7.2.6 Packet Tracer – Configure Local AAA for Console and VTY Access Answers

Packet Tracer – Configure Local AAA for Console and VTY Access (Answers Version)

Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Addressing Table

Device

Interface

IP Address

Subnet Mask

Default Gateway

Switch Port

R1

G0/1

192.168.1.1

255.255.255.0

N/A

S1 F0/1

R1

S0/0/0 (DCE)

10.1.1.2

255.255.255.252

N/A

N/A

R2

G0/0

192.168.2.1

255.255.255.0

N/A

S2 F0/2

R2

S0/0/0

10.1.1.1

255.255.255.252

N/A

N/A

R2

S0/0/1 (DCE)

10.2.2.1

255.255.255.252

N/A

N/A

R3

G0/1

192.168.3.1

255.255.255.0

N/A

S3 F0/5

R3

S0/0/1

10.2.2.2

255.255.255.252

N/A

N/A

PC-A

NIC

192.168.1.3

255.255.255.0

192.168.1.1

S1 F0/2

PC-B

NIC

192.168.2.3

255.255.255.0

192.168.2.1

S2 F0/1

PC-C

NIC

192.168.3.3

255.255.255.0

192.168.3.1

S3 F0/18

Blank Line, No additional information

Objectives

Configure a local user account on R1 and configure authenticate on the console and vty lines using local AAA.

Verify local AAA authentication from the R1 console and the PC-A client.

Background / Scenario

The network topology shows routers R1, R2 and R3. Currently, all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.

You will create a local user account and configure local AAA on router R1 to test the console and vty logins.

  • User account: Admin1 and password admin1pa55

The routers have also been pre-configured with the following:

  • Enable secret password: ciscoenpa55
  • OSPF routing protocol with MD5 authentication using password: MD5pa55

Note: The console and vty lines have not been pre-configured.

Note: Newer IOS images use more secure encryption hashing algorithm; however, the IOS version currently supported in Packet Tracer uses MD5. Always use the most secure option available on your physical equipment.

Part 1:Configure Local AAA Authentication for Console Access on R1

Step 1:Configure a local username on R1.

Configure a username of Admin1 with a secret password of admin1pa55.

R1(config)# username Admin1 secret admin1pa55

Step 2:Configure local AAA authentication for console access on R1.

Enable AAA on R1 and configure AAA authentication for the console login to use the local database.

R1(config)# aaa new-model

R1(config)# aaa authentication login default local

Step 3:Configure the line console to use the defined AAA authentication method.

Enable AAA on R1 and configure AAA authentication for the console login to use the default method list.

R1(config)# line console 0

R1(config-line)# login authentication default

Step 4:Verify the AAA authentication method.

Verify the user EXEC login using the local database.

R1(config-line)# end

%SYS-5-CONFIG_I: Configured from console by console

R1# exit

R1 con0 is now available

Press RETURN to get started.

************ AUTHORIZED ACCESS ONLY *************

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin1

Password: admin1pa55

R1>

Part 2:Configure Local AAA Authentication for vty Lines on R1

Step 1:Configure domain name and crypto key for use with SSH.

  1. Use netsec.com as the domain name on R1.

R1(config)# ip domain-name netsec.com

  1. Create an RSA crypto key using 1024 bits.

R1(config)# crypto key generate rsa general-keys modulus 1024

The name for the keys will be: R1.netsec.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

*Mar 1 0:2:12.822: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 2:Configure a named list AAA authentication method for the vty lines on R1.

Configure a named list called SSH-LOGIN to authenticate logins using local AAA.

R1(config)# aaa authentication login SSH-LOGIN local

Step 3:Configure the vty lines to use the defined AAA authentication method.

Configure the vty lines to use the named AAA method and only allow SSH for remote access.

R1(config)# line vty 0 4

R1(config-line)# login authentication SSH-LOGIN

R1(config-line)# transport input ssh

R1(config-line)# end

Step 4:Verify the AAA authentication method.

Verify the SSH configuration SSH to R1 from the command prompt of PC-A.

PC> ssh –l Admin1 192.168.1.1

Open

Password: admin1pa55

Answer Script

Router R1

enable

config terminal

username Admin1 secret admin1pa55

aaa new-model

aaa authentication login default local

line console 0

login authentication default

ip domain-name netsec.com

crypto key generate rsa general-keys modulus 1024

aaa authentication login SSH-LOGIN local

line vty 0 4

login authentication SSH-LOGIN

transport input ssh

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments