Lab - AAA (IOS-XE)

Load base.ipv4.cfg on R1 and R2

#IOS-XE (R1, R2)
config replace flash:base.ipv4.cfg

Configure AAA on R1 using the following guidelines:

  • Configure a RADIUS server at 155.1.1.1 using port 1812 for authentication and CISCO123 for the key. Use a timeout of 3 seconds.

  • Use the RADIUS server for authorization

  • If the RADIUS server is not available, fallback to local passwords for authentication, and the enable password for authorization

    • Create a user name ADMIN with password CISCO123 with privilege level 15

    • Create a user name NOC with password CISCO123 with privilege level 1

    • Create an enable password of CISCO1

  • Use the RADIUS server for accounting for each SSH session that is started

  • Allow telnet on vty lines 0 through 15

Answer

#R1
aaa new-model
!
radius server RAD1
 address ipv4 155.1.1.1 auth-port 1812
 key CISCO123
 timeout 3
!
username ADMIN privil 15 password CISCO123
username NOC privil 1 password CISCO123
enable password CISCO1
!
aaa authentication login VTY radius local
aaa authentication enable default radius enable
aaa authorization exec VTY radius local
aaa accounting exec VTY start-stop radius
!
line vty 0 15
 transport input telnet
 login authentication VTY
 authorization exec VTY
 accounting exec VTY

Explanation

AAA must be enabled using aaa new-model. The "new" method of AAA uses authentication, authorization and accounting method lists to define how AAA is performed on interfaces and lines. The first method in a list is evaluated; if it cannot be reached, the next method is tried. It is important to understand that if the first method replies with a "deny" or "reject" result, further methods are not attempted.

A RADIUS server is defined as follows:

radius server RAD1
 address ipv4 155.1.1.1 auth-port 1812
 key CISCO123
 timeout 3

If you had a group of RADIUS servers, you would use the following configuration. The first RADIUS server is always attempted first, and subsequent servers are only used if the first failed to respond.

radius server RAD1
 address ipv4 155.1.1.1 auth-port 1812
 key CISCO123
 timeout 3
!
radius server RAD2
 address ipv4 155.1.1.2 auth-port 1812
 key CISCO123
 timeout 3
!
aaa group server radius RAD_GROUP
 server name RAD1
 server name RAD2
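As an added illustration of the method-list behaviour explained above (a rejected login stops the list; only an unreachable server falls through) and of how a server group only moves to the next server when the previous one did not respond, the following Python model is not part of the lab. It assumes a RADIUS-side password for ADMIN that differs from the local one, and models the list as it would be written with the group, aaa authentication login VTY group RAD_GROUP local:

```python
from enum import Enum
from typing import Callable, Sequence

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected them
    ERROR = "error"  # method could not be reached (no reply within the timeout)

Method = Callable[[str, str], Result]  # (username, password) -> Result

def evaluate_method_list(methods: Sequence[Method], user: str, pw: str) -> tuple[Result, int]:
    """Walk an IOS-style method list left to right; return the final result and
    the index of the method that produced it. Only ERROR advances to the next
    method: an explicit FAIL ends evaluation, so a RADIUS reject is never
    retried against the local database."""
    for i, method in enumerate(methods):
        result = method(user, pw)
        if result is not Result.ERROR:
            return result, i
    return Result.ERROR, len(methods) - 1

def radius_server(reachable: bool, accounts: dict[str, str]) -> Method:
    """One RADIUS server: unreachable -> ERROR, otherwise Access-Accept/Reject."""
    def method(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == pw else Result.FAIL
    return method

def radius_group(servers: Sequence[Method]) -> Method:
    """A server group (RAD_GROUP): the next server is tried only when the previous one did not respond."""
    def method(user: str, pw: str) -> Result:
        return evaluate_method_list(servers, user, pw)[0]
    return method

def local_database(accounts: dict[str, str]) -> Method:
    """The 'local' method: the router's username table always answers."""
    def method(user: str, pw: str) -> Result:
        return Result.PASS if accounts.get(user) == pw else Result.FAIL
    return method

# Constructed sample data mirroring the lab's local users. The RADIUS-side
# password for ADMIN is an assumption so the two databases can disagree.
LOCAL_USERS = {"ADMIN": "CISCO123", "NOC": "CISCO123"}
RADIUS_USERS = {"ADMIN": "radius-only-secret"}

def login_vty(rad1_up: bool, rad2_up: bool, user: str, pw: str) -> tuple[Result, int]:
    """Models 'aaa authentication login VTY group RAD_GROUP local'."""
    group = radius_group([radius_server(rad1_up, RADIUS_USERS), radius_server(rad2_up, RADIUS_USERS)])
    return evaluate_method_list([group, local_database(LOCAL_USERS)], user, pw)
```

With both servers down, ADMIN/CISCO123 passes via the local method (index 1); with RAD1 up, the same credentials are rejected at index 0 and the local entry is never consulted.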

The local users and enable password are defined:

username ADMIN privil 15 password CISCO123
username NOC privil 1 password CISCO123
enable password CISCO1

Next, AAA method lists are defined. In this solution we use named lists and then apply the lists to the VTY line, but a default list could have been used instead. For the enable authentication, the only option is a default list.

aaa authentication login VTY radius local
aaa authentication enable default radius enable
aaa authorization exec VTY radius local
aaa accounting exec VTY start-stop radius
!
line vty 0 15
 transport input telnet
 login authentication VTY
 authorization exec VTY
 accounting exec VTY

When we telnet to R1 using the ADMIN user, we are placed immediately into enable mode. Notice that the login process hangs for a few seconds while the radius server is attempted first. Once that fails, the router falls back to the local user database.

When we telnet using the NOC user, we are placed in user mode. To get into enable mode, we must enter the enable password. The enable password prompt also hangs, because the radius server is attempted first.
