Lab 3-4 – Configuring AAA Authentication via TACACS+ Server

In this lab you will learn how to configure a basic AAA list to authenticate VTY line exec sessions to a Cisco Secure Access Control Server (TACACS+ server).

Read Me

The contents of this lab are not part of the CCNA (640-802) exam objectives; however, this material is found on the new CCNA Security certification (Exam: 840-553 – IINS). This lab was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.


Real World Application

No network engineer wants to spend countless hours maintaining local user accounts on hundreds of Cisco devices. This issue was foreseen many years ago and resolved with AAA. With AAA you can configure a Cisco device, whether it be a router or a switch, to authenticate against a centralized user authentication database. Cisco sells a solution called the Cisco Secure Access Control Server, which is commonly used in networks larger than 50 nodes to provide centralized authentication, authorization and accounting services for network devices.

Lab Prerequisites

  • If you are using GNS3, then load the Stub Area Networking GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Complete Lab 3-3 prior to attempting this lab.
  • Create a local user account and password with level 15 privileges.

Lab Objectives

  • Configure a TACACS+ Server located at 10.1.1.20 with the key of P@s$W0rD!
  • Configure a login authentication list named CONSOLE_AUTH that authenticates to the TACACS+ server group first and falls back to the local database if authentication to the TACACS+ server times out.
  • Assign the authentication list to the console line and verify your configuration. (See Notes)

Lab Instruction

Step 1. – First you need to configure the TACACS+ server host address and key. This is done by executing tacacs-server host x.x.x.x key keygoeshere, as shown below:

Router con0 is now available

Press RETURN to get started.

Router>enable
Router#configure terminal
Router(config)#tacacs-server host 10.1.1.20 key P@s$W0rD!

Step 2. – Now configure the AAA login authentication list named CONSOLE_AUTH to authenticate to the TACACS+ server first and fall back to the local user database in the event of a server failure. As previously shown in Lab 3-2, the only authtype was local. AAA tries the authtypes in the list in the order they appear in the syntax, from first to last. To configure the list to authenticate to the TACACS+ server, add group tacacs+ before local.

To complete the second objective (authenticate to the TACACS+ server, then fall back to the local database when the server fails), execute aaa authentication login CONSOLE_AUTH group tacacs+ local in global configuration mode.

Router(config)#aaa authentication login CONSOLE_AUTH group tacacs+ local


Step 3. – Assign the authentication list to the console line and verify your configuration. To do this you’ll configure the same command as shown previously in Lab 3-2, login authentication CONSOLE_AUTH, as shown below:

Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

Read Me

You will be unable to verify the actual TACACS+ server authentication, as no TACACS+ server exists. You can download a trial copy of Cisco ACS and configure the server to authenticate Cisco devices, but that is outside the scope of CCNA and CCNA Security. For verification purposes, use the local database username and password with level 15 privileges configured in the prerequisites.

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: john
Password: 

Router>
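Since no TACACS+ server is available to test against, one thing you can still verify offline is the configuration text itself. The following Python script is an added example, not part of the original lab or any Cisco tooling; it audits a pasted show running-config for the pieces built in Steps 1 to 3 (aaa new-model enabled, a TACACS+ host with a shared key, the CONSOLE_AUTH list trying group tacacs+ before local, and the list applied to line con 0), using constructed sample configurations rather than output from a real device.

```python
import re

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
TACACS_HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (.+))?$")

def audit_aaa_login(config, list_name="CONSOLE_AUTH", line_name="con 0"):
    """Return problems found in IOS running-config text against the setup this lab builds."""
    lines = [l.rstrip() for l in config.splitlines()]
    problems = []
    # Method lists are ignored entirely unless aaa new-model is enabled.
    if "aaa new-model" not in lines:
        problems.append("aaa new-model missing; the login list is never consulted")
    hosts = [m for m in map(TACACS_HOST_RE.match, lines) if m]
    if not hosts:
        problems.append("no tacacs-server host configured")
    elif not all(m.group(2) for m in hosts):
        problems.append("tacacs-server host defined without a shared key")
    methods = None
    for l in lines:
        m = LOGIN_LIST_RE.match(l)
        if m and m.group(1) == list_name:
            methods = m.group(2).split()   # e.g. ['group', 'tacacs+', 'local']
    if methods is None:
        problems.append(f"login list {list_name} is not defined")
    else:
        if methods[:2] != ["group", "tacacs+"]:
            problems.append(f"{list_name} does not try group tacacs+ first")
        if "local" not in methods:
            problems.append(f"{list_name} has no local fallback; a server outage locks the line")
    # Line subcommands are indented one space under their 'line ...' header.
    in_line = applied = False
    for l in lines:
        if l.startswith("line "):
            in_line = (l == f"line {line_name}")
        elif in_line and l.strip() == f"login authentication {list_name}":
            applied = True
    if not applied:
        problems.append(f"line {line_name} does not apply login authentication {list_name}")
    return problems

# Constructed sample running-config fragments (not captured from a real device).
GOOD_CONFIG = """aaa new-model
tacacs-server host 10.1.1.20 key P@s$W0rD!
aaa authentication login CONSOLE_AUTH group tacacs+ local
line con 0
 login authentication CONSOLE_AUTH
"""
# Weak variant: shared key omitted and no local fallback after group tacacs+.
WEAK_CONFIG = GOOD_CONFIG.replace(" key P@s$W0rD!", "").replace("tacacs+ local", "tacacs+")
```

Running audit_aaa_login(GOOD_CONFIG) returns an empty list, while the weak variant reports the missing key and the missing local fallback.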

9 comments so far
  1. It’s simply awesome!!!!!!!! Great work …

  2. Thank you