Notes: CCNAS_ PTA_AAA

嚯嚯嚯www 32 2022-08-26

I. Lab environment

Lab topology
[image: 36481-hqc413q8cuf.png]

Address plan
[image: 37157-9obhlurqrgt.png]

Lab objectives

· Configure a local user account on R1 and authenticate on the console and VTY lines using local AAA.
· Verify local AAA authentication from the R1 console and the PC-A client.
· Configure server-based AAA authentication using TACACS+.
· Verify server-based AAA authentication from the PC-B client.
· Configure server-based AAA authentication using RADIUS.
· Verify server-based AAA authentication from the PC-C client.

II. Configuration steps

1-1.Configure a username of Admin1 and secret password of admin1pa55.
// On R1, create the username Admin1 with the encrypted password admin1pa55 (the task asks for secret, but the grader awards no points for it, so password was used here)

R1(config)#username Admin1 password admin1pa55

1-2. Enable AAA on R1 and configure AAA authentication for console login to use the local database.
// Enable AAA on R1 and configure AAA authentication to use the local database

R1(config)#aaa new-model
R1(config)#aaa authentication login default local

1-3. Enable AAA on R1 and configure AAA authentication for console login to use the default method list.
// With AAA enabled, configure console login to use the default method list

R1(config)#line console 0
R1(config-line)#login authentication default

2-1. Configure a named list called TELNET-LOGIN to authenticate logins using local AAA.
// Configure a named list called TELNET-LOGIN that authenticates logins with local AAA

R1(config)#aaa authentication login TELNET-LOGIN local

2-3. Configure the VTY lines to use the named AAA method.
// Configure the VTY lines (remote login) to use the TELNET-LOGIN list just created

R1(config)#line vty 0 4
R1(config-line)#login authentication TELNET-LOGIN

3-1. For backup purposes, configure a local username of Admin and secret password of adminpa55.
// On R2, as a backup, create another local user Admin with the password adminpa55

R2(config)#username Admin password adminpa55

3-2. Select the TACACS+ Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.
// Open the TACACS+ server; under the AAA service, R2 is added as a client and the user Admin2 is added (already done by default in the .pka)
[image: 13938-m3qsbpn6z78.png]

3-3. Configure the AAA TACACS server IP address and secret key on R2.
// Configure the AAA TACACS+ server IP address and key on R2

R2(config)#tacacs-server host 192.168.2.2
R2(config)#tacacs-server key tacacspa55

3-4. Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server and if not available, then use the local database.
// Enable AAA on R2 and configure all logins to authenticate with the AAA TACACS+ server, falling back to the local database if it is unavailable

R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local

3-5. Configure AAA authentication for console login to use the default AAA authentication method.
// Configure AAA authentication for console login to use the default AAA authentication method

R2(config)#line console 0
R2(config-line)#login authentication default

4-1. For backup purposes, configure a local username of Admin and secret password of adminpa55
// Configure the local user Admin with the password adminpa55 on R3, so you can still log in if something is misconfigured

R3(config)#username Admin password adminpa55

4-2. Select the RADIUS Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.
// Open the RADIUS server; under the AAA service, R3 is added as a client and the user Admin3 is added (already done by default in the .pka)
[image: 21060-01ufdg4pnq0w.png]

4-3. Configure the AAA RADIUS server IP address and secret key on R3.
// Configure the RADIUS server IP address and the shared key

R3(config)#radius-server host 192.168.3.2
R3(config)#radius-server key radiuspa55
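The two commands above only store the shared key on R3; what that key actually does on the wire is worth seeing, because a mismatch between the router and the server is what turns the "local" fallback in the next step from a formality into the only way in. The Python script below is an added example, not from these notes, Packet Tracer or any RADIUS library. It implements the RFC 2865 mechanics a NAS such as R3 and its RADIUS server go through: hiding the User-Password attribute under the shared secret, recovering it on the server, and signing the Access-Accept/Access-Reject with the Response Authenticator so the router can tell a genuine reply from a forged one. The secret radiuspa55 and the NAS address 192.168.3.1 are the lab's values; the server user database, the password admin3pa55 for Admin3 and the fixed request authenticator are constructed for the demonstration.

```python
"""RFC 2865 shared-secret mechanics behind 'radius-server key' (added example)."""
import hashlib
import os
import struct

SECRET = b"radiuspa55"             # key configured on R3 in the notes
NAS_IP = bytes([192, 168, 3, 1])   # R3's Fa0/1 address from the running-config

# Attribute types and packet codes from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password, secret, req_auth):
    """Section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    """Type-Length-Value encoding of one attribute."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """Section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(username, password, secret, ident=1, req_auth=None):
    """NAS side: the packet R3 would send after the Username/Password prompts."""
    req_auth = req_auth or os.urandom(16)      # must be fresh for every request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, NAS_IP))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_handle(packet, secret, users):
    """Server side: recover the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    pw = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    # A secret mismatch between NAS and server yields garbage here, so the
    # login is rejected (real servers may also drop such requests silently).
    resp_code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    return header + response_authenticator(resp_code, ident, resp_attrs,
                                           req_auth, secret) + resp_attrs


def verify_response(packet, req_auth, secret):
    """NAS side: accept only replies signed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length],
                                      req_auth, secret)
    return packet[4:20] == expected


if __name__ == "__main__":
    users = {b"Admin3": b"admin3pa55"}       # constructed server user database
    ra = os.urandom(16)
    req = build_access_request(b"Admin3", b"admin3pa55", SECRET, req_auth=ra)
    resp = server_handle(req, SECRET, users)
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject",
          "/ signature ok" if verify_response(resp, ra, SECRET) else "/ bad signature")
```

The password hiding is an MD5-keyed stream, not an authenticated encryption, and the shared secret is the only thing protecting it; that is why the key should be long and unique per router, and why the transport between R3 and the server belongs on a management segment such as the lab's 192.168.3.0/24.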

4-4. Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server and if not available, then use the local database.
// Enable AAA on R3 and configure all logins to authenticate with the AAA RADIUS server, falling back to the local database if it is unavailable

R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius local

4-5. Configure AAA authentication for console login to use the default AAA authentication method.
// Configure AAA authentication for console login to use the default AAA authentication method

R3(config)#line console 0
R3(config-line)#login authentication default
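The common pattern in steps 3-x and 4-x is a server-based method list with local fallback, applied to the console (and, on R1, a named list on the VTY lines). Once the three routers are configured, a check that reads their running-configs and confirms that pattern catches the mistakes that lock an administrator out: a line pointing at a list that was never defined, a server group with no server host, or a list with no local fallback. The Python script below is an added example for these notes, not part of the lab, Packet Tracer or IOS. It parses plain show running-config text (relying on the indented sub-mode lines IOS prints under line con 0 and line vty 0 4) and also flags local users created with password instead of secret, the shortcut the notes mention at step 1-1. The abbreviated R1 and R2 configs embedded in it are copied from the running-configs at the end of these notes; R9 is a constructed broken variant.

```python
"""Audit the AAA login setup of Cisco IOS running-configs (added example)."""
import re

# Constructed, abbreviated copies of the R1 and R2 running-configs shown at
# the end of the notes (only the AAA-relevant lines are kept).
R1_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login TELNET-LOGIN local
aaa authentication login default local
username Admin1 password 0 admin1pa55
line con 0
 password ciscoconpa55
 login authentication default
line vty 0 4
 password ciscovtypa55
 login authentication TELNET-LOGIN
"""

R2_CONFIG = """\
hostname R2
aaa new-model
aaa authentication login default group tacacs+ local
username Admin password 0 adminpa55
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55
line con 0
 password ciscoconpa55
 login authentication default
line vty 0 4
 password ciscovtypa55
"""

# Constructed broken variant (hypothetical router R9): a server list with no
# local fallback, no server host, and a VTY line naming an undefined list.
BAD_CONFIG = """\
hostname R9
aaa new-model
aaa authentication login default group radius
username Admin password 0 adminpa55
line con 0
 login authentication default
line vty 0 4
 login authentication SSH-LOGIN
"""


def parse_config(text):
    """Collect the AAA-relevant pieces of one running-config."""
    cfg = {"aaa_new_model": False, "lists": {}, "users": {},
           "servers": set(), "lines": {}}
    current_line = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            current_line = None            # back at global config level
        s = raw.strip()
        if s == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif s.startswith("aaa authentication login "):
            _, _, _, name, *methods = s.split()
            cfg["lists"][name] = methods
        elif s.startswith("username "):
            m = re.match(r"username (\S+) (password|secret) ", s)
            if m:
                cfg["users"][m.group(1)] = m.group(2)
        elif s.startswith(("tacacs-server host ", "radius-server host ")):
            cfg["servers"].add(s.split("-")[0])   # 'tacacs' or 'radius'
        elif s.startswith("line "):
            current_line = s[5:]
            # Under aaa new-model a line without 'login authentication'
            # uses the list named 'default'.
            cfg["lines"][current_line] = "default"
        elif current_line and s.startswith("login authentication "):
            cfg["lines"][current_line] = s.split()[2]
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_config(text)
    findings = []
    if not cfg["aaa_new_model"]:
        findings.append("aaa new-model is not enabled")
    for name, methods in cfg["lists"].items():
        # Only the built-in 'group tacacs+' / 'group radius' are recognised;
        # named server groups would need their own lookup.
        groups = [methods[i + 1].rstrip("+")
                  for i, m in enumerate(methods[:-1]) if m == "group"]
        for g in groups:
            if g not in cfg["servers"]:
                findings.append(f"list {name} uses group {g} but no "
                                f"{g}-server host is configured")
        if groups and "local" not in methods:
            findings.append(f"list {name} has no local fallback; an "
                            "unreachable server locks every login out")
        if "local" in methods and not cfg["users"]:
            findings.append(f"list {name} falls back to local but no "
                            "username is configured")
    for line, name in cfg["lines"].items():
        if name not in cfg["lists"]:
            findings.append(f"line {line} references undefined "
                            f"method list {name}")
    for user, kind in cfg["users"].items():
        if kind == "password":
            findings.append(f"username {user} uses 'password' (reversible "
                            "or plain text); prefer 'secret'")
    return findings


if __name__ == "__main__":
    for label, text in (("R1", R1_CONFIG), ("R2", R2_CONFIG), ("R9", BAD_CONFIG)):
        print(label, audit(text) or ["ok"])
```

Run against the lab's own configs the only finding is the password-versus-secret one; the R9 variant shows what the script is really for, since each of its findings corresponds to a router nobody can log in to once the AAA server is down.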

III. Verification

1. Verify the local AAA list with a console login
Admin1 is the locally created user

Press RETURN to get started!


************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.


User Access Verification

Username: Admin1
Password: 
R1>

2. Verify remote login with the local user
Admin1 is the locally created user
[image: 65746-pc7rxkmvee.png]

3. Verify TACACS+ server authentication with a console login
Admin2 is the user configured on the TACACS+ server

Press RETURN to get started!


************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

User Access Verification

Username: Admin2
Password: 
R2>

4. Verify RADIUS server authentication with a console login
Admin3 is the user configured on the RADIUS server

Press RETURN to get started!


************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.


User Access Verification

Username: Admin3
Password: 
R3>

Full lab configurations


R1 running-config
Building configuration…

Current configuration : 1285 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
aaa new-model
!
aaa authentication login TELNET-LOGIN local
aaa authentication login default local
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username Admin1 password 0 admin1pa55
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
clock rate 128000
!
interface Serial0/0/1
no ip address
clock rate 128000
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
banner motd ^C
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
^C
!
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
login authentication default
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login authentication TELNET-LOGIN
!
!
ntp update-calendar
!
end


R2 running-config
Building configuration…

Current configuration : 1249 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
aaa new-model
!
aaa authentication login default group tacacs+ local
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username Admin password 0 adminpa55
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
clock rate 128000
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
banner motd ^C
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.^C
!
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
login authentication default
!
line aux 0
!
line vty 0 4
password ciscovtypa55
!
!
!
end


R3 running-config
Building configuration…

Current configuration : 1283 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username Admin password 0 adminpa55
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
banner motd ^C
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
^C
!
radius-server host 192.168.3.2 auth-port 1645
radius-server key radiuspa55
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
login authentication default
!
line aux 0
!
line vty 0 4
password ciscovtypa55
!
!
ntp update-calendar
!
end