AAA Authentication
Objective
Configure P1R1 to use a Terminal Access Controller Access Control System Plus (TACACS+) server to
authenticate P1R2 as it attempts to establish a Point-to-Point Protocol (PPP) connection with Password
Authentication Protocol (PAP) authentication across the serial link.
Lab Topology
The topology diagram below represents the NetMap in the Simulator. The TACACS+ server is located on
the Ethernet backbone at 10.2.2.200. For this lab, you will be responsible for configuring P1R1 and P1R2.
[Topology diagram: P1R1 Serial 0/1 (10.1.1.1/24) connects over the serial link (labelled Frame Relay) to P1R2 Serial 0/0 (10.1.1.2/24); P2R1 Serial 0/1 (10.1.2.1/24) connects the same way to P2R2 Serial 0/0 (10.1.2.2/24); P1R2 and P2R2 also have BRI1/0 interfaces on an ISDN cloud; the TACACS+ server (10.2.2.200/24) sits on the Ethernet backbone.]
Command Summary
Command                                                  Description
aaa authentication ppp authentication-list tacacs local  configures TACACS authentication to be used first; if it errors out, then the local user database is used for authentication
aaa new-model                                            enables the Authentication, Authorization, and Accounting (AAA) model
clock rate clock-rate                                    sets the clock rate for a Data Communications Equipment (DCE) interface
The IP addresses and subnet masks used in this lab are shown in the table below:
IP Addresses
Device          Interface         IP Address    Subnet Mask
P1R1            Serial 0/1        10.1.1.1      255.255.255.0
P1R1            FastEthernet 0/0  10.2.2.1      255.255.255.0
P1R2            Serial 0/0        10.1.1.2      255.255.255.0
P2R1            Serial 0/1        10.1.2.1      255.255.255.0
P2R1            FastEthernet 0/0  10.2.2.2      255.255.255.0
P2R2            Serial 0/0        10.1.2.2      255.255.255.0
TACACS+ server  -                 10.2.2.200    255.255.255.0
2. On P1R2, configure the appropriate IP address on the Serial 0/0 interface; refer to the IP Addresses
table.
3. From P1R1, ping the TACACS+ server (10.2.2.200) to ensure that connectivity exists. If the ping
does not succeed, you should verify the configurations you performed in the preceding steps.
4. On P1R1 and P1R2, configure RIPv2 and advertise the 10.0.0.0 network.
2. Enable P1R1 to use a TACACS+ server; configure the shared key to be cisco, and set the timeout
to 15 seconds.
3. On P1R1, create an AAA rule named AAALab for PPP authentication. The rule should require that
authentication be attempted first through a TACACS+ server and then through local authentication if
the server is unavailable.
4. On P1R1, shut down the Serial 0/1 interface and enable PPP encapsulation.
5. On P1R1, specify PPP PAP authentication for the serial interface using the AAALab rule list created
earlier. Configure the PAP sent-user name to be P1R1 with a password of cisco.
6. On P1R2, configure the Serial 0/0 interface to use PPP encapsulation and configure the PAP sent
user name to be AAALab with a password of cisco. P1R1 will receive this user name and password
and forward them to the TACACS+ server for authentication.
7. On P1R2, specify PAP authentication for the serial interface. Create a user name of P1R1 with a
password of cisco. P1R2 will perform local authentication based on the PAP sent user name of
P1R1 and password of cisco transmitted by P1R1.
8. Is authentication attempted against the TACACS+ server? Is it successful? What indicates that
authentication is attempted? _______________________________________________________
9. On P1R1, verify the state of the Serial 0/1 interface. What happens to the Serial 0/1 interface after
authentication succeeds? __________________________________________________________
______________________________________________________________________________
2. On P1R1, shut down the Serial 0/1 interface, and then re-enable that interface.
5. On P1R1, shut down the Serial 0/1 interface and create a user name of AAALab with a password of
cisco.
7. On P1R1, observe the status of the Serial 0/1 interface. What do you notice? _________________
2. You can practice the steps in this lab by configuring P2R2, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.
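The full configuration that Parts 2 and 3 call for, written out here as an added example; it is the editor's illustration, not the lab's answer key or Boson's own material. It assumes the legacy `tacacs-server host` syntax (newer IOS releases configure the server under `tacacs server <name>` with `address ipv4` and `key`), and it writes the method as `group tacacs+`, the current IOS form of the `tacacs` keyword shown in the Command Summary. The verification commands at the end are the checks a practitioner would run after each part.

```cisco
! --- P1R1: the authenticating side (Part 2) ---
! Added example, not the lab's answer key. Legacy tacacs-server syntax assumed.
aaa new-model
tacacs-server host 10.2.2.200 key cisco
tacacs-server timeout 15
! Method list AAALab: ask TACACS+ first; fall through to the local database only
! when the server does not answer (ERROR). A rejection by the server (FAIL) is final.
aaa authentication ppp AAALab group tacacs+ local
interface Serial0/1
 shutdown
 encapsulation ppp
 ppp authentication pap AAALab
 ppp pap sent-username P1R1 password cisco
 no shutdown

! --- P1R2: the peer side (Part 2) ---
! No aaa new-model here, so "ppp authentication pap" checks the local username database.
username P1R1 password cisco
interface Serial0/0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username AAALab password cisco

! --- P1R1: local fallback account used in Part 3 ---
! With the server unreachable, the method list reaches "local"; this entry lets it succeed.
username AAALab password cisco

! --- Verification (privileged EXEC) ---
! show interfaces Serial0/1   -> "Serial0/1 is up, line protocol is up" once PAP succeeds
! debug ppp authentication    -> shows the PAP request and ack/nak on the link
! debug aaa authentication    -> shows which method (tacacs+ or local) handled the request
! show tacacs                 -> server reachability and request/failure counters
```

Two points worth keeping in mind when reading the debug output. First, the `local` method is consulted only when the TACACS+ method errors out (no reachable server), exactly as the Command Summary states; a server that is reachable and rejects the credentials ends the attempt. Second, PAP carries the sent-username and password across the link unencrypted, so the `cisco` password in this lab is visible to anything that can see the serial frames.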
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
2. On P1R2, you should issue the following commands to configure the appropriate IP address and
subnet mask on the Serial 0/0 interface:
3. From P1R1, a ping to the TACACS+ server (10.2.2.200) should succeed. If the ping does not
succeed, you should verify the configurations you performed in the preceding steps.
P1R1#ping 10.2.2.200
4. You should issue the following commands on P1R1 and P1R2 to configure RIPv2 and to advertise
the 10.0.0.0 network:
P1R1(config)#router rip
P1R1(config-router)#version 2
P1R1(config-router)#network 10.0.0.0
P1R2(config)#router rip
P1R2(config-router)#version 2
P1R2(config-router)#network 10.0.0.0
P1R1(config)#aaa new-model
2. On P1R1, you should issue the following commands to enable the router to use a TACACS+ server
with a shared key set as cisco and the timeout set to 15 seconds:
4. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
enable PPP encapsulation:
5. On P1R1, you should issue the following commands to specify PPP PAP authentication for the
Serial 0/1 interface using the AAALab rule list created earlier, to configure the PAP sent user name
to be P1R1 with a password of cisco, and to enable the interface:
6. On P1R2, you should issue the following commands to configure the Serial 0/0 interface to use PPP
encapsulation and to configure the PAP sent user name to be AAALab with a password of cisco:
7. On P1R2, you should issue the following commands to specify PAP authentication for the serial
interface and to create a user name of P1R1 with a password of cisco:
8. Authentication is attempted against the TACACS+ server and is successful. The following message
displayed on the console of P1R2 indicates that authentication is attempted:
9. The state of P1R1’s Serial 0/1 interface should change to up and up. You should issue the following
command to verify the state of the interface. Below is sample output:
2. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and then
re-enable the interface:
3. Authentication is attempted against the TACACS+ server but fails; the local database is also
consulted, but no entry for user AAALab exists, so the authentication attempt fails.
4. You should issue the following command on P1R1 to verify the state of the Serial 0/1 interface.
Below is sample output:
5. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
create a user name of AAALab with a password of cisco:
6. On P1R1, you should issue the following command to enable the Serial 0/1 interface:
7. On P1R1, you should issue the following command to observe the status of the serial interface.
Authentication using the AAALab local user name and the cisco password should succeed; success
is indicated by the status of the Serial 0/1 interface changing to up and up, as shown in the sample
output below:
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.