Free CCNA Workbook

AAA Authentication via TACACS+

Most enterprise companies authenticate network users via TACACS+ to a Cisco ACS Server. This is useful for single sign-on, management and tracking. This lab will discuss and demonstrate the configuration of a TACACS+ AAA Authentication List.

Real World Application

No network engineer wants to spend countless hours maintaining local user accounts on hundreds of Cisco devices. This issue was foreseen many years ago and resolved with AAA. With AAA you can configure a Cisco device, whether it be a router or a switch, to authenticate against a centralized user authentication database. Cisco sells a solution called the Cisco Secure Access Server, which is commonly used in networks larger than 50 nodes to provide centralized authentication, authorization and accounting services for network devices.

Please note that the contents of this lab are not part of the CCNA (640-802) Exam objectives; however, this material can be found on the new CCNA Security certification (Exam: 840-553 – IINS). This lab was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.

Lab Prerequisites

  • If you are using GNS3, then load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with Router 1.
  • Complete Lab 3-3 prior to attempting this lab.
  • Create a local user account and password with level 15 privileges.

Lab Objectives

  • Configure a TACACS+ Server located at 10.1.1.20 with the key of P@s$W0rD!
  • Configure a login authentication list named CONSOLE_AUTH to authenticate to the tacacs server group then the local database if authentication to the tacacs server times out.
  • Assign the authentication list to the console line and verify your configuration. (See Notes)

Lab Instruction

Step 1. – First, configure the TACACS+ server host address and key. This is done by executing tacacs-server host x.x.x.x key keygoeshere in global configuration mode, as shown below;

Router con0 is now available


Press RETURN to get started.


Router>enable
Router#configure terminal
Router(config)#tacacs-server host 10.1.1.20 key P@s$W0rD!

Step 2. – Now configure the AAA login authentication list named CONSOLE_AUTH to authenticate to the TACACS+ server first and fall back to the local user database in the event of a server failure. As previously shown in Lab 3-2, the authtype was just local. The AAA login authentication list tries each authtype in order, from first to last, as written in the command. To configure the list to authenticate to the TACACS+ server, add group tacacs+ prior to local.

To complete the 2nd objective (authenticate to the TACACS+ server, then fail back to the local database when the server fails), execute the Lab 3-2 login authentication list command for CONSOLE_AUTH in global configuration mode with group tacacs+ local as its methods, then assign the list to the console line with login authentication CONSOLE_AUTH, as shown below. AAA must already be enabled with aaa new-model for the aaa authentication command to be accepted.

Router(config)#aaa authentication login CONSOLE_AUTH group tacacs+ local
Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH

You will be unable to verify the actual TACACS+ server authentication, as no TACACS+ server exists in this lab. You can download a trial copy of Cisco ACS and configure the server to authenticate Cisco devices, but that is outside the scope of CCNA and CCNA Security. For verification purposes, use the local database username and password with level 15 privileges that you configured in the prerequisites.

Router con0 is now available



Press RETURN to get started.



User Access Verification

Username: john
Password: 

Router>
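
Added example (not part of the original lab): a small Python audit of a saved configuration that checks the points this lab depends on, namely that the CONSOLE_AUTH method list tries group tacacs+ before local, that a local fallback user exists, and that every line references a list that is actually defined. The function name, the VTY_AUTH list and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample config; only the legacy "tacacs-server host" form used in this lab is recognised.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login CONSOLE_AUTH group tacacs+ local
username john privilege 15 secret 5 $1$constructed$hash
tacacs-server host 10.1.1.20 key P@s$W0rD!
line con 0
 login authentication CONSOLE_AUTH
line vty 0 4
 login authentication VTY_AUTH
"""

def audit_login_lists(config):
    """Return a list of findings about AAA login method lists, in discovery order."""
    findings = []
    lines = config.splitlines()
    if not any(ln.strip() == "aaa new-model" for ln in lines):
        findings.append("aaa new-model is missing; aaa commands are not active")
    # Map list name -> ordered methods, e.g. {"CONSOLE_AUTH": ["group tacacs+", "local"]}
    lists = {}
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln.strip())
        if m:
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    has_local_user = any(ln.startswith("username ") for ln in lines)
    has_server = any(ln.startswith("tacacs-server host ") for ln in lines)
    for name, methods in lists.items():
        if "group tacacs+" in methods:
            if not has_server:
                findings.append(f"{name}: uses group tacacs+ but no tacacs-server host is defined")
            if methods[-1] == "group tacacs+":
                findings.append(f"{name}: no fallback after group tacacs+; a server outage blocks logins")
            if "local" in methods and methods.index("local") < methods.index("group tacacs+"):
                findings.append(f"{name}: local is listed before group tacacs+")
        if "local" in methods and not has_local_user:
            findings.append(f"{name}: falls back to local but no username is configured")
    # Every "login authentication NAME" under a line must reference a defined list.
    current = None
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip()
        m = re.match(r"\s+login authentication (\S+)", ln)
        if m and current and m.group(1) not in lists and m.group(1) != "default":
            findings.append(f"{current}: references undefined list {m.group(1)}")
    return findings
```

Calling audit_login_lists(SAMPLE_CONFIG) reports only the constructed vty line, because the console configuration from this lab passes every check.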