confguring ios security aaa.pdf


Upload: khaled-shimi

Post on 04-Sep-2015


Boson NetSim Lab Manual

SWITCH Lab: Configuring IOS Security Part II: TACACS+

Objective
Configure ASWs to authenticate to a Terminal Access Controller Access Control System Plus (TACACS+) server.

For this lab, you will be responsible for configuring P1ASW1.

Lab Topology
The Topology diagram below represents the NetMap in the Simulator:

[Topology diagram: devices P2DSW2, P2ASW2, P1ASW1, P1DSW1, P1PC1 and P2PC2; VLAN 11 and VLAN 12; addresses 172.16.11.1, 172.16.12.1, 172.16.1.10, 172.16.1.20, 172.16.1.100 and 172.16.1.200; ACS (the TACACS+ server) at 172.16.1.150]

Lab ID: 8.8K312A135.SWP.2

Command Summary

aaa authentication login {default | list-name} method1 [method2]
    enables Authentication, Authorization, and Accounting (AAA) login
aaa new-model
    enables the AAA model
line vty 0 15
    enters configuration mode for virtual terminal (vty) lines
login
    enables password checking
login authentication {default | list-name}
    enables login to a TACACS+ server
password password
    specifies the password that is required for a user to log in
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
shutdown; no shutdown
    disables an interface; enables an interface
tacacs-server host ip-address single-connection
    configures a TACACS+ server to communicate with the specified host
tacacs-server key key
    sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon
tacacs user name password password
    used in NetSim to create a user name and password pair on a workstation configured as a TACACS server
tacacs key case-sensitive-key-phrase
    used in NetSim to add a TACACS key to a workstation configured as a TACACS server
telnet ip-address
    starts the terminal emulation program from a PC, router, or switch; permits the user to access devices remotely over the network
username name password password
    creates a local user name and password pair

Lab Tasks

Task 1: Configure P1ASW1 to Authenticate to a TACACS+ Server

Setting                       Value
TACACS+ server IP address     172.16.1.150
TACACS+ server key            boson
TACACS+ server user name      P1PC1
TACACS+ server password       cisco

1. Enable Telnet on P1ASW1, and specify a password of cisco. Verify that you can ping and telnet to P1ASW1 from P1PC1.

2. Configure P1ASW1 to use the AAA features.

3. On P1ASW1, define the TACACS+ server that should be used.

4. On P1ASW1, configure the key string for the TACACS+ server.

5. Configure the primary authentication method to try TACACS+ first and to try the local authentication method if TACACS+ fails.

6. On P1ASW1, apply the primary authentication method to the vty ports.

7. On P1ASW1, configure a local user name and password pair. Specify the user name admin and the password cisco. This will allow you to log in even if the TACACS+ server is unavailable. In a production environment, you should always configure a local user name and password pair to enable you to access your switch even when the TACACS+ server is unavailable.

8. Attempt to telnet to P1ASW1 from P1PC1. When prompted for authentication, use the TACACS+ server user name and password. This attempt should fail because the user name and password have not been added to your TACACS+ server yet. Try to telnet again, but use the local user name and password instead. This attempt should work because this user name and password pair have been configured on P1ASW1.

9. On ACS, which is the TACACS+ server, add the user name P1PC1 and the password cisco. Set the TACACS+ server key to boson.

10. On P1PC1, try to telnet to P1ASW1 again. Use the TACACS+ server user name and password. This attempt should succeed.

Lab Solutions

Configure P1ASW1 to Authenticate to a TACACS+ Server

1. You should issue the following commands to enable telnet on P1ASW1 and to specify a password of cisco:

line vty 0 15
login
password cisco

You should issue the following commands on P1PC1 to verify that you can ping and telnet to P1ASW1 (172.16.1.10):

ping 172.16.1.10
telnet 172.16.1.10

2. You should issue the following command to configure P1ASW1 to use the AAA features:

aaa new-model

3. You should issue the following command to define the TACACS+ server that should be used:

tacacs-server host 172.16.1.150 single-connection

4. You should issue the following command to configure the key string for the TACACS+ server:

tacacs-server key boson

5. You should issue the following command to configure the primary authentication method to try TACACS+ first and to try the local authentication method if TACACS+ fails:

aaa authentication login primary group tacacs+ local

6. You should issue the following commands to apply the primary authentication method to the vty ports:

line vty 0 15
login authentication primary

7. You should issue the following command to configure a local user name and password pair. Specify the user name admin and the password cisco:

username admin password cisco

8. You should issue the following command on P1PC1 to attempt to telnet to P1ASW1. When prompted for authentication, use the TACACS+ server user name P1PC1 and password cisco. This attempt should fail because the user name and password have not been added to your TACACS+ server yet.

telnet 172.16.1.10

Try to telnet again, but use the local user name admin and password cisco instead. This attempt should work because this user name and password pair have been configured on P1ASW1.

telnet 172.16.1.10

9. On ACS, you should issue the following commands to add the user name P1PC1 and password cisco to the TACACS+ server and to set the TACACS+ server key to boson:

tacacs user P1PC1 password cisco
tacacs key boson

10. On P1PC1, you should issue the following command to try to telnet to P1ASW1. Use the TACACS+ server user name and password. This attempt should succeed.

telnet 172.16.1.10

Sample Configuration Scripts

P1ASW1#show running-config
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1ASW1
aaa new-model
!
ip cef
!
aaa authentication login primary group tacacs+ local
!
username admin password cisco
!
ip subnet-zero
spanning-tree extend system-id
!
ip default-gateway 172.16.1.100
!
interface FastEthernet0/1
 description P1ASW1 to P1DSW1
 switchport mode trunk
!
interface FastEthernet0/2
 description P1ASW1 to P1DSW1
 switchport mode trunk
!
interface FastEthernet0/3
 description P1ASW1 to P2DSW2
 switchport mode trunk
!
interface FastEthernet0/4
 description P1ASW1 to P2DSW2
 switchport mode trunk
!
interface FastEthernet0/5
 description P1PC1 to P1ASW1
 switchport mode access
 switchport access vlan 11
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface Vlan 1
 ip address 172.16.1.10 255.255.255.0
 no ip route-cache
!
vlan 11 name 11
!
ip default-gateway 172.16.1.100
!
ip classless
no ip http server
!
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 15
 login authentication primary
 password cisco
!
no scheduler allocate
end
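Added example, not part of the Boson manual: a small Python checker that parses an IOS running-config like the one above and reports whether the login posture this lab builds is actually in place (aaa new-model enabled, every login method list ending in local as the fallback, a local username present, every line referencing a defined method list, and passwords not stored in clear text). The embedded sample config is a constructed excerpt of the P1ASW1 script above; the function names are my own.

```python
import re

# Constructed sample: the AAA-relevant lines of this lab's P1ASW1 running-config.
SAMPLE_CONFIG = """\
no service password-encryption
aaa new-model
aaa authentication login primary group tacacs+ local
username admin password cisco
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
line con 0
line vty 0 15
 login authentication primary
 password cisco
"""

def parse_config(text):  # -> (global commands, {"line ...": [sub-commands]})
    cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                   # blank line or comment
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())      # indented: belongs to the line
        else:
            current = None
            cmds.append(raw.strip())
    return cmds, sections

def check_aaa(text):
    """Return (severity, message) findings about the login-authentication posture."""
    cmds, sections = parse_config(text)
    lists = {m.group(1): m.group(2).split() for c in cmds
             if (m := re.match(r"aaa authentication login (\S+) (.+)", c))}
    findings = []
    if "aaa new-model" not in cmds:
        findings.append(("FAIL", "aaa new-model missing; method lists are not in effect"))
    if not any(c.startswith("username ") for c in cmds):
        findings.append(("FAIL", "no local username; lockout if the TACACS+ server is unreachable"))
    for name, methods in lists.items():
        if methods[-1] != "local":                     # TACACS+ first, local as last resort
            findings.append(("FAIL", f"list {name} does not end with the local fallback"))
    for line, sub in sections.items():
        used = next((s.split()[-1] for s in sub if s.startswith("login authentication ")), "default")
        if used not in lists:
            findings.append(("WARN", f"{line} relies on login list '{used}', which is not defined"))
    if "no service password-encryption" in cmds:
        findings.append(("WARN", "clear-text (type 0) passwords; use 'secret' and service password-encryption"))
    return findings
```

Run over the lab config it reports no FAIL, but warns that the console line has no explicit method list and that the vty and local passwords are stored in clear text.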

Copyright 1996-2012 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.