CCNA Security Lab: Securing Administrative Access Using AAA and RADIUS
Topology
IP Addressing Table
IP Addressing Table
Download WinRadius free. WinRadius is a standard RADIUS server for authentication, accountings.
Device | Interface IP Address | Subnet Mask | Default Gateway | Switch Port |
R1 | FA0/1 192.168.1.1 | 255.255.255.0 | N/A | S1 FA0/5 |
S0/0/0 (DCE) 10.1.1.1 | 255.255.255.252 | N/A | N/A | |
R2 | S0/0/0 10.1.1.2 | 255.255.255.252 | N/A | N/A |
S0/0/1 (DCE) 10.2.2.2 | 255.255.255.252 | N/A | N/A | |
R3 | FA0/1 192.168.3.1 | 255.255.255.0 | N/A | S3 FA0/5 |
S0/0/1 10.2.2.1 | 255.255.255.252 | N/A | N/A | |
PC-A | NIC 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 FA0/6 |
PC-C | NIC 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 FA0/18 |
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Part 1: Basic Network Device Configuration
Part 1: Basic Network Device Configuration
- Configure basic settings such as host name, interface IP addresses, and access passwords.
- Configure static routing.
Part 2: Configure Local Authentication
- Configure a local database user and local access for the console, vty, and aux lines.
- Test the configuration.
Part 3: Configure Local Authentication Using AAA
- Configure the local user database using Cisco IOS.
- Configure AAA local authentication using Cisco IOS.
- Configure AAA local authentication using SDM.
- Test the configuration.
Part 4: Configure Centralized Authentication Using AAA and RADIUS
- Install a RADIUS server on a computer.
- Configure users on the RADIUS server.
- Configure AAA services on a router to access the RADIUS server for authentication using Cisco IOS.
- Configure AAA services on a router to access the RADIUS server for authentication using SDM.
- Test the AAA RADIUS configuration.
Background
The most basic form of router access security is to create passwords for the console, vty, and aux lines. A user is prompted for only a password when accessing the router. Configuring a privileged EXEC mode enable secret password further improves security, but still only a basic password is required for each mode of access.
The most basic form of router access security is to create passwords for the console, vty, and aux lines. A user is prompted for only a password when accessing the router. Configuring a privileged EXEC mode enable secret password further improves security, but still only a basic password is required for each mode of access.
In addition to basic passwords, specific usernames or accounts with varying privilege levels can be defined in the local router database that can apply to the router as a whole. When the console, vty, or aux lines are configured to refer to this local database, the user is prompted for a username and a password when using any of these lines to access the router.
Additional control over the login process can be achieved using Authentication, Authorization, and Accounting (AAA). For basic authentication, AAA can be configured to access the local database for user logins, and fallback procedures can also be defined. However, this approach is not very scalable because it must be configured on every router. To take full advantage of AAA and achieve maximum scalability, it is used in conjunction with an external TACACS+ or RADIUS server database. When a user attempts to login, the router references the external server database to verify that the user is logging in with a valid username and password.
In this lab, you build a multi-router network and configure the routers and hosts. You use various CLI commands and SDM tools to configure routers with basic local authentication and local authentication using AAA. You install RADIUS software on an external computer and use AAA to authenticate users with the RADIUS server.
Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advance IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.
Note: Make sure that the routers and switches have been erased and have no startup configurations.
Instructor Note: Instructions for erasing both the switch and router are provided in the Lab Manual, located on Academy Connection in the Tools section.
Required Resources
- 3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 2 switches (Cisco 2960 or comparable)
- PC-A: Windows XP, Vista, or Windows Server with RADIUS server software available
- PC-C: Windows XP or Vista
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers via the console
Instructor Note:
This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various types of user access authentication, from basic local access validation to the use of AAA and then AAA with an external RADIUS server. Both Cisco IOS and SDM methods of configuring the router are covered. R1 and R3 are on separate networks and communicate through R2, which simulates an ISP type situation. Students can work in teams of two for router authentication configuration, one person configuring R1 and the other R3.
This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various types of user access authentication, from basic local access validation to the use of AAA and then AAA with an external RADIUS server. Both Cisco IOS and SDM methods of configuring the router are covered. R1 and R3 are on separate networks and communicate through R2, which simulates an ISP type situation. Students can work in teams of two for router authentication configuration, one person configuring R1 and the other R3.
Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.
The basic running configs for all three routers are captured after Part 1 and Part 2 of the lab are completed. The running config commands that are added to R1 and R3 in Parts 3 and 4 are captured and listed separately. All configs are found at the end of the lab.
Part 1: Basic Network Device Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
All steps should be performed on routers R1 and R3. Only steps 1, 2, 3 and 6 need to be performed on R2. The procedure for R1 is shown here as an example.
Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology diagram, and cable as necessary.
Attach the devices shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each router.
a. Configure host names as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.
a. Configure host names as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.
