1
00:00:00,750 --> 00:00:09,660
At the moment in this GNS3 topology, we can log in to Router 1 with the username David and password

2
00:00:09,660 --> 00:00:10,260
Cisco.

3
00:00:11,310 --> 00:00:15,810
The ACS server, however, only has a username of admin.

4
00:00:16,770 --> 00:00:22,710
So once we integrate R1 with the ACS server, David will no longer be able to log in.

5
00:00:23,340 --> 00:00:31,280
So let's configure R1 to talk to the authentication server. At the moment,

6
00:00:31,680 --> 00:00:39,570
please note that on the console, when we use the command login, we have the option login, enter or

7
00:00:39,570 --> 00:00:45,270
carriage return, which means that the password on the line is used for authentication,

8
00:00:46,320 --> 00:00:53,940
or we can specify that a local username and password database is used for authentication. One of the

9
00:00:53,940 --> 00:01:01,410
first commands we're going to use with AAA is aaa new-model.

10
00:01:02,540 --> 00:01:06,920
This will enable new access control commands and functions

11
00:01:08,140 --> 00:01:18,580
and disable old commands. So we've entered aaa new-model. Now when we go onto the console and type login,

12
00:01:18,580 --> 00:01:21,570
notice the options have changed.

13
00:01:22,360 --> 00:01:29,950
Previously we had login local or login and enter, but if we type login enter, that doesn't work,

14
00:01:30,790 --> 00:01:31,990
or login local.

15
00:01:33,200 --> 00:01:40,610
That also doesn't work, so the authentication commands have changed and now we have the options of

16
00:01:40,630 --> 00:01:49,220
login authentication, and we can specify a word or the default option. I'm not going to enter that now.

17
00:01:49,970 --> 00:01:53,720
By default, the authentication used is default,

18
00:01:55,380 --> 00:02:02,130
and I'll show you where that's configured in a moment. So all we've done thus far is specify

19
00:02:03,580 --> 00:02:04,420
aaa new-model.
20
00:02:05,360 --> 00:02:12,920
We need a local username and password as backup, but that was configured previously, so we've got

21
00:02:12,920 --> 00:02:16,160
two usernames and passwords here, David and Mary.

22
00:02:16,940 --> 00:02:23,930
So what we'll do now is specify TACACS+. You could use RADIUS, but in this example, I'm going to specify

23
00:02:23,930 --> 00:02:27,740
a TACACS+ host of 10.1.1.1.

24
00:02:28,460 --> 00:02:31,670
That is this ACS server.

25
00:02:33,420 --> 00:02:39,090
The ACS server has an IP address of 10.1.1.1.

26
00:02:40,140 --> 00:02:43,440
So as an example, ping 10.1.1.1:

27
00:02:44,410 --> 00:02:51,730
the router can ping the ACS server. We need to specify a password that's going to be used for encryption.

28
00:02:52,210 --> 00:03:00,940
So we use the command tacacs-server key and then specify a password for the encryption, or key for the

29
00:03:00,940 --> 00:03:01,510
encryption.

30
00:03:02,090 --> 00:03:03,250
I'll use Cisco here,

31
00:03:03,610 --> 00:03:07,270
and now we need to specify AAA options.

32
00:03:07,810 --> 00:03:12,700
We have authentication, authorization and accounting.

33
00:03:13,150 --> 00:03:15,400
I'm going to specify authentication.

34
00:03:16,950 --> 00:03:20,130
What are we going to authenticate in our example?

35
00:03:20,160 --> 00:03:22,920
We're going to authenticate login attempts to the router.

36
00:03:25,150 --> 00:03:32,800
So aaa authentication login. You could also use AAA for PPP sessions, in other words, CHAP

37
00:03:32,800 --> 00:03:39,730
or PAP, or when someone uses the enable command to go to enable mode, but we'll simply do

38
00:03:39,730 --> 00:03:40,860
it for login.

39
00:03:41,650 --> 00:03:47,380
We can use a word or default, and that's where that default option comes in.

40
00:03:48,100 --> 00:03:54,840
Default means that this authentication method is going to be applied to all lines on the router.
41
00:03:55,210 --> 00:04:01,540
That means the console, the auxiliary port, VTY lines and TTY lines.

42
00:04:02,230 --> 00:04:08,200
We didn't apply authentication on the auxiliary port in this router, but by using AAA, it's a lot

43
00:04:08,200 --> 00:04:15,880
easier to apply authentication on every line on the device and not miss some of the lines.

44
00:04:16,230 --> 00:04:18,610
So it's a lot better than doing things locally.

45
00:04:20,029 --> 00:04:26,300
We can then specify what's going to be used for authentication. In our example, we want to specify a

46
00:04:26,300 --> 00:04:35,120
group, which is going to be tacacs+ because we're using the TACACS+ protocol, and then as a backup authentication

47
00:04:35,120 --> 00:04:36,470
method, we can use local.

48
00:04:37,190 --> 00:04:44,480
What that means is that if the router is unable to connect to the TACACS+ server because the network

49
00:04:44,480 --> 00:04:51,470
is down or the server is down, a local username and password database will be used as an alternate

50
00:04:51,470 --> 00:04:53,960
method for authenticating the user.

51
00:04:54,680 --> 00:05:02,390
Now please note, authentication failures to the TACACS+ server don't mean that the local database will be used.

52
00:05:02,900 --> 00:05:08,060
The local database is only used if the server is unavailable.

53
00:05:09,530 --> 00:05:18,170
So that was the configuration. show run will allow us to see that: we specified aaa new-model, we specified

54
00:05:18,170 --> 00:05:23,810
our authentication default method is going to be using TACACS+ and then a local database.

55
00:05:25,270 --> 00:05:30,490
These were configured previously, but you would need to configure a local username and password as

56
00:05:30,490 --> 00:05:31,030
a backup.
57
00:05:33,110 --> 00:05:35,480
Here's our TACACS+ server information,

58
00:05:36,550 --> 00:05:44,560
and notice on the lines, we no longer see a login local. The console is using the default, which

59
00:05:44,560 --> 00:05:49,660
is to use TACACS+ and if that fails, to use a local database.

60
00:05:50,800 --> 00:05:57,850
So when we try and log back into the router with a username of David and password of Cisco, it works

61
00:05:57,850 --> 00:06:04,600
at the moment because the router isn't connected to the TACACS+ server. We still have to configure the TACACS+

62
00:06:04,600 --> 00:06:09,760
server to allow the router to communicate with the server.

63
00:06:10,180 --> 00:06:15,460
At the moment, we have some other devices here, but the GNS3 router isn't configured.
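Added reference, not part of the video transcript above: the R1 configuration the presenter types piece by piece, written out in Cisco IOS syntax as one fragment, with the verification commands a practitioner would run before closing the console session. The server address 10.1.1.1, the usernames David and Mary, and the key and password "Cisco" are the lab values spoken in the video; the server name "ACS" and Mary's password are assumptions made here.

```text
! Added example (not the video's own configuration). Lab values from the transcript:
! TACACS+ host 10.1.1.1, local users David and Mary, shared key "Cisco".
!
! 1. Switch to the new-model AAA commands. After this, "login" and "login local"
!    are gone from line configuration; the lines use the "default" method list.
aaa new-model
!
! 2. Local accounts kept as the fallback method. "secret" stores a hash instead of
!    the cleartext that "password" would store. Mary's password is not given in
!    the video; "Cisco" is assumed here.
username David secret Cisco
username Mary secret Cisco
!
! 3. The TACACS+ server. The server name "ACS" is an assumption. Older IOS uses the
!    one-liner "tacacs-server host 10.1.1.1 key Cisco"; this block form is the
!    current syntax for the same thing. "Cisco" is a lab key, not a production one.
tacacs server ACS
 address ipv4 10.1.1.1
 key Cisco
!
! 4. Default login method list for every line (console, aux, VTY, TTY): ask
!    TACACS+ first; fall back to the local database only when no TACACS+ server
!    responds. A reject returned by the server is final and does not fall through.
aaa authentication login default group tacacs+ local
!
! Optional, mentioned in the video: guard "enable" the same way, with the enable
! secret as the fallback instead of the local user database.
! aaa authentication enable default group tacacs+ enable
!
! Verification, run from privileged EXEC while the current session is still open,
! so a typo cannot lock you out:
!   test aaa group tacacs+ David Cisco legacy   (drives the server path end to end)
!   show tacacs                                 (per-server socket and auth counters)
!   debug aaa authentication                    (shows which method answered a login)
```

Two things the fragment makes visible that the walkthrough only implies. First, the fallback order in the method list is the whole safety net: with `group tacacs+ local`, a server that is reachable but rejects David (the ACS only knows `admin`) locks David out, exactly as the presenter predicts, and only a dead server or a down link lets the local user database answer. Second, the TACACS+ key is a shared secret that keys the MD5-derived pad used to obfuscate packet bodies (RFC 8907), not a strong encryption key; treat it like a password, keep it unique per device group, and carry TACACS+ over a management network rather than the production data path.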