Welcome

First of all, may I welcome you to my site. My name is Chris and I'm from the UK and work as a Systems Engineer for Cisco. This blog was initially created to post up my subnetting technique but has now got more stuff to do with attaining Cisco certifications. Either way I really hope that the content is sufficient for your needs and I look forward to hearing your feedback. If you find that the content really helps you please feel free to donate using the PayPal link on the right.


PPP Authentication - Using AAA

Here we'll authenticate a PPP session between two routers. One router will use RADIUS while the other uses TACACS+. The RADIUS side is configured with a AAA server group; the TACACS+ server is configured globally. Both the RADIUS and the TACACS+ server use "cisco" as the shared key (the "key" on the server line, which must match what the AAA server has for this router). "cisco" is fine for a lab; in production use a long random key.

Router 1

1. Configure a new AAA model

aaa new-model

2. Once "aaa new-model" is entered, every line, including the console, is authenticated with the default login method list, which is "local". If no local username exists yet, that locks you out of the console. To avoid this, bind a named login list to the console line; in a lab the easiest choice is "none", which means no authentication at all. Apply it to the console only: putting a "none" list on the vty lines would allow unauthenticated remote logins.

aaa authentication login CONSOLE none
!
line console 0
login authentication CONSOLE

3. Configure a RADIUS server group called MY_RADIUS_GROUP. "server-private" defines the RADIUS server at 192.168.1.1 inside the group only, so it is not added to the global RADIUS server list and is used only by method lists that reference this group.

aaa group server radius MY_RADIUS_GROUP
server-private 192.168.1.1 key cisco

4. Configure a named AAA method list, PPP_AUTH, that authenticates PPP sessions against the RADIUS server group and falls back to the local username database. The fallback happens only when the group returns an error, i.e. no server in the group answers (or every reply is discarded because the key does not match); an explicit reject from RADIUS ends the authentication and is not retried against local users. For the fallback to be useful, the peer must also exist locally ("username <peer> password <secret>").

aaa authentication ppp PPP_AUTH group MY_RADIUS_GROUP local

5. Configure the physical interface for PPP and point it at the PPP_AUTH list. "ppp authentication" needs the protocol (CHAP here; PAP is the other option) followed by the list name; without a list name the interface uses the default list.

interface s0/0
encapsulation ppp
ppp authentication chap PPP_AUTH
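What Router 1's configuration does at the protocol level, as an added example that is not part of the original post: the peer answers a CHAP challenge, the router (NAS) wraps that answer in a RADIUS Access-Request, the RADIUS server checks it and signs the reply with the shared key, and the method list decides whether "local" is consulted. The shared key "cisco" is taken from the post; the user name "router2", the CHAP secret, the packet identifiers and the RADIUS user database are constructed demo values, and the server is simulated in-process so nothing touches the network.

```python
"""Added example, not from the original post: what `aaa authentication ppp
PPP_AUTH group MY_RADIUS_GROUP local` does for a CHAP-authenticated PPP peer.
The NAS turns the peer's CHAP answer (RFC 1994) into a RADIUS Access-Request
(RFC 2865), the server checks it and signs the reply with the shared key, and
the method list falls through to `local` only on ERROR, never on FAIL."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60
SHARED_SECRET = b"cisco"    # `server-private 192.168.1.1 key cisco` from the post
# Constructed server-side database; CHAP needs the peer's secret in clear on the server.
RADIUS_USERS = {"router2": b"example-chap-secret"}

def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(blob):
    attrs = {}
    while blob:
        if len(blob) < 2 or not 2 <= blob[1] <= len(blob):
            raise ValueError("malformed RADIUS attribute")
        alen = blob[1]
        attrs[blob[0]] = blob[2:alen]
        blob = blob[alen:]
    return attrs

def radius_packet(code, identifier, authenticator, body=b""):
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(radius_packet(code, identifier, request_auth, body) + secret).digest()

def build_access_request(identifier, username, chap_ident, challenge, chap_resp):
    """NAS side: forward the peer's CHAP answer under a random Request Authenticator."""
    request_auth = os.urandom(16)
    body = (attr(USER_NAME, username.encode())
            + attr(CHAP_PASSWORD, bytes([chap_ident]) + chap_resp)  # Ident + 16-byte MD5
            + attr(CHAP_CHALLENGE, challenge))
    return radius_packet(ACCESS_REQUEST, identifier, request_auth, body), request_auth

def radius_server(request, secret, users):
    """Server side. CHAP-Password is not hidden with the key; the key only signs the reply."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user, chap = attrs[USER_NAME].decode(), attrs[CHAP_PASSWORD]
    expected = chap_response(chap[0], users.get(user, b""), attrs[CHAP_CHALLENGE])
    ok = user in users and hmac.compare_digest(expected, chap[1:])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_auth = response_authenticator(code, identifier, request_auth, b"", secret)
    return radius_packet(code, identifier, reply_auth)

def nas_check_reply(reply, request_auth, secret):
    """NAS side -> PASS / FAIL / ERROR. A reply whose authenticator does not verify
    (key mismatch) is dropped by a real NAS, so it looks exactly like a dead server."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, request_auth, reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "ERROR"
    return "PASS" if code == ACCESS_ACCEPT else "FAIL"

def radius_method(server, server_secret, nas_secret):
    """`group MY_RADIUS_GROUP`; server=None models an unreachable server (timeout)."""
    def method(username, chap_ident, challenge, chap_resp):
        if server is None:
            return "ERROR"
        req, req_auth = build_access_request(1, username, chap_ident, challenge, chap_resp)
        return nas_check_reply(server(req, server_secret, RADIUS_USERS), req_auth, nas_secret)
    return method

def local_method(local_users):
    """`local`: the router's own `username ... password` entries (last in the list)."""
    def method(username, chap_ident, challenge, chap_resp):
        pw = local_users.get(username)
        ok = pw is not None and hmac.compare_digest(chap_response(chap_ident, pw, challenge), chap_resp)
        return "PASS" if ok else "FAIL"
    return method

def run_method_list(methods, *args):
    """IOS method-list rule: the next method is tried only on ERROR, never on FAIL."""
    for name, method in methods:
        result = method(*args)
        if result != "ERROR":
            return name, result
    return None, "ERROR"   # every method errored: the session is not authenticated

def scenario(name):
    """name: radius_ok | radius_reject | radius_down | wrong_key -> (method, result)."""
    challenge, chap_ident = os.urandom(16), 7
    peer_secret = b"guess" if name == "radius_reject" else RADIUS_USERS["router2"]
    chap_resp = chap_response(chap_ident, peer_secret, challenge)
    server = None if name == "radius_down" else radius_server
    nas_key = b"c1sco" if name == "wrong_key" else SHARED_SECRET
    # The local entry always matches the peer, so a PASS from `local` proves fallback ran.
    methods = [("group MY_RADIUS_GROUP", radius_method(server, SHARED_SECRET, nas_key)),
               ("local", local_method({"router2": peer_secret}))]
    return run_method_list(methods, "router2", chap_ident, challenge, chap_resp)
```

Running scenario() for each of the four names shows the two points that matter operationally: "radius_reject" stops at the RADIUS method with FAIL even though the local entry would have matched, while "radius_down" and "wrong_key" both end in a PASS from "local". The second of those is the one that surprises people: a key typo on the "server-private" line does not produce an error from RADIUS, the router just discards every reply as unverifiable and quietly falls back to the local database.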

Router 2

1. Configure a new AAA model

aaa new-model

2. Once "aaa new-model" is entered, every line, including the console, is authenticated with the default login method list, which is "local". If no local username exists yet, that locks you out of the console. To avoid this, bind a named login list to the console line; in a lab the easiest choice is "none", which means no authentication at all. Apply it to the console only: putting a "none" list on the vty lines would allow unauthenticated remote logins.

aaa authentication login CONSOLE none
!
line console 0
login authentication CONSOLE

3. Configure the TACACS+ server globally at 192.168.1.2 (a global server entry rather than a named server group); the key must match what the TACACS+ server has configured for this router.

tacacs-server host 192.168.1.2 key cisco

4. Configure the default AAA method list to authenticate PPP sessions against the TACACS+ servers and fall back to the local database. The group keyword is "tacacs+" (with the plus sign). Because this is the "default" list, it applies to every PPP interface that does not name a list of its own. As with RADIUS, the fallback to "local" happens only when no TACACS+ server answers, not when the server rejects the peer.

aaa authentication ppp default group tacacs+ local

5. Configure the physical interface for PPP. No list name is given here because Router 2 uses the default list; PPP_AUTH is only defined on Router 1.

interface s0/0
encapsulation ppp
ppp authentication chap

Posted by Chris Bloomfield at 14:17

1 comment:

Unknown said... 26 December 2013 at 07:31  

Very nice and simple. Clear basic concept for aaa. Thanks.