Step 1: Verify that the system clock and debug time stamps are configured correctly.
a. From the R3 user or privileged EXEC mode prompt, use the show clock command to determine what the current time is for the router. If the time and date are incorrect, set the time from privileged EXEC mode with the command clock set HH:MM:SS DD month YYYY. An example is provided here for R3.
a. From the R3 user or privileged EXEC mode prompt, use the show clock command to determine what the current time is for the router. If the time and date are incorrect, set the time from privileged EXEC mode with the command clock set HH:MM:SS DD month YYYY. An example is provided here for R3.
b. Verify that detailed time-stamp information is available for your debug output using the show run command. This command displays all lines in the running config that include the text “timestamps”.
2 4 | Dec2614:36:42.323:AAA/BIND(000000A5):Bindi/f Dec2614:36:42.323:AAA/AUTHEN/LOGIN(000000A5):Pick method list |
d. From the Telnet window, enter privileged EXEC mode. Use the enable secret password of cisco12345. Debug messages similar to the following should be displayed. In the third entry, note the username (Admin01), virtual port number (tty194), and remote Telnet client address (192.168.3.3). Also note that the last status entry is “PASS.”
2 4 6 8 10 12 14 16 18 20 22 24 | Dec2614:40:54.431:AAA:parse name=tty194 idb type=-1tty=-1 Dec2614:40:54.431:AAA:name=tty194 flags=0x11type=5shelf=0slot=0 Dec2614:40:54.431:AAA/MEMORY:create_user(0x64BB5510) <b>user='Admin01'ruser=' NULL'ds0=0port='tty194'rem_addr='192.168.3.3'</b> authen_type=ASCII service=ENABLE priv=15initial_task_id='0',vrf= Dec2614:40:54.431:AAA/AUTHEN/START(2467624222):port='tty194' Dec2614:40:54.431:AAA/AUTHEN/START(2467624222):non-console enable Dec2614:40:54.431:AAA/AUTHEN/START(2467624222):Method=ENABLE Dec2614:40:54.435:AAA/AUTHEN(2467624222):Status=GETPASS Dec2614:40:59.275:AAA/AUTHEN/CONT(2467624222):continue_login Dec2614:40:59.275:AAA/AUTHEN(2467624222):Status=GETPASS Dec2614:40:59.275:AAA/AUTHEN/CONT(2467624222):Method=ENABLE <b>Dec2614:40:59.287:AAA/AUTHEN(2467624222):Status=PASS</b> Dec2614:40:59.287:AAA/MEMORY:free_user(0x64BB5510)user='NULL' ruser='NULL'port='tty194'rem_addr='192.168.3.3'authen_type=ASCII rf=(id=0) |
e. From the Telnet window, exit privileged EXEC mode using the disable command. Try to enter privileged EXEC mode again, but use a bad password this time. Observe the debug output on R3, noting that the status is “FAIL” this time.
2 4 6 8 | Dec2615:46:54.027:AAA/AUTHEN(2175919868):Status=GETPASS Dec2615:46:54.027:AAA/AUTHEN/CONT(2175919868):Method=ENABLE Dec2615:46:54.039:AAA/AUTHEN(2175919868):password incorrect <b>Dec2615:46:54.039:AAA/AUTHEN(2175919868):Status=FAIL</b> Dec2615:46:54.039:AAA/MEMORY:free_user(0x6615BFE4)user='NULL' port='tty194'rem_addr='192.168.3.3'authen_type=ASCII service=ENABLE rf=(id=0) |
f. From the Telnet window, exit the Telnet session to the router. Then try to open a Telnet session to the router again, but this time try to log in with the username Admin01 and a bad password. From the console window, the debug output should look similar to the following.
2 | Dec2615:49:32.339:AAA/AUTHEN/LOGIN(000000AA):Pick method list |
What message was displayed on the Telnet client screen?
% Authentication failed
g. Turn off all debugging using the undebug all command at the privileged EXEC prompt.
% Authentication failed
g. Turn off all debugging using the undebug all command at the privileged EXEC prompt.
Part 4: Configure Centralized Authentication Using AAA and RADIUS.
In Part 4 of the lab, you install RADIUS server software on PC-A. You then configure router R1 to access the
external RADIUS server for user authentication. The freeware server WinRadius is used for this section of the lab.
external RADIUS server for user authentication. The freeware server WinRadius is used for this section of the lab.
Task 1: Restore Router R1 to Its Basic Settings
To avoid confusion as to what was already entered and the AAA RADIUS configuration, start by restoring router R1 to its basic configuration as performed in Parts 1 and 2 of this lab.
To avoid confusion as to what was already entered and the AAA RADIUS configuration, start by restoring router R1 to its basic configuration as performed in Parts 1 and 2 of this lab.
Step 1: Erase and reload the router.
a. Connect to the R1 console, and log in with the username Admin01 and password Admin01pass.
b. Enter privileged EXEC mode with the password cisco12345.
c. Erase the startup config and then issue the reload command to restart the router.
a. Connect to the R1 console, and log in with the username Admin01 and password Admin01pass.
b. Enter privileged EXEC mode with the password cisco12345.
c. Erase the startup config and then issue the reload command to restart the router.
