
Lab ID: 9.9K1116A159.DHI2.

AAA Authentication
Objective
Configure P1R1 to use a Terminal Access Controller Access Control System Plus (TACACS+) server to
authenticate P1R2 as it attempts to establish a Point-to-Point Protocol (PPP) connection with Password
Authentication Protocol (PAP) authentication across the serial link.

Lab Topology
The topology diagram below represents the NetMap in the Simulator. The TACACS+ server is located on
the Ethernet backbone at 10.2.2.200. For this lab, you will be responsible for configuring P1R1 and P1R2.

[Topology diagram: P1R2 Serial 0/0 (10.1.1.2/24) connects through the Frame Relay cloud to P1R1 Serial 0/1 (10.1.1.1/24); P2R2 Serial 0/0 (10.1.2.2/24) connects through the same cloud to P2R1 Serial 0/1 (10.1.2.1/24); P1R2 BRI1/0 and P2R2 BRI1/0 are joined by an ISDN link; P1R1 FastEthernet 0/0 (10.2.2.1/24), P2R1 FastEthernet 0/0 (10.2.2.2/24) and the TACACS+ server (10.2.2.200/24) are attached to Switch1 on the Ethernet backbone.]

Command Summary

aaa authentication ppp authentication-list tacacs local
    configures TACACS authentication to be used first; if it errors out, then the local user database is used for authentication
aaa new-model
    enables the Authentication, Authorization, and Accounting (AAA) model
clock rate clock-rate
    sets the clock rate for a Data Communications Equipment (DCE) interface
configure terminal
    enters global configuration mode from privileged EXEC mode
enable
    enters privileged EXEC mode
encapsulation ppp
    enables PPP encapsulation
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
interface type number
    changes from global configuration mode to interface configuration mode
ip address ip-address subnet-mask
    assigns an IP address to an interface
network network-address
    activates the specified routing protocol on the specified network
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
ppp authentication pap [authentication-list]
    enables PAP authentication
ppp pap sent-username user-name password password
    determines which user name and password combination PAP sends as part of its authentication process
router rip
    enables Routing Information Protocol (RIP) routing
show ip interface brief
    displays a brief summary of interface status and configuration
show running-config
    displays the active configuration file
shutdown; no shutdown
    disables an interface; enables an interface
tacacs-server host ip-address
    identifies the TACACS+ server
tacacs-server key shared-key
    identifies the password required to use the TACACS+ server for AAA
tacacs-server timeout seconds
    sets the response timeout value in seconds
username name password password
    creates a local user name and password pair
version 2
    enables RIP version 2 (RIPv2)

1 Boson NetSim Lab Manual

The IP addresses and subnet masks used in this lab are shown in the table below:

IP Addresses
Device          Interface          IP Address    Subnet Mask
P1R1            Serial 0/1         10.1.1.1      255.255.255.0
P1R1            FastEthernet 0/0   10.2.2.1      255.255.255.0
P1R2            Serial 0/0         10.1.1.2      255.255.255.0
P2R1            Serial 0/1         10.1.2.1      255.255.255.0
P2R1            FastEthernet 0/0   10.2.2.2      255.255.255.0
P2R2            Serial 0/0         10.1.2.2      255.255.255.0
TACACS+ server  -                  10.2.2.200    255.255.255.0



Lab Tasks
Task 1: Prepare for AAA
1. On P1R1, configure the appropriate IP addresses; refer to the IP Addresses table. Use the default
encapsulation of High-level Data Link Control (HDLC) and a clock rate of 1,000 kilobits per second
(Kbps) on the Serial 0/1 interface.

2. On P1R2, configure the appropriate IP address on the Serial 0/0 interface; refer to the IP Addresses
table.

3. From P1R1, ping the TACACS+ server (10.2.2.200) to ensure that connectivity exists. If the ping
does not succeed, you should verify the configurations you performed in the preceding steps.

4. On P1R1 and P1R2, configure RIPv2 and advertise the 10.0.0.0 network.

Task 2: Configure AAA for PPP Authentication

1. On P1R1, enable AAA.

2. Enable P1R1 to use a TACACS+ server; configure the shared key to be cisco, and set the timeout
to 15 seconds.

3. On P1R1, create an AAA rule named AAALab for PPP authentication. The rule should require that
authentication be attempted first through a TACACS+ server and then through local authentication if
the server is unavailable.

4. On P1R1, shut down the Serial 0/1 interface and enable PPP encapsulation.

5. On P1R1, specify PPP PAP authentication for the serial interface using the AAALab rule list created
earlier. Configure the PAP sent-user name to be P1R1 with a password of cisco.

6. On P1R2, configure the Serial 0/0 interface to use PPP encapsulation and configure the PAP sent
user name to be AAALab with a password of cisco. P1R1 will receive this user name and password
and forward them to the TACACS+ server for authentication.

7. On P1R2, specify PAP authentication for the serial interface. Create a user name of P1R1 with a
password of cisco. P1R2 will perform local authentication based on the PAP sent user name of
P1R1 and password of cisco transmitted by P1R1.

8. Is authentication attempted against the TACACS+ server? Is it successful? What indicates that
authentication is attempted? _______________________________________________________

9. On P1R1, verify the state of the Serial 0/1 interface. What happens to the Serial 0/1 interface after
authentication succeeds? __________________________________________________________
______________________________________________________________________________



Task 3: Configure Failover Behavior
1. On P1R1, shut down the FastEthernet 0/0 interface.

2. On P1R1, shut down the Serial 0/1 interface, and then re-enable that interface.

3. Is authentication attempted against the TACACS+ server? Is it successful? ___________________

4. On P1R1, display the state of the Serial 0/1 interface.

5. On P1R1, shut down the Serial 0/1 interface and create a user name of AAALab with a password of
cisco.

6. On P1R1, re-enable the Serial 0/1 interface.

7. On P1R1, observe the status of the Serial 0/1 interface. What do you notice? _________________

Task 4: Perform Optional Configuration Steps

1. You can practice the steps in this lab by configuring P2R1, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.

2. You can practice the steps in this lab by configuring P2R2, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.

Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.



Lab Solutions
Task 1: Prepare for AAA
1. On P1R1, you should issue the following commands to configure the appropriate IP addresses using
the default encapsulation of HDLC and a clock rate of 1,000 Kbps on the Serial 0/1 interface:

P1R1(config)#interface serial 0/1
P1R1(config-if)#ip address 10.1.1.1 255.255.255.0
P1R1(config-if)#clock rate 1000000
P1R1(config-if)#no shutdown
P1R1(config-if)#interface fastethernet 0/0
P1R1(config-if)#ip address 10.2.2.1 255.255.255.0
P1R1(config-if)#no shutdown

2. On P1R2, you should issue the following commands to configure the appropriate IP address and
subnet mask on the Serial 0/0 interface:

P1R2(config)#interface serial 0/0
P1R2(config-if)#ip address 10.1.1.2 255.255.255.0
P1R2(config-if)#no shutdown

3. From P1R1, a ping to the TACACS+ server (10.2.2.200) should succeed. If the ping does not
succeed, you should verify the configurations you performed in the preceding steps.

P1R1#ping 10.2.2.200

4. You should issue the following commands on P1R1 and P1R2 to configure RIPv2 and to advertise
the 10.0.0.0 network:

P1R1(config)#router rip
P1R1(config-router)#version 2
P1R1(config-router)#network 10.0.0.0

P1R2(config)#router rip
P1R2(config-router)#version 2
P1R2(config-router)#network 10.0.0.0

Task 2: Configure the Router for AAA Authentication

1. On P1R1, you should issue the following command to enable AAA:

P1R1(config)#aaa new-model

2. On P1R1, you should issue the following commands to enable the router to use a TACACS+ server
with a shared key set as cisco and the timeout set to 15 seconds:

P1R1(config)#tacacs-server host 10.2.2.200
P1R1(config)#tacacs-server key cisco
P1R1(config)#tacacs-server timeout 15



3. On P1R1, you should issue the following command to create an AAA rule named AAALab for PPP
authentication:

P1R1(config)#aaa authentication ppp AAALab tacacs local

4. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
enable PPP encapsulation:

P1R1(config)#interface serial 0/1
P1R1(config-if)#shutdown
P1R1(config-if)#encapsulation ppp

5. On P1R1, you should issue the following commands to specify PPP PAP authentication for the
Serial 0/1 interface using the AAALab rule list created earlier, to configure the PAP sent user name
to be P1R1 with a password of cisco, and to enable the interface:

P1R1(config-if)#ppp authentication pap AAALab
P1R1(config-if)#ppp pap sent-username P1R1 password cisco
P1R1(config-if)#no shutdown

6. On P1R2, you should issue the following commands to configure the Serial 0/0 interface to use PPP
encapsulation and to configure the PAP sent user name to be AAALab with a password of cisco:

P1R2(config)#interface serial 0/0
P1R2(config-if)#encapsulation ppp
P1R2(config-if)#ppp pap sent-username AAALab password cisco

7. On P1R2, you should issue the following commands to specify PAP authentication for the serial
interface and to create a user name of P1R1 with a password of cisco:

P1R2(config-if)#ppp authentication pap
P1R2(config-if)#username P1R1 password cisco

8. Authentication is attempted against the TACACS+ server and is successful. The following message
displayed on the console of P1R2 indicates that authentication is attempted:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

9. The state of P1R1’s Serial 0/1 interface should change to up and up. You should issue the following
command to verify the state of the interface. Below is sample output:

P1R1#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        unassigned   YES unset  down                  down
Serial0/1        10.1.1.1     YES unset  up                    up
FastEthernet0/0  10.2.2.1     YES unset  up                    up
FastEthernet0/1  unassigned   YES unset  down                  down



Task 3: Configure Failover Behavior
1. On P1R1, you should issue the following commands to shut down the FastEthernet 0/0 interface:

P1R1(config)#interface fastethernet 0/0
P1R1(config-if)#shutdown

2. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and then
re-enable the interface:

P1R1(config)#interface serial 0/1
P1R1(config-if)#shutdown
P1R1(config-if)#no shutdown

3. Authentication is attempted against the TACACS+ server, but the server is unreachable because the
FastEthernet 0/0 interface is shut down, so the attempt errors out; the local database is consulted next,
but no entry for user AAALab exists, so the authentication attempt fails.

4. You should issue the following command on P1R1 to verify the state of the Serial 0/1 interface.
Below is sample output:

P1R1#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        unassigned   YES unset  down                  down
Serial0/1        10.1.1.1     YES unset  up                    down
FastEthernet0/0  10.2.2.1     YES unset  administratively down down
FastEthernet0/1  unassigned   YES unset  down                  down

5. On P1R1, you should issue the following commands to shut down the Serial 0/1 interface and to
create a user name of AAALab with a password of cisco:

P1R1(config)#interface serial 0/1
P1R1(config-if)#shutdown
P1R1(config-if)#exit
P1R1(config)#username AAALab password cisco

6. On P1R1, you should issue the following command to enable the Serial 0/1 interface:

P1R1(config)#interface serial 0/1
P1R1(config-if)#no shutdown

7. On P1R1, you should issue the following command to observe the status of the serial interface.
Authentication using the AAALab local user name and the cisco password should succeed; success
is indicated by the status of the Serial 0/1 interface changing to up and up, as shown in the sample
output below:

P1R1#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        unassigned   YES unset  down                  down
Serial0/1        10.1.1.1     YES unset  up                    up
FastEthernet0/0  10.2.2.1     YES unset  administratively down down
FastEthernet0/1  unassigned   YES unset  down                  down
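The three outcomes above (Task 2 step 8 and Task 3 steps 3 and 7) follow from how the method list in aaa authentication ppp AAALab tacacs local is walked. The Python below is an added example, not Boson's or Cisco's code; it assumes that the router moves to the next method only when the previous one errors out (server unreachable or timed out), never when the server rejects the credentials, and it uses a constructed TACACS+ user entry for AAALab.

```python
# Added example (not Boson's or Cisco's code): models how the method list
# "aaa authentication ppp AAALab tacacs local" decides a PAP attempt on P1R1.
# Assumed semantics: the next method is tried only after an ERROR
# (server unreachable / timed out), never after a FAIL (server rejected).
from dataclasses import dataclass, field

@dataclass
class TacacsServer:
    users: dict              # constructed user database on 10.2.2.200
    reachable: bool = True   # False once P1R1's FastEthernet 0/0 is shut
    def authenticate(self, user, password):
        """Return 'PASS', 'FAIL' or 'ERROR' (no reply before the timeout)."""
        if not self.reachable:
            return "ERROR"   # expires after 'tacacs-server timeout 15'
        return "PASS" if self.users.get(user) == password else "FAIL"

@dataclass
class Router:
    method_list: list        # ["tacacs", "local"] from the AAALab rule
    tacacs: TacacsServer
    local_users: dict = field(default_factory=dict)  # 'username ... password'
    def local_auth(self, user, password):
        return "PASS" if self.local_users.get(user) == password else "FAIL"
    def ppp_pap_authenticate(self, user, password):
        """Walk the method list: stop on PASS or FAIL, continue on ERROR."""
        trace = []
        for method in self.method_list:
            if method == "tacacs":
                result = self.tacacs.authenticate(user, password)
            elif method == "local":
                result = self.local_auth(user, password)
            else:
                raise ValueError(f"unknown method {method!r}")
            trace.append((method, result))
            if result != "ERROR":
                break
        # If every method errored, the attempt is treated as failed.
        final = trace[-1][1] if trace and trace[-1][1] != "ERROR" else "FAIL"
        return final, trace

def lab_scenarios():
    """Replay Task 2 step 8 and Task 3 steps 3 and 7 as seen by P1R1."""
    server = TacacsServer(users={"AAALab": "cisco"})
    p1r1 = Router(["tacacs", "local"], server)
    outcomes = {}
    # Task 2 step 8: server reachable, P1R2 sends AAALab / cisco.
    outcomes["task2_step8"] = p1r1.ppp_pap_authenticate("AAALab", "cisco")
    # Task 3 step 3: FastEthernet 0/0 shut down, no local user yet.
    server.reachable = False
    outcomes["task3_step3"] = p1r1.ppp_pap_authenticate("AAALab", "cisco")
    # Task 3 step 7: 'username AAALab password cisco' added on P1R1.
    p1r1.local_users["AAALab"] = "cisco"
    outcomes["task3_step7"] = p1r1.ppp_pap_authenticate("AAALab", "cisco")
    return outcomes
```

The trace returned with each outcome shows which method actually decided the attempt, which is the detail the interface status alone does not reveal.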



Task 4: Perform Optional Configuration Steps
1. You can practice the steps in this lab by configuring P2R1, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.

P2R1(config)#interface serial 0/1
P2R1(config-if)#ip address 10.1.2.1 255.255.255.0
P2R1(config-if)#clock rate 1000000
P2R1(config-if)#no shutdown
P2R1(config-if)#interface fastethernet 0/0
P2R1(config-if)#ip address 10.2.2.2 255.255.255.0
P2R1(config-if)#no shutdown
P2R1(config-if)#exit
P2R1(config)#router rip
P2R1(config-router)#version 2
P2R1(config-router)#network 10.0.0.0
P2R1(config-router)#exit
P2R1(config)#aaa new-model
P2R1(config)#tacacs-server host 10.2.2.200
P2R1(config)#tacacs-server key cisco
P2R1(config)#tacacs-server timeout 15
P2R1(config)#aaa authentication ppp AAALab tacacs local
P2R1(config)#interface serial 0/1
P2R1(config-if)#shutdown
P2R1(config-if)#encapsulation ppp
P2R1(config-if)#ppp authentication pap AAALab
P2R1(config-if)#ppp pap sent-username P2R1 password cisco
P2R1(config-if)#interface fastethernet 0/0
P2R1(config-if)#shutdown
P2R1(config-if)#interface serial 0/1
P2R1(config-if)#shutdown
P2R1(config-if)#exit
P2R1(config)#username AAALab password cisco
P2R1(config)#interface serial 0/1
P2R1(config-if)#no shutdown
P2R1(config-if)#end

P2R1#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        unassigned   YES unset  administratively down down
Serial0/1        10.1.2.1     YES unset  up                    up
FastEthernet0/0  10.2.2.2     YES unset  administratively down down
FastEthernet0/1  unassigned   YES unset  down                  down



2. You can practice the steps in this lab by configuring P2R2, substituting the host name where
appropriate and using the information contained in the IP Addresses table. The configuration is not
graded as part of this lab.

P2R2(config)#interface serial 0/0
P2R2(config-if)#ip address 10.1.2.2 255.255.255.0
P2R2(config-if)#no shutdown
P2R2(config-if)#exit
P2R2(config)#router rip
P2R2(config-router)#version 2
P2R2(config-router)#network 10.0.0.0
P2R2(config-router)#exit
P2R2(config)#aaa new-model
P2R2(config)#tacacs-server host 10.2.2.200
P2R2(config)#tacacs-server key cisco
P2R2(config)#tacacs-server timeout 15
P2R2(config)#aaa authentication ppp AAALab tacacs local
P2R2(config)#interface serial 0/0
P2R2(config-if)#shutdown
P2R2(config-if)#encapsulation ppp
P2R2(config-if)#ppp authentication pap AAALab
P2R2(config-if)#ppp pap sent-username P2R2 password cisco
P2R2(config-if)#no shutdown
P2R2(config-if)#interface serial 0/0
P2R2(config-if)#shutdown
P2R2(config-if)#exit
P2R2(config)#username AAALab password cisco
P2R2(config)#interface serial 0/0
P2R2(config-if)#no shutdown
P2R2(config-if)#end

P2R2#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        10.1.2.2     YES unset  up                    down
FastEthernet0/0  unassigned   YES unset  down                  down
FastEthernet0/1  unassigned   YES unset  down                  down
Bri1/0           unassigned   YES unset  up                    up
Bri1/0:1         unassigned   YES unset  down                  down
Bri1/0:2         unassigned   YES unset  down                  down



Sample Configuration Scripts

P1R1

P1R1#show running-config
Building configuration...
Current configuration : 1037 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1R1
aaa new-model
!
aaa authentication ppp AAALab tacacs local
!
username AAALab password cisco
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface Serial0/0
no ip address
no ip directed-broadcast
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
clock rate 1000000
encapsulation ppp
ppp authentication pap AAALab
ppp pap sent-username P1R1 password cisco
!
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
shutdown
!
interface FastEthernet0/1
no ip address
no ip directed-broadcast
!
router rip
version 2
network 10.0.0.0
!
ip classless
no ip http server
!
tacacs-server host 10.2.2.200
tacacs-server timeout 15
tacacs-server key cisco
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

P1R2

P1R2#show running-config
Building configuration...
Current configuration : 890 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1R2
!
username P1R1 password cisco
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
ppp authentication pap
ppp pap sent-username AAALab password cisco
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
!
interface Bri1/0
no ip address
no ip directed-broadcast
!
interface Bri1/0:1
no ip address
no ip directed-broadcast
!
interface Bri1/0:2
no ip address
no ip directed-broadcast
!
router rip
version 2
network 10.0.0.0
!
ip classless
no ip http server
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
