Published June 11, 2018 by with 0 comments

CCNP-ISCW-v5.0 Lab 5-6: Configuring AAA Using Local Authentication


Lab5-6c.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.6c Configuring AAA Using Local Authentication
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-6c/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc = 0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router R1]]
 model = 3725
 console = 2001
 f0/0 = NIO_linux_eth:eth0

Scenario
In this lab, you will configure a local username database with AAA. Host’s job will only be to access R1; most of the configuration will be done on R1.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host R1


Step 1: Configure the interface
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.100.214 255.255.255.192
R1(config-if)#no shutdown

R1#ping 192.168.100.213

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.213, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms


Step 2: Configure the Local User Database
R1(config)#username cisco password cisco


Step 3: Implement AAA Services
If you were using an authentication method that relies on a remote server, such as TACACS+ or RADIUS, you would configure a secondary authentication method as a fallback for when the server is unreachable. Normally, the secondary method is the local database. Here the fallback after the local database is none: if no usernames are configured in the local database, the local method returns an error rather than a rejection, the router falls through to none, and all users are allowed login access to the device.
R1(config)#aaa new-model
R1(config)#aaa authentication login default local none

Next, create a unique authentication list for Telnet access to the router. This does not have the fallback of no authentication, so if there are no usernames in the local database, Telnet access is disabled.
R1(config)#aaa authentication login Telnet_lines local
R1(config)#line vty 0 4
R1(config-line)#login authentication Telnet_lines

Verify that this authentication list is used by opening a Telnet session from Host to R1.
C:\>telnet 192.168.100.217

User Access Verification

Username: cisco
Password: cisco

R1>
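The difference between the two method lists in this step is easy to get wrong, so here is an added check (example code written for this post, not part of the Cisco lab): it parses the AAA lines of R1's configuration and walks each line's method list the way IOS does, showing that "default local none" grants access when the local database is empty while "Telnet_lines local" locks Telnet out instead. The sample configuration is constructed from the lab's final config; how an undefined list and the remote-server methods are treated are assumptions noted in the comments.

```python
import re

# Constructed sample, not a device capture: the AAA-relevant lines of R1's final config.
R1_CONFIG = """\
aaa new-model
aaa authentication login default local none
aaa authentication login Telnet_lines local
username cisco password cisco
line con 0
line vty 0 4
 login authentication Telnet_lines
"""

def parse_config(config):
    """Return (login method lists, local users, list name bound to each line block)."""
    lists, users, lines, block = {}, {}, {}, None
    for raw in config.splitlines():
        if m := re.match(r"aaa authentication login (\S+) (.+)", raw):
            lists[m[1]] = m[2].split()
        elif m := re.match(r"username (\S+) password (\S+)", raw):
            users[m[1]] = m[2]
        elif raw.startswith("line "):
            block = raw[5:]
            lines[block] = "default"      # IOS applies 'default' unless a list is bound
        elif block and raw.startswith(" login authentication "):
            lines[block] = raw.split()[2]
        elif not raw.startswith(" "):
            block = None                  # another top-level command ends the block
    return lists, users, lines

def try_login(methods, users, username, password):
    """Walk a method list as IOS does: ERROR moves to the next method, REJECT stops."""
    for method in methods:                # tacacs+/radius: assumed unreachable (ERROR)
        if method == "none":
            return "accept"               # no credential check at all
        if method == "local" and users:   # empty database is an ERROR, so fall through
            return "accept" if users.get(username) == password else "reject"
    return "reject"                       # every method errored out, nothing granted

def audit(config):
    """Per line block: outcome with an empty local database, and with a wrong password."""
    lists, users, lines = parse_config(config)
    report = {}
    for block, name in lines.items():
        methods = lists.get(name, ["local"])  # undefined list: treated as 'local' (assumption)
        report[block] = {"methods": methods,
                         "empty_db": try_login(methods, {}, "x", "x"),
                         "bad_password": try_login(methods, users, "cisco", "wrong")}
    return report
```

Run audit(R1_CONFIG): the console line (default list) reports "accept" with an empty database, the vty lines (Telnet_lines) report "reject".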


Final Configurations
R1:
hostname R1
!
aaa new-model
!
aaa authentication login default local none
aaa authentication login Telnet_lines local
!
no ip domain lookup
!
username cisco password cisco
!
interface FastEthernet0/0
 ip address 192.168.100.214 255.255.255.192
 no shutdown
!
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login authentication Telnet_lines
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.11.09 / 2018.06.11
