
Rohit Pardasani CCIE # 21282

CCNA Security V3 Lab Guide


Author: Rohit Pardasani, Triple CCIE # 21282 (R/S, SP and Security)
Copyrights ACIT Education Pvt Ltd 2010-2011 Website: http://www.acit.in; Email: rohitp@acit.in


A Note from the Author I would like to take this opportunity to thank you for participating in the CCNA Security training from ACIT Education Pvt Ltd. I have based the book pattern on the CCNA Security Blueprint. It is broken down into 5 Modules. There are in total 66 lab exercises. These labs give you the foundation to attempt the CCNA Security Exam. This book also contains a complete Solution video in which I have configured and explained each topic in detail.

Rohit Pardasani CCIE # 21282 ( R/S, SP, Security) rohitp@acit.in


ACIT Bootcamps

Instructed by a well-known Triple CCIE instructor.
5 days of intense CCNA Security training.
Covers all the topics listed in the CCNA Security Blueprint.
Each topic is discussed in the classroom by our expert instructor.
A mock test is conducted and graded on the last day to assess your knowledge and readiness.
Includes our CCNA Security Lab Guide for free.
Access to our expert instructor staff after the CCNA Security bootcamp.
For a group of eight or more, we can bring this bootcamp to your office anywhere in the world.
Excellent retake policy: you may retake this course for free for up to one year, as long as a seat is available in the class.
Compliant with the latest CCNA Security changes announced by Cisco Systems.

For International Customers


ACIT offers attractive and convenient travel packages for customers travelling from around the world to attend our training programs. ACIT assigns a dedicated account manager to handle our delegates' travel needs; a single point of contact makes your travel and learning experience straightforward. Please check our online schedule and contact us for training requirements in international locations.

Disclaimer
CCNA, Cisco IOS, Cisco Systems, the Cisco logo, and Networking Academy are registered trademarks or trademarks of Cisco Systems, Inc.

Table of Contents:

Module 1:
Basic Router Configuration. Control Administrative Access for Routers. Configure Administrative Roles. Create Banners on Routers. Configure SSH Access. Create Various Privilege Levels. SDM Access.

Module 2:
RIP Authentication. NTP. Syslog. ACS with TACACS+ and RADIUS Authentication using CLI and SDM.

Module 3:
EIGRP Authentication. CBAC. Zone-Based Firewall using SDM. IOS IPS.

Module 4:
Site-to-Site VPN using CLI. Site-to-Site VPN using SDM. Easy VPN Server using CLI. Easy VPN Server using SDM.

Module 5:
Port Security. Storm Control. SPAN. One-Step Lockdown.


CCNA Security Lab Guide


Module 1:

Objective
1.1 Assign Router1 a hostname of R1

Solution:
R1:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#

1.2 Configure IP address 12.0.0.1/24 on R1 interface Serial0/0. Verify whether a clock rate is required.

Solution:
R1#configure terminal
R1(config)#interface Serial0/0
R1(config-if)#ip address 12.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#show controllers serial0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DTE V.35 clocks stopped.
R1 sits on the DTE end of the serial cable, so no clock rate is required here; the DCE end (R2) supplies the clock.

1.3 Configure Router2 with the hostname R2.

Solution:
R2:
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#

1.4 Configure IP address 12.0.0.2/24 on R2 interface Serial0/0.

Solution:
R2(config)#interface Serial0/0
R2(config-if)#ip address 12.0.0.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit

1.5 Configure R2 Serial0/0 with clock rate 64000, since R2 is the DCE. Verify this first with show controllers serial0/0 on R2.

Solution:
R2#show controllers serial0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DCE V.35, no clock
R2 is the DCE end, so a clock rate is required.
R2#configure terminal
R2(config)#interface Serial0/0
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#exit

1.6 Save the configuration on both R1 and R2 by issuing the wr command in privileged mode.

Solution:
R1#wr
R2#wr
wr is short for write memory, which copies the running configuration to the startup configuration (the same as copy running-config startup-config).

1.7 Configure the enable password cisco on both routers.

Solution:
R1#configure terminal
R1(config)#enable password cisco
R1(config)#exit
R1#exit
R2#configure terminal
R2(config)#enable password cisco
R2(config)#exit
R2#exit

1.8 Verify where it is used.

Solution:
R1>enable
Password:
The router asks for the password you set with the enable password command; after entering cisco you land in privileged mode.
R1#
R2>enable
Password:
The same applies on R2.
R2#

1.9 Configure the enable secret acitedu on both routers.

Solution:
Set the enable secret on R1:
R1#configure terminal
R1(config)#enable secret acitedu
R1(config)#exit
R1#exit
Set the enable secret on R2:
R2#configure terminal
R2(config)#enable secret acitedu
R2(config)#exit
R2#exit

1.10 Verify where it is used and which one takes precedence.

Solution:
R1>enable
Password:
The router now asks for the enable secret. Try cisco (the enable password): it is rejected. Try acitedu: it works.
R1#
When both are configured, enable secret always takes precedence over enable password. The enable secret is stored as a salted hash (type 5), whereas enable password is stored in clear text or, at best, in the reversible type 7 form; the enable password is only consulted by old IOS images that do not understand the secret, so the two should never be set to the same value.
Now try the same on R2:
R2>enable
Password:
Again cisco is rejected and acitedu is accepted.
R2#

1.11 Change the minimum password length to 10 characters on R1.

Solution:
R1#configure terminal
R1(config)#security passwords min-length 10
R1(config)#exit
R1#

1.12 Verify this by changing the enable password to cisco12345 and the enable secret to acitedu123 on R1.

Solution:
R1#configure terminal
R1(config)#enable secret acitedu
R1(config)#enable password cisco
Both are rejected with a "password too short" error because they have fewer than 10 characters. The minimum length applies to enable passwords, enable secrets, line passwords and username passwords, but only to passwords configured after the command was entered; existing shorter passwords are kept.
Now use acitedu123 as the secret and cisco12345 as the enable password:
R1(config)#enable password cisco12345
R1(config)#enable secret acitedu123
R1(config)#exit
R1#

1.13 Configure R1 with the line console password console123 and the line vty password vty1234567.

Solution:
The solution to this task is given together with task 1.14.

1.14 Verify where the line console and line vty passwords are used.

Solution:
R1#configure terminal
R1(config)#line con 0
R1(config-line)#password console123
R1(config-line)#exit
R1(config)#exit
R1#exit
You land directly in user mode without being asked for a password, because login has not been configured under line con 0 (the console has no login by default). Now add login under line con 0:
R1#configure terminal
R1(config)#line con 0
R1(config-line)#login
R1(config-line)#exit
R1(config)#exit
R1#exit
The console now asks for the console password. Next configure the vty lines:
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#password vty1234567
R1(config-line)#exit
R1(config)#exit
R1#exit
Telnet from R2 to R1. You are asked for a password; enter vty1234567. This works without adding login under line vty 0 4 because login is already the default on the vty lines (a vty with login but no password refuses connections with "Password required, but none set").

1.15 Ensure that all passwords on R1 are stored in encrypted format.

Solution:
R1#show run
All line and enable passwords are shown in clear text.
R1#configure terminal
R1(config)#service password-encryption
R1(config)#exit
R1#show run
The passwords now appear as type 7 strings. Note what this does and does not give you: type 7 is a reversible obfuscation with a fixed key, not a hash, so it only protects against a casual look over someone's shoulder. Anyone who obtains the configuration can recover the passwords in seconds. The enable secret (type 5) is a real hash and is not affected by this command.
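To make the caveat above concrete, here is an added example (not from the lab guide) that reverses type 7 strings and extracts them from a show running-config. The XOR key is the public constant IOS uses; the sample configuration is constructed to look like R1 after this task and is not captured from a real device.

```python
import re

# The fixed XOR key IOS uses for type 7 strings. It is public and identical on
# every device, which is the whole problem with service password-encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset (seed),
    the rest is plaintext XOR key, one hex byte pair per character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string. IOS picks the seed itself (0-15); the seed only
    changes the key offset and adds no secrecy."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Matches "password 7 <hex>", "key-string 7 <hex>" and "key 7 <hex>" lines.
# Type 5/8/9 secrets are hashes and deliberately not matched.
TYPE7_LINE = re.compile(r"\b(?:password|key-string|key) 7 ([0-9A-Fa-f]{4,})")


def recover_type7(show_run: str) -> list:
    """Return (encoded, plaintext) pairs for every type 7 value in a config."""
    return [(m.group(1), type7_decode(m.group(1))) for m in TYPE7_LINE.finditer(show_run)]


# Constructed sample of R1's config after task 1.15 (not a real capture);
# the two hex values encode "cisco" and "console123".
SAMPLE_SHOW_RUN = """\
service password-encryption
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 0307540515002D491F5B4A
 login local
"""

if __name__ == "__main__":
    for encoded, plain in recover_type7(SAMPLE_SHOW_RUN):
        print(f"{encoded} -> {plain}")
```

Run it against any saved configuration that contains type 7 values; if the output worries you, that is the argument for username ... secret and enable secret over password-based forms.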

1.16 Create a username rohit with password acit123456 on R1.

Solution:
R1#configure terminal
R1(config)#username rohit password acit123456

1.17 Ensure that console and Telnet connections to R1 now ask for a username and password.

Solution:
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#line con 0
R1(config-line)#login local
R1(config-line)#exit
R1(config)#exit
R1#exit
The console now asks for a username and password. Telnet from R2 to R1: it also asks for a username and password.

1.18 Block login attempts on R1 for 2 minutes if authentication fails 2 times within 1 minute. Log successful and unsuccessful attempts.

Solution:
R1#configure terminal
R1(config)#login block-for 120 attempts 2 within 60
R1(config)#login on-failure log
R1(config)#login on-success log
R1(config)#exit
R1#
Telnet from R2 with the correct username and password: a success log appears on R1. Telnet again from R2 and enter a wrong username and password twice. R1 now enters quiet mode for 2 minutes and logs that as well. Verify by telnetting from R2 to R1 again. The block applies to all login attempts on the router, not only to the host that caused it, so the administrator is locked out too. Exempt the administrator's address from quiet mode with an ACL:
R1(config)#login quiet-mode access-class 101
R1(config)#access-list 101 permit ip host 1.1.1.1 any
Verify by creating a loopback on R1 with IP 1.1.1.1/32 and telnetting from R1 to itself, sourced from the loopback, while R2 is blocked:
R1#telnet 12.0.0.1 /source-interface Loopback0
The quiet-mode ACL exempts matching sources from the block only; their attempts are still logged. Configure the ACL and the quiet-mode exemption before you test the block, and use show login and show login failures to see the current state and the recorded failures.

1.19 Set the inactivity timeout to 1 minute 10 seconds on the console and vty lines.

Solution:
R1#configure terminal
R1(config)#line con 0
R1(config-line)#exec-timeout 1 10
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 1 10
R1(config-line)#exit
R1(config)#exit
R1#
Telnet from R2 to R1 and log in with the correct username and password. Wait 1 minute 10 seconds: the session is closed because it was idle.

1.20 Create a username ccnasec with password ccnasec123 and privilege level 3.

Solution:
R1#configure terminal
R1(config)#username ccnasec privilege 3 password ccnasec123

1.21 Give privilege level 3 permission to issue show ip route, to enter configure terminal, to enter interface configuration and to shut and no shut an interface. Also give privilege level 3 permission to add and remove static routes.

Solution:
R1(config)#privilege interface level 3 shutdown
R1(config)#privilege interface level 3 no shutdown
R1(config)#privilege configure level 3 ip route
R1(config)#privilege configure level 3 interface
R1(config)#privilege configure level 3 no ip route
R1(config)#privilege exec level 3 configure terminal
R1(config)#privilege exec level 3 show ip route
Now telnet from R2 to R1 and log in with username ccnasec and password ccnasec123. Check that you can issue show ip route. When you type show ? you also see other show commands: a privilege level inherits the commands of all lower levels, so level 3 has everything from levels 0 and 1 as well. Check that you can enter configure terminal. Check that you can add and remove a static route:
R1(config)#ip route 1.1.1.1 255.255.255.255 Serial0/0
R1(config)#no ip route 1.1.1.1 255.255.255.255 Serial0/0
Enter interface FastEthernet0/0, shut it down and bring it back up. Under the interface you will notice that the ip address command is not available: it was never granted to level 3.

1.22 Create a username ccie with password ccie123456 and assign it to a view called MYVIEW. This user should only be allowed to run show ip route and show ip interface brief.

Solution:
R1#configure terminal
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username ccie view MYVIEW password ccie123456
R1(config)#exit
Views can only be created from the root view, which requires the enable secret:
R1#enable view
Password:
Enter acitedu123, the enable secret set in task 1.12.
R1#configure terminal
R1(config)#parser view MYVIEW
R1(config-view)#secret view123
R1(config-view)#commands exec include show ip route
R1(config-view)#commands exec include show ip interface brief
R1(config-view)#exit
R1(config)#exit
R1#wr
Now telnet from R2 to R1 and log in with username ccie and password ccie123456. You land in user mode. The administrator does not hand out the enable secret to this user; instead the user enters the view with its own secret:
R1>enable view MYVIEW
Password:
Enter view123. Only the two permitted commands, show ip route and show ip interface brief, are now available.

1.23 Create an MOTD banner "Welcome to MOTD" and an exec banner "Welcome to exec". Verify both banners.

Solution:
R1#configure terminal
R1(config)#banner motd $ Welcome to MOTD $
R1(config)#banner exec $ Welcome to exec $
R1(config)#exit
R1#
Telnet from R2 to R1. The MOTD banner is shown before the login prompt; the exec banner is shown after you log in with a username and password.

1.24 Prepare the router for SDM access and verify that SDM opens.

Solution:
R1#configure terminal
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http authentication local
ip http secure-server is only needed if you want to reach the router over HTTPS; ip http authentication local makes the HTTP server use the local user database (aaa new-model was enabled earlier).
To verify, give R1 interface FastEthernet0/0 the address 10.0.0.1/24, connect a PC to it and give the PC the address 10.0.0.110/24 with gateway 10.0.0.1. Open Internet Explorer and browse to http://10.0.0.1. Log in with username rohit and password acit123456: SDM does not open, because it needs a privilege 15 user. Give rohit privilege 15:
R1(config)#username rohit privilege 15 password acit123456
Browse to http://10.0.0.1 again: SDM now opens.

1.25 Configure R2 for SSH access. Create username cisco with password cisco12345. Use the domain name acit.in and generate RSA keys with a 1024-bit modulus. Verify by connecting over SSH from R1.

Solution:
R2#configure terminal
R2(config)#username cisco password cisco12345
R2(config)#ip domain-name acit.in
R2(config)#crypto key generate rsa general-keys modulus 1024
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#
The hostname and domain name must be set before the keys are generated, because the key pair is named after them. Now connect from R1 to R2:
R1#ssh -l cisco 12.0.0.2
Enter the password cisco12345 and the session opens. A 1024-bit modulus is what the task asks for; in production use at least 2048 bits, and restrict the vty lines to SSH only with transport input ssh so that Telnet no longer carries credentials in clear text. show ip ssh on R2 confirms that SSH is enabled and which version is in use.

Module 2:

Objective
2.1 Erase all routers before you start the lab.

Solution:
R1#erase startup-config
R1#reload
R2#erase startup-config
R2#reload
R3#erase startup-config
R3#reload

2.2 Configure the R1 router with hostname R1. Configure interface FastEthernet0/0 with IP address 10.0.0.1/24 and Serial0/0 with IP address 12.0.0.1/24.

Solution:
R1:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface Serial0/0
R1(config-if)#ip address 12.0.0.1 255.255.255.0
R1(config-if)#no shutdown

2.3 Configure the R2 router with hostname R2. Configure interface Serial0/0 with IP address 12.0.0.2/24 and Serial0/1 with IP address 23.0.0.2/24; both interfaces are the DCE end.

Solution:
R2:
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#interface Serial0/0
R2(config-if)#ip address 12.0.0.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface Serial0/1
R2(config-if)#ip address 23.0.0.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown

2.4 Configure the R3 router with hostname R3. Configure interface Loopback0 with IP address 3.3.3.3/32 and Serial0/0 with IP address 23.0.0.3/24.

Solution:
R3:
Router>enable
Router#configure terminal
Router(config)#hostname R3
R3(config)#interface Loopback0
R3(config-if)#ip address 3.3.3.3 255.255.255.255
R3(config-if)#exit
R3(config)#interface Serial0/0
R3(config-if)#ip address 23.0.0.3 255.255.255.0
R3(config-if)#no shutdown

2.5 Configure RIPv2 as the routing protocol on all routers. Configure authentication between R1 and R2 using the strongest method available, with password ACIT and key ID 1. Configure clear-text authentication between R2 and R3 with password ROHIT. Make sure you can ping from R1 to R3.

Solution:
RIPv2 offers two authentication modes, clear text and MD5; MD5 is the stronger one and is used between R1 and R2.
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 12.0.0.0
R1(config-router)#network 10.0.0.0
R1(config-router)#exit
R1(config)#key chain RIP12
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string ACIT
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#interface Serial0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP12
R1(config-if)#exit
R1(config)#exit
R1#wr
Now configure R2:
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 12.0.0.0
R2(config-router)#network 23.0.0.0
R2(config-router)#exit
R2(config)#key chain RIP12
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ACIT
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#key chain RIP23
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ROHIT
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#interface Serial0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP12
R2(config-if)#exit
R2(config)#interface Serial0/1
R2(config-if)#ip rip authentication mode text
R2(config-if)#ip rip authentication key-chain RIP23
R2(config-if)#exit
R2(config)#exit
R2#wr
Now configure R3:
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#network 23.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#exit
R3(config)#key chain RIP23
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string ROHIT
R3(config-keychain-key)#exit
R3(config-keychain)#exit
R3(config)#interface Serial0/0
R3(config-if)#ip rip authentication mode text
R3(config-if)#ip rip authentication key-chain RIP23
R3(config-if)#exit
R3(config)#exit
R3#wr
Verify that the RIP routes have arrived with show ip route, then ping 3.3.3.3 from R1. If routes are missing, check the key chains with show key chain: the key-chain name is local to each router, but the key ID and the key-string must match on both ends of a link, and the authentication mode must be the same on both sides. Remember that clear-text mode sends ROHIT in every RIP update, readable by anyone on the R2-R3 link; MD5 mode never sends the key itself.

2.6 Configure R2 as an NTP server with stratum 2 and configure NTP authentication with password CISCO. Configure R1 from the command line as an NTP client of R2, and configure R3 as an NTP client of R2 using SDM. Set the clock on R2 to today's date and time. Verify that the clients have synchronized.

Solution:
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 CISCO
R1(config)#ntp trusted-key 1
R1(config)#ntp server 12.0.0.2 key 1
R2#configure terminal
R2(config)#ntp master 2
R2(config)#ntp authentication-key 1 md5 CISCO
R3#configure terminal
R3(config)#ip http server
On the client, ntp authenticate turns checking on, ntp trusted-key 1 says which key IDs are acceptable, and key 1 on the server statement makes R1 sign its requests with that key. R2 only needs the key defined: it signs its replies with the key ID the client used. Set the clock on R2 with the clock set command in privileged mode.
Access R3 via SDM. Once SDM starts, go to Additional Tasks, open Router Properties and then NTP. Click on Add, enter the NTP server IP address 23.0.0.2, tick Authentication Key, enter key number 1 and key value CISCO, click OK and then the Save button at the top.
Verify on R3 with show run that the NTP configuration is present. Verify on R1 that the time has synchronized with R2 using show ntp associations detail. You get output like the following:
R1#show ntp associations detail
12.0.0.2 configured, authenticated, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time D12123E6.20435B6D (21:53:42.126 Tue Mar 8 2011)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 14.618
delay 28.96 msec, offset 1.5571 msec, dispersion 0.11
precision 2**18, version 3
org time D12123E7.BED7556D (21:53:43.745 UTC Tue Mar 8 2011)
rcv time D12123E7.C226B1B9 (21:53:43.758 UTC Tue Mar 8 2011)
xmt time D12123E7.BAA98CDE (21:53:43.729 UTC Tue Mar 8 2011)
filtdelay =    28.96   29.19   28.92   28.95   29.02   30.36   28.96   28.98
filtoffset =    1.56    1.68    1.55    1.62    1.69    0.76    1.53    1.52
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85

The first line is what matters: R1 is authenticating R2 (authenticated), has chosen it as its time source (our_master), and considers it sane and valid at stratum 2. The reference ID 127.127.7.1 is the local-clock pseudo-address R2 advertises because ntp master makes it its own reference; reach 377 means the last eight polls all got a reply. Now check R3 the same way.
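What the client and server actually exchange when these commands are in place is the NTP packet plus a 20-byte MAC: the 32-bit key ID followed by MD5 over the key prepended to the packet. The following is an added example, not from the lab guide, that builds such a MAC for key 1 / CISCO and checks it the way a peer with ntp authenticate and ntp trusted-key would. The packet header is a constructed minimal client request, not a capture.

```python
import hashlib
import hmac
import struct

KEY_ID = 1
KEYS = {KEY_ID: b"CISCO"}   # ntp authentication-key 1 md5 CISCO
TRUSTED = {KEY_ID}          # ntp trusted-key 1
MAC_LEN = 4 + 16            # key ID + MD5 digest


def ntp_client_header() -> bytes:
    """Minimal 48-byte NTPv3 client request: LI=0, VN=3, mode=3, all else zero.
    Constructed for the example; a real client fills in the transmit timestamp."""
    return struct.pack("!B", (0 << 6) | (3 << 3) | 3) + bytes(47)


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Key ID (32-bit) followed by MD5 over the key prepended to the packet.
    This is MD5(key || message), not HMAC; the key never appears on the wire."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, keys: dict) -> bytes:
    """What a client configured with `ntp server <addr> key <id>` sends."""
    return header + ntp_mac(key_id, keys[key_id], header)


def verify(packet: bytes, keys: dict, trusted: set) -> tuple:
    """What a peer running `ntp authenticate` checks before it will sync:
    a MAC is present, its key ID is trusted and known, and the digest matches."""
    if len(packet) < 48 + MAC_LEN:
        return False, "no MAC present"
    header, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted or key_id not in keys:
        return False, f"key id {key_id} not trusted"
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, ntp_mac(key_id, keys[key_id], header)):
        return False, "digest mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    pkt = sign(ntp_client_header(), KEY_ID, KEYS)
    print(verify(pkt, KEYS, TRUSTED))                 # (True, 'authenticated')
    print(verify(pkt, {KEY_ID: b"cisco"}, TRUSTED))   # key typed differently on the peer
```

The failure branches are the ones you hit in the lab: a key-string that differs by case on one side gives "digest mismatch", and forgetting ntp trusted-key on the client gives "not trusted" even though the key is defined. Authentication here proves the reply came from someone holding CISCO; it does not hide the time data, and the key itself is stored in the configuration in type 7 form, so treat show run output as sensitive.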

2.7 Install the Kiwi Syslog application on PC1, give PC1 the address 10.0.0.110/24 with gateway 10.0.0.1, and configure R1 via the CLI to send all syslog messages of level informational and above to the Kiwi syslog server. Configure R2 via SDM to do the same. Verify in Kiwi that the messages arrive.

Solution:
Install the Kiwi software on your PC. Now configure R1 via the CLI:
R1#configure terminal
R1(config)#logging host 10.0.0.110
R1(config)#logging trap informational
logging trap informational sends severity 0 through 6 (everything except debugging) to the host. Syslog travels in clear text over UDP port 514, so anything logged is readable on the path to the PC.
Now configure syslog on R2 via SDM. Connect to R2 with SDM, go to Additional Tasks, click on Router Properties and then Logging, and click on Edit. Tick the Logging Level checkbox and choose the level informational, click on Add and enter the Kiwi address 10.0.0.110, clear the Logging Buffered checkbox, click OK and Apply, and then click the Save button at the top.
Verify that messages arrive by shutting and re-enabling interface FastEthernet0/1 on R1 and R2. The link state changes now appear in the Kiwi syslog server.
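Once login logging (task 1.18) and a syslog destination (this task) are both in place, the syslog server holds the raw material for detection. The following added example, not part of the lab guide, parses the %SEC_LOGIN messages that login on-failure log and login on-success log produce and raises an alert with the same threshold as login block-for 120 attempts 2 within 60, plus one for a success that immediately follows failures from the same source. The log lines are constructed in Kiwi's display style and are not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the %SEC_LOGIN messages produced by `login on-success log` and
# `login on-failure log`, regardless of the prefix the syslog server adds.
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].*?"
    r"at (?P<time>\d\d:\d\d:\d\d) UTC (?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)


def parse_login_event(line: str):
    """Return (event, user, source, timestamp) or None for any other message."""
    m = SEC_LOGIN.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
    return m["event"], m["user"], m["src"], ts


def detect(lines, attempts: int = 2, within: int = 60) -> list:
    """Sliding-window detector mirroring `login block-for 120 attempts 2 within 60`.
    Emits ("threshold", src, hh:mm:ss) when `attempts` failures from one source
    fall inside `within` seconds, and ("success_after_failure", ...) when a
    success follows a failure from that source inside the same window."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        event, _user, src, ts = ev
        window = failures[src]
        while window and ts - window[0] > timedelta(seconds=within):
            window.popleft()          # drop failures older than the window
        if event == "LOGIN_FAILED":
            window.append(ts)
            if len(window) >= attempts:
                alerts.append(("threshold", src, ts.strftime("%H:%M:%S")))
                window.clear()        # the router would enter quiet mode here; start over
        elif window:
            alerts.append(("success_after_failure", src, ts.strftime("%H:%M:%S")))
    return alerts


# Constructed Kiwi-style lines (prefix = receive time, facility.severity, sender);
# not captured from a real R1.
SAMPLE_KIWI_LOG = """\
2011-03-08 21:50:01 Local7.Notice 10.0.0.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 12.0.0.2] [localport: 23] at 21:50:01 UTC Tue Mar 8 2011
2011-03-08 21:52:10 Local7.Warning 10.0.0.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 12.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 21:52:10 UTC Tue Mar 8 2011
2011-03-08 21:52:30 Local7.Warning 10.0.0.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 12.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 21:52:30 UTC Tue Mar 8 2011
2011-03-08 21:53:00 Local7.Error 10.0.0.1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
2011-03-08 21:55:00 Local7.Warning 10.0.0.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rohit] [Source: 12.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 21:55:00 UTC Tue Mar 8 2011
2011-03-08 21:55:20 Local7.Notice 10.0.0.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rohit] [Source: 12.0.0.2] [localport: 23] at 21:55:20 UTC Tue Mar 8 2011
2011-03-08 21:56:00 Local7.Warning 10.0.0.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 3.3.3.3] [localport: 23] [Reason: Login Authentication Failed] at 21:56:00 UTC Tue Mar 8 2011
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_KIWI_LOG):
        print(alert)
```

The detector keys on the router's own timestamp inside the message rather than on the time Kiwi received it, which is why the NTP task before this one matters: without synchronized clocks the windows computed here and the order of events across R1 and R2 cannot be trusted.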

2.8 Install the ACS server on PC1. Configure R1 with username rohit and password acit in the local user database. Configure a username user1 with password user1 on the ACS server. Configure R1 to ask for authentication whenever you connect to the console: it should first use TACACS+, and if the TACACS+ server fails it should fall back to the local database. Use the CLI to achieve this task.

Solution:
Install ACS on your PC.
R1#configure terminal
R1(config)#username rohit password acit
Now create the account on the ACS server: open ACS, click on User Setup, type the username user1, click on Add/Edit, enter the password user1 and click on Submit.
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#tacacs-server host 10.0.0.110 key cisco
Now add R1 as a client on the ACS server. Click on the Network Configuration tab. Set the AAA server name to ACS123, the AAA server IP address to 10.0.0.110, the key to cisco and the AAA server type to CiscoSecure ACS, then click on Submit and Apply. Click on Add Entry in the AAA Clients column, set the AAA client hostname to R1, the AAA client IP address to 10.0.0.1, the shared secret to cisco and Authenticate Using to TACACS+ (Cisco IOS), then click on Submit and Apply.
Now verify:
R1(config)#exit
R1#exit
The console asks for a username and password. Try username rohit with password acit: it is rejected. The TACACS+ server is reachable and answers with a reject, and a reject ends the method list; the local database is consulted only when the server does not answer at all. Now try username user1 with password user1: it works.
Shut down interface FastEthernet0/0 on R1 so that the TACACS+ server becomes unreachable, and try again. This time user1 is rejected, because the server cannot be reached and user1 does not exist locally, but rohit with password acit works: the TACACS+ method returned an error and the router moved on to the local method.
Bring FastEthernet0/0 on R1 back up with no shutdown before going to the next lab.

2.9 Configure R1 so that it uses TACACS+ for authentication whenever anyone accesses R1 remotely. If TACACS+ fails it should use the line password. Use the CLI to achieve this task.

Solution:
R1#configure terminal
R1(config)#aaa authentication login REMOTE group tacacs+ line
R1(config)#line vty 0 4
R1(config-line)#login authentication REMOTE
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#exit
R1#
Now verify:
R2#telnet 12.0.0.1
Log in with username user1 and password user1: you are let in. Now shut down interface FastEthernet0/0 on R1 so that the TACACS+ server is unreachable and try again from R2. This time the router asks only for a password, not a username, because the line method has fallen into use; enter cisco and it works.
Bring FastEthernet0/0 on R1 back up before going to the next lab.

2.10 Configure R3 so that it uses RADIUS for authentication whenever anyone accesses R3 remotely. If RADIUS fails it should use the enable password. Use the CLI to achieve this task.

Solution:
R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius enable
R3(config)#radius-server host 10.0.0.110 key cisco
R3(config)#enable secret cisco
Now add R3 as a client on the ACS server. Click on Add Entry in the AAA Clients column, set the AAA client hostname to R3, the AAA client IP address to 23.0.0.3, the shared secret to cisco and Authenticate Using to RADIUS (Cisco IOS/PIX 6.0), then click on Submit and Apply.
Now verify:
R2#telnet 23.0.0.3
Log in with username user1 and password user1: you are let in. Now shut down interface FastEthernet0/0 on R1 so that the RADIUS server is unreachable from R3 and try again from R2. The router still prompts for a username and password, but the enable method ignores the username: enter any word as the username and the enable secret cisco as the password, and it works.
Bring FastEthernet0/0 on R1 back up before going to the next lab.

2.11 Ensure that R3 does not ask for any authentication on console access. Use the CLI to achieve this task.

Solution:
Before you start, log out of R3 and check whether you are asked to authenticate. You are, because the default list (aaa authentication login default group radius enable) applies to line console 0 automatically once aaa new-model is enabled; the console asks for a username and password. Give the console its own method list:
R3#configure terminal
R3(config)#aaa authentication login CON none
R3(config)#line console 0
R3(config-line)#login authentication CON
R3(config-line)#exit
R3(config)#exit
R3#
Verify by logging out of R3:
R3#exit
You land at the user-mode prompt without any login prompt; only enable still asks for the enable secret.
R3>
Method none is acceptable here only because the console port is physically protected; never apply it to the vty lines.
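Tasks 2.8 through 2.11 all turn on one rule about how IOS walks a method list: the next method is consulted only when the previous one returns an error (server unreachable, user not in the local database, no line or enable password set), never when it returns a fail (the server or the local database saw the credentials and rejected them). The following added example, not part of the lab guide, models that rule with the users, passwords and method lists of these four tasks; the router and server data are constructed, and the ACS reachability flag stands in for shutting down FastEthernet0/0 on R1.

```python
# Method results as IOS treats them: PASS and FAIL end the list, ERROR moves on.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class AaaRouter:
    """Tiny model of an IOS router with local users, a line password, an
    enable secret and AAA server groups (constructed data, not a real device)."""

    def __init__(self, local_users=None, line_password=None, enable_secret=None, servers=None):
        self.local_users = local_users or {}
        self.line_password = line_password
        self.enable_secret = enable_secret
        # servers: {"group tacacs+": {"reachable": bool, "users": {name: password}}, ...}
        self.servers = servers or {}

    def run_method(self, method: str, username: str, password: str) -> str:
        """Evaluate one method of an `aaa authentication login` list."""
        if method.startswith("group "):
            srv = self.servers.get(method)
            if srv is None or not srv["reachable"]:
                return ERROR                      # no answer from the server
            return PASS if srv["users"].get(username) == password else FAIL
        if method == "local":
            if username not in self.local_users:
                return ERROR                      # unknown user: IOS tries the next method
            return PASS if self.local_users[username] == password else FAIL
        if method == "line":
            if self.line_password is None:
                return ERROR                      # no password on the line
            return PASS if password == self.line_password else FAIL
        if method == "enable":
            if self.enable_secret is None:
                return ERROR                      # no enable secret/password set
            return PASS if password == self.enable_secret else FAIL
        if method == "none":
            return PASS
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list, username: str, password: str):
        """Walk the list and stop at the first PASS or FAIL. If every method
        returns ERROR the login is denied. Returns (allowed, trace)."""
        trace = []
        for method in method_list:
            result = self.run_method(method, username, password)
            trace.append((method, result))
            if result != ERROR:
                return result == PASS, trace
        return False, trace


def lab_router(acs_reachable: bool) -> AaaRouter:
    """R1/R3 state from labs 2.8-2.11; acs_reachable=False models R1 fa0/0 shut down."""
    acs = {"reachable": acs_reachable, "users": {"user1": "user1"}}
    return AaaRouter(
        local_users={"rohit": "acit"},
        line_password="cisco",
        enable_secret="cisco",
        servers={"group tacacs+": acs, "group radius": acs},
    )


if __name__ == "__main__":
    up, down = lab_router(True), lab_router(False)
    print(up.authenticate(["group tacacs+", "local"], "rohit", "acit"))    # denied: server said FAIL
    print(down.authenticate(["group tacacs+", "local"], "rohit", "acit"))  # allowed via local
```

The trace returned with each decision shows which method actually answered, which is the question to ask whenever a fallback "does not work": a reachable server that rejects the user is working exactly as designed, and the local account only helps when the server is silent.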

2.12 Configure R2 so that it uses TACACS+ for authentication for every type of connection. Use SDM to achieve this task.

Solution:
First add R2 as a client on the ACS server. Click on the Network Configuration tab, click on Add Entry in the AAA Clients column, set the AAA client hostname to R2, the AAA client IP address to 12.0.0.2, the shared secret to cisco and Authenticate Using to TACACS+ (Cisco IOS), then click on Submit and Apply.
Now log on to R2 via SDM. Once SDM starts, go to Additional Tasks, click on AAA and click on Enable AAA. You get an error message that a username with privilege 15 must exist first. Create one on R2:
R2(config)#username ccnasec privilege 15 password ccnasec
Click on Enable AAA again. SDM adds a few commands on its own; they are a safeguard so that enabling AAA does not lock you out of the router.
Click on AAA Servers under the AAA tab and click on Add. Choose the server type TACACS+, enter the server IP 10.0.0.110 and the key cisco.
Click on Login under Authentication Policies, click on Edit, click on Add and choose Group TACACS+. Move tacacs+ above local and click OK.
Verify by logging out of R2:
R2#exit
It asks for a username and password. Use username user1 and password user1.