Lab 2

Lab ID: 9.9K1116A159.DHI2.
AAA Authentication
Objective
Configure P1R1 to use a Terminal Access Controller Access Control System Plus (TACACS+) server to
authenticate P1R2 as it attempts to establish a Point-to-Point Protocol (PPP) connection with Password
Authentication Protocol (PAP) authentication across the serial link.
Lab Topology
The topology diagram below represents the NetMap in the Simulator. The TACACS+ server is located on
the Ethernet backbone at 10.2.2.200. For this lab, you will be responsible for configuring P1R1 and P1R2.
BRI1/0 BRI1/0
ISDN
P1R2 P2R2
S0/0 S0/0
10.1.1.2/24 10.1.2.2/24
Frame
Relay
S0/1 S0/1
10.1.1.1/24 10.1.2.1/24
S0/0 S0/0
P1R1 Switch1 P2R1

Fa0/0 Fa0/0
10.2.2.1/24 10.2.2.2/24
TACACS+
10.2.2.200/24
Command Summary
Command Description
aaa authentication ppp authentication-list configures TACACS authentication to be used first; if
tacacs local it errors out, then the local user database is used for
authentication
aaa new-model enables the Authentication, Authorization, and Accounting
(AAA) model
clock rate clock-rate sets the clock rate for a Data Communications Equipment
(DCE) interface
1 Boson NetSim Lab Manual

Command Description
configure terminal enters global configuration mode from privileged EXEC
mode
enable enters privileged EXEC mode
encapsulation ppp enables PPP encapsulation
end ends and exits configuration mode
exit exits one level in the menu structure
interface type number changes from global configuration mode to interface
configuration mode
ip address ip-address subnet-mask assigns an IP address to an interface
network network-address activates the specified routing protocol on the specified
network
ping ip-address sends an Internet Control Message Protocol (ICMP) echo
request to the specified address
ppp authentication pap [authentication- enables PAP authentication
list]
ppp pap sent-username user-name determines which user name and password combination
password password PAP sends as part of its authentication process
router rip enables Routing Information Protocol (RIP) routing
show ip interface brief displays a brief summary of interface status and
configuration
show running-config displays the active configuration file
shutdown; no shutdown disables an interface; enables an interface
tacacs-server host ip-address identifies the TACACS+ server
tacacs-server key shared-key identifies the password required to use the TACACS+
server for AAA
tacacs-server timeout seconds sets the response timeout value in seconds
username name password password creates a local user name and password pair
version 2 enables RIP version 2 (RIPv2)
The IP addresses and subnet masks used in this lab are shown in the table below:
IP Addresses
Device Interface IP Address Subnet Mask
P1R1 Serial 0/1 10.1.1.1 255.255.255.0
FastEthernet 0/0 10.2.2.1 255.255.255.0
P1R2 Serial 0/0 10.1.1.2 255.255.255.0
P2R1 Serial 0/1 10.1.2.1 255.255.255.0
FastEthernet 0/0 10.2.2.2 255.255.255.0
P2R2 Serial 0/0 10.1.2.2 255.255.255.0
TACACS+ server - 10.2.2.200 255.255.255.0

Lab Tasks
Task 1: Prepare for AAA
1. On P1R1, configure the appropriate IP addresses; refer to the IP Addresses table. Use the default
encapsulation of High-level Data Link Control (HDLC) and a clock rate of 1,000 kilobits per second
(Kbps) on the Serial 0/1 interface.
2. On P1R2, configure the appropriate IP address on the Serial 0/0 interface; refer to the IP Addresses
table.
3. From P1R1, ping the TACACS+ server (10.2.2.200) to ensure that connectivity exists. If the ping
does not succeed, you should verify the configurations you performed in the preceding steps.
4. On P1R1 and P1R2, configure RIPv2 and advertise the 10.0.0.0 network.
Task 2: Configure AAA for PPP Authentication

1. On P1R1, enable AAA.
2. Enable P1R1 to use a TACACS+ server; configure the shared key to be cisco, and set the timeout
to 15 seconds.
3. On P1R1, create a AAA rule named AAALab for PPP authentication. The rule should require that
authentication be attempted first through a TACACS+ server and then through local authentication if
the server is unavailable.
4. On P1R1, shut down the Serial 0/1 interface and enable PPP encapsulation.
5. On P1R1, specify PPP PAP authentication for the serial interface using the AAALab rule list created
earlier. Configure the PAP sent-user name to be P1R1 with a password of cisco.
6. On P1R2, configure the Serial 0/0 interface to use PPP encapsulation and configure the PAP sent
user name to be AAALab with a password of cisco. P1R1 will receive this user name and password
and forward them to the TACACS+ server for authentication.
7. On P1R2, specify PAP authentication for the serial interface. Create a user name of P1R1 with a
password of cisco. P1R2 will perform local authentication based on the PAP sent user name of
P1R1 and password of cisco transmitted by P1R1.
8. Is authentication attempted against the TACACS+ server? Is it successful? What indicates that
authentication is attempted? _______________________________________________________
9. On P1R1, verify the state of the Serial 0/1 interface. What happens to the Serial 0/1 interface after
authentication succeeds? __________________________________________________________
______________________________________________________________________________

