ACS Configuration (5 Points)


The AAA ACS server is located on the R5 network with the IP address 144.254.6.2, and the server key is set to ccie.

Non-AAA Authentication Methods

Configure the Router R2 so that it provides a TACACS-like username and encrypted password authentication system for networks that cannot support TACACS+. Limit this only to users on VLAN_D.

Non-AAA Authentication Methods Solution

Cisco IOS routers can be configured to authorize usernames with the following command:

username name password encryption-type password

This IOS command establishes username authentication with encrypted passwords.

To define an access list so that only VLAN_D users can access the router, use the following command:

username name access-class number

Example 8-102 configures Router R2 for local-based authentication for users from VLAN_D only.

Example 8-102 Configuring Non-AAA Authentication Methods on R2

Example 8-103 displays the debug output when an EXEC user on Router R2 telnets to Router R3.

Example 8-103 debug aaa authentication on R2

R2#debug aaa authentication
AAA Authentication debugging is on
R2#show debugging
General OS:
  AAA Authentication debugging is on
Oct 11 16:27:41: AAA: parse name=tty130 idb type=-1 tty=-1
Oct 11 16:27:41: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Oct 11 16:27:41: AAA/MEMORY: create_user (0x62C7BDA8) user='' ruser='' port='tty130' rem_addr='144.254.4.3' authen_type=ASCII service=LOGIN priv=1
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): port='tty130' list='' action=LOGIN service=LOGIN
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): using "default" list
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): Method=LOCAL
Oct 11 16:27:41: AAA/AUTHEN (4131783264): status = GETUSER
Oct 11 16:27:47: AAA/AUTHEN/CONT (4131783264): continue_login (user='(undef)')
Oct 11 16:27:47: AAA/AUTHEN (4131783264): status = GETUSER
Oct 11 16:27:47: AAA/AUTHEN/CONT (4131783264): Method=LOCAL
Oct 11 16:27:47: AAA/AUTHEN (4131783264): status = GETPASS
Oct 11 16:27:49: AAA/AUTHEN/CONT (4131783264): continue_login (user='Massimo')
Oct 11 16:27:49: AAA/AUTHEN (4131783264): status = GETPASS
Oct 11 16:27:49: AAA/AUTHEN/CONT (4131783264): Method=LOCAL
Oct 11 16:27:49: AAA/AUTHEN (4131783264): status = PASS
R2#

NOTE When using this form of authentication, usernames and passwords are sent in plain text (Massimo, in this example).
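The debug output above is easier to audit when it is reduced to one record per AAA session: who logged in, which method list and method decided it, and how the GETUSER, GETPASS, PASS/FAIL state machine ended. The following Python is an added example written for this page, not code from the book or from Cisco. Its sample input is constructed: the first session copies the shape of Example 8-103 (Massimo, local method, PASS) and the second is a made-up failed login so that the FAIL path is exercised, which is the event a monitoring rule would alert on.

```python
import re
from dataclasses import dataclass, field

# Accept both clock-stamped lines ("Oct 11 16:27:41: AAA...") and
# uptime-stamped lines ("2d23h: AAA...") as IOS prints them.
LINE_RE = re.compile(r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d|\d+d\d+h): (?P<body>AAA.*)$")
# Only AAA/AUTHEN, AAA/AUTHEN/START and AAA/AUTHEN/CONT lines carry the session id.
SESSION_RE = re.compile(r"^AAA/AUTHEN(?:/START|/CONT)? \((?P<sid>\d+)\): (?P<rest>.*)$")
USER_RE = re.compile(r"continue_login \(user='(?P<user>[^']*)'\)")
METHOD_RE = re.compile(r"Method=(?P<method>\S+)")
STATUS_RE = re.compile(r"status = (?P<status>[A-Z]+)")
LIST_RE = re.compile(r'using "(?P<lst>[^"]+)" list|found list (?P<lst2>\S+)')


@dataclass
class Session:
    sid: str
    user: str = ""
    method_list: str = ""
    method: str = ""
    states: list = field(default_factory=list)

    @property
    def outcome(self):
        return self.states[-1] if self.states else "INCOMPLETE"


def parse_aaa_debug(lines):
    """Group debug lines by AAA session id; record user, method list, method and states."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sm = SESSION_RE.match(m.group("body"))
        if not sm:
            continue  # "AAA: parse" and "AAA/MEMORY" lines carry no session id
        s = sessions.setdefault(sm.group("sid"), Session(sm.group("sid")))
        rest = sm.group("rest")
        um = USER_RE.search(rest)
        if um and um.group("user") != "(undef)":
            s.user = um.group("user")
        mm = METHOD_RE.search(rest)
        if mm:
            s.method = mm.group("method")
        lm = LIST_RE.search(rest)
        if lm:
            s.method_list = lm.group("lst") or lm.group("lst2")
        stm = STATUS_RE.search(rest)
        # Collapse the repeated GETUSER/GETPASS lines into one state transition each.
        if stm and (not s.states or s.states[-1] != stm.group("status")):
            s.states.append(stm.group("status"))
    return sessions


def summarize(lines):
    """One (session id, user, method list, method, outcome) tuple per session."""
    return [(s.sid, s.user, s.method_list, s.method, s.outcome)
            for s in parse_aaa_debug(lines).values()]


def failed_logins(lines):
    """Sessions whose final status is FAIL, the records a detection rule would raise."""
    return [s for s in parse_aaa_debug(lines).values() if s.outcome == "FAIL"]


# Constructed sample: session 4131783264 mirrors Example 8-103; session 4131783300
# is invented (user 'guest', wrong password) to show a FAIL outcome.
SAMPLE = """\
Oct 11 16:27:41: AAA: parse name=tty130 idb type=-1 tty=-1
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): port='tty130' list='' action=LOGIN service=LOGIN
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): using "default" list
Oct 11 16:27:41: AAA/AUTHEN/START (4131783264): Method=LOCAL
Oct 11 16:27:41: AAA/AUTHEN (4131783264): status = GETUSER
Oct 11 16:27:47: AAA/AUTHEN/CONT (4131783264): continue_login (user='(undef)')
Oct 11 16:27:47: AAA/AUTHEN (4131783264): status = GETUSER
Oct 11 16:27:47: AAA/AUTHEN/CONT (4131783264): Method=LOCAL
Oct 11 16:27:47: AAA/AUTHEN (4131783264): status = GETPASS
Oct 11 16:27:49: AAA/AUTHEN/CONT (4131783264): continue_login (user='Massimo')
Oct 11 16:27:49: AAA/AUTHEN (4131783264): status = GETPASS
Oct 11 16:27:49: AAA/AUTHEN/CONT (4131783264): Method=LOCAL
Oct 11 16:27:49: AAA/AUTHEN (4131783264): status = PASS
Oct 11 16:30:02: AAA/AUTHEN/START (4131783300): port='tty130' list='' action=LOGIN service=LOGIN
Oct 11 16:30:02: AAA/AUTHEN/START (4131783300): using "default" list
Oct 11 16:30:02: AAA/AUTHEN/START (4131783300): Method=LOCAL
Oct 11 16:30:02: AAA/AUTHEN (4131783300): status = GETUSER
Oct 11 16:30:05: AAA/AUTHEN/CONT (4131783300): continue_login (user='(undef)')
Oct 11 16:30:05: AAA/AUTHEN (4131783300): status = GETPASS
Oct 11 16:30:09: AAA/AUTHEN/CONT (4131783300): continue_login (user='guest')
Oct 11 16:30:09: AAA/AUTHEN/CONT (4131783300): Method=LOCAL
Oct 11 16:30:09: AAA/AUTHEN (4131783300): status = FAIL
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The same parser reads the radius and tacacs+ method lines of the later examples, because the method name after Method= is captured as-is; only the list line differs (using "default" list for the default list, found list radius for a named one).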

Login Authentication Methods

Configure R2 so that when a user is prompted to enter a password when trying to connect via the vty lines, the following display is visible: "Enter your password within 15 seconds:"

Login Authentication Methods Solutions

To define a message on R2 for Telnet (vty users), use the following IOS command:

aaa authentication password-prompt "Enter your password within 15 seconds:"

Example 8-104 displays the configuration commands on R2.

Example 8-104 R2 Message Banner

hostname R2
!
aaa new-model
aaa authentication password-prompt "Enter your password within 15 seconds:"
aaa authentication login default local
enable password cisco
!
username gert password 0 gert
username Erik password 0 Erik

Example 8-105 displays the message banner when a PRIV user on R3 telnets to R2.

Example 8-105 Telnet from R3 to R2

R3#telnet 144.254.4.2

User Access Verification
Username: Erik

Enter your password within 15 seconds:

Example 8-106 displays the debug output once the Telnet connection is made to R2. Notice that you have 15 seconds to enter a valid password; otherwise, the Telnet connection is closed.

Example 8-106 Debugging TACACS+ Operation on R2

R2#debug tacacs ?
  events  TACACS+ protocol events
  <cr>
R2#debug tacacs events
TACACS+ events debugging is on
R2#debug tacacs
TACACS access control debugging is on
R2#debug aaa authentication
AAA Authentication debugging is on
R2#show debugging
General OS:
  TACACS access control debugging is on
  TACACS+ events debugging is on
  AAA Authentication debugging is on
R2#
R2#
Oct 11 16:40:44: AAA: parse name=tty130 idb type=-1 tty=-1
Oct 11 16:40:44: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Oct 11 16:40:44: AAA/MEMORY: create_user (0x62C7BDA8) user='' ruser='' port='tty130' rem_addr='144.254.4.3' authen_type=ASCII service=LOGIN priv=1
Oct 11 16:40:44: AAA/AUTHEN/START (1269435710): port='tty130' list='' action=LOGIN service=LOGIN
Oct 11 16:40:44: AAA/AUTHEN/START (1269435710): using "default" list
Oct 11 16:40:44: AAA/AUTHEN/START (1269435710): Method=LOCAL
Oct 11 16:40:44: AAA/AUTHEN (1269435710): status = GETUSER
Oct 11 16:40:48: AAA/AUTHEN/CONT (1269435710): continue_login (user='(undef)')
Oct 11 16:40:48: AAA/AUTHEN (1269435710): status = GETUSER
Oct 11 16:40:48: AAA/AUTHEN/CONT (1269435710): Method=LOCAL
Oct 11 16:40:48: AAA/AUTHEN (1269435710): status = GETPASS
Oct 11 16:40:52: AAA/AUTHEN/CONT (1269435710): continue_login (user='Erik')
Oct 11 16:40:52: AAA/AUTHEN (1269435710): status = GETPASS
Oct 11 16:40:52: AAA/AUTHEN/CONT (1269435710): Method=LOCAL
Oct 11 16:40:52: AAA/AUTHEN (1269435710): status = PASS

Example 8-106 displays a successful telnet from R3 to R2.

Login Authentication Using TACACS+

Configure R2 to use TACACS+ for authentication at the login prompt. If TACACS+ returns an error, the user is authenticated using the local database.

Login Authentication Using TACACS+ Solution

R2 must be configured for a login name and login method with the following IOS command:

aaa authentication login name tacacs+ local

Then, the vty lines on R2 must be configured for authentication with the following IOS command:

line vty 0 4

login authentication name

Example 8-107 configures R2 for login authentication.

Example 8-107 AAA Authentication on R2 (Truncated)

hostname R2
aaa new-model
aaa authentication login default group tacacs+ local
enable password cisco
!
!
tacacs-server host 144.254.6.2
tacacs-server key ccie
end

Example 8-108 displays a successful login attempt when an EXEC user telnets from R3 to R2.

Example 8-108 Login Authentication Using TACACS+

Oct 11 12:26:56: TAC+: send AUTHEN/START packet ver=192 id=3375296121
Oct 11 12:26:56: TAC+: Using default tacacs server-group "tacacs+" list.
Oct 11 12:26:56: TAC+: Opening TCP/IP to 144.254.6.2/49 timeout=5
Oct 11 12:26:56: TAC+: Opened TCP/IP handle 0x62C8424C to 144.254.6.2/49
Oct 11 12:26:56: TAC+: periodic timer started
Oct 11 12:26:56: TAC+: 144.254.6.2 req=62C81284 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
Oct 11 12:26:56: TAC+: 144.254.6.2 (3375296121) AUTHEN/START/LOGIN/ASCII queued
Oct 11 12:26:56: TAC+: 144.254.6.2 ESTAB id=3375296121 wrote 38 of 38 bytes
Oct 11 12:26:56: TAC+: 144.254.6.2 req=62C81284 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=4 AUTHEN/START/LOGIN/ASCII sent
Oct 11 12:26:56: TAC+: 144.254.6.2 ESTAB read=12 wanted=12 alloc=12 got=12
Oct 11 12:26:56: TAC+: 144.254.6.2 ESTAB read=28 wanted=28 alloc=28 got=16
Oct 11 12:26:56: TAC+: 144.254.6.2 received 28 byte reply for 62C81284
Oct 11 12:26:56: TAC+: req=62C81284 Tx id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=4 AUTHEN/START/LOGIN/ASCII processed
Oct 11 12:26:56: TAC+: (3375296121) AUTHEN/START/LOGIN/ASCII processed
Oct 11 12:26:56: TAC+: periodic timer stopped (queue empty)
Oct 11 12:26:56: TAC+: ver=192 id=3375296121 received AUTHEN status = GETUSER
Oct 11 12:27:00: TAC+: send AUTHEN/CONT packet id=3375296121
Oct 11 12:27:00: TAC+: periodic timer started
Oct 11 12:27:00: TAC+: 144.254.6.2 req=62C81230 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=5 AUTHEN/CONT queued
Oct 11 12:27:00: TAC+: 144.254.6.2 (3375296121) AUTHEN/CONT queued
Oct 11 12:27:00: TAC+: 144.254.6.2 ESTAB id=3375296121 wrote 21 of 21 bytes
Oct 11 12:27:00: TAC+: 144.254.6.2 req=62C81230 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=4 AUTHEN/CONT sent
Oct 11 12:27:00: TAC+: 144.254.6.2 ESTAB read=12 wanted=12 alloc=12 got=12
Oct 11 12:27:00: TAC+: 144.254.6.2 ESTAB read=28 wanted=28 alloc=28 got=16
Oct 11 12:27:00: TAC+: 144.254.6.2 received 28 byte reply for 62C81230
Oct 11 12:27:00: TAC+: req=62C81230 Tx id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=4 AUTHEN/CONT processed
Oct 11 12:27:00: TAC+: (3375296121) AUTHEN/CONT processed
Oct 11 12:27:00: TAC+: periodic timer stopped (queue empty)
Oct 11 12:27:00: TAC+: ver=192 id=3375296121 received AUTHEN status = GETPASS
Oct 11 12:27:04: TAC+: send AUTHEN/CONT packet id=3375296121
Oct 11 12:27:04: TAC+: periodic timer started
Oct 11 12:27:04: TAC+: 144.254.6.2 req=62C81230 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=5 AUTHEN/CONT queued
Oct 11 12:27:04: TAC+: 144.254.6.2 (3375296121) AUTHEN/CONT queued
Oct 11 12:27:04: TAC+: 144.254.6.2 ESTAB id=3375296121 wrote 21 of 21 bytes
Oct 11 12:27:04: TAC+: 144.254.6.2 req=62C81230 Qd id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=4 AUTHEN/CONT sent
Oct 11 12:27:05: TAC+: 144.254.6.2 ESTAB read=12 wanted=12 alloc=12 got=12
Oct 11 12:27:05: TAC+: 144.254.6.2 ESTAB read=18 wanted=18 alloc=18 got=6
Oct 11 12:27:05: TAC+: 144.254.6.2 received 18 byte reply for 62C81230
Oct 11 12:27:05: TAC+: req=62C81230 Tx id=3375296121 ver=192 handle=0x62C8424C (ESTAB) expire=3 AUTHEN/CONT processed
Oct 11 12:27:05: TAC+: (3375296121) AUTHEN/CONT processed
Oct 11 12:27:05: TAC+: periodic timer stopped (queue empty)
Oct 11 12:27:05: TAC+: ver=192 id=3375296121 received AUTHEN status = PASS
Oct 11 12:27:05: TAC+: Closing TCP/IP 0x62C8424C connection to 144.254.6.2/49

Example 8-108 displays a successful login attempt. Notice that a TCP connection to 144.254.6.2 on port 49 is opened, carries the whole START/CONT/reply exchange, and is then closed, because TACACS+ runs over TCP.
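The byte counts in Example 8-108 (each "read=12" is the TACACS+ header, the two 28-byte replies carry a prompt, the final 18-byte reply carries only the PASS status, and ver=192 with id=3375296121 are the header's version and session id) follow from the packet layout in RFC 8907. The Python below is an added example written for this page, not code from the book or from Cisco: it packs and parses the 12-byte header and the authentication REPLY body, and applies the MD5 pseudo-pad obfuscation with the page's shared key ccie. The prompt strings "Username: " and "Password: " are assumptions (the debug shows only reply sizes, which are consistent with ten-character prompts), and the sequence numbers are constructed.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length.
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Authentication REPLY status codes; the names are what "debug tacacs" prints.
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

# Values taken from Example 8-108 and the task statement: session id, version 192, key ccie.
SESSION_ID = 3375296121
KEY = "ccie"


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); concatenated and cut to length."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=0xC0):
    """Header plus obfuscated body; version 0xC0 is the 'ver=192' seen in the debug."""
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_header(packet):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    return {"version": version, "major": version >> 4, "minor": version & 0x0F,
            "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body_len": length}


def authen_reply_body(status, server_msg=b"", data=b""):
    """REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(packet, key):
    """Decode a REPLY with the given shared key. With the wrong key the recovered
    length fields do not add up, so the packet is reported UNDECODABLE, never trusted."""
    hdr = parse_header(packet)
    body = packet[HEADER.size:HEADER.size + hdr["body_len"]]
    if not hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body) or status not in REPLY_STATUS:
        return {"status": "UNDECODABLE", "server_msg": "", "total_len": len(packet)}
    return {"status": REPLY_STATUS[status],
            "server_msg": body[6:6 + msg_len].decode("ascii", "replace"),
            "total_len": len(packet)}


def demo():
    """The three server replies of Example 8-108, with assumed prompt text."""
    getuser = build_packet(TAC_PLUS_AUTHEN, 2, SESSION_ID, authen_reply_body(0x04, b"Username: "), KEY)
    getpass_ = build_packet(TAC_PLUS_AUTHEN, 4, SESSION_ID, authen_reply_body(0x05, b"Password: "), KEY)
    passed = build_packet(TAC_PLUS_AUTHEN, 6, SESSION_ID, authen_reply_body(0x01), KEY)
    return [parse_authen_reply(p, KEY) for p in (getuser, getpass_, passed)]


if __name__ == "__main__":
    for reply in demo():
        print(reply)  # sizes 28, 28 and 18 bytes, as in the debug output
```

The body is only XORed with an MD5 keystream derived from the shared key, session id, version and sequence number, which is why RFC 8907 calls this obfuscation rather than encryption; it is the reason the tacacs-server key must be unique and strong and the path between router and ACS should be a protected management network.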

Figure 8-4 displays the ACS configuration for AAA and TACACS+. ACS is an intuitive software application.

Figure 8-4 Configure Cisco ACS for TACACS+


Figure 8-4 displays the creation of a remote username named "Gert" and password creation.

Figure 8-5 displays the ACS network configuration that allows Router R2 (IP address 144.254.152.1) to use the TACACS+ server daemon.

Figure 8-5 TACACS+ Network Configuration


ACS Configuration: Login Authentication Using RADIUS

Configure R3 to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. Also, make sure the display "Enter your name:" is visible when logging in.

ACS Configuration: Login Authentication Using RADIUS Solution

RADIUS commands (similar to previous tasks on TACACS+) are as follows:

aaa new-model
aaa authentication login name group radius local
aaa authentication username-prompt "Enter your name:"
line vty 0 4
 login authentication name

Example 8-109 configures R3 for RADIUS authentication.

Example 8-109 Login Authentication Using RADIUS

R3 must first be enabled for AAA and for the RADIUS server and RADIUS key.

Example 8-110 shows sample debug displays when a successful login attempt is made to R3. R2 is used to telnet to R3.

Example 8-110 Telnet from R2 to R3

R3#debug aaa authentication
AAA Authentication debugging is on
R3#show debugging
General OS:
  AAA Authentication debugging is on
  Radius protocol debugging is on
R3#

R2#144.254.4.1
Trying 144.254.4.1 ... Open

Enter your name:Gert
Password: *****
R3>enable
Password:****
! Debug output follows
2d23h: AAA: parse name=tty66 idb type=-1 tty=-1
2d23h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
2d23h: AAA/MEMORY: create_user (0x8271FE78) user='' ruser='' port='tty66' rem_addr='144.254.4.2' authen_type=ASCII service=LOGIN priv=1
2d23h: AAA/AUTHEN/START (503012338): port='tty66' list='radius' action=LOGIN service=LOGIN
2d23h: AAA/AUTHEN/START (503012338): found list radius
2d23h: AAA/AUTHEN/START (503012338): Method=radius (radius)
2d23h: AAA/AUTHEN (503012338): status = GETUSER
2d23h: AAA/AUTHEN/CONT (503012338): continue_login (user='(undef)')
2d23h: AAA/AUTHEN (503012338): status = GETUSER
2d23h: AAA/AUTHEN (503012338): Method=radius (radius)
2d23h: AAA/AUTHEN (503012338): status = GETPASS
2d23h: AAA/AUTHEN/CONT (503012338): continue_login (user='Gert')
2d23h: AAA/AUTHEN (503012338): status = GETPASS
2d23h: AAA/AUTHEN (503012338): Method=radius (radius)
2d23h: RADIUS: ustruct sharecount=1
2d23h: RADIUS: Initial Transmit tty66 id 2 144.254.6.2:1645, Access-Request, len 76
2d23h:         Attribute 4 6 96640115
2d23h:         Attribute 5 6 00000042
2d23h:         Attribute 61 6 00000005
2d23h:         Attribute 1 6 47657274
2d23h:         Attribute 31 14 3135302E
2d23h:         Attribute 2 18 74DEA58C
2d23h: RADIUS: Received from id 2 144.254.6.2:1645, Access-Accept, len 20
2d23h: RADIUS: saved authorization data for user 8271FE78 at 826F6E2C
2d23h: AAA/AUTHEN (503012338): status = PASS

The user in Example 8-110 was successfully authenticated by the RADIUS server (the ACS server). Figure 8-6 displays the username creation on the ACS server.
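The six Attribute lines in Example 8-110 can be read directly once the RFC 2865 type codes are known: 4 is NAS-IP-Address, 5 is NAS-Port (66, matching tty66), 61 is NAS-Port-Type (5, Virtual), 1 is User-Name (hex 47657274 is "Gert"), 31 is Calling-Station-Id and 2 is User-Password. The Python below is an added example written for this page, not code from the book or from Cisco. It parses that debug output, decodes the attributes, flags values that IOS printed only partially (the debug prints the first four value bytes, so the 12-byte Calling-Station-Id shows only "150."), and checks that the declared length of 76 equals the 20-byte RADIUS header plus the attribute lengths. User-Password is never decoded: the wire value is the RFC 2865 hidden form (password XORed with MD5 of the shared secret and the Request Authenticator), so the decoder only labels it. The sample lines are constructed copies of the example's attribute lines.

```python
import re
import struct

# RFC 2865 attribute types that appear in the IOS "debug radius" output on this page.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
NAS_PORT_TYPES = {0: "Async", 2: "ISDN", 5: "Virtual", 15: "Ethernet"}
REQ_RE = re.compile(r"(?:Initial )?Transmit (?P<port>\S+) id (?P<id>\d+) "
                    r"(?P<server>[\d.]+:\d+), (?P<code>[\w-]+), len (?P<len>\d+)")
ATTR_RE = re.compile(r"Attribute (?P<type>\d+) (?P<len>\d+) (?P<hex>[0-9A-Fa-f]+)")


def decode_attribute(attr_type, length, value_hex):
    """Decode one 'Attribute <type> <length> <hex>' line; length counts the 2-byte
    type/length header, and IOS prints at most the first four value bytes."""
    value = bytes.fromhex(value_hex)
    value_len = length - 2
    truncated = len(value) < value_len
    name = ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}")
    if attr_type == 4 and len(value) == 4:
        decoded = ".".join(str(b) for b in value)          # IPv4 address
    elif attr_type in (5, 61) and len(value) == 4:
        n = struct.unpack("!I", value)[0]                  # 32-bit integer
        decoded = f"{n} ({NAS_PORT_TYPES.get(n, 'unknown')})" if attr_type == 61 else n
    elif attr_type == 2:
        # Hidden per RFC 2865 section 5.2; cannot be read without the shared secret
        # and the Request Authenticator, and should not be logged in clear anyway.
        decoded = "<hidden: password XOR MD5(shared secret + Request Authenticator)>"
    else:
        decoded = value.decode("ascii", "replace")         # text attribute (prefix if truncated)
    return {"type": attr_type, "name": name, "length": length,
            "value": decoded, "truncated": truncated}


def parse_radius_debug(lines):
    """Return (request summary, decoded attribute list) for one Access-Request."""
    request, attrs = None, []
    for line in lines:
        if rm := REQ_RE.search(line):
            request = {"port": rm["port"], "id": int(rm["id"]), "server": rm["server"],
                       "code": rm["code"], "len": int(rm["len"])}
        elif am := ATTR_RE.search(line):
            attrs.append(decode_attribute(int(am["type"]), int(am["len"]), am["hex"]))
    return request, attrs


def declared_length_consistent(request, attrs):
    """RADIUS header is 20 bytes; 'len' must equal 20 plus the attributes' own lengths."""
    return request["len"] == 20 + sum(a["length"] for a in attrs)


# Constructed sample: the Access-Request lines of Example 8-110.
SAMPLE = """\
2d23h: RADIUS: Initial Transmit tty66 id 2 144.254.6.2:1645, Access-Request, len 76
2d23h:         Attribute 4 6 96640115
2d23h:         Attribute 5 6 00000042
2d23h:         Attribute 61 6 00000005
2d23h:         Attribute 1 6 47657274
2d23h:         Attribute 31 14 3135302E
2d23h:         Attribute 2 18 74DEA58C
2d23h: RADIUS: Received from id 2 144.254.6.2:1645, Access-Accept, len 20
""".splitlines()

if __name__ == "__main__":
    req, attrs = parse_radius_debug(SAMPLE)
    print(req, "length ok:", declared_length_consistent(req, attrs))
    for a in attrs:
        print(a)
```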

Figure 8-6 Username Creation on the ACS for RADIUS

Figure 8-7 displays enabling RADIUS on the ACS server so that Router R3 can authenticate users.

Figure 8-7 RADIUS Network Configuration
