CCNASv1.1_Chp03_Lab-A_AAA-RADIUS_Student.doc

Description
CCNA Security Chapter 3 Lab A: Securing Administrative Access Using AAA and RADIUS. Topology note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.
CCNA Security Chapter 3 Lab A: Securing Administrative Access Using AAA and RADIUS

Topology
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 25

IP Addressing Table

Device  Interface     IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1         192.168.1.1   255.255.255.0    N/A              S1 FA0/5
        S0/0/0 (DCE)  10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0        10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)  10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1         192.168.3.1   255.255.255.0    N/A              S3 FA0/5
        S0/0/1        10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC           192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC           192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18

Objectives

Part 1: Basic Network Device Configuration
• Configure basic settings such as host name, interface IP addresses, and access passwords.
• Configure static routing.

Part 2: Configure Local Authentication
• Configure a local database user and local access for the console, vty, and aux lines.
• Test the configuration.

Part 3: Configure Local Authentication Using AAA
• Configure the local user database using Cisco IOS.
• Configure AAA local authentication using Cisco IOS.
• Configure AAA local authentication using CCP.
• Test the configuration.

Part 4: Configure Centralized Authentication Using AAA and RADIUS
• Install a RADIUS server on a computer.
• Configure users on the RADIUS server.
• Use Cisco IOS to configure AAA services on a router to access the RADIUS server for authentication.
• Use CCP to configure AAA services on a router to access the RADIUS server for authentication.
• Test the AAA RADIUS configuration.

Background

The most basic form of router access security is to create passwords for the console, vty, and aux lines. A user is prompted for only a password when accessing the router. Configuring a privileged EXEC mode enable secret password further improves security, but still only a basic password is required for each mode of access.

In addition to basic passwords, specific usernames or accounts with varying privilege levels can be defined in the local router database that can apply to the router as a whole. When the console, vty, or aux lines are configured to refer to this local database, the user is prompted for a username and a password when using any of these lines to access the router.

Additional control over the login process can be achieved using authentication, authorization, and accounting (AAA). For basic authentication, AAA can be configured to access the local database for user logins, and fallback procedures can also be defined. However, this approach is not very scalable because it must be configured on every router. To take full advantage of AAA and achieve maximum scalability, AAA is used in conjunction with an external TACACS+ or RADIUS server database. When a user attempts to log in, the router references the external server database to verify that the user is logging in with a valid username and password.

In this lab, you build a multi-router network and configure the routers and hosts. You will then use CLI commands and CCP tools to configure routers with basic local authentication by means of AAA. You will install RADIUS software on an external computer and use AAA to authenticate users with the RADIUS server.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the routers and switches have been erased and have no startup configurations.

Required Resources
• 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
• 2 switches (Cisco 2960 or comparable)
• PC-A: Windows XP, Vista or Windows 7 with CCP 2.5, RADIUS server software available
• PC-C: Windows XP, Vista or Windows 7 with CCP 2.5
• Serial and Ethernet cables as shown in the topology
• Rollover cables to configure the routers via the console

CCP Notes:
• Refer to Chp 00 Lab A for instructions on how to install and run CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above and Flash Player Version 10.0.12.36 and later.
• If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item, and choose Run as administrator.
• In order to run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure that all pop-up blockers are turned off in the browser.

Part 1: Basic Network Device Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords. All steps should be performed on routers R1 and R3. Only steps 1, 2, 3 and 6 need to be performed on R2. The procedure for R1 is shown here as an example.

Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.
Configure host names as shown in the topology.
Configure the interface IP addresses as shown in the IP addressing table.
Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.
    R1(config)# interface S0/0/0
    R1(config-if)# clock rate 64000
To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup.
    R1(config)# no ip domain-lookup

Step 3: Configure static routing on the routers.
a. Configure a static default route from R1 to R2 and from R3 to R2.
b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.

Step 4: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP addressing table.

Step 5: Verify connectivity between PC-A and R3.
a. Ping from R1 to R3. Were the ping results successful? If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN. Were the ping results successful? If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.

Step 6: Save the basic running configuration for each router.
Use the Transfer > Capture text option in HyperTerminal or some other method to capture the running configs for each router. Save the three files so that they can be used to restore configs later in the lab.

Step 7: Configure and encrypt passwords on R1 and R3.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
For this step, configure the same settings for R1 and R3. Router R1 is shown here as an example.
a. Configure a minimum password length. Use the security passwords command to set a minimum password length of 10 characters.
    R1(config)# security passwords min-length 10
b. Configure the enable secret password on both routers. The secret must satisfy the 10-character minimum set in step a.
    R1(config)# enable secret cisco12345
c. Configure the basic console, auxiliary port, and vty lines.
d. Configure a console password and enable login for router R1. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
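The line configuration that Step 7 c and d describe, carried on to the AAA setup with RADIUS and local fallback named in the Part 3 and Part 4 objectives, as an added worked example that is not taken from the lab document. The line passwords, the local user, the shared secret, and the choice of PC-A (192.168.1.3 in the addressing table) as the RADIUS server are assumptions, and the radius-server host form is the legacy syntax of the lab's IOS 12.4 release.

```cisco
! Step 7 c-d: protect console, aux and vty lines (placeholder passwords),
! log idle sessions out after 5 minutes, keep log output off the input line.
line console 0
 password ciscoconpass
 exec-timeout 5 0
 login
 logging synchronous
line aux 0
 password ciscoauxpass
 exec-timeout 5 0
 login
line vty 0 4
 password ciscovtypass
 exec-timeout 5 0
 login
! Type-7 obfuscation of the plaintext line passwords in the running config;
! the enable secret is already stored as a hash and is not affected.
service password-encryption
!
! Part 3/4 objectives: a local account (placeholder) kept as fallback, then
! AAA pointed at the RADIUS server assumed to run on PC-A.
username admin privilege 15 secret Admin01pass
aaa new-model
! Shared secret is a placeholder; ports 1812/1813 are the standard RADIUS
! authentication and accounting ports.
radius-server host 192.168.1.3 auth-port 1812 acct-port 1813 key RadiusSecret1
! "local" is consulted only when no RADIUS server answers, never when the
! server rejects the credentials, so an unreachable server degrades to
! the local database rather than to an open login.
aaa authentication login default group radius local
! Console stays on the local database so an outage of the server cannot
! lock the administrator out of the physical port.
aaa authentication login CONSOLE_LOCAL local
line console 0
 login authentication CONSOLE_LOCAL
line vty 0 4
 login authentication default
```

Once aaa new-model is enabled, the plain login and line password on the vty lines are no longer what decides access; the named method lists do, which is why the console is given its own list.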