Network Kings

AAA Lab in Packet Tracer


Lab objective: anyone who Telnets into the router must first be authenticated by the AAA (TACACS+) server; if the AAA server is unreachable, the router falls back to its local user database.

Configuration on the router:

=setting telnet=

Router(config)#enable secret 1111

Router(config)#line vty 0 4

Router(config-line)#login authentication default   (applies the AAA "default" login method list to the Telnet lines; this command is only accepted after "aaa new-model" has been entered, so enable AAA first or come back to this line afterwards)

Router(config-line)#exit

Router(config)#username JKR password 3333

Once AAA is enabled the VTY lines are governed by the method list, so the plain "login" line command is not used here; on its own, with no line password set, it would simply block Telnet.

=AAA commands=

Enable AAA on the router:

Router(config)#aaa new-model

Set authentication for login using two methods: method 1 asks the AAA server over the TACACS+ protocol, method 2 uses the router's local user accounts:

Router(config)#aaa authentication login default group tacacs+ local

Tell the router the IP address of the TACACS+ server and the shared key (password) used to talk to it (this is the legacy "tacacs-server host" syntax that Packet Tracer accepts; newer IOS releases prefer a named "tacacs server" block):

Router(config)#tacacs-server host 11.0.0.2 key 8888
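The complete router side of the lab in one listing, in an order IOS accepts (AAA has to be enabled before a line can reference a method list). This is an added example assembled from the commands on this page, not the page's own listing; the "username ... secret", "tacacs-server timeout", "aaa local authentication attempts max-fail" and "exec-timeout" lines are hardening additions that the lab itself does not require, and Packet Tracer may not support every one of them.

```cisco
! Added example: consolidated AAA + Telnet configuration for the lab.
! Addresses, usernames and keys are the ones used on this page.

! 1. Enable AAA first; "login authentication" only exists after this.
aaa new-model

! 2. Protect privileged EXEC with a hashed secret (not "enable password").
enable secret 1111

! 3. Local fallback account. "secret" stores a hash instead of the
!    reversible type-7 string that "password" would store (addition;
!    the page uses "username JKR password 3333").
username JKR secret 3333

! 4. TACACS+ server (the ACS box) and shared key. The key must match the
!    key configured for client 11.0.0.1 on the ACS side.
tacacs-server host 11.0.0.2 key 8888
! Addition: seconds to wait before the server is treated as unreachable.
! An unreachable server is what triggers the fall-through to "local".
tacacs-server timeout 5

! 5. Default login method list: TACACS+ first, local only if the server
!    does not answer. A list named "default" applies to every line.
aaa authentication login default group tacacs+ local

! Addition: lock a local account after 3 consecutive failed attempts;
! without this, "show aaa local user lockout" never reports anything.
aaa local authentication attempts max-fail 3

! 6. Telnet lines: reference the list explicitly and drop idle sessions.
line vty 0 4
 login authentication default
 exec-timeout 10 0
 transport input telnet
```

With this in place a wrong password against a reachable ACS is a rejection, not a fallback: the router only consults the local account when the TACACS+ server times out.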

Configuration on AAA server

ACS SERVER

User account :

Username : JKR

Password: 4444

TACACS+ client : 11.0.0.1

Key : 8888

Here are a few show commands we can use, plus one command to unlock any local user account that has reached the maximum number of failed logon attempts (a lockout only happens if "aaa local authentication attempts max-fail" has been configured on the router):

Router#show aaa user all

Router#show aaa sessions

Router#show aaa local user lockout

Router#clear aaa local user lockout username all

To test it, first Telnet to the router with the local account (username JKR, password 3333): the login is rejected, because the ACS server is reachable and it only knows JKR with password 4444. Then Telnet again with the ACS account we created above (username JKR, password 4444) and the login succeeds.

Now disconnect the ACS server, or just remove its cable, and Telnet to the router with JKR / 3333 again. This time it works, because the router could not reach the TACACS+ server and fell back to the local database.

Remember: if method 1 answers and rejects the login (a FAIL), you do not go on to method 2.

Only if method 1 is unavailable (an ERROR, such as no reply from the TACACS+ server) does the router move on to method 2 and use it.