Lab 4
Authentication and Authorization
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure Authentication and Authorization in Cisco IOS software.
Lab Purpose:
Authentication and Authorization are two of the three components of AAA services. These two components secure access to Cisco IOS routers and dictate who can access these devices and what they can do on these devices.
Lab Difficulty:
This lab has a difficulty rating of 6/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 10 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Lab 4 Configuration Tasks
Task 1:
Configure the hostname on R1 and IP addressing as illustrated in the diagram. In addition, configure Host 1 with the IP address specified and a default gateway of 172.16.1.1.
NOTE:
If you do not have a Host in your lab, you can simply substitute another router with an Ethernet interface and a default static route pointing to 172.16.1.1 for Host 1.
Task 2:
Configure Authentication as follows on R1:
- Users should first attempt to be authenticated against TACACS+ server 172.16.1.192
- If the TACACS+ server is unavailable, users should be authenticated locally
- If the local database is corrupted, users should be authenticated using the enable password
- The Authentication username prompt should read: “Please Enter The Correct Username:”
- The Authentication password prompt should read: “Please Enter The Correct Password:”
- The TACACS+ server should use the password securetacacs+ for security
Task 3:
Configure Authorization as follows on R1:
- Users should be allowed to execute EXEC commands once successfully authenticated
- Network connections to R1 should be authenticated via TACACS+
- Authorization should NOT be used for configuration commands
Task 4:
Configure user ccna with a password of security on R1. In addition to this, configure an enable secret of aaasecret on R1. Finally, configure R1 so that AAA is used for Telnet/SSH connections.
Task 5:
Verify that your Authentication and Authorization configuration works as expected using the appropriate debugging commands while you Telnet from Host 1 to R1.
Lab 4 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#
Task 2:
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local enable
R1(config)#aaa authentication username-prompt "Please Enter The Correct Username:"
R1(config)#aaa authentication password-prompt "Please Enter The Correct Password:"
R1(config)#tacacs-server host 172.16.1.192 key securetacacs+
Task 3:
R1(config)#aaa authorization exec default if-authenticated
R1(config)#aaa authorization network default group tacacs+
R1(config)#no aaa authorization config-commands
Task 4:
R1(config)#username ccna secret security
R1(config)#enable secret aaasecret
R1(config)#line vty 0 4
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#exit
R1#
Task 5:
R1#debug aaa authentication
AAA Authentication debugging is on
R1#
R1#debug aaa authorization
AAA Authorization debugging is on
R1#
R1#debug tacacs authentication
TACACS+ authentication debugging is on
R1#
R1#show debugging
General OS:
  TACACS+ authentication debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
R1#
R1#
*Mar 1 01:33:11.428: AAA/BIND(00000006): Bind i/f
*Mar 1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Mar 1 01:33:11.432: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 01:33:11.432: TPLUS: processing authentication start request id 6
*Mar 1 01:33:11.436: TPLUS: Authentication start packet created for 6()
*Mar 1 01:33:11.436: TPLUS: Using server 172.16.1.192
*Mar 1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out, clean up
*Mar 1 01:33:16.440: TPLUS(00000006)/0/83C593B4: Processing the reply packet
*Mar 1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000Skip author
*Mar 1 01:33:25.298: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 1 01:33:25.302: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar 1 01:33:25.302: AAA/MEMORY: create_user (0x83FE0350) user='ccna' ruser='NULL' ds0=0 port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): non-console enable - default to enable password
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE
*Mar 1 01:33:25.302: AAA/AUTHEN(103502052): Status=GETPASS
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): continue_login (user='(undef)')
*Mar 1 01:33:29.000: AAA/AUTHEN(103502052): Status=GETPASS
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): Method=ENABLE
*Mar 1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS
*Mar 1 01:33:29.032: AAA/MEMORY: free_user (0x83FE0350) user='NULL' ruser='NULL' port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
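The debug output above tells the whole story of the login in Task 5 if you read it line by line: AAA picks the default method list, the TACACS+ request to 172.16.1.192 times out after 5 seconds, the login falls back to the next method in the list, EXEC authorization is granted by if-authenticated without consulting a server, and the later enable attempt is checked against the enable password because no "aaa authentication enable" method list exists. The following Python script is an added example, not part of the lab, that parses that kind of "debug aaa authentication" / "debug tacacs authentication" output and reports those facts so a reviewer does not have to read the trace by hand. The sample lines are constructed after the output shown above, and the regular expressions assume the message formats seen there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, modelled on the "debug aaa authentication" and
# "debug tacacs authentication" output shown in Task 5 (not a verbatim capture).
SAMPLE_DEBUG = """\
*Mar 1 01:33:11.428: AAA/BIND(00000006): Bind i/f
*Mar 1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Mar 1 01:33:11.436: TPLUS: Using server 172.16.1.192
*Mar 1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out
*Mar 1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000Skip author
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): non-console enable - default to enable password
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE
*Mar 1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS
"""


@dataclass
class AaaTrace:
    method_list: Optional[str] = None                  # login method list AAA picked
    tacacs_servers: List[str] = field(default_factory=list)
    tacacs_timed_out: bool = False                     # a TPLUS request timed out
    authz_method: Optional[str] = None                 # e.g. "If-authen"
    enable_methods: List[str] = field(default_factory=list)
    enable_fallback_to_password: bool = False          # "default to enable password" seen
    statuses: List[str] = field(default_factory=list)  # AAA/AUTHEN Status= values, in order


def parse_aaa_debug(text: str) -> AaaTrace:
    """Walk the debug lines once and record the AAA decisions they show."""
    trace = AaaTrace()
    for raw in text.splitlines():
        # Normalise the curly quotes that copy/paste from a terminal often introduces
        line = raw.replace("\u2018", "'").replace("\u2019", "'")
        if m := re.search(r"Pick method list '([^']+)'", line):
            trace.method_list = m.group(1)
        elif m := re.search(r"TPLUS: Using server (\S+)", line):
            trace.tacacs_servers.append(m.group(1))
        elif "TPLUS(" in line and "timed out" in line:
            trace.tacacs_timed_out = True
        elif m := re.search(r"AAA/AUTHOR .*Method=(\S+)", line):
            trace.authz_method = m.group(1)
        elif "default to enable password" in line:
            trace.enable_fallback_to_password = True
        elif m := re.search(r"AAA/AUTHEN/(?:START|CONT) .*Method=(\S+)", line):
            trace.enable_methods.append(m.group(1))
        elif m := re.search(r"AAA/AUTHEN\(\d+\): Status=(\S+)", line):
            trace.statuses.append(m.group(1))
    return trace


def final_status(trace: AaaTrace) -> Optional[str]:
    """Last AAA/AUTHEN Status= value (PASS, FAIL, GETPASS, ...) or None."""
    return trace.statuses[-1] if trace.statuses else None


def findings(trace: AaaTrace) -> List[str]:
    """Plain-language observations a reviewer would want from the trace."""
    out = []
    if trace.tacacs_timed_out and trace.tacacs_servers:
        out.append(
            f"TACACS+ server {trace.tacacs_servers[0]} did not answer; "
            f"login fell back to the next method in list '{trace.method_list}'"
        )
    if trace.authz_method == "If-authen":
        out.append("EXEC authorization granted via if-authenticated (no server consulted)")
    if trace.enable_fallback_to_password:
        out.append("enable authentication used the enable password "
                   "(no 'aaa authentication enable' method list configured)")
    out.append(f"final result: {final_status(trace)}")
    return out


if __name__ == "__main__":
    for line in findings(parse_aaa_debug(SAMPLE_DEBUG)):
        print(line)
```

The point of the fallback detection is operational: a login that succeeds only because the TACACS+ server timed out looks identical to a normal login from the user's chair, and the 5-second timeout on every attempt is the only hint on the wire. Parsing for "TPLUS ... timed out" followed by Status=PASS is how you notice that a device has been running on its local database for longer than intended.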
Lab 4 Configurations
R1 Configuration
R1#show run
Building configuration…
Current configuration : 1145 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y8wu$AFbDAxFJykgN55jMYOICo0
!
aaa new-model
!
aaa authentication password-prompt "Please Enter The Correct Password:"
aaa authentication username-prompt "Please Enter The Correct Username:"
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default group tacacs+
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
multilink bundle-name authenticated
!
username ccna secret 5 $1$Fzrf$K2Ek3GaOj49kbylSrbjJh1
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
tacacs-server host 172.16.1.192 key securetacacs+
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
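A running configuration like the one above is easy to eyeball once, but the Task 2 and Task 3 requirements are about ordering and absence (TACACS+ before local before enable; no authorization of configuration commands), which is exactly what drifts unnoticed. The script below is an added example, not part of the lab, that audits a saved "show run" against those requirements and also checks the weakened variant where the local database is consulted before the TACACS+ server. The sample configurations are constructed from the R1 configuration shown above; the checks assume the standard IOS command spellings seen in it. Note that the vty lines are not inspected: with aaa new-model, the default login list applies to every line and "login authentication default" is not displayed in the running configuration, as the output above shows.

```python
import re
from typing import Dict, List

# Constructed sample, trimmed from the R1 running configuration shown above.
SAMPLE_CONFIG = """\
!
hostname R1
!
enable secret 5 $1$y8wu$AFbDAxFJykgN55jMYOICo0
!
aaa new-model
!
aaa authentication password-prompt "Please Enter The Correct Password:"
aaa authentication username-prompt "Please Enter The Correct Username:"
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default group tacacs+
!
username ccna secret 5 $1$Fzrf$K2Ek3GaOj49kbylSrbjJh1
!
tacacs-server host 172.16.1.192 key securetacacs+
!
line con 0
line aux 0
line vty 0 4
!
end
"""

# Constructed "weak" variant: the same config with the login method order reversed,
# so the local database is tried before the TACACS+ server (violates Task 2).
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication login default group tacacs+ local enable",
    "aaa authentication login default local group tacacs+ enable",
)

LOGIN_RE = re.compile(r"^aaa authentication login default (.+)$")
TACACS_RE = re.compile(r"^tacacs-server host \S+ key \S+")
REQUIRED_LOGIN_ORDER = ["group", "tacacs+", "local", "enable"]


def config_lines(text: str) -> List[str]:
    """Strip indentation, blank lines and the '!' separators IOS prints."""
    return [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "!"]


def login_methods(lines: List[str]) -> List[str]:
    """Method list tokens from 'aaa authentication login default ...', or []."""
    for l in lines:
        m = LOGIN_RE.match(l)
        if m:
            return m.group(1).split()
    return []


def audit_aaa(text: str) -> Dict[str, bool]:
    """Map each lab requirement to whether the configuration satisfies it."""
    lines = config_lines(text)
    return {
        "aaa new-model enabled": "aaa new-model" in lines,
        "login: tacacs+ then local then enable": login_methods(lines) == REQUIRED_LOGIN_ORDER,
        "exec authorization if-authenticated":
            "aaa authorization exec default if-authenticated" in lines,
        "network authorization via tacacs+":
            "aaa authorization network default group tacacs+" in lines,
        # Config commands are only authorized through 'aaa authorization commands'
        # lists, and then only unless config-commands authorization is turned off.
        "config commands not authorized":
            not any(l.startswith("aaa authorization commands") for l in lines)
            or "no aaa authorization config-commands" in lines,
        "tacacs+ server defined with key": any(TACACS_RE.match(l) for l in lines),
        "user ccna stored as secret": any(l.startswith("username ccna secret") for l in lines),
        "enable secret configured": any(l.startswith("enable secret") for l in lines),
    }


def passes(text: str) -> bool:
    return all(audit_aaa(text).values())


if __name__ == "__main__":
    for name, cfg in (("R1", SAMPLE_CONFIG), ("R1-weak-order", WEAK_CONFIG)):
        print(f"== {name}: {'PASS' if passes(cfg) else 'FAIL'}")
        for check, ok in audit_aaa(cfg).items():
            print(f"  [{'ok' if ok else 'FAIL'}] {check}")
```

Putting the local database ahead of the TACACS+ server is the classic mistake this check catches: the router then never asks the server at all for any user in its local database, so the central audit trail is silently bypassed while every login still succeeds.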