Boson NetSim Lab Manual
SWITCH Lab: Configuring IOS Security Part II: TACACS+
Objective
Configure ASWs to authenticate to a Terminal Access Controller Access Control System Plus (TACACS+) server.
For this lab, you will be responsible for configuring P1ASW1.
Lab Topology
The Topology diagram below represents the NetMap in the Simulator:
[Topology diagram: switches P1DSW1, P2DSW2, P1ASW1 and P2ASW2; hosts P1PC1 (VLAN 11) and P2PC2 (VLAN 12); the ACS server at 172.16.1.150. Addresses shown in the diagram: 172.16.11.1, 172.16.12.1, 172.16.1.10, 172.16.1.20, 172.16.1.100, 172.16.1.200]
Lab ID: 8.8K312A135.SWP.2
Command Summary

aaa authentication login {default | list-name} method1 [method2]
    enables Authentication, Authorization, and Accounting (AAA) login authentication using the listed methods
aaa new-model
    enables the AAA model
line vty 0 15
    enters configuration mode for virtual terminal (vty) lines
login
    enables password checking
login authentication {default | list-name}
    applies the specified AAA login authentication method list (here, one that uses a TACACS+ server) to the line
password password
    specifies the password that is required for a user to log in
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
shutdown; no shutdown
    disables an interface; enables an interface
tacacs-server host ip-address single-connection
    configures a TACACS+ server to communicate with the specified host
tacacs-server key key
    sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon
tacacs user name password password
    used in NetSim to create a user name and password pair on a workstation configured as a TACACS server
tacacs key case-sensitive-key-phrase
    used in NetSim to add a TACACS key to a workstation configured as a TACACS server
telnet ip-address
    starts the terminal emulation program from a PC, router, or switch; permits the user to access devices remotely over the network
username name password password
    creates a local user name and password pair
Lab Tasks
Task 1: Configure P1ASW1 to Authenticate to a TACACS+ Server
Setting: Value
TACACS+ server IP address: 172.16.1.150
TACACS+ server key: boson
TACACS+ server user name: P1PC1
TACACS+ server password: cisco
1. Enable Telnet on P1ASW1, and specify a password of cisco. Verify that you can ping and telnet to
P1ASW1 from P1PC1.
2. Configure P1ASW1 to use the AAA features.
3. On P1ASW1, define the TACACS+ server that should be used.
4. On P1ASW1, configure the key string for the TACACS+ server.
5. Configure the primary authentication method to try TACACS+ first and to try the local authentication method if TACACS+ fails.
6. On P1ASW1, apply the primary authentication method to the vty ports.
7. On P1ASW1, configure a local user name and password pair. Specify the user name admin and the password cisco. This will allow you to log in even if the TACACS+ server is unavailable. In a production environment, you should always configure a local user name and password pair to enable you to access your switch even when the TACACS+ server is unavailable.
8. Attempt to telnet to P1ASW1 from P1PC1. When prompted for authentication, use the TACACS+ server user name and password. This attempt should fail because the user name and password have not been added to your TACACS+ server yet. Try to telnet again, but use the local user name and password instead. This attempt should work because this user name and password pair have been configured on P1ASW1.
9. On ACS, which is the TACACS+ server, add the user name P1PC1 and the password cisco. Set the
TACACS+ server key to boson.
10. On P1PC1, try to telnet to P1ASW1 again. Use the TACACS+ server user name and password. This
attempt should succeed.
Lab Solutions
Configure P1ASW1 to Authenticate to a TACACS+ Server
1. You should issue the following commands to enable telnet on P1ASW1 and to specify a password of
cisco:
You should issue the following commands to verify that you can ping and telnet to P1ASW1 from P1PC1:
2. You should issue the following command to configure P1ASW1 to use the AAA features:
3. You should issue the following command to define the TACACS+ server that should be used:
4. You should issue the following command to configure the key string for the TACACS+ server:
5. You should issue the following command to configure the primary authentication method to try TACACS+ first and to try the local authentication method if TACACS+ fails:
6. You should issue the following commands to apply the primary authentication method to the vty ports:
7. You should issue the following command to configure a local user name and password pair. Specify the user name admin and the password cisco:
8. You should issue the following command to attempt to telnet to P1ASW1 from P1PC1. When prompted for
authentication, use the TACACS+ server user name P1PC1 and password boson. This attempt should fail
because the user name and password have not been added to your TACACS+ server yet.
Try to telnet again, but use the local user name and password instead. This attempt should work because this user name and password pair have been configured on P1ASW1.
9. On ACS, you should issue the following command to add the user name P1PC1 and password cisco to the
TACACS+ server. Set the TACACS+ server key to boson.
10. On P1PC1, you should issue the following command to try to telnet to P1ASW1. Use the TACACS+ server
user name and password. This attempt should succeed.
Sample Configuration Scripts
P1ASW1#show running-config
!
Version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1ASW1
aaa new-model
!
ip cef
!
aaa authentication login primary group tacacs+ local
!
username admin password cisco
!
ip subnet-zero
spanning-tree extend system-id
!
ip default-gateway 172.16.1.100
!
interface FastEthernet0/1
 description P1ASW1 to P1DSW1
 switchport mode trunk
!
interface FastEthernet0/2
 description P1ASW1 to P1DSW1
 switchport mode trunk
!
interface FastEthernet0/3
 description P1ASW1 to P2DSW2
 switchport mode trunk
!
interface FastEthernet0/4
 description P1ASW1 to P2DSW2
 switchport mode trunk
!
interface FastEthernet0/5
 description P1PC1 to P1ASW1
 switchport mode access
 switchport access vlan 11
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface Vlan 1
 ip address 172.16.1.10 255.255.255.0
 no ip route-cache
!
vlan 11 name 11
!
ip default-gateway 172.16.1.100
!
ip classless
no ip http server
!
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 15
 login authentication primary
 password cisco
!
no scheduler allocate
end
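As an added check that is not part of the Boson lab manual, the following Python script audits a running-config for the AAA and TACACS+ pieces configured in steps 2 through 7 of this lab and flags two weaknesses visible in the sample script above (clear-text storage of the line and local-user passwords). The SAMPLE_CONFIG text is a constructed excerpt of the P1ASW1 configuration, and the line_blocks and audit_aaa names are this example's own.

```python
import re
# Constructed sample: the AAA-relevant lines of the lab's P1ASW1 configuration (one-space IOS indentation under 'line').
SAMPLE_CONFIG = """\
no service password-encryption
aaa new-model
aaa authentication login primary group tacacs+ local
username admin password cisco
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
line vty 0 15
 login authentication primary
 password cisco
end
"""

def line_blocks(config):
    """Map each 'line <name>' section to its indented subcommands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the section
    return blocks

def audit_aaa(config):
    """Return (checks, weaknesses); the checks mirror lab steps 2 through 7."""
    def found(pattern):
        return re.search(pattern, config, re.M) is not None
    m = re.search(r"^aaa authentication login (\S+) (.+)$", config, re.M)
    name, methods = (m.group(1), m.group(2).split()) if m else (None, [])
    vty = line_blocks(config).get("vty 0 15", [])
    checks = {
        "aaa_new_model": found(r"^aaa new-model$"),
        "tacacs_server_defined": found(r"^tacacs-server host \S+"),
        "tacacs_key_set": found(r"^tacacs-server key \S+"),
        # 'local' is tried only when no TACACS+ server answers, not when one rejects the user
        "tacacs_then_local": methods == ["group", "tacacs+", "local"],
        "vty_uses_method_list": f"login authentication {name}" in vty,
        "local_fallback_user": found(r"^username \S+ (password|secret) "),
    }
    weaknesses = []
    if found(r"^no service password-encryption$"):
        weaknesses.append("passwords are stored in clear text (no service password-encryption)")
    if found(r"^username \S+ password "):
        weaknesses.append("local fallback user uses 'password'; 'username ... secret' stores a hash")
    return checks, weaknesses
```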
Copyright 1996-2012 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.