Lab 3-3 – Configuring AAA Authentication Lists

In this lab you will learn how to configure a basic AAA (Authentication, Authorization and Accounting) list used for granular authentication control of the console and vty lines.

Read Me

The contents of this lab are not part of the CCNA (640-802) exam objectives; however, this material is covered by the new CCNA Security certification (Exam: 840-553 – IINS). This lab was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.


Real World Application

It’s quite simple: companies with several Cisco devices commonly use RADIUS or TACACS+ for user authentication and authorization. Local authentication is also used, but only as a backup method when communication to the AAA server fails. AAA servers, whether TACACS+ (pronounced “tack ack’s plus”) or RADIUS, provide a centralized management point to control authentication and authorization to Cisco devices or other vendors’ devices, not only for management of the device itself but also for other authentication needs such as remote-access VPN, SSL VPN, 802.1X and proxy authentication.

Lab Prerequisites

  • If you are using GNS3, then load the Stub Area Networking GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Configure a username and password of your choice with level 15 privileges in the local database; See Lab 3-2 for reference.

Lab Objectives

  • Enable AAA by executing the aaa new-model command in global configuration.
  • Configure an AAA login authentication list named CONSOLE_AUTH that authenticates to the local database only.
  • Configure the console line to authenticate using the authentication list you created, named CONSOLE_AUTH.
  • Verify your configuration by logging completely out of the router and back in.

Lab Instruction

Read Me

Complete the lab prerequisite by creating a local username and password of your choice with level 15 privileges, or you WILL be locked out of the router when you enable aaa new-model. For this lab, a user account named john with a password of Cisco has been created with level 15 privileges.

Step 1. – Enable AAA by executing the command aaa new-model in global configuration mode. This enables the new authentication methods and disables the old authentication methods such as line passwords.

Router con0 is now available

Press RETURN to get started.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model

Step 2. – Configure an AAA login authentication list named CONSOLE_AUTH that authenticates to the local database only.

The syntax for configuring an AAA login authentication list is: aaa authentication login LISTNAME AUTHTYPE

In this objective the list name is CONSOLE_AUTH and the authentication type is local, as shown below:

Router(config)#aaa authentication login CONSOLE_AUTH local

Step 3. – Now you’re ready to configure the console line to authenticate users attempting an exec session against the AAA login authentication list you just created. This is a single command executed in line configuration mode: login authentication LISTNAME

Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

Read Me

When aaa new-model is enabled, authorization is not configured by default on newer IOS images. As a result, logging into a Cisco router and/or switch with a user account that has level 15 privileges may not automatically place you in privileged mode, as it did with the older non-AAA login local authentication method. You may need to add an AAA statement to specify console authorization; this is done by executing the aaa authorization console command in global configuration.

Also note that the same concepts apply to authentication via the VTY lines: you will need to configure the default authorization list to authorize the exec session based on the privilege level in the local database, which is done by executing the command aaa authorization exec default local in global configuration. If you also use a TACACS+ or RADIUS server, the authorization list can reference the server group first and fall back to the local database in the event of an authentication server failure.


Step 4. – Verify your configuration by logging completely out of the router and logging back in via the console. If configured properly, you should now be prompted for a username and password, as shown below:

Router(config-line)#end
Router#exit

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: john
Password: 

Router>
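The four steps above, together with the authorization note, describe a small set of conditions that a running configuration should satisfy before aaa new-model is enabled: a privilege-15 local user exists, every login authentication list referenced by a line is defined and contains a local method, and console/exec authorization is present. The following script is an added example, not part of this lab, that audits a saved running-config for exactly those conditions. It works on constructed config text embedded in the script (the secret hash shown is a labelled placeholder, not a real credential); the helper names parse_config and audit_aaa are this example’s own.

```python
import re

# Constructed sample configs (not captured from the lab router). The first follows
# all four lab steps plus the authorization note; the second enables aaa new-model
# without the prerequisite local user, which is the lockout scenario the lab warns about.
SAFE_CONFIG = """\
!
aaa new-model
!
aaa authentication login CONSOLE_AUTH local
aaa authorization console
aaa authorization exec default local
!
username john privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
line con 0
 login authentication CONSOLE_AUTH
line vty 0 4
 login authentication CONSOLE_AUTH
!
"""

LOCKOUT_CONFIG = """\
!
aaa new-model
!
aaa authentication login CONSOLE_AUTH local
!
line con 0
 login authentication CONSOLE_AUTH
!
"""


def parse_config(text):
    """Split IOS config text into global commands and per-'line' sub-sections.

    Indented lines belong to the most recent 'line con/vty ...' section;
    '!' separators and blank lines are ignored.
    """
    global_cmds = []
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_aaa(text):
    """Return a list of findings; an empty list means the config passes every check."""
    global_cmds, sections = parse_config(text)
    findings = []
    if "aaa new-model" not in global_cmds:
        return findings  # legacy line-password model; nothing AAA-specific to check

    # Lab prerequisite: at least one privilege-15 user in the local database.
    priv15_users = []
    for cmd in global_cmds:
        m = re.match(r"username (\S+) privilege 15\b", cmd)
        if m:
            priv15_users.append(m.group(1))
    if not priv15_users:
        findings.append("aaa new-model is enabled but no privilege-15 local user exists: lockout risk")

    # Step 2: collect the defined login lists and their method keywords.
    login_lists = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()

    # Step 3: every list referenced by a line must exist and include a local method.
    for name, cmds in sections.items():
        for cmd in cmds:
            m = re.match(r"login authentication (\S+)", cmd)
            if not m:
                continue
            ref = m.group(1)
            if ref not in login_lists:
                findings.append(f"{name} references undefined login list {ref}")
            elif not {"local", "local-case"} & set(login_lists[ref]):
                findings.append(f"login list {ref} used by {name} has no local fallback")

    # Authorization note: without these, a level-15 user may land in user EXEC mode.
    if "aaa authorization console" not in global_cmds:
        findings.append("aaa authorization console missing: console users may land in user EXEC mode")
    if not any(c.startswith("aaa authorization exec default ") for c in global_cmds):
        findings.append("no default exec authorization list: vty users may not receive their privilege level")
    return findings


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(f"{label}: {audit_aaa(cfg) or 'no findings'}")
```

Run it against the output of `show running-config` saved to a file to get the same findings for a real device; the first finding on the lockout config is the one the lab’s Read Me warns about, and the last two correspond to the authorization commands discussed after Step 3.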

8 comments so far

  1. Adding user to list: For example,
    in config mode
    username John aaa attribute list CONSOLE_AUTH secret CiscoLab

    Am I right??