This lab shows a best practice for securing administrative access to network devices (the management plane) in CCNA Security: centralising login authentication and EXEC authorization on a Cisco ACS server over TACACS+, with a local account kept only as a fallback.
Let’s get started…
Lab 2: AAA via ACS (TACACS+)
Task
* Set the IP address of R1 to 10.0.0.3/24.
* Set the IP address of R2 to 10.0.0.4/24.
* Configure the switch: create VLAN 10 and add the following ports to VLAN 10. Also configure interface Vlan 10 on SW with IP address 10.0.0.3/24.
* Configure R4 with enable secret [email protected].
* Configure line vty 0 4 on R4 with transport input all.
* Configure R4 with username Uninets, password [email protected], and privilege level 15.
Explanation
Cisco Access Control Server (ACS) provides authentication, authorization and accounting (AAA) for network devices, including switches, Cisco PIX firewalls and network access servers. Cisco Secure ACS supports two AAA protocols: RADIUS and TACACS+. For device administration, TACACS+ is the usual choice: it separates authentication from authorization, so EXEC and per-command authorization can be granted independently of the login, and it obfuscates the entire packet body with the shared key, whereas RADIUS protects only the password field. ACS centralises authentication (who you are), authorization (what you are allowed to access) and accounting (logging when you signed in and out and what you were granted access to). This was initially required only for dial-up clients using modem telephone lines, and later for Internet VPN clients. Cisco ACS version 4.0 extends the same authentication, authorization and accounting functions to NAC-enabled networks.
Configuration
Switch Configuration
Router Configuration
! R1
interface Ethernet0/0
 ip address 10.0.0.3 255.255.255.0
 no shutdown
!
! R2
interface Ethernet0/0
 ip address 10.0.0.4 255.255.255.0
 no shutdown
!
R2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Configuration of the PC: access the Windows machine via VNC and enter the IP address:
Configure the ACS
To access the ACS CLI: username admin, password [email protected]. Once that is done, try accessing ACS from the Windows machine. It will ask for a username and password: username ACSadmin, password default. It will then ask you to change the password: [email protected]. Once logged in, you can also install the license.
Configure the following on R4:
aaa new-model
aaa authentication login UNINETS_TACACS group tacacs+ local
aaa authorization exec UNINETS_Exec_via_TACACS group tacacs+ local
username admin privilege 15 secret [email protected]
enable secret [email protected]
tacacs-server host 10.0.0.10 key [email protected]
line vty 0 4
 login authentication UNINETS_TACACS
 authorization exec UNINETS_Exec_via_TACACS
 transport input all
Keep the console session open while applying this and verify a fresh vty login against ACS before closing it. The method lists read group tacacs+ local, so the local admin account is consulted only when the TACACS+ server is unreachable or the shared key does not match; the local username and enable secret therefore belong in the configuration before the lists are applied to the vty lines, or a mistake locks you out of remote access. The key must be identical to the one entered for R4 in ACS, since TACACS+ derives the per-packet obfuscation from it. On newer IOS releases the legacy tacacs-server host form is replaced by tacacs server NAME with address ipv4 10.0.0.10 and key under it. The task asks for transport input all; in production restrict the vty lines to transport input ssh, because Telnet would carry the ACS-checked credentials in cleartext between the workstation and R4.
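To make the role of the shared key concrete, here is an added example, not code from the lab or from Cisco, that models the first two TACACS+ packets exchanged once R4 has a tacacs-server host entry: the PAP authentication START from the router and the REPLY from the server, framed and obfuscated as RFC 8907 specifies (an interactive vty login actually uses the ASCII authentication type, where the password arrives in a follow-up CONTINUE packet; PAP is used here so the whole exchange fits in two packets). The shared key, the user store, the username and password, the session ID and the port name are all constructed sample values, not the lab's, and the server-side decision is a toy dictionary lookup rather than ACS.

```python
"""TACACS+ (RFC 8907) PAP authentication exchange: NAS START, server REPLY.

Added example, not code from the original lab or from Cisco. It models what
R4 and ACS exchange after 'tacacs-server host ... key'; the key, user store,
password, session ID and port names are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is cleartext (never accept)
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
VERSION_PAP = 0xC1                 # major 0xC, minor 1 (PAP uses minor version 1)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: MD5 chain over session_id || key || version || seq_no [|| prev]."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def _packet(seq_no, session_id, body, key):
    hdr = HEADER.pack(VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def _unpack(packet, key, expect_seq):
    """Validate the header, refuse cleartext bodies, return (session_id, clear body)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or seq_no != expect_seq:
        raise ValueError("unexpected packet type or sequence number")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("cleartext TACACS+ body refused")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return session_id, obfuscate(body, session_id, key, version, seq_no)


def build_authen_start(user, password, key, session_id, port="tty2", rem_addr="10.0.0.4", priv_lvl=1):
    """NAS -> server (seq_no 1): PAP START carrying username and password in one body."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return _packet(1, session_id, body + u + p + r + d, key)


def parse_authen_start(packet, key):
    """Server side: recover the START fields; a wrong key shows up as inconsistent lengths."""
    session_id, body = _unpack(packet, key, expect_seq=1)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n].decode("utf-8", "replace"))
        off += n
    return {"session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "password": fields[3]}


def build_authen_reply(status, session_id, key, server_msg=""):
    """Server -> NAS (seq_no 2): REPLY with PASS/FAIL and an optional message."""
    msg = server_msg.encode()
    return _packet(2, session_id, struct.pack("!BBHH", status, 0, len(msg), 0) + msg, key)


def parse_authen_reply(packet, key):
    """NAS side: return (status, server_msg) from a REPLY."""
    _, body = _unpack(packet, key, expect_seq=2)
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    return status, body[6:6 + msg_len].decode("utf-8", "replace")


def authenticate(start_packet, key, users):
    """Toy server decision: PAP password lookup in a constructed user dict (not ACS)."""
    fields = parse_authen_start(start_packet, key)
    ok = users.get(fields["user"]) == fields["password"]
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    return build_authen_reply(status, fields["session_id"], key, "" if ok else "Authentication failed")


def accepted(start_packet, key):
    """True if the START parses under this key; False for a wrong key or a cleartext flag."""
    try:
        parse_authen_start(start_packet, key)
        return True
    except (ValueError, struct.error):
        return False
```

Calling build_authen_start("admin", "sample-password", b"sample-shared-key", session_id=0x1A2B3C4D) and feeding the result to authenticate with {"admin": "sample-password"} yields a REPLY that parse_authen_reply decodes as status 1 (PASS); parsing the same START with any other key fails the length check, which is the wire-level reason a mismatched key on R4 or in the ACS device entry shows up as the server "not responding" and the router falling through to the local method. Note that the pad is MD5-derived and the body is only XORed: the key protects confidentiality against casual sniffing, not against an attacker who can observe traffic and guess the key, so keep TACACS+ on a dedicated management network.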
We now need to configure ACS. The first step is creating a device group. Navigate to Network Resources > Device Groups > Device Type, and click Create.
Configure the device entry for R4 (its IP address and the same TACACS+ shared key used in the tacacs-server host command on the router) and add it to the device group.
Configure user groups: we have now created a group for network devices and added router R4 (the ACS client) to it. Next, create a user group and then the users in it. We will create an admin group. Groups are created under Users and Identity Stores > Identity Groups by clicking Create.
Configure users with usernames and passwords and place them in the user groups. New groups contain no users by default and carry no permissions beyond the defaults. First, create a couple of u