1 00:00:14,390 --> 00:00:21,050 OK, so let's see if we can complete this lab. We're told to configure the Tacacs and Radius server as
2 00:00:21,050 --> 00:00:21,570 follows.
3 00:00:22,940 --> 00:00:31,880 So on the AAA server, we need to enable the AAA service and then we need to specify our clients. First
4 00:00:31,880 --> 00:00:35,570 client is router 1, that's going to use this IP address.
5 00:00:36,290 --> 00:00:38,090 We'll configure the router in a moment.
6 00:00:39,930 --> 00:00:46,300 The secret password that we'll use here is Cisco, the protocol used is Tacacs.
7 00:00:46,710 --> 00:00:56,190 I'm going to click add to add that client. Next client is router 2, IP address is 10.1.1.203.
8 00:00:57,810 --> 00:01:06,600 The password used is Cisco, and in this case it needs to be Radius. Switch 1 client IP address is
9 00:01:06,720 --> 00:01:12,150 10.1.1.252, secret will be Cisco.
10 00:01:13,990 --> 00:01:15,940 This device is going to use Tacacs.
11 00:01:17,390 --> 00:01:20,900 We then need to add a user, the username is David.
12 00:01:21,020 --> 00:01:22,250 The password is Cisco.
13 00:01:24,250 --> 00:01:30,730 So that's the server configured. The server has an IP address, once again, of 10.1.1.250.
14 00:01:31,810 --> 00:01:36,040 The first device we need to configure is router 1. Here's router 1.
15 00:01:37,130 --> 00:01:38,280 It's just booted up.
16 00:01:40,080 --> 00:01:45,080 It's asking us whether we want to enter the initial configuration dialogue. We don't want to do that.
17 00:01:45,090 --> 00:01:50,460 So I'm going to say no. I'll configure the router with a hostname of R1.
18 00:01:54,600 --> 00:02:02,410 So we're told to configure AAA for login and enable using Tacacs with server 10.1.1.250.
19 00:02:02,970 --> 00:02:07,530 Now, before we can do that, we need to make sure we have IP connectivity.
20 00:02:07,980 --> 00:02:15,390 So I'm going to configure the router with an IP address on gigabit 0/0/0 and I'm going to
21 00:02:15,390 --> 00:02:16,800 no shut the interface.
22 00:02:18,880 --> 00:02:26,050 That's per our network topology, and we've been given the IP address of the Tacacs client.
23 00:02:27,010 --> 00:02:31,570 So we know this router needs to be configured with this IP address.
24 00:02:33,180 --> 00:02:39,080 So can the router ping the Tacacs server 10.1.1.250?
25 00:02:39,600 --> 00:02:40,500 Yes, it can.
26 00:02:41,100 --> 00:02:48,610 So before we configure AAA, we need to ensure that we have IP connectivity on our devices.
27 00:02:49,080 --> 00:02:56,950 I'll do something similar while I'm here with router 2, so hostname is router 2, interface gigabit
28 00:02:56,950 --> 00:03:05,130 0/0/0, no shut, IP address 10.1.1.253, /24 mask.
29 00:03:06,690 --> 00:03:07,620 Can we ping
30 00:03:08,660 --> 00:03:15,120 the AAA server? We'll have to wait for spanning tree to converge. While we are waiting for that,
31 00:03:15,740 --> 00:03:17,300 let's have a look at our switch.
32 00:03:18,260 --> 00:03:20,600 The switch has no configuration either.
33 00:03:21,320 --> 00:03:30,980 So hostname will be switch 1, interface VLAN 1, no shut. IP address of the switch will be 10.
34 00:03:30,980 --> 00:03:33,680 1.1.252.
35 00:03:36,050 --> 00:03:38,990 So all I've done is change the switch name
36 00:03:41,000 --> 00:03:45,650 and configure an IP address on the switch. So can the switch ping
37 00:03:47,590 --> 00:03:50,260 the AAA server? Yes, it can.
38 00:03:51,980 --> 00:03:53,310 What about router 2?
39 00:03:53,960 --> 00:03:55,310 Can it ping the server?
40 00:03:55,340 --> 00:03:56,060 Yes, it can.
41 00:03:58,150 --> 00:04:02,470 So we've got IP connectivity between the devices and the AAA server.
