AAA Lab in Packet Tracer
Lab Objective : any one try to Telnet the router must be authenticated through AAA server First and in case AAA server is down , routers will use his local user accounts database.
Configuration on the router:
Router (config) #enable secret 1111
Router (config) #line vty 0 4
Router (config-line) #login authentication default ?( to apply an on Telnet lines )?
Router (config-line) #login
Router (config-line) #exit
Router (config) #username JKR password 3333
Enable AAA on the router :
Router (config) #aaa new-model
Set authentication for login using two methods , method 1 uses AAA server through Tacacs+ protocol , method 2 using local router user accounts:
Router (config) #aaa authentication login default group tacacs+ local
Tell the router what is the IP address for Tacas+ server and key (password) to connect to:
Router (config) #tacacs-server host 126.96.36.199 key 8888
Configuration on AAA server
User account :
Username : JKR
tacas+ client : 188.8.131.52
Key : 8888
Now here is few show commands we can use plus one command to unlock any user account reach max failed attempts to logon:
Router#show AAA user all
Router#show AAA sessions
Router#show a local user lockout
Router#clear a local user lockout username all
In best practice try to Telnet the router with local username Yasser password 3333 and it will not work then try to use? the ACS server user name we wrote above : audio password 4444 and it will work fine .
Now disconnect the ACS server or just remove the cable and try to Telnet the router using Yasser and it will work fine .
Remember method 1 fail , you will not go to method 2
But if method 1 is not available then you can go to method 2 and use it.