Task 3: Configure Failover Behavior
1. On P1R1, shut down the first FastEthernet 0/0 interface.
2. On P1R1, shut down the Serial 0/1 interface, and then re-enable that interface.
3. Is authentication attempted against the TACACS+ server? Is it successful? ___________________
4. On P1R1, display the state of the Serial 0/1 interface.
5. On P1R1, shut down the Serial 0/1 interface and create a user name of AAALab with a password of
cisco.
6. On P1R1, re-enable the Serial 0/1 interface.
7. On P1R1, observe the status of the Serial 0/1 interface. What do you notice? _________________
Task 4: Perform Optional Configuration Steps

1. You can practice the steps in this lab by configuring P2R1, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon ( ) in the toolbar or by pressing Ctrl+G.

Lab Solutions
Task 1: Prepare for AAA
1. On P1R1, you should issue the following commands to configure the appropriate IP addresses using
the default encapsulation of HDLC and a clock rate of 1,000 Kbps on the Serial 0/1 interface:
P1R1(config)#interface serial 0/1

P1R1(config-if)#ip address 10.1.1.1 255.255.255.0
P1R1(config-if)#clock rate 1000000
P1R1(config-if)#no shutdown
P1R1(config-if)#interface fastethernet 0/0
2. On P1R2, you should issue the following commands to configure the appropriate IP address and
subnet mask on the Serial 0/0 interface:

3. From P1R1, a ping to the TACACS+ server (10.2.2.200) should succeed. If the ping does not
succeed, you should verify the configurations you performed in the preceding steps.
P1R1#ping 10.2.2.200
4. You should issue the following commands on P1R1 and P1R2 to configure RIPv2 and to advertise
the 10.0.0.0 network:
P1R1(config)#router rip
P1R1(config-router)#version 2
P1R1(config-router)#network 10.0.0.0
Task 2: Configure the Router for AAA Authentication

1. On P1R1, you should issue the following command to enable AAA:
P1R1(config)#aaa new-model
2. On P1R1, you should issue the following commands to enable the router to use a TACACS+ server
with a shared key set as cisco and the timeout set to 15 seconds:
P1R1(config)#tacacs-server host 10.2.2.200

P1R1(config)#tacacs-server key cisco
P1R1(config)#tacacs-server timeout 15

3. On P1R1, you should issue the following command to create a AAA rule named AAALab for PPP
authentication:
P1R1(config)#aaa authentication ppp AAALab tacacs local
4. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
enable PPP encapsulation:

P1R1(config-if)#shutdown
P1R1(config-if)#encapsulation ppp
5. On P1R1, you should issue the following commands to specify PPP PAP authentication for the
Serial 0/1 interface using the AAALab rule list created earlier, to configure the PAP sent user name
to be P1R1 with a password of cisco, and to enable the interface:
P1R1(config-if)#ppp authentication pap AAALab

P1R1(config-if)#ppp pap sent-username P1R1 password cisco
6. On P1R2, you should issue the following commands to configure the Serial 0/0 interface to use PPP
encapsulation and to configure the PAP sent user name to be AAALab with a password of cisco:

P1R2(config-if)#ppp pap sent-username AAALab password cisco
7. On P1R2, you should issue the following commands to specify PAP authentication for the serial
interface and to create a user name of P1R1 with a password of cisco:
P1R2(config-if)#ppp authentication pap

P1R2(config-if)#username P1R1 password cisco
8. Authentication is attempted against the TACACS+ server and is successful. The following message
displayed on the console of P1R2 indicates that authentication is attempted:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
9. The state of P1R1’s Serial 0/1 interface should change to up and up. You should issue the following
command to verify the state of the interface. Below is sample output:
P1R1#show ip interface brief

Interface IP-Address OK? Method Status Protocol
Serial0/0 unassigned YES unset down down
Serial0/1 10.1.1.1 YES unset up up
FastEthernet0/0 10.2.2.1 YES unset up up
FastEthernet0/1 unassigned YES unset down down

Task 3: Configure Failover Behavior
1. On P1R1, you should issue the following commands to shut down the FastEthernet 0/0 interface:
P1R1(config)#interface fastethernet 0/0

2. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and then
re-enable the interface:

3. Authentication is attempted against the TACACS+ server but fails; the local database is also
consulted, but no entry for user AAALab exists, so the authentication attempt fails.
4. You should issue the following command on P1R1 to verify the state of the Serial 0/1 interface.
Below is sample output:

Serial0/1 10.1.1.1 YES unset up down
FastEthernet0/0 10.2.2.1 YES unset administratively down down
5. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
create a user name of AAALab with a password of cisco:

