Thursday 28 November 2013

How to Configure AAA Authentication Lists

Real World Application and Core Knowledge:

This is a very simple lab. Organizations with several Cisco devices usually use RADIUS or TACACS+ for user authentication and authorization; local authentication is only used as a backup method when communication with the AAA server fails. An AAA server, whether TACACS+ (pronounced "tack-axe plus") or RADIUS, provides a centralized point of management for controlling authentication and authorization on Cisco and other vendors' devices. It is not used only for administrative access to the devices, but also for other authentication needs such as remote-access and SSL VPNs, 802.1X authentication, and proxy authentication.

Please note that the goal of this lab is not part of the CCNA (640-802) exam objectives; this material can, however, be found in the newer CCNA Security certification (exam 840-553, IINS). This lab was created to provide you with a basic understanding of AAA, which is typically used in production networks for authentication, authorization, and accounting.

When you enable AAA with aaa new-model, authorization is not configured by default. Therefore, on newer IOS images, a privilege-15 user account logging on to a Cisco router or switch will not automatically be placed in privileged mode, as it is with the older, non-AAA local authentication methods. To resolve this you need to add an AAA authorization statement that applies to the console, by entering the aaa authorization console global configuration command.

The same concept applies to authorization through a VTY line: you need to configure the default exec authorization list to authorize through the local database, which is done with the aaa authorization exec default local global configuration command. If you are using a TACACS+ or RADIUS server, the local database in the authorization list takes the place of the server database when the server group fails.


Note that once aaa new-model is enabled, if you save your configuration without a username and/or a default authentication list, you will lock yourself out of the device and will have to perform a password recovery.

Lab Objectives:

  • Enable AAA by executing the aaa new-model command at the global configuration level.
  • Configure an AAA login authentication list named CONSOLE_AUTH that authenticates against the local database only.
  • Configure the console line to authenticate using the authentication list named CONSOLE_AUTH.
  • Verify your configuration by logging completely out of the router and back in.

Lab Instruction:

Step 1. Enable AAA with the aaa new-model global configuration mode command. This enables the new authentication model and disables the legacy authentication methods (such as line passwords).

Router con0 is now available
Press RETURN to get started.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model

Step 2. Configure an AAA login authentication list named CONSOLE_AUTH that authenticates against the local database only.
The syntax for an AAA login authentication list is: aaa authentication login LISTNAME AUTHTYPE
For this objective the list name is CONSOLE_AUTH and the authentication type is local, so the command looks like this:

Router(config)#aaa authentication login CONSOLE_AUTH local

Step 3. Now configure the console line so that an exec session attempt on it authenticates the user against the AAA login authentication list you just created. This is a single command in line configuration mode: login authentication LISTNAME

Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

Step 4. Verify your configuration by fully logging out of the router and back in through the console. If correctly configured, you should now be prompted for a username and password, like this:

Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: john
Password: 
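As an added example that is not part of the original post, the following Python checker reads a running-config excerpt and flags the lockout pitfalls the notes above describe: aaa new-model with no username, a login list with no local fallback, a line referencing an undefined list, and a missing aaa authorization console. The two config excerpts and the user john are constructed for the example.

```python
import re
# Constructed excerpt (not from the post): aaa new-model is on, but there is no
# username and no console authorization, the lockout trap the notes warn about.
CONFIG_RISKY = """\
aaa new-model
aaa authentication login CONSOLE_AUTH local
line con 0
 login authentication CONSOLE_AUTH
"""

# Constructed corrected excerpt: a local user, TACACS+ with local fallback, console authorization.
CONFIG_OK = CONFIG_RISKY + """\
username john privilege 15 secret EXAMPLE_PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization console
"""

def parse_config(text):
    """Collect the AAA facts the lab relies on from an IOS running-config."""
    facts = {"new_model": False, "usernames": set(), "login_lists": {},
             "authz_console": False, "referenced_lists": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            facts["new_model"] = True
        elif (m := re.match(r"username (\S+)", line)):
            facts["usernames"].add(m.group(1))
        elif (m := re.match(r"aaa authentication login (\S+) (.+)", line)):
            facts["login_lists"][m.group(1)] = m.group(2).split()  # method list
        elif line == "aaa authorization console":
            facts["authz_console"] = True
        elif (m := re.match(r"login authentication (\S+)", line)):
            facts["referenced_lists"].add(m.group(1))  # from a line sub-mode
    return facts

def lockout_findings(facts):
    """Return the reasons this config could lock an administrator out."""
    findings = []
    if not facts["new_model"]:
        return findings  # legacy line passwords still apply
    if not facts["usernames"]:
        findings.append("no username configured: 'local' methods cannot succeed")
    for name, methods in facts["login_lists"].items():
        if not {"local", "local-case"} & set(methods):
            findings.append(f"list {name} has no local fallback for server failure")
    for name in facts["referenced_lists"] - set(facts["login_lists"]):
        findings.append(f"line references undefined list {name}")
    if not facts["authz_console"]:
        findings.append("'aaa authorization console' missing: console login not placed at privilege 15")
    return findings
```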
