CCNP 2: Remote Access v 3.0 - Lab 11.3.3
Copyright 2003, Cisco Systems, Inc.
Lab 11.3.3 AAA TACACS+ Server
Objective
In this lab, the student will configure AAA to use a TACACS+ server.
Scenario
The International Travel Agency (ITA) has set up and configured a Cisco Secure TACACS+ server.
ITA needs to place the routers under the control of the TACACS+ server. The host name and IP
address of the router may need to be modified.
Step 1
The host shown in the diagram can be running Cisco Secure software to provide TACACS+
services. Configure SanJose1 using the following commands as an example:
SanJose1(config)#line con 0
SanJose1(config-line)#exec-timeout 0 0
SanJose1(config-line)#password cisco
SanJose1(config-line)#logging synchronous
SanJose1(config-line)#enable password cisco
SanJose1(config)#line vty 0 4
SanJose1(config-line)#login
SanJose1(config-line)#password cisco
SanJose1(config-line)#exec-timeout 0 0
SanJose1(config-line)#line aux 0
SanJose1(config-line)#exec-timeout 0 0
SanJose1(config-line)#login
SanJose1(config-line)#password cisco
Confirm that SanJose1 can ping the TACACS+ server.
The instructor will provide the IP address of the TACACS+ server and an encryption key. This key is
required to establish a connection between the router and the server. The instructor will also provide
a username/password combination, which is already entered in the Cisco Secure database.
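The shared key mentioned above does not set up a session; it seeds the per-packet keystream that hides the TACACS+ packet body on the wire. The following is an added example (not part of the lab and not Cisco code) that implements the body obfuscation exactly as RFC 8907 section 4.5 specifies it, so that the role of the key, and its limits, are visible. The session id, version byte, sequence number, key and body are constructed sample values.

```python
"""TACACS+ packet-body obfuscation per RFC 8907 section 4.5.

pseudo_pad = MD5_1 || MD5_2 || ... truncated to len(body)
MD5_1      = MD5(session_id || key || version || seq_no)
MD5_n      = MD5(session_id || key || version || seq_no || MD5_{n-1})
body_on_wire = body XOR pseudo_pad

The shared key is the only secret in this construction; everything else
(session_id, version, seq_no) travels in the cleartext 12-byte header.
"""
import hashlib
import struct


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Derive the MD5-chained keystream for one packet (RFC 8907 4.5)."""
    # session_id is the 32-bit network-order value from the header;
    # version and seq_no are the single header bytes.
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()   # each block chains on the previous digest
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad. The same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate  # XOR with the same pad is its own inverse


# Constructed sample values standing in for a real router/server exchange.
SAMPLE_SESSION_ID = 0x1A2B3C4D
SAMPLE_VERSION = 0xC0          # major 0xC, minor 0: the version byte of a TACACS+ header
SAMPLE_SEQ_NO = 1              # first packet of the session (client -> server)
SAMPLE_KEY = b"labkey-placeholder"
SAMPLE_BODY = b"\x01\x00\x02\x01\x05\x00\x00\x00admin"  # illustrative bytes, not a parsed packet


def roundtrip_ok() -> bool:
    """Server with the matching key recovers the original body."""
    wire = obfuscate(SAMPLE_BODY, SAMPLE_SESSION_ID, SAMPLE_KEY, SAMPLE_VERSION, SAMPLE_SEQ_NO)
    return deobfuscate(wire, SAMPLE_SESSION_ID, SAMPLE_KEY, SAMPLE_VERSION, SAMPLE_SEQ_NO) == SAMPLE_BODY


def wrong_key_garbles() -> bool:
    """A mismatched 'tacacs-server key' yields an unusable body, which is
    what the router reports as a failed server exchange."""
    wire = obfuscate(SAMPLE_BODY, SAMPLE_SESSION_ID, SAMPLE_KEY, SAMPLE_VERSION, SAMPLE_SEQ_NO)
    other = deobfuscate(wire, SAMPLE_SESSION_ID, b"different-key", SAMPLE_VERSION, SAMPLE_SEQ_NO)
    return other != SAMPLE_BODY


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("wrong key garbles:", wrong_key_garbles())
```

RFC 8907 deliberately calls this obfuscation rather than encryption: the keystream is an MD5 chain seeded with public header fields plus the shared key, so the key's strength and the protection of the management network are what keep the body private. Treat the key as a credential (long, random, rotated) and keep TACACS+ traffic on a protected management path.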
Step 2
On SanJose1, enter the following configuration lines:
Note: Ask the instructor for the IP address and server key of the TACACS+ or RADIUS server.
SanJose1(config)#aaa new-model
SanJose1(config)#username admin password aaacisco
SanJose1(config)#aaa authentication login default group tacacs+ local enable
SanJose1(config)#tacacs-server host xxx.xxx.xxx.xxx
SanJose1(config)#tacacs-server key xxxxx
Exit from SanJose1 and then try to log in with the username of nobody and the password nothing.
This should fail if there is a working connection to the TACACS+ server. If the login does not fail,
reload the routers and try again.
After the login using nobody fails, log in as the user assigned by the instructor. This login should
work, indicating that SanJose1 has successfully queried the TACACS+ server, and authenticated
using the username and password.
1. If none of the valid username/password combinations stored on the TACACS+ server were
known, how can access be gained to the router?
__________________________________________________________________________
Simulate a network outage by disconnecting the cable from SanJose1’s Fast Ethernet interface.
Attempt to log in to the router a second time through the console port.
2. Because the attempt to query the TACACS+ server by the router will fail, which authentication
method should be used? Why?
__________________________________________________________________________
When attempting to log in, SanJose1 will try to query the TACACS+ server first. Because the
network connection to the server is unavailable, this query returns an error. The second method of
authentication defined by the aaa authentication command specifies that the local database
should be consulted next. Therefore, authentication as admin using the password aaacisco should
now be available.
Once authenticated, enter the following command on SanJose1:
SanJose1(config)#no username admin password aaacisco
3. If no TCP/IP connection to the TACACS+ server is available, and no local username/password
database exists on the router, which authentication method will be used? Why?
__________________________________________________________________________
Exit the console session on SanJose1 and log back in again. After the TACACS+ query times out, there
will be a prompt for a username. Enter the username admin. When prompted for a password, enter the
password of aaacisco. This authentication attempt will return an error, because there is no local
username/password database. Remember, an error is not the same as an authentication failure. A
failure occurs when the authentication method is operational, but the username/password
combination is found to be invalid.
There is a third method of authentication defined by the aaa authentication command. This
specifies that the enable password, or secret, if it exists, should be used in the event the first two
authentication methods return an error.
The router can be accessed by using the enable password, cisco.
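The whole lab turns on one rule of the aaa authentication method list: IOS moves to the next method only when the current one returns an error (server unreachable, no local database, no enable password), never when it returns a failure (method reachable, credentials rejected). The following is an added model of that rule, not IOS code and not part of the lab, written to walk the three scenarios above. The TACACS+ user "student"/"labpass" is a placeholder for the account the instructor assigns; the local entry admin/aaacisco and the enable password cisco are the lab's own values. The local method is modelled only as far as the lab describes it: an empty local database is an error and any other mismatch is a failure.

```python
"""Model of IOS AAA method-list fallback for:

    aaa authentication login default group tacacs+ local enable

Each method returns PASS, FAIL or ERROR. Only ERROR advances to the next
method; PASS or FAIL ends the attempt. Constructed model, not IOS code.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed credential stores standing in for the lab's data.
TACACS_DB = {"student": "labpass"}   # placeholder for the instructor-assigned account
LOCAL_DB = {"admin": "aaacisco"}      # from 'username admin password aaacisco'
ENABLE_PASSWORD = "cisco"             # from 'enable password cisco'


def tacacs_method(user, pw, server_reachable, db=TACACS_DB):
    """group tacacs+: unreachable server is an ERROR; rejected credentials are a FAIL."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if db.get(user) == pw else Result.FAIL


def local_method(user, pw, db):
    """local: no username entries at all is an ERROR (the lab's 'no username' case)."""
    if not db:
        return Result.ERROR
    return Result.PASS if db.get(user) == pw else Result.FAIL


def enable_method(pw, enable_pw):
    """enable: no enable password/secret configured is an ERROR."""
    if enable_pw is None:
        return Result.ERROR
    return Result.PASS if pw == enable_pw else Result.FAIL


def authenticate(user, pw, *, server_reachable=True, local_db=LOCAL_DB,
                 enable_pw=ENABLE_PASSWORD):
    """Walk the method list; return (final result, method that decided)."""
    methods = [
        ("group tacacs+", lambda: tacacs_method(user, pw, server_reachable)),
        ("local", lambda: local_method(user, pw, local_db)),
        ("enable", lambda: enable_method(pw, enable_pw)),
    ]
    for name, run in methods:
        result = run()
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None   # every method errored: access is denied


if __name__ == "__main__":
    # Step 2: server reachable, bogus credentials -> FAIL from tacacs+, no fallback to local
    print(authenticate("nobody", "nothing"))
    # instructor-assigned account accepted by the server
    print(authenticate("student", "labpass"))
    # question 2: cable pulled -> tacacs+ ERROR, local database answers
    print(authenticate("admin", "aaacisco", server_reachable=False))
    # question 3: cable pulled and 'no username admin' -> local ERROR too, enable decides
    print(authenticate("admin", "cisco", server_reachable=False, local_db={}))
```

The point to take from the first call is the one the lab's "nobody" test checks: a reachable TACACS+ server that rejects credentials ends the attempt, so the local admin/aaacisco entry is never consulted while the server is up. Note also that with local and enable trailing the list, a severed management network quietly downgrades the router to static passwords; monitoring TACACS+ reachability from the server side is how that condition gets noticed.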