Here we'll try to authenticate a PPP session between two routers. One router will use RADIUS while the other will use TACACS+. The RADIUS side will be configured using an AAA server group; the TACACS+ server will be configured globally. Both RADIUS and TACACS+ use "cisco" as the shared key.
Router 1
1. Configure a new AAA model
aaa new-model
2. By default, the "aaa new-model" command will require local authentication on the console port. To override this, and to avoid locking ourselves out, we must configure a specific login authentication list, and the easiest way to do that is by using the "none" method.
aaa authentication login CONSOLE none
!
line vty 0 4
login authentication CONSOLE
3. Configure a RADIUS server group called MY_RADIUS_GROUP and ensure that the RADIUS server at 192.168.1.1 only applies to this group.
aaa group server radius MY_RADIUS_GROUP
server-private 192.168.1.1 key cisco
4. Configure AAA to authenticate PPP sessions against the RADIUS server group and if that fails it should try the local database.
aaa authentication ppp PPP_AUTH group MY_RADIUS_GROUP local
5. Configure the physical interface to use the PPP_AUTH authentication list
interface s0/0
! the ppp authentication command needs a protocol before the list name;
! CHAP is assumed here and must match the far end
ppp authentication chap PPP_AUTH
Router 2
1. Configure a new AAA model
aaa new-model
2. By default, the "aaa new-model" command will require local authentication on the console port. To override this, and to avoid locking ourselves out, we must configure a specific login authentication list, and the easiest way to do that is by using the "none" method.
aaa authentication login CONSOLE none
!
line vty 0 4
login authentication CONSOLE
3. Configure the TACACS+ server globally at 192.168.1.2
tacacs-server host 192.168.1.2 key cisco
4. Configure AAA to authenticate PPP sessions against the TACACS+ server and if that fails it should try the local database.
! the IOS keyword for the global TACACS+ servers is "tacacs+", not "tacacs"
aaa authentication ppp default group tacacs+ local
5. Configure the physical interface to use the default AAA authentication list
interface s0/0
! no list name is given, so the "default" list from step 4 applies;
! CHAP is assumed here and must match the far end
ppp authentication chap
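The method lists in step 4 on both routers ("group MY_RADIUS_GROUP local" and "group tacacs+ local") are walked in order, and IOS only moves on to the next method when the current one returns an error (no server answered), not when the server rejects the credentials. The model below is an added illustration, not IOS code or anything from the original post; the user names, passwords and the simulated RADIUS outage are constructed for the example.

```python
"""Model of how a Cisco IOS AAA method list is walked.

Each method answers PASS, FAIL or ERROR. The walk stops at the first PASS or FAIL
and continues to the next method only on ERROR (server group unreachable). So
"group MY_RADIUS_GROUP local" falls through to the local database when the RADIUS
server does not answer, not when it rejects the password.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"

Method = Callable[[str, str], Result]

def server_group(users: Dict[str, str], reachable: bool) -> Method:
    """A RADIUS or TACACS+ server group: ERROR when no server answers, else PASS/FAIL."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method

def local_db(users: Dict[str, str]) -> Method:
    """The router's own username database: always reachable, so never ERROR."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method

def none_method() -> Method:
    """The "none" method from step 2: every request is accepted."""
    return lambda user, password: Result.PASS

def run_method_list(methods: List[Tuple[str, Method]], user: str,
                    password: str) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Walk the list in order; return (granted, trail of (method name, result))."""
    trail: List[Tuple[str, Result]] = []
    for name, method in methods:
        result = method(user, password)
        trail.append((name, result))
        if result is Result.PASS:
            return True, trail
        if result is Result.FAIL:
            return False, trail
        # ERROR: this method could not decide, try the next one
    # every method errored: nothing could decide, so access is denied
    return False, trail

# Constructed sample data: what the RADIUS server at 192.168.1.1 knows, and a
# hypothetical "username r2 password localpw" on Router 1.
RADIUS_USERS = {"r2": "cisco"}
LOCAL_USERS = {"r2": "localpw"}

def ppp_auth_list(radius_reachable: bool) -> List[Tuple[str, Method]]:
    """Equivalent of: aaa authentication ppp PPP_AUTH group MY_RADIUS_GROUP local"""
    return [("group MY_RADIUS_GROUP", server_group(RADIUS_USERS, radius_reachable)),
            ("local", local_db(LOCAL_USERS))]

def authenticate(user: str, password: str, radius_reachable: bool = True):
    """Run the PPP_AUTH list; returns (granted, trail)."""
    return run_method_list(ppp_auth_list(radius_reachable), user, password)

def console_login(user: str, password: str):
    """Equivalent of: aaa authentication login CONSOLE none"""
    return run_method_list([("none", none_method())], user, password)

if __name__ == "__main__":
    for args in [("r2", "cisco"), ("r2", "localpw"), ("r2", "localpw", False),
                 ("r2", "wrong", False)]:
        granted, trail = authenticate(*args)
        print(args, "->", "granted" if granted else "denied",
              [(n, r.value) for n, r in trail])
```

The second case is the one that surprises people: with the RADIUS server up, the local password is never consulted, because the server's reject is a final FAIL. Only when the server group errors out (third and fourth cases) does the "local" method get a vote.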
Very nice and simple. Clear basic concept for aaa. Thanks.