
You are a network support specialist for NetworkTut, an IT training firm. They have just installed a new router (R1) into their network. The router was successfully installed and is passing traffic. However, your manager is concerned about security and has tasked you with implementing access security for the new router R1.

[Figure: ISCW AAA server Tacacs Lab.jpg (lab topology showing R1, R2 and the corporate Tacacs server)]

The portion of NetworkTut's security policy related to router access states:
# The default user access authentication scheme requires that the user be authenticated using the router's local database.
# User console access should be authenticated using the default authentication scheme.
# User aux port access should be authenticated using the default authentication scheme.
# User vty access should be protected via a password that is validated using only the corporate Tacacs server.

For this router installation:
# The corporate Tacacs server has an IP address of 10.6.6.254 and uses a shared key of Training.
# The enable password for R1 is New1.

You have successfully completed your task when you have verified that you can log in to:
# R1's console using the local user ID of Net1 with a password of Sel
# R2's console using the username of Net2 with a password of Loc, and establish an SSH session from R2 to R1 using the test Tacacs user ID of cisco with a password of cisco123
(Notice: the IP addresses, usernames and passwords in the real exam may be different!)

Answer and Explanation:

R1>enable
password: New1
R1#configure terminal

R1(config)#aaa new-model (enable the AAA security services)

R1(config)#tacacs-server host 10.6.6.254 key Training (notice that the key is case sensitive)

The default user access authentication scheme requires that the user be authenticated using the router's local database

R1(config)#aaa authentication login default local (verify login authentication against the local user database. The "aaa authentication login" command specifies that authentication takes place at login. Because we used the list name "default", this method list is automatically applied to every login connection, such as tty, vty, console and aux, unless a line names a different list).

Define the method list MY_VTY_LIST (any other name works too) that uses only the corporate Tacacs server for authentication

R1(config)#aaa authentication login MY_VTY_LIST group tacacs+

Configure user console access using the default authentication scheme

R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit

Configure user aux port access using the default authentication scheme

R1(config)#line aux 0
R1(config-line)#login authentication default
R1(config-line)#exit

Configure vty access using TACACS server by applying MY_VTY_LIST to the vty lines

R1(config)#line vty 0 4
R1(config-line)#login authentication MY_VTY_LIST
R1(config-line)#end

R1#copy running-config startup-config

Log out of R1 to test the console login of R1

R1#exit

Press RETURN to get started.

(Press Enter here)

Username: Net1
Password: Sel

R1> (You are now in User Mode, which means you configured the console authentication correctly. To enter privileged EXEC mode again, use the enable password New1.)

Log in to R1 using SSH from R2

R2>enable
username: Net2
password: Loc
R2#ssh 10.2.1.1 (10.2.1.1 is the IP address of R1 shown in the picture)

You will be asked for the user ID (cisco) and password (cisco123), which R1 validates against the Tacacs server at 10.6.6.254.
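The commands above are the lab answer; the script below is an added example, not part of the original lab, that audits a saved "show running-config" text against the four policy items (default list is local, console and aux use default, vty uses a Tacacs-only list, the Tacacs server is defined). The SAMPLE_CONFIG string is constructed here to mirror the answer; the hostnames, addresses and key are the lab's placeholder values, not a real device.

```python
"""Audit an IOS running-config against NetworkTut's router-access policy.

Added example (not from the original lab). Parses the global AAA lines and
the "line con/aux/vty" sections and reports which policy items hold.
"""
import re

# Constructed sample: what "show running-config" would show on R1 after
# applying the lab answer (values are the lab's placeholders).
SAMPLE_CONFIG = """\
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authentication login MY_VTY_LIST group tacacs+
!
username Net1 password 0 Sel
!
tacacs-server host 10.6.6.254 key Training
!
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication MY_VTY_LIST
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line (con|aux|vty) ")


def parse_config(text):
    """Return (global_lines, {line_type: [child lines]}).

    IOS indents the children of a "line ..." section by one space, which is
    how we tell section children from global commands.
    """
    global_lines = []
    sections = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        m = LINE_RE.match(raw)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            global_lines.append(raw.strip())
    return global_lines, sections


def login_list(children):
    """Name of the list applied with 'login authentication <list>', or None."""
    for c in children:
        m = re.match(r"login authentication (\S+)$", c)
        if m:
            return m.group(1)
    return None


def audit(text, tacacs_ip="10.6.6.254"):
    """Map each policy item to True/False for the given config text."""
    glob, sections = parse_config(text)
    auth = {}
    for line in glob:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            auth[m.group(1)] = m.group(2).split()
    # Lists whose method list is exactly "group tacacs+": server only,
    # no local fallback, as the vty policy item requires.
    tacacs_only = {n for n, methods in auth.items()
                   if methods == ["group", "tacacs+"]}
    return {
        "aaa_new_model": "aaa new-model" in glob,
        "default_is_local": auth.get("default") == ["local"],
        "tacacs_server_defined": any(
            re.match(rf"tacacs-server host {re.escape(tacacs_ip)}\b", l)
            for l in glob),
        "console_uses_default": login_list(sections.get("con", [])) == "default",
        "aux_uses_default": login_list(sections.get("aux", [])) == "default",
        "vty_uses_tacacs_only": login_list(sections.get("vty", [])) in tacacs_only,
    }


def is_compliant(text):
    """True only when every policy item in audit() holds."""
    return all(audit(text).values())


if __name__ == "__main__":
    for item, ok in audit(SAMPLE_CONFIG).items():
        print(f"{item:24s} {'PASS' if ok else 'FAIL'}")
```

The vty check deliberately rejects a list such as "group tacacs+ local", because the policy says vty access is validated using only the Tacacs server. The operational consequence is that a vty login fails while the Tacacs server is unreachable; the console and aux lines still authenticate against the local database, which is why the lab verifies the console login with Net1 before testing SSH.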