P1R1(config-if)#username AAALab password cisco
6. On P1R1, you should issue the following command to enable the Serial 0/1 interface:

7. On P1R1, you should issue the following command to observe the status of the serial interface.
Authentication using the AAALab local user name and the cisco password should succeed; success
is indicated by the status of the Serial 0/1 interface changing to up and up, as shown in the sample
output below:


Task 4: Perform Optional Configuration Steps

P2R1(config-if)#clock rate 1000000
P2R1(config-if)#exit
P2R1(config-router)#exit
P2R1(config-if)#interface serial 0/1
P2R1(config)#username AAALab password cisco
P2R1(config-if)#end

Serial0/0 unassigned YES unset administratively down down


P2R2(config-router)#exit
P2R2(config)#username AAALab password cisco
P2R2(config-if)#end

Serial0/0 10.1.2.2 YES unset up down
Bri1/0 unassigned YES unset up up
Bri1/0:1 unassigned YES unset down down
Bri1/0:2 unassigned YES unset down down

Sample Configuration Scripts
P1R1 P1R1 (continued)
P1R1#show running-config interface FastEthernet0/0
Building configuration... ip address 10.2.2.1 255.255.255.0
Current configuration : 1037 bytes no ip directed-broadcast
! shutdown
Version 15.b !
service timestamps debug uptime interface FastEthernet0/1
service timestamps log uptime no ip address
no service password-encryption no ip directed-broadcast
! !
hostname P1R1 router rip
aaa new-model version 2
! network 10.0.0.0
aaa authentication ppp AAALab tacacs local !
! ip classless
username AAALab password cisco no ip http server
! !
ip subnet-zero tacacs-server host 10.2.2.200
! tacacs-server timeout 15
ip cef tacacs-server key cisco
no ip domain-lookup !
! line con 0
interface Serial0/0 line aux 0
no ip address line vty 0 4
no ip directed-broadcast login
! !
interface Serial0/1 no scheduler allocate
ip address 10.1.1.1 255.255.255.0 end
no ip directed-broadcast
clock rate 1000000
encapsulation ppp
ppp authentication pap AAALab
ppp pap sent-username P1R1 password cisco
!

P1R2 P1R2 (continued)
P1R2#show running-config interface Bri1/0
Building configuration... no ip address
Current configuration : 890 bytes no ip directed-broadcast
! !
Version 15.b interface Bri1/0:1
service timestamps debug uptime no ip address
service timestamps log uptime no ip directed-broadcast
no service password-encryption !
! interface Bri1/0:2
hostname P1R2 no ip address
! no ip directed-broadcast
username P1R1 password cisco !
! router rip
ip subnet-zero version 2
! network 10.0.0.0
ip cef !
no ip domain-lookup ip classless
! no ip http server
interface Serial0/0 !
ip address 10.1.1.2 255.255.255.0 line con 0
no ip directed-broadcast line aux 0
encapsulation ppp line vty 0 4
ppp authentication pap login
ppp pap sent-username AAALab password cisco !
! no scheduler allocate
interface FastEthernet0/0 end
no ip address
no ip directed-broadcast
!
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.

Lab 2

Cargado por

Información del documento

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

Lab 2

Cargado por

Copyright:

Formatos disponibles

Lab ID: 9.9K1116A159.DHI2.

P1R1 Switch1 P2R1

1 Boson NetSim Lab Manual

2 Boson NetSim Lab Manual

Task 2: Configure AAA for PPP Authentication

3 Boson NetSim Lab Manual

3. Is authentication attempted against the TACACS+ server? Is it successful? ___________________

4. On P1R1, display the state of the Serial 0/1 interface.

6. On P1R1, re-enable the Serial 0/1 interface.

Task 4: Perform Optional Configuration Steps

4 Boson NetSim Lab Manual

P1R1(config)#interface serial 0/1

P1R2(config)#interface serial 0/0

Task 2: Configure the Router for AAA Authentication

P1R1(config)#tacacs-server host 10.2.2.200

5 Boson NetSim Lab Manual

P1R1(config)#aaa authentication ppp AAALab tacacs local

P1R1(config)#interface serial 0/1

P1R1(config-if)#ppp authentication pap AAALab

P1R2(config)#interface serial 0/0

P1R2(config-if)#ppp authentication pap

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

P1R1#show ip interface brief

6 Boson NetSim Lab Manual

P1R1(config)#interface fastethernet 0/0

P1R1(config)#interface serial 0/1

P1R1#show ip interface brief

P1R1(config)#interface serial 0/1

P1R1(config)#interface serial 0/1

P1R1#show ip interface brief

7 Boson NetSim Lab Manual

P2R1(config)#interface serial 0/1

P2R1#show ip interface brief

8 Boson NetSim Lab Manual

P2R2(config)#interface serial 0/0

P2R1#show ip interface brief

9 Boson NetSim Lab Manual

10 Boson NetSim Lab Manual

11 Boson NetSim Lab Manual

También podría gustarte