42 00:04:05,190 --> 00:04:08,880 Now, let's configure AAA on router 1.
43 00:04:10,060 --> 00:04:14,260 So in global configuration mode, we need to type aaa new-model.
44 00:04:14,830 --> 00:04:17,380 I'm going to create the backup username
45 00:04:18,589 --> 00:04:25,270 called backup, password is going to be Cisco. You don't have to use that username if you don't want
46 00:04:25,270 --> 00:04:33,120 to. In the real world, you'd use something better and you could use any name; in the lab, in the exam,
47 00:04:33,140 --> 00:04:34,830 follow the instructions given.
48 00:04:35,580 --> 00:04:39,410 Next thing we need to do is enable authentication.
49 00:04:39,410 --> 00:04:41,030 So AAA authentication.
50 00:04:41,690 --> 00:04:43,170 We're going to do it for login.
51 00:04:43,640 --> 00:04:53,840 We're going to do this for all lines, so console, VTY, auxiliary port, TTYs, VTYs, any line that
52 00:04:53,840 --> 00:04:55,700 connects to the router.
53 00:04:56,570 --> 00:04:59,720 And we're going to use a group,
54 00:05:01,080 --> 00:05:08,280 which is a Tacacs group, and then we're going to use local as the backup. We first are going to use
55 00:05:08,280 --> 00:05:14,690 Tacacs as our authentication protocol and then, as a backup, we'll use local authentication.
56 00:05:15,390 --> 00:05:17,550 We need to do something similar for
57 00:05:18,510 --> 00:05:19,200 enable.
58 00:05:21,180 --> 00:05:22,710 So for the enable password
59 00:05:23,700 --> 00:05:24,900 we can use a group,
60 00:05:25,950 --> 00:05:35,130 Tacacs group, and then we're going to use local authentication. So at the moment we have
61 00:05:36,530 --> 00:05:38,720 configured three AAA commands.
62 00:05:40,070 --> 00:05:42,700 The last step is to configure the Tacacs server.
63 00:05:44,160 --> 00:05:50,280 The host is going to be 10.1.1.250, the key will be Cisco.
64 00:05:51,270 --> 00:05:58,980 So, again, this is our triple-A configuration, here's our Tacacs server configuration.
65 00:06:00,190 --> 00:06:07,570 Now, Tacacs and Radius are security protocols and are therefore used to enhance the security
66 00:06:07,570 --> 00:06:09,160 of your network devices.
67 00:06:09,680 --> 00:06:10,720 So you need to be careful.
68 00:06:10,720 --> 00:06:16,660 Now, if you log out of your router and you've made a mistake, you may not be able to log back in to
69 00:06:16,660 --> 00:06:17,200 your router.
70 00:06:17,890 --> 00:06:24,480 So what I'm going to do is I'm going to simply telnet to the router to check if things are working right.
71 00:06:24,910 --> 00:06:27,760 So I'm going to log in as David, password is Cisco,
72 00:06:28,180 --> 00:06:33,910 and notice I'm now able to log in to the router, even though I didn't configure
73 00:06:34,930 --> 00:06:40,630 the VTY lines. So type exit, and back on the console of the router,
74 00:06:41,520 --> 00:06:45,180 notice only the console is in use. Show run,
75 00:06:46,930 --> 00:06:55,600 go down all the way, notice line vty 0 4 isn't configured. By default we are using
76 00:06:55,600 --> 00:06:58,420 AAA for all lines.
77 00:06:59,000 --> 00:07:04,930 As soon as you type this command, we are no longer using the local username and password database.
78 00:07:05,440 --> 00:07:11,800 Everything is going to use Tacacs first and will only use the local username and password database
79 00:07:12,460 --> 00:07:14,710 if the Tacacs server is not available.
80 00:07:16,410 --> 00:07:22,380 So if you're unsure, I suggest you don't save your router's configuration, so if you make a mistake,
81 00:07:22,380 --> 00:07:24,720 you can simply reboot your devices.
82 00:07:26,330 --> 00:07:27,740 But router 1 is working.
83 00:07:29,190 --> 00:07:35,070 The next step is to configure router 2 with AAA, but we're using Radius in this example.