.16.1.1.

 

Task 2:

Configure Authentication as follows on R1:

  • Users should first attempt to be authenticated against TACACS+ server 172.16.1.192
  • If the TACACS+ server is unavailable, users should be authenticated locally
  • If the local database is corrupted, users should be authenticated using the enable password
  • The Authentication username prompt should read: “Please Enter The Correct Username:”
  • The Authentication password prompt should read: “Please Enter The Correct Password:”
  • The TACACS+ server should use the password securetacacs+ for security

Task 3:

Configure Authorization as follows on R1:

  • Users should be allowed to execute EXEC commands once successfully authenticated
  • Network connections to R1 should be authenticated via TACACS+
  • Authorization should NOT be used for configuration commands

Task 4:

Configure user ccna with a password of security on R1. In addition to this, configure an enable secret of aaasecret on R1. Finally, configure R1 so that AAA is used for Telnet/SSH connections.

Task 5:

Verify that your Authentication and Authorization configuration works as expected using the appropriate debugging commands while you Telnet from Host 1 to R1.

Lab 4 Configuration and Verification

Task 1:

Router(config)#hostname R1

R1(config)#int f0/0

R1(config-if)#ip address 172.16.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#exit

R1#

Lab 4 2

Task 2:

R1(config)#aaa new-model

R1(config)#aaa authentication login default group tacacs+ local enable

R1(config)#aaa authentication username-prompt “Please Enter The Correct Username:”

R1(config)#aaa authentication password-prompt “Please Enter The Correct Password:”

R1(config)#tacacs-server host 172.16.1.192 key securetacacs+

 Task 3:

R1(config)#aaa authorization exec default if-authenticated

R1(config)#aaa authorization network default group tacacs+

R1(config)#no aaa authorization config-commands

Task 4:

R1(config)#username ccna secret security

R1(config)#enable secret aaasecret

R1(config)#line vty 0 4

R1(config-line)#login authentication default

R1(config-line)#exit

R1(config)#exit

R1#

Task 5:

Lab 4 3

R1#debug aaa authentication

AAA Authentication debugging is on

R1#

R1#debug aaa authorization

AAA Authorization debugging is on

R1#

R1#debug tacacs authentication

TACACS+ authentication debugging is on

R1#

R1#show debugging

General OS:

TACACS+ authentication debugging is on

AAA Authentication debugging is on

AAA Authorization debugging is on

R1#

R1#

*Mar  1 01:33:11.428: AAA/BIND(00000006): Bind i/f

*Mar  1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list ‘default'

*Mar  1 01:33:11.432: TPLUS: Queuing AAA Authentication request 6 for processing

*Mar  1 01:33:11.432: TPLUS: processing authentication start request id 6

*Mar  1 01:33:11.436: TPLUS: Authentication start packet created for 6()

*Mar  1 01:33:11.436: TPLUS: Using server 172.16.1.192

*Mar  1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout

*Mar  1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out

*Mar  1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out, clean up

*Mar  1 01:33:16.440: TPLUS(00000006)/0/83C593B4: Processing the reply packet

*Mar  1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000Skip author

*Mar  1 01:33:25.298: AAA: parse name=tty66 idb type=-1 tty=-1

*Mar  1 01:33:25.302: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0

*Mar  1 01:33:25.302: AAA/MEMORY: create_user (0x83FE0350) user='ccna' ruser='NULL' ds0=0 port='tty66′ rem_addr='172.16.1.254′ authen_type=ASCII service=ENABLE priv=15 initial_task_id='0′, vrf= (id=0)

*Mar  1 01:33:25.302: AAA/AUTHEN/START (103502052): port='tty66′ list=” action=LOGIN service=ENABLE

*Mar  1 01:33:25.302: AAA/AUTHEN/START (103502052): non-console enable – default to enable password

*Mar  1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE

*Mar  1 01:33:25.302: AAA/AUTHEN(103502052): Status=GETPASS

*Mar  1 01:33:29.000: AAA/AUTHEN/CONT (103502052): continue_login (user='(undef)')

*Mar  1 01:33:29.000: AAA/AUTHEN(103502052): Status=GETPASS

*Mar  1 01:33:29.000: AAA/AUTHEN/CONT (103502052): Method=ENABLE

*Mar  1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS

*Mar  1 01:33:29.032: AAA/MEMORY: free_user (0x83FE0350) user='NULL' ruser='NULL' port='tty66′ rem_addr='172.16.1.254′ authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Lab 4 Configurations

R1 Configuration

R1#show run

Building configuration…

 

Current configuration : 1145 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$y8wu$AFbDAxFJykgN55jMYOICo0

!

aaa new-model

!

!

aaa authentication password-prompt “Please Enter The Correct Password:”

aaa authentication username-prompt “Please Enter The Correct Username:”

aaa authentication login default group tacacs+ local enable

aaa authorization exec default if-authenticated

aaa authorization network default group tacacs+

!

!

aaa session-id common

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

username ccna secret 5 $1$Fzrf$K2Ek3GaOj49kbylSrbjJh1

archive

log config

hidekeys

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 172.16.1.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0

no ip address

!

ip forward-protocol nd

!

!

ip http server

no ip http secure-server

!

!

!

!

tacacs-server host 172.16.1.192 key securetacacs+

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

content-filler