How to Configure AAA Server in Packet Tracer

In any network setup, ensuring secure access to devices like routers and switches is paramount to prevent potential security vulnerabilities. Failure to secure access could leave networks vulnerable to unauthorized access and malicious attacks.

There are two primary methods to secure access to network devices. First, we can utilize the device’s local database to store authentication details. Alternatively, an external server, known as an AAA server, can store these authentication details. When employing an external server, it’s essential to configure an authentication protocol such as RADIUS or TACACS+ to manage communication between the AAA server and the secured devices.

The acronym “AAA” stands for Authentication, Authorization, and Accounting, reflecting the server’s role in handling user authentication, authorization, and activity logging.

Configuring an AAA server involves two main approaches: utilizing the RADIUS authentication protocol or the TACACS+ authentication protocol.

In this post, we’ll demonstrate how to configure an AAA server using both methods. However, for detailed configuration instructions for each method, refer to our dedicated posts for the RADIUS and TACACS+ authentication protocols. You can find more information through the links below:

  1. How to Configure TACACS+ Server in Cisco Packet Tracer
  2. How to Configure Radius Server in Cisco Packet Tracer

Network Topology

The network topology that we will be using to demonstrate how to configure the AAA server is shown below. As you can see, it comprises a router, an AAA server, a switch, and two PCs. Our objective in this demonstration is to enable AAA services on the server, configure access authentication between the router and the RADIUS server, and create users for both PC1 and PC2. PC1 will utilize a console connection to access Router 1, while PC2 will use Telnet.

Network topology for TACACS+ server configuration

AAA Server Configuration Using RADIUS

To configure the AAA server using the RADIUS authentication protocol, first enable the RADIUS AAA service on the server:

Configuring Radius Server

Then two users, one for PC1 and the other for PC2, are created as shown below:

Configuring Radius Server 2

After that, the following configuration needs to be completed on the router, whose access is being secured. This is R1 in our network topology.

R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
R1(config)#aaa authentication login RADIUS group radius
R1(config)#radius-server host 192.168.12.254 auth-port 1645 key 123456
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit

R1(config)#line vty 0 4
R1(config-line)#login authentication RADIUS
R1(config-line)#exit

If you need a detailed explanation of the above commands, check out our post on How to Configure Radius Server in Cisco Packet Tracer.

 

AAA Server Configuration Using TACACS+

To configure the AAA server using the TACACS+ authentication protocol, first enable the TACACS+ AAA service on the server:

Configuring TACACS+ Server

Then two users, one for PC1 and the other for PC2, are created as shown below:

Configuring TACACS+ Server (1)

After that, the following configuration needs to be completed on the router, whose access is being secured.

R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
R1(config)#aaa authentication login TACACS+ group tacacs+
R1(config)#tacacs-server host 192.168.12.254 key 123456
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit

R1(config)#line vty 0 4
R1(config-line)#login authentication TACACS+
R1(config-line)#exit

If you need a detailed explanation of the above commands and their functions in AAA server configuration, read our post on How to Configure TACACS+ Server in Cisco Packet Tracer.

Verifying AAA Server Configuration

Whether your AAA server configuration was done through TACACS+ or RADIUS, the steps to verify that it is working are the same. They involve connecting the PCs to the router and checking whether you are required to provide a password before you can access the CLI of the router.

On PC1:

Connect to R1 through the console. You will be asked for a password and username before you can access the router.

Console to R1

User Access Verification

Username: admin
Password: cisco
R1>enable
Password: cisco
R1#

User Access Verification

Username: user1
Password: cisco
% Login invalid

Username: user2
Password: cisco
% Login invalid

On PC2:

When you connect to the router, you will be asked for a password and username before you can access the router configuration terminal.

C:\>telnet 192.168.12.1
Trying 192.168.12.1 ...Open


User Access Verification

Username: admin
Password: cisco
% Login invalid

Username: user1
Password: cisco
R1>enable
Password: cisco
R1#

Username: user2
Password: cisco
R1>enable
Password: cisco
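
The check below is an added example, not code from the original post: it parses a configuration like R1's, resolves which login method list each line uses, and reports hardening gaps. The sample text is R1's RADIUS configuration as given on this page; the function names parse and audit and the wording of the findings are assumptions of this example.

```python
import re

# Constructed sample: the RADIUS variant of R1's configuration from this page.
R1_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 password cisco
enable secret cisco
aaa authentication login RADIUS group radius
radius-server host 192.168.12.254 auth-port 1645 key 123456
line console 0
 login authentication default
line vty 0 4
 login authentication RADIUS
"""

def parse(config):
    """Return (method_lists, line_bindings, local_users) from IOS config text."""
    lists, lines, users, current = {}, {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"username (\S+) .*\b(password|secret)\b", text):
            users[m.group(1)] = m.group(2)
        elif m := re.match(r"line (.+)", text):
            current = m.group(1)
            lines[current] = "default"  # list "default" applies unless overridden
        elif current and (m := re.match(r"login authentication (\S+)", text)):
            lines[current] = m.group(1)
    return lists, lines, users

def audit(config):
    """Resolve each line to its login methods and collect hardening findings."""
    lists, lines, users = parse(config)
    resolved, findings = {}, []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model missing: AAA is not enabled")
    for line, name in lines.items():
        methods = resolved[line] = lists.get(name)
        if methods is None:
            findings.append(f"line {line}: method list {name!r} is not defined")
        elif methods[0] == "group" and "local" not in methods:
            findings.append(f"line {line}: {' '.join(methods)} has no local "
                            "fallback if the AAA server is unreachable")
    for user, kind in users.items():
        if kind == "password":
            findings.append(f"username {user}: uses 'password'; 'secret' stores a hash")
    return resolved, findings
```

For R1 this resolves the console to local and the vty lines to group radius, which is why admin logs in only on the console and user1 and user2 only over Telnet in the sessions above.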

 
