1
00:00:12,310 --> 00:00:27,680
So in Router 2, conf t, aaa new-model, username backup password Cisco. You want that in

2
00:00:27,680 --> 00:00:34,220
case you have a problem with communication to your AAA server. If there's a problem communicating with

3
00:00:34,220 --> 00:00:39,860
your AAA server and you haven't configured a local authentication method,

4
00:00:42,350 --> 00:00:51,200
you won't be able to log in to your router, so we want to have a backup here of local that's only

5
00:00:51,200 --> 00:00:54,320
used if the server is not available.

6
00:00:54,710 --> 00:00:58,670
So going back to Router 1, as an example, if I try and telnet

7
00:00:59,960 --> 00:01:09,680
to the router and log in with the username backup, password Cisco, that's denied because the AAA server is

8
00:01:09,680 --> 00:01:16,370
available, but if the AAA server is not available, we'd be able to log in using that backup method,

9
00:01:17,570 --> 00:01:19,390
and I'll demonstrate that in a moment.

10
00:01:20,790 --> 00:01:33,090
So thus far, we've configured aaa new-model and a login default using RADIUS. So aaa authentication

11
00:01:34,830 --> 00:01:45,630
enable default group is going to be radius, local backup. The radius-server host

12
00:01:47,990 --> 00:01:55,490
and again, just use question mark if you're not sure, 10.1.1.250, the key is going

13
00:01:55,490 --> 00:01:56,210
to be Cisco.

14
00:01:57,200 --> 00:02:00,340
Obviously in the real world, you're going to use better keys than that.

15
00:02:01,010 --> 00:02:04,370
So show run include AAA,

16
00:02:04,850 --> 00:02:07,010
there's our AAA configuration,

17
00:02:07,880 --> 00:02:10,430
here's our RADIUS configuration.

18
00:02:11,000 --> 00:02:13,490
So let's telnet to ourselves

19
00:02:17,060 --> 00:02:21,470
and see if we can log in. Now, I have had problems with Packet Tracer

20
00:02:22,440 --> 00:02:24,540
up to the moment; it's taking a long time.
21
00:02:25,960 --> 00:02:32,650
But eventually I've been able to log in, so that looks good. Packet Tracer should display the username

22
00:02:32,650 --> 00:02:33,670
here but it doesn't;

23
00:02:33,820 --> 00:02:34,600
it's just a problem in

24
00:02:34,600 --> 00:02:40,960
Packet Tracer. I'll exit the telnet session. Packet Tracer is a simulator, once again,

25
00:02:41,320 --> 00:02:50,020
so it's not perfect, but it does a great job in this lab, allowing us to learn and practice AAA authentication.

26
00:02:50,740 --> 00:02:56,740
I'll save the router's configuration. The last device to configure is Switch 1; it's going to be using

27
00:02:57,710 --> 00:02:58,910
RADIUS authentication.

28
00:03:01,370 --> 00:03:10,070
So on Switch 1, aaa new-model, username backup password Cisco,

29
00:03:11,990 --> 00:03:23,910
aaa authentication login default group tacacs+ in this example, local backup, aaa

30
00:03:24,110 --> 00:03:24,980
authentication

31
00:03:26,770 --> 00:03:30,490
enable default group

32
00:03:32,150 --> 00:03:32,900
tacacs+,

33
00:03:34,130 --> 00:03:36,140
backup is going to be local.

34
00:03:38,460 --> 00:03:42,670
TACACS+ server is going to be 10.1.1.250.

35
00:03:43,230 --> 00:03:45,600
The key is going to be Cisco.

36
00:03:46,720 --> 00:03:53,350
So again, show run, type include AAA, there's our AAA configuration, here's our TACACS+

37
00:03:53,350 --> 00:03:57,070
configuration. Let's telnet to ourselves,

38
00:03:57,640 --> 00:04:03,210
make sure that we can log in before I save the configuration.

39
00:04:04,240 --> 00:04:05,170
So that looks good.

40
00:04:05,810 --> 00:04:07,640
Save the switch's configuration.

41
00:04:08,470 --> 00:04:13,300
So now we've got AAA configured on these three devices.
42
00:04:14,870 --> 00:04:25,340
These devices don't have a username configured of David in the local username and password database,

43
00:04:25,890 --> 00:04:34,430
but notice I should be able to log in via the console using the username David and the password Cisco,

44
00:04:34,670 --> 00:04:35,480
and there you go.

45
00:04:35,870 --> 00:04:37,090
I can log in to Router 1.

46
00:04:37,880 --> 00:04:38,930
Router 1, as an example,

47
00:04:38,950 --> 00:04:48,770
should be able to telnet to Router 3 and also log in using the same username and password, even

48
00:04:48,770 --> 00:04:54,740
though that user is not configured on the devices.

49
00:04:57,390 --> 00:05:03,600
Try that again: username is David, password is Cisco. So I can log in to Router 1, Router 2

50
00:05:03,600 --> 00:05:11,970
and Switch 1 using username David. We then need to create another user and test that that works as

51
00:05:11,970 --> 00:05:12,320
well.

52
00:05:13,430 --> 00:05:15,020
So on the AAA server,

53
00:05:16,150 --> 00:05:23,140
I'm going to create a user called Peter Pan and click Add. So all I've done is create another user on

54
00:05:23,200 --> 00:05:24,250
the AAA server.

55
00:05:25,250 --> 00:05:37,190
But that means that when Router 1 telnets to Router 2, we should be able to log in with the user Peter

56
00:05:37,190 --> 00:05:38,760
Pan, which we can.

57
00:05:39,620 --> 00:05:41,660
This is the advantage of AAA.

58
00:05:42,050 --> 00:05:50,600
Rather than having to create users on every device, we can simply create new users

59
00:05:52,690 --> 00:05:54,280
on the AAA server,

60
00:05:55,740 --> 00:05:57,840
and as soon as I've done that

61
00:05:58,870 --> 00:05:59,890
I'll be able to

62
00:06:00,870 --> 00:06:05,100
log in to the device using that username and password.