
1 - 3 

CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-6c 

Copyright 

© 2007, Cisco Systems, Inc 

Lab 5.6c Configuring AAA Using Local Authentication 

Learning Objectives 

•  Create a local user database on a router 

•  Configure AAA on a router 

Topology Diagram 

 

Scenario 

In this lab, you will configure a local username database with AAA. R2’s job will 
only be to access R1; most of the configuration will be done on R1. 

Step 1: Configure the Interface 

Configure the physical interface on R1 and R2 with the IP addresses shown in 
the topology diagram. Issue the no shutdown command to activate the 
interface. 

 
R1(config)# interface fastethernet0/0 
R1(config-if)# ip address 192.168.10.1 255.255.255.0 
R1(config-if)# no shutdown 
 
R2(config)# interface fastethernet0/0 
R2(config-if)# ip address 192.168.10.2 255.255.255.0 
R2(config-if)# no shutdown 

Step 2: Configure the Local User Database 

On R1, configure a user account in the local user database with the username 
and password of “cisco” using the username username password password 
command in global configuration mode. 

 
R1(config)# username cisco password cisco 

Step 3: Implement AAA Services 

On R1, enable authentication, authorization, and accounting (AAA) services 
with the global configuration command aaa new-model. Since you are 
implementing local authentication, use local authentication as the first method 
and no authentication as the secondary method. Create the default login 
authentication list by issuing the aaa authentication login default methods 
command with a method list using the local and none keywords.  

If you were using an authentication method with a remote server, such as 
TACACS+ or RADIUS, you would configure a secondary authentication method 
for fallback if the server is unreachable. Normally, the secondary method would 
be the local database. In this case, the secondary method is none, so if no 
usernames are configured in the local database, the router allows all users 
login access to the device. 

 
R1(config)# aaa new-model 
R1(config)# aaa authentication login default local none 

Note: If you do not set up a default login authentication list, you could get 
locked out of the router and be forced to use the password recovery procedure 
for your specific router. 

Next, create a unique authentication list for Telnet access to the router. This 
list does not have the fallback of no authentication, so if there are no usernames 
in the local database, Telnet access is disabled. To create an authentication list 
that is not the default list, use the aaa authentication login name method1 
[method2] [method3] command. Name the authentication method list 
“telnet_lines.” To apply the authentication list to the vty lines, use the login 
authentication name command in line configuration mode. 

 
R1(config)# aaa authentication login telnet_lines local 
R1(config)# line vty 0 4 
R1(config-line)# login authentication telnet_lines 

Verify that this authentication list is used by opening a Telnet session from R2 
to R1. 

 
R2# telnet 192.168.10.1
Trying 192.168.10.1 ... Open 
 
 
User Access Verification 
 
Username: cisco
Password: cisco 
 
R1> exit 
 
[Connection to 192.168.10.1 closed by foreign host] 
R2# 

If you are able to log in to the router, your user account was verified against the 
local database on the router. 

If your session with the console port of the router times out, you may have to 
log in using the default authentication list.
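The two conditions this step describes, the open-access fallback of a list ending in none and the lockout of a local-only list when no usernames exist, can be checked automatically. The following Python audit is an added example, not part of the lab; it parses an IOS-style running configuration (the constructed sample mirrors R1's final configuration) and reports both conditions plus a vty line that references an undefined list.

```python
import re

# Constructed sample modelled on R1's final configuration in this lab.
SAMPLE_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local none
aaa authentication login telnet_lines local
username cisco password 0 cisco
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
line vty 0 4
 login authentication telnet_lines
end
"""

def parse_login_lists(config):
    """Return {list_name: [method, ...]} from 'aaa authentication login' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_line_lists(config):
    """Map each 'line ...' block to the login list it applies ('default' if none set)."""
    result = {}
    current = None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line.strip()
            result[current] = "default"
        elif current and line.startswith(" login authentication "):
            result[current] = line.split()[-1]
        elif line and not line.startswith(" "):
            current = None          # any other top-level command ends the block
    return result

def audit(config):
    """Findings a reviewer would raise about the login authentication lists."""
    findings = []
    has_users = re.search(r"^username \S+", config, re.M) is not None
    lists = parse_login_lists(config)
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(f"{name}: 'none' fallback; anyone can log in if the local database is empty")
        if methods == ["local"] and not has_users:
            findings.append(f"{name}: local only with no usernames; lines using it are locked out")
    for line, name in parse_line_lists(config).items():
        if name != "default" and name not in lists:
            findings.append(f"{line}: references undefined list '{name}'")
    return findings
```

Run audit() over a saved show run; the sample yields one finding, for the default list's none fallback.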


If no user accounts are configured in the local database, which users are 
permitted to access the device? 


Final Configuration 

R1# show run 
hostname R1 

aaa new-model 

aaa authentication login default local none 
aaa authentication login telnet_lines local 

username cisco password 0 cisco 

interface FastEthernet0/0 
 ip address 192.168.10.1 255.255.255.0 
 no shutdown 

line vty 0 4 
 login authentication telnet_lines 
end 
 
R2# show run 
hostname R2 

interface FastEthernet0/0 
 ip address 192.168.10.2 255.255.255.0 
 no shutdown 
end 
