Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Hands-On Labs


This section will have you configure a Cisco 2600 router with AAA. If you don’t have a Cisco router, please check www.routersim.com for a SECUR router simulator.

The labs in this chapter include the following:

Lab 2.1: Setting the Line Passwords

Lab 2.2: Setting the Enable Passwords

Lab 2.3: Encrypting Your Passwords

Lab 2.4: Creating Users and Logging In

Lab 2.5: Configuring AAA on the NAS

Lab 2.1: Setting the Line Passwords

This lab has you log in and set the character-mode passwords on your router.

1. Connect to your router and press Enter.

2. Type the command enable.

3. Type the command config t.

4. Set your hostname to “NAS” using the following command:

Router(config)#hostname NAS

5. Set the console, VTY, and AUX line passwords using the following commands:

NAS(config)#line con 0

NAS(config-line)#login

NAS(config-line)#password console

NAS(config-line)#line vty 0 4

NAS(config-line)#password telnet

NAS(config-line)#line aux 0

NAS(config-line)#password todd

6. Press Ctrl+Z and then type copy running-config startup-config.

Lab 2.2: Setting the Enable Passwords

This lab has you configure the enable passwords on your router.

1. Log in to your router.

2. Type config t to enter global configuration mode. You should see the following output:

NAS#config t

Enter configuration commands, one per line. End with CNTL/Z.

NAS(config)#

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

66 Chapter 2 Introduction to AAA Security

3. Set the enable password to “routersim” using the following command:

NAS(config)#enable password routersim

4. Set the enable secret password to “globalnet” using the following command:

NAS(config)#enable secret globalnet

5. Press Ctrl+Z and then type copy running-config startup-config.

6. Type show running-config and notice that the enable secret password is encrypted, but that the enable password and the line passwords are not.

Lab 2.3: Encrypting Your Passwords

This lab has you configure password encryption on your router.

1. Log in to your router.

2. Go to the global configuration mode.

3. Type the following command:

NAS(config)#service password-encryption

NAS(config)#^Z (Ctrl+Z)

4. From the privileged mode prompt, type show running-config and verify that your passwords are indeed now encrypted.

5. Enter the global configuration mode and type the following commands:

NAS#config t

Enter configuration commands, one per line. End with CNTL/Z.

NAS(config)#no service password-encryption

NAS(config)#^Z

NAS#

This stops the encryption service from running in the background on your router.
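
Step 6 of Lab 2.2 and step 4 of Lab 2.3 ask you to read show running-config and judge how each password is stored. The Python sketch below is an added example, not part of the book: it classifies every stored password in a saved configuration by the type digit IOS writes in front of it (5 is an MD5 hash; 7, which service password-encryption produces, is a reversible encoding). The sample configuration and the names audit and weak are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not router output), built to show each
# storage type side by side. The hash and type 7 strings are placeholders.
SAMPLE = """\
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue000
enable password 7 00112233445566
username todd password 0 lammle
line con 0
 password 7 0011223344
 login
line aux 0
 password todd
line vty 0 4
 password 7 001122334455
"""

# Type digit IOS writes before a stored password; no digit means stored as typed.
STORAGE = {"0": "cleartext", "5": "MD5 hash", "7": "type 7 (reversible)"}
CRED = re.compile(
    r"^\s*(enable (?:secret|password)|username \S+ (?:secret|password)|password)"
    r"\s+(?:([0-9])\s+)?\S+\s*$")

def audit(config):
    """Return (service_on, [(where, storage), ...]) for each stored password."""
    service_on, context, found = False, "global", []
    for line in config.splitlines():
        if line.strip() == "service password-encryption":
            service_on = True
        if line.startswith("line "):
            context = line.strip()      # remember which line block we are in
        elif not line.startswith(" "):
            context = "global"
        m = CRED.match(line)
        if m:
            kind, ptype = m.groups()
            where = kind if kind != "password" else f"{context} password"
            found.append((where, STORAGE.get(ptype or "0", f"type {ptype}")))
    return service_on, found

def weak(config):
    """Credentials readable or recoverable by anyone who can read the config."""
    return [where for where, storage in audit(config)[1] if storage != "MD5 hash"]

if __name__ == "__main__":
    on, creds = audit(SAMPLE)
    print("service password-encryption:", "on" if on else "off")
    for where, storage in creds:
        print(f"{where:28}{storage}")
```

Only the enable secret entry is absent from the weak list, which is the difference step 6 of Lab 2.2 asks you to notice.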

Lab 2.4: Creating Usernames and Logging In

This lab has you create a user on your router and then log in using the username and password.

1. Log in to your router.

2. Enter the global configuration mode and create a user and password. Here’s an example:

NAS#config t

Enter configuration commands, one per line. End with CNTL/Z.

NAS(config)#username todd password lammle


3. Under each line, add the command login local so that you are prompted for the username and password when connecting for user-mode access.

NAS(config)#line con 0

NAS(config-line)#login local

NAS(config-line)#line aux 0

NAS(config-line)#login local

NAS(config-line)#line vty 0 4

NAS(config-line)#login local

4. Press Ctrl+Z and then exit.

5. Press Enter. You should be prompted for your username and password.

Lab 2.5: Configuring AAA Authentication on the NAS

This lab has you enable AAA on the NAS and use the local database on the NAS router for authentication.

1. Log in to your router.

2. Enter the global configuration mode and enable AAA globally on the NAS with the following command:

NAS#config t

Enter configuration commands, one per line. End with CNTL/Z.

NAS(config)#aaa new-model

3. Set the AAA authentication to authenticate with the local username and password using the following command:

NAS(config)#aaa authentication login default local

4. Set the AAA authentication under the console, VTY, and AUX lines with the following commands:

NAS(config)#line console 0

NAS(config-line)#login authentication ?

WORD Use an authentication list with this name.

default Use the default authentication list.

NAS(config-line)#login authentication default

NAS(config-line)#line aux 0

NAS(config-line)#login authentication default

NAS(config-line)#line vty 0 4

NAS(config-line)#login authentication default


5. Type the following command from the privileged mode:

NAS#debug aaa authentication

6. Log out of the router.

7. Notice in the debug output that the authentication takes place.

8. Turn off debugging with the undebug all command.
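
Lab 2.5 ties every line to an AAA method list, and the local method only works if a user from Lab 2.4 exists. The Python sketch below is an added example, not part of the book: it resolves the login list each line will use in a saved configuration and reports the two conditions that can lock you out, a line naming a list that is never defined and a local-only list with no username configured. The sample configuration, the list name ADMINS and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not router output): the Lab 2.5 result,
# except that the vty block names a list, ADMINS, that is never defined.
SAMPLE = """\
aaa new-model
aaa authentication login default local
username todd password 0 lammle
line con 0
 login authentication default
line aux 0
line vty 0 4
 login authentication ADMINS
"""

def login_methods(config):
    """Map each line block to (list name, methods); methods is None if undefined."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif raw.startswith("line "):
            current = raw.strip()
            lines[current] = "default"   # with AAA on, "default" applies unless overridden
        elif not raw.startswith(" "):
            current = None
        elif current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                lines[current] = m.group(1)
    return {name: (lst, lists.get(lst)) for name, lst in lines.items()}

def findings(config):
    """Lockout risks: undefined lists, or local-only login with no local user."""
    has_user = any(l.startswith("username ") for l in config.splitlines())
    out = []
    for name, (lst, methods) in login_methods(config).items():
        if methods is None:
            out.append(f"{name}: list {lst} is not defined")
        elif methods == ["local"] and not has_user:
            out.append(f"{name}: list {lst} uses only local, but no username is configured")
    return out

if __name__ == "__main__":
    for name, (lst, methods) in login_methods(SAMPLE).items():
        print(name, "->", lst, methods)
    print(findings(SAMPLE))
```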