Step 2: Restore the basic configuration.
a. When the router restarts, enter privileged EXEC mode with the enable command, and then enter global config mode. Use the HyperTerminal Transfer > Send File function, cut and paste or use another method to load the basic startup config for R1 that was created and saved in Part 2 of this lab.
a. When the router restarts, enter privileged EXEC mode with the enable command, and then enter global config mode. Use the HyperTerminal Transfer > Send File function, cut and paste or use another method to load the basic startup config for R1 that was created and saved in Part 2 of this lab.
b. Test connectivity by pinging from host PC-A to PC-C. If the pings are not successful, troubleshoot the router and PC configurations until they are.
c. If you are logged out of the console, log in again as user01 with password user01pass, and access privileged EXEC mode with the password cisco12345.
d. Save the running config to the startup config using the copy run start command.
Task 2: Download and Install a RADIUS Server on PC-A
There are a number of RADIUS servers available, both freeware and for cost. This lab uses WinRadius, a freeware standards-based RADIUS server that runs on Windows XP and most other Windows operating systems. The free version of the software can support only five usernames.
There are a number of RADIUS servers available, both freeware and for cost. This lab uses WinRadius, a freeware standards-based RADIUS server that runs on Windows XP and most other Windows operating systems. The free version of the software can support only five usernames.
Step 1: Download the WinRadius software.
a. Create a folder named WinRadius on your desktop or other location in which to store the files.
a. Create a folder named WinRadius on your desktop or other location in which to store the files.
b. Download the latest version from http://www.suggestsoft.com/soft/itconsult2000/winradius/. The publisher asks that you provide your email address and send them feedback after you install and try WinRadius. You may skip the survey if desired.
c. Save the downloaded zip file in the folder you created in Step 1a, and extract the zipped files to the same folder. There is no installation setup. The extracted WinRadius.exe file is executable.
d. You may create a shortcut on your desktop for WinRadius.exe.
Step 2: Configure the WinRadius server database.
a. Start the WinRadius.exe application. WinRadius uses a local database in which it stores user information. When the application is started for the first time, the following messages are displayed Please go to “Settings/Database and create the ODBC for your RADIUS database. Launch ODBC failed.
a. Start the WinRadius.exe application. WinRadius uses a local database in which it stores user information. When the application is started for the first time, the following messages are displayed Please go to “Settings/Database and create the ODBC for your RADIUS database. Launch ODBC failed.
b. Select Settings > Database from the main menu and the following screen is displayed. Click the Configure ODBC automatically button and then click OK. You should see a message that the ODBC was created successfully. Exit WinRadius and restart the application for the changes to take effect.
c. When WinRadius starts again, you should see messages similar to the following displayed.
d. On which ports is WinRadius listening for authentication and accounting? The authentication port is 1812, and the accounting port is 1813.
Step 3: Configure users and passwords on the WinRadius server.
Note: The free version of WinRadius can support only five usernames. The usernames are lost if you exit the application and restart it. Any usernames created in previous sessions must be recreated. Note that the first message in the previous screen shows that zero users were loaded. No users had been created prior to this, but this message is displayed each time WinRadius is started, regardless of whether users were created or not.
a. From the main menu, select Operation > Add User.
b. Enter the username RadUser with a password of RadUserpass. Remember that passwords are casesensitive.
b. Enter the username RadUser with a password of RadUserpass. Remember that passwords are casesensitive.
c. Click OK. You should see a message on the log screen that the user was added successfully.
Step 4: Clear the log display.
From the main menu, select Log > Clear.
From the main menu, select Log > Clear.
Step 5: Test the new user added using the WinRadius test utility.
a. A WinRadius testing utility is included in the downloaded zip file. Navigate to the folder where you unzipped the WinRadius.zip file and locate the file named RadiusTest.exe.
a. A WinRadius testing utility is included in the downloaded zip file. Navigate to the folder where you unzipped the WinRadius.zip file and locate the file named RadiusTest.exe.
b. Start the RadiusTest application, and enter the IP address of this RADIUS server (192.168.1.3), username RadUser, and password RadUserpass as shown. Do not change the default RADIUS port number of 1813 and the RADIUS password of WinRadius.
c. Click Send and you should see a Send Access_Request message indicating the server at 192.168.1.3, port number 1813, received 44 hexadecimal characters. On the WinRadius log display, you should also see a message indicating that user RadUser was authenticated successfully.
d. Close the RadiusTest application.
Task 3: Configure R1 AAA Services and Access the RADIUS Server Using Cisco IOS
Note: If you want to configure AAA using SDM, go to Task 5.
Step 1: Enable AAA on R1.
Use the aaa new-model command in global configuration mode to enable AAA.
Use the aaa new-model command in global configuration mode to enable AAA.
Step 2: Configure the default login authentication list.
a. Configure the list to first use RADIUS for the authentication service, and then none. If no RADIUS server can be reached and authentication cannot be performed, the router globally allows access without authentication. This is a safeguard measure in case the router starts up without connectivity to an active RADIUS server.
a. Configure the list to first use RADIUS for the authentication service, and then none. If no RADIUS server can be reached and authentication cannot be performed, the router globally allows access without authentication. This is a safeguard measure in case the router starts up without connectivity to an active RADIUS server.