In any network setup, ensuring secure access to devices like routers and switches is paramount to prevent potential security vulnerabilities. Failure to secure access could leave networks vulnerable to unauthorized access and malicious attacks.
There are two primary ways to secure access to a network device. The first is to keep the credentials in the device's local database. The second is to keep them on an external server, known as an AAA server; in that case an authentication protocol, RADIUS or TACACS+, must be configured to carry the exchange between the AAA server and the devices being secured.
The acronym “AAA” stands for Authentication, Authorization, and Accounting, reflecting the server’s role in handling user authentication, authorization, and activity logging.
Configuring an AAA server involves two main approaches: utilizing the Radius authentication protocol or the TACACS+ authentication protocol.
In this post, we'll demonstrate how to configure an AAA server using both methods. Detailed, step-by-step instructions for each method are in our dedicated posts on the RADIUS and TACACS+ authentication protocols, linked below:
- How to Configure TACACS+ Server in Cisco Packet Tracer
- How to Configure Radius Server in Cisco Packet Tracer
Network Topology
The network topology used to demonstrate the AAA server configuration is shown below. It comprises a router (R1), an AAA server, a switch, and two PCs. Our objective is to enable AAA services on the server, configure authentication between the router and the AAA server (first with RADIUS, then with TACACS+), and create users for PC1 and PC2. PC1 accesses R1 over a console connection, while PC2 uses Telnet.
AAA Server Configuration Using Radius
To configure the AAA server using the RADIUS authentication protocol, first enable the RADIUS AAA service on the server and register the router as a client. The client entry must use the same shared key that will be entered on R1 (123456 below); a mismatched key is the most common reason an otherwise correct setup rejects every login.
Then create two users, one for PC1 and the other for PC2, as shown below.
After that, complete the following configuration on the router whose access is being secured, R1 in our topology. Three points are worth noting: the key on the radius-server line must match the client entry on the server; auth-port 1645 is the legacy RADIUS authentication port (the standard port is 1812), so use whichever port the server actually listens on; and the local admin account is created in the same session as aaa new-model, because that command applies the default login list to the console immediately.
R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
R1(config)#aaa authentication login RADIUS group radius
R1(config)#radius-server host 192.168.12.254 auth-port 1645 key 123456
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#login authentication RADIUS
R1(config-line)#exit
If you need a detailed explanation of the above commands, check out our post on How to Configure Radius Server in Cisco Packet Tracer.
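To see what the radius-server line actually buys you, the following is an added example (not code from the original post or from Packet Tracer) that models the RADIUS exchange between R1 and the AAA server when PC2 logs in over Telnet: the router hides the password with the shared key and a random Request Authenticator, the server recovers it, and the server signs its Accept or Reject so the router can detect a forged verdict. The user table is constructed to mirror the post (user1 and user2 on the server, admin only in R1's local database); the packet identifier and addresses are assumed values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) in pure Python.

Added example, not part of the original post. It models what R1 (the NAS,
192.168.12.1) and the AAA server (192.168.12.254) exchange, using the shared
key 123456 from the router configuration. SERVER_USERS is constructed to
mirror the post: user1 and user2 exist on the server, admin does not.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_KEY = b"123456"                                   # "radius-server host ... key 123456"
SERVER_USERS = {b"user1": b"cisco", b"user2": b"cisco"}  # constructed: users added on the AAA server


def hide_password(key: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(key + previous ciphertext block); block 1 uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(key + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(key: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same construction; a wrong key yields garbage, never an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(key + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # Length covers the 2-byte header


def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def build_access_request(key: bytes, ident: int, username: bytes, password: bytes, nas_ip: str) -> bytes:
    """NAS side: note that only the password is hidden; User-Name travels in the clear."""
    request_auth = os.urandom(16)                         # fresh and unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(key, request_auth, password))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(key: bytes, request: bytes, users: dict) -> bytes:
    """AAA server: recover the password, look the user up, sign the verdict."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(key, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    accepted = code == ACCESS_REQUEST and username in users and hmac.compare_digest(users[username], password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    # without the key nobody on the path can forge an Access-Accept (no attributes here).
    return head + hashlib.md5(head + request_auth + key).digest()


def check_response(key: bytes, request: bytes, response: bytes):
    """NAS side: trust the verdict only if the Response Authenticator verifies; returns the code or None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + key).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def authenticate(username: bytes, password: bytes, nas_key: bytes = SHARED_KEY,
                 server_key: bytes = SHARED_KEY, users: dict = SERVER_USERS) -> bool:
    """Full exchange; True only on a verified Access-Accept."""
    request = build_access_request(nas_key, 7, username, password, "192.168.12.1")
    response = server_respond(server_key, request, users)
    return check_response(nas_key, request, response) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("user1/cisco   ->", authenticate(b"user1", b"cisco"))                      # accepted
    print("admin/cisco   ->", authenticate(b"admin", b"cisco"))                      # rejected: local account only
    print("wrong NAS key ->", authenticate(b"user1", b"cisco", nas_key=b"654321"))   # rejected, signature fails too
```

Two things the code makes visible that the CLI does not: a key mismatch between router and server does not produce an error, the server simply recovers a wrong password and rejects everyone, which is why "every login fails" usually means "check the key"; and the username attribute is readable by anyone who can capture the UDP packet, which is one of the reasons TACACS+ is preferred for device administration.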
AAA Server Configuration Using TACACS+
To configure the AAA server using the TACACS+ authentication protocol, first enable the TACACS+ AAA service on the server and register the router as a client with the same shared key that will be configured on R1.
Then create two users, one for PC1 and the other for PC2, as shown below.
After that, complete the following configuration on the router whose access is being secured. It differs from the RADIUS version only in the method list and the tacacs-server line. The security difference is larger than the configuration difference: TACACS+ runs over TCP port 49 and obfuscates the entire packet body with the shared key, whereas RADIUS hides only the password attribute and sends the username in the clear.
R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
R1(config)#aaa authentication login TACACS+ group tacacs+
R1(config)#tacacs-server host 192.168.12.254 key 123456
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#login authentication TACACS+
R1(config-line)#exit
If you need a detailed explanation of the above commands and their functions in AAA server configuration, read our post on How to Configure TACACS+ Server in Cisco Packet Tracer
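The following is an added example (not code from the original post or from Packet Tracer) showing what the tacacs-server key is used for: it builds the TACACS+ authentication START packet that R1 would send for a login through the TACACS+ method list above and de-obfuscates it the way the server does. The PAP authentication type is used so that the password fits in this one packet (an ASCII login sends it in a later CONTINUE packet); the session ID, port and remote address are constructed sample values.

```python
"""TACACS+ authentication START packet with body obfuscation (RFC 8907 section 4.5).

Added example, not part of the original post. With the shared key 123456 from
the tacacs-server line, the whole body (username, port, remote address and
password) is XORed with a key-derived pseudo-pad, so none of it is readable on
the wire. Session ID, port and remote address below are constructed values.
"""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length (12 bytes)

SHARED_KEY = b"123456"            # "tacacs-server host 192.168.12.254 key 123456"


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no); pad_n = MD5(same + pad_{n-1}); concatenate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it. It is confidentiality only,
    not integrity: a wrong key produces garbage rather than an authentication error."""
    pad = pseudo_pad(key, session_id, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(key: bytes, session_id: int, user: bytes, password: bytes,
                       port: bytes = b"tty2", rem_addr: bytes = b"192.168.12.2", priv_lvl: int = 1) -> bytes:
    """R1 -> server: first packet of the session (seq_no 1) with the body obfuscated."""
    body = (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0x00, session_id, len(body))
    return header + obfuscate(key, session_id, 1, body)


def parse_authen_start(key: bytes, packet: bytes) -> dict:
    """Server side: check the header, de-obfuscate with its copy of the key, split the fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHEN or length != len(packet) - HEADER.size:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(key, session_id, seq_no, body)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not add up: wrong key or corrupted body")
    fields, pos = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("password", dlen)):
        fields[name] = body[pos:pos + n]
        pos += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def decodes_as(key: bytes, packet: bytes, user: bytes) -> bool:
    """True only when this key turns the packet back into a consistent START for `user`."""
    try:
        return parse_authen_start(key, packet)["user"] == user
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    sid = int.from_bytes(os.urandom(4), "big")
    pkt = build_authen_start(SHARED_KEY, sid, b"user1", b"cisco")
    print("username readable on the wire:", b"user1" in pkt)              # False
    print("server decodes user:", parse_authen_start(SHARED_KEY, pkt)["user"])  # b'user1'
    print("decodes with wrong key:", decodes_as(b"654321", pkt, b"user1"))      # False
```

The pseudo-pad is MD5-based and keyed only by the shared key, so a captured session can be attacked offline if the key is weak; a short numeric key like 123456 is fine for a Packet Tracer lab and nothing else.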
Verifying AAA server Configuration
Whether the AAA server was configured with TACACS+ or RADIUS, the verification steps are the same: connect each PC to the router and check that a username and password are required before the router CLI can be accessed. Which accounts are accepted depends on the method list applied to the line, as the two sessions below show.
On PC1:
Connect to R1 over the console cable. You will be asked for a username and password before you can access the router. The console line uses the default list, which is the local database, so the local admin account works while the users defined on the AAA server are rejected:
Console to R1
User Access Verification
Username: admin
Password: cisco
R1>enable
Password: cisco
R1#
User Access Verification
Username: user1
Password: cisco
% Login invalid
Username: user2
Password: cisco
% Login invalid
On PC2
When you Telnet to R1, you will be asked for a username and password before you reach the configuration terminal. The vty lines use the RADIUS (or TACACS+) list, so the accounts on the AAA server are accepted while admin, which exists only in the router's local database, is rejected:
C:\>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
User Access Verification
Username: admin
Password: cisco
% Login invalid
Username: user1
Password: cisco
R1>enable
Password: cisco
R1#
Username: user2
Password: cisco
R1>enable
Password: cisco
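The Telnet session above shows the intended behaviour of the configuration, but also its weak spot: the RADIUS and TACACS+ method lists name a single method, so if the server is down or unreachable nobody can log in over the vty lines, and the local admin account is no help because that list never consults it. The fragment below is an added, hardened variant of R1's configuration (not the post's own; it keeps the same addresses and lab key and uses the TACACS+ variant). Two caveats: the local fallback is used only when no server answers, not when the server rejects the credentials, so admin would still be rejected over Telnet while the server is up; and the authorization, accounting and SSH lines are standard IOS commands, but Packet Tracer may not accept every one of them.

```cisco
! Added, hardened variant of R1's configuration (not the post's own)
aaa new-model
! Local fallback account stored as a hash (secret), not a reversible "password"
username admin privilege 15 secret cisco
enable secret cisco
! Method lists: server first, local database only if no server responds
aaa authentication login default local
aaa authentication login TACACS+ group tacacs+ local
! TACACS+ can also authorize the exec shell and record sessions and commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Shared key: the lab value 123456 should be a long random string in production
tacacs-server host 192.168.12.254 key 123456
! Telnet sends credentials in the clear; generate a key pair and allow only SSH on the vty lines
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
line console 0
 login authentication default
line vty 0 4
 login authentication TACACS+
 transport input ssh
```

With this in place the verification changes in one way only: PC2 connects with ssh -l user1 192.168.12.1 instead of telnet, and every command user1 runs is recorded on the AAA server.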
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.
Connect with me on social media using the links below for more insights.