This tutorial will guide you through the configuration of AAA on Cisco routers. AAA stands for authentication, authorization and accounting. AAA provides access control: a way to specify who may access the network and what they may access once access is granted.

Let’s quickly discuss each of them before we jump to the AAA tasks and topology details.

Authentication identifies the user. The user is identified first; only then is access allowed.

Authorization defines what an authenticated user is allowed to do.

Accounting records which network resources a user accessed and for how long. This information can be used later, for billing for example.

AAA relies on a protocol between the device and the AAA server to carry out its security functions. Among others, two are very common: RADIUS and TACACS.

For more information about AAA, I advise you to visit Cisco’s website, which contains useful material for an in-depth understanding of AAA.

Coming back to the simulation, I created two files for this exercise:

  • configuring_aaa_init.pkt: the starting point. All hosts/servers can reach each other through OSPF, which is running on all routers. The TACACS and RADIUS servers are preconfigured; you only need to configure the routers according to the tasks.
  • configuring_aaa_final.pkt: the solutions. Use it to compare with your own configuration.

Regarding the topology: on the subnets where a PC is connected, the router’s interface has an IP address whose last octet is .1, and the last octet of the PC’s IP address is .100. The default gateway of the PC is the router’s IP address.

For instance, on the subnet with PC_1: PC_2 has the IP address of 10.10.20.100/24 and R1’s interface IP address is 10.10.20.1/24.

Each router has a loopback address in the form of 1.1.1.X/32, where X is the router number. For instance, the loopback address of R3 is 1.1.1.3/32.

Also, each subnet between the routers is written on the topology, and every router uses its router number as the last octet of its address on that subnet. For instance, on the subnet 10.10.12.0/24, R2 has 10.10.12.2/24 and R1 has 10.10.12.1/24.

All three routers are running OSPF in area 0 so that the end hosts and the servers have connectivity between them.

The goals of this simulation are:

  1. use the RADIUS server when connecting to R1, either by telnet from the PC or through the console (by clicking the router icon).
  2. use the TACACS server when connecting to R3, either by telnet from the PC or through the console (by clicking the router icon).

To make this testable, a few things were preconfigured:

  • on all routers: a backup username for troubleshooting. The username/password is super/cisco. Use this user when you cannot log in with the usernames configured on the RADIUS/TACACS servers.
  • on the RADIUS server: a username to test AAA. The username/password is operator/key_radius. This user can be used for console or telnet access.
  • on the TACACS server: a username to test AAA. The username/password is operator/key_tacacs. This user can be used for console or telnet access.

Task 1 requirements

  1. on R1 configure a RADIUS server with the IP address of 10.10.20.100
  2. on R1 configure the RADIUS key R1_PASS
  3. on R1 enable AAA
  4. on R1 configure all logins to use the RADIUS server. If the RADIUS server is not available, use the local database
  5. on R1 configure a new method for telnet connections that uses the RADIUS server and falls back to the local database in case the server is not available
  6. on R1 configure the console line to use the default AAA authentication method
  7. on R1 configure the vty lines to use the TELNET authentication method

Task 1 verification

  1. From PC_1, do a telnet to 10.10.12.1 and confirm that you are asked for a username and password to access R1.
  2. Close the window where you are configuring R1 and click the R1 icon again to connect to R1 through the console. Confirm that you are asked for a username and a password.

Task 1 hints

  1. Use the command ‘radius-server host 10.10.20.100’ to configure the RADIUS server
  2. Use the command ‘radius-server key R1_PASS’ to configure the key
  3. Use the command ‘aaa new-model’ to enable AAA
  4. Use the command ‘aaa authentication login default group radius local’ to configure all logins to use the RADIUS server
  5. Use the command ‘aaa authentication login TELNET group radius local’ to configure a new AAA method to be used for telnet authentication
  6. Use the command ‘login authentication default’ under console line configuration to use the default AAA authentication method
  7. Use the command ‘login authentication TELNET’ under vty lines to use the TELNET authentication method

Task 2 requirements

  1. on R3 configure a TACACS server with the IP address of 10.10.10.100
  2. on R3 configure the TACACS key R3_PASS
  3. on R3 enable AAA
  4. on R3 configure all logins to use the TACACS server. If the TACACS server is not available, use the local database
  5. on R3 configure a new method for telnet connections that uses the TACACS server and falls back to the local database in case the server is not available
  6. on R3 configure the console line to use the default AAA authentication method
  7. on R3 configure the vty lines to use the TELNET method

Task 2 verification

  1. From PC_1, do a telnet to 10.10.23.3 and confirm that you are asked for a username and password to access R3.
  2. Close the window where you are configuring R3 and click the R3 icon again to connect to R3 through the console. Confirm that you are asked for a username and a password.

Task 2 hints

  1. Use the command ‘tacacs-server host 10.10.10.100’ to configure the TACACS server
  2. Use the command ‘tacacs-server key R3_PASS’ to configure the key
  3. Use the command ‘aaa new-model’ to enable AAA
  4. Use the command ‘aaa authentication login default group tacacs+ local’ to configure all logins to use the TACACS server
  5. Use the command ‘aaa authentication login TELNET group tacacs+ local’ to configure a new AAA method to be used for telnet authentication
  6. Use the command ‘login authentication default’ under console line configuration to use the default AAA authentication method
  7. Use the command ‘login authentication TELNET’ under vty lines to use the TELNET authentication method
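Both tasks assembled into complete configurations, as an added example rather than the tutorial’s own solution file (configuring_aaa_final.pkt): the commands are the ones from the Task 1 and Task 2 hints, placed in their configuration-mode context and in the order they depend on each other. The line names, the `show`/`debug` commands and the newer `radius server`/`tacacs server` syntax are standard IOS; whether Packet Tracer exposes every one of them is an assumption.

```ios
! ===== R1: Task 1 (RADIUS) =====
! Keep the console session that you type this from open until verification
! succeeds; the preconfigured local user super/cisco is the safety net.
enable
configure terminal
 ! 1-2: the server and the shared key that protects RADIUS traffic to it
 radius-server host 10.10.20.100
 radius-server key R1_PASS
 ! 3: AAA must be enabled before any method list can be defined
 aaa new-model
 ! 4-5: "group radius" is tried first. "local" is consulted only when the
 ! server does not answer; an explicit reject from the server ends the login
 ! attempt without trying the local database.
 aaa authentication login default group radius local
 aaa authentication login TELNET group radius local
 ! 6: the console uses the default list
 line console 0
  login authentication default
 ! 7: the vty lines use the named list
 line vty 0 4
  login authentication TELNET
 end

! ===== R3: Task 2 (TACACS+) =====
! Identical apart from the server commands and the group keyword.
configure terminal
 tacacs-server host 10.10.10.100
 tacacs-server key R3_PASS
 aaa new-model
 aaa authentication login default group tacacs+ local
 aaa authentication login TELNET group tacacs+ local
 line console 0
  login authentication default
 line vty 0 4
  login authentication TELNET
 end

! ===== Verification on either router =====
show running-config | section aaa
! Then telnet from PC_1 (10.10.12.1 for R1, 10.10.23.3 for R3) while the
! debug shows which method of the list handled the login:
debug aaa authentication
! On current IOS releases the per-server commands above are deprecated in
! favour of "radius server NAME" / "tacacs server NAME" blocks with
! "address ipv4 ..." and "key ..." inside; Packet Tracer uses the old form.
```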

As you can see, the AAA configuration on Cisco routers is pretty straightforward. This is partly because the features supported by Packet Tracer are limited: real devices have many more options, and the configuration can become cumbersome at times.

But if you understand the basics explained in this tutorial then you have a good start regarding AAA.