CCNP BCMSN Security TACACS+

BCMSN LAB 10
Configuring IOS Security Part 2: TACACS+

Lab 10: Configuring IOS Security Part 2: TACACS+

Objective
Configure ASWs to authenticate to a TACACS+ server.

Lab Topology
For this lab, your network design will include two pods of devices. Pod 2 will be configured upon the initial loading of the lab. You will be responsible for configuring Pod 1. After you complete the configuration in this lab, you can verify the lab using the Pod 2 devices. The Pod 2 devices will be configured with the same IP addressing scheme as those in Pod 1. For all labs that require more than one pod, your pod will be represented as Pod 1, and the remote pod will be Pod 2.

The Topology diagram below represents the NetMap in the Simulator. To access each of the devices from within the Simulator, select the device name from the appropriate menu in the Simulator. For example, to access P1ASW1, click the eSwitches button and select P1ASW1 from the drop-down menu.


[Topology diagram]
  Pod 1: P1PC1 (VLAN 11, 172.16.11.1) -- P1ASW1 (172.16.1.10) -- P1DSW1 (172.16.1.100)
  Pod 2: P2PC2 (VLAN 12, 172.16.12.1) -- P2ASW2 (172.16.1.20) -- P2DSW2 (172.16.1.200)
  ACS (TACACS+ server): 172.16.1.150, adjacent to P1ASW1

Command Summary

Command                                                                  Description
configure terminal                                                       enters global configuration mode
enable                                                                   enters privileged EXEC mode
exit                                                                     exits the current mode
end                                                                      returns to privileged EXEC mode
interface fastethernet slot/port                                         enters interface configuration mode for the specified Fast Ethernet interface
ip address ip_address subnet_mask                                        assigns an IP address to an interface
ping ip_address                                                          sends an ICMP echo request
shutdown; no shutdown                                                    disables an interface; enables an interface
aaa authentication login {default | list-name} method1 [method2...]     defines an Authentication, Authorization, and Accounting (AAA) login method list
aaa new-model                                                            enables AAA
line [aux | console | vty] beginning_line_number [ending_line_number]   enters line configuration mode
login authentication {default | list_name}                               applies a login authentication method list (here, TACACS+ then local) to the line
action [drop | forward]                                                  defines the action for matched traffic in a VLAN map
tacacs-server host ip_address single-connection                          defines the TACACS+ server to communicate with
tacacs-server key key_string                                             defines the shared key used with the TACACS+ server
username name password password                                          creates a local user name and password pair

Lab Tasks
                       Setting                                                      Value
TACACS+ server IP address                                  172.16.1.150
TACACS+ server key                                         bcmsn
TACACS+ server user name                                   PC1
TACACS+ server password                                    cisco

    1. Disable the VLAN filter you created in the previous lab on P1DSW1. Verify that you can
       ping and telnet to P1ASW1 from P1PC1.
    2. Configure P1ASW1 to use the AAA features.
    3. Define the TACACS+ server to use.
    4. Configure the key string for the TACACS+ server.
    5. Configure the primary authentication method to try TACACS+ first, then local.
    6. Apply the primary authentication method to the vty ports.
    7. Configure a local user name and password pair. Use the user name admin and the
       password cisco. This will allow you to log in even if the TACACS+ server is unavailable.
       In a production environment, you should always have this configured to enable you to
       access your switch even when the TACACS+ server is unavailable.
    8. Attempt to telnet to P1ASW1 from P1PC1. When prompted for authentication, use
       the TACACS+ server username and password. This attempt should fail because the
       username and password have not been added to your TACACS+ server yet. Try to telnet
       again, but use the local username and password instead. This attempt should work
       because this username and password pair have been configured on P1ASW1.
    9. Add the username PC1 and password cisco to the TACACS+ server. Set the TACACS+
       server key to bcmsn as well.
    10. Try to telnet to P1ASW1 from P1PC1 again. Use the TACACS+ server username and
        password. This attempt should succeed.

Lab Solutions
   1. P1DSW1(config)#no vlan filter vlan_map vlan-list 11
       C:>ping 172.16.1.10
       C:>telnet 172.16.1.10
   2. P1ASW1(config)#aaa new-model
   3. P1ASW1(config)#tacacs-server host 172.16.1.150 single-connection
   4. P1ASW1(config)#tacacs-server key bcmsn
   5. P1ASW1(config)#aaa authentication login primary group tacacs+ local
   6. P1ASW1(config)#line vty 0 4
      P1ASW1(config-line)#login authentication primary
   7. P1ASW1(config)#username admin password cisco
   8. C:>telnet 172.16.1.10
      Trying 172.16.1.10 ... Open
      User Access Verification
      Username: PC1
      Password:
      % Authentication failed.
      Username: admin
      Password:
      P1ASW1>
   9. C:> tacacs user PC1 password cisco
      User pc1 has been added with the password cisco
      C:> tacacs key bcmsn
   10. C:>telnet 172.16.1.10
       Trying 172.16.1.10 ... Open
       User Access Verification
       Username: PC1
       Password:
       P1ASW1>
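As an added check (example code written for this page, not part of the lab or the Simulator), the following audit reads the AAA-related lines of a switch configuration and reports what would defeat the intent of steps 2 through 7: a missing aaa new-model, a method list without the local fallback, a local method with no username behind it, a missing server or key, or a vty line applying a list that was never defined. The configuration text is a constructed excerpt of the P1ASW1 sample configuration.

```python
import re

# Constructed sample: the AAA-relevant lines of this lab's P1ASW1 configuration.
P1ASW1_CONFIG = """\
aaa new-model
aaa authentication login primary group tacacs+ local
username admin password cisco
tacacs-server host 172.16.1.150 single-connection
tacacs-server key bcmsn
line vty 0 15
  login authentication primary
!
"""

def audit_tacacs_login(config):
    """Return findings for the TACACS+ login setup; an empty list means every check passed."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: login method lists are not applied")
    # Method lists: name -> ordered methods; "group" is optional on 12.1, so both spellings match.
    lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            lists[m.group(1)] = [t for t in m.group(2).split() if t != "group"]
    has_user = any(l.startswith("username ") for l in lines)
    for name, methods in lists.items():
        if "tacacs+" in methods and "local" not in methods:
            findings.append(f"list {name}: no local fallback if the TACACS+ server is unreachable")
        if "local" in methods and not has_user:
            findings.append(f"list {name}: local method listed but no username is configured")
    for keyword in ("tacacs-server host ", "tacacs-server key "):
        if not any(l.startswith(keyword) for l in lines):
            findings.append(f"no '{keyword.strip()}' defined")
    # The vty block must apply a login list that is actually defined (lab step 6).
    section = vty_list = None
    for l in lines:
        if l.startswith("line vty"):
            section = "vty"
        elif not l.startswith(" "):
            section = None
        elif section == "vty" and l.strip().startswith("login authentication "):
            vty_list = l.split()[2]
    if vty_list is None:
        findings.append("vty lines do not apply a named login authentication list")
    elif vty_list != "default" and vty_list not in lists:
        findings.append(f"vty lines apply undefined list {vty_list}")
    return findings
```

Running audit_tacacs_login over the lab's finished P1ASW1 configuration returns no findings; removing the trailing local method or the tacacs-server key line reproduces the lockout conditions step 7 warns about.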
Sample Configuration Scripts
P1ASW1

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1ASW1
aaa new-model
aaa authentication login primary tacacs+ local
!
username admin password cisco
!
ip subnet-zero
spanning-tree extend system-id
!
ip default-gateway 172.16.1.100
!
interface FastEthernet0/1
  description P1ASW1 to P1DSW1
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/2
  description P1ASW1 to P1DSW1
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/3
  description P1ASW1 to P2DSW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/4
  description P1ASW1 to P2DSW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/5
  description P1PC1 to P1ASW1
  switchport mode access
  switchport access vlan 11
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
vtp Server
vtp domain bigdomain
!
interface Vlan 1
  ip address 172.16.1.10 255.255.255.0
  no ip route-cache
  no shutdown
!
vlan 11 name 11
!
ip default-gateway 172.16.1.100
ip classless
no ip http server
!
tacacs-server host 172.16.1.150 single-connection
tacacs-server key bcmsn
!
line con 0
  transport input none
line aux 0
line vty 0 15
  login authentication primary
!
no scheduler allocate
end
P1DSW1

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1DSW1
!
ip subnet-zero
ip routing
spanning-tree extend system-id
!
vlan access-map vlan_map 10
  match ip address telnet_list
  action drop
vlan access-map vlan_map 20
  match ip address all_traffic
  action forward
!
interface FastEthernet0/1
  description P1DSW1 to P1ASW1
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/2
  description P1DSW1 to P1ASW1
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/3
  description P1DSW1 to P2ASW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/4
  description P1DSW1 to P2ASW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/5
  switchport mode access
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
  description P1DSW1 to P2DSW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface FastEthernet0/12
  description P1DSW1 to P2DSW2
  switchport mode trunk
  switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
vtp Server
vtp domain bigdomain
!
interface Vlan 1
  ip address 172.16.1.100 255.255.255.0
  no ip route-cache
  no shutdown
!
interface Vlan0011
  ip address 172.16.11.100 255.255.255.0
  no ip route-cache
  no shutdown
!
router eigrp 100
  network 172.16.0.0
!
ip classless
no ip http server
!
ip access-list extended telnet_list
  permit tcp any any eq telnet
ip access-list extended all_traffic
  permit ip any any
!
line con 0
  transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end