1
00:00:00,710 --> 00:00:07,610
On the Cisco ACS server, we need to go to Network Configuration and add a AAA client.

2
00:00:08,510 --> 00:00:10,880
In other words, we need to add the Cisco router.

3
00:00:12,130 --> 00:00:19,990
We need to specify the hostname of the router, so I'm gonna call this router 1, and then we need to specify

4
00:00:19,990 --> 00:00:21,610
the IP address of the router,

5
00:00:23,100 --> 00:00:27,480
10.1.1.201. The key that we used

6
00:00:33,840 --> 00:00:37,070
was Cisco, shown over here.

7
00:00:40,720 --> 00:00:48,070
So we need to specify Cisco as the key, and we are going to authenticate in this example using TACACS

8
00:00:48,250 --> 00:00:52,120
Cisco IOS. There are other options such as RADIUS,

9
00:00:52,390 --> 00:00:59,170
but we'll use TACACS in this example, and I'm going to click Submit and Apply to apply that configuration.

10
00:01:02,110 --> 00:01:06,520
Once again, under Users, we only have a user called Admin.

11
00:01:08,300 --> 00:01:16,400
So now let's test whether we can log back in to router 1 as David. So we'll enter David and the password.

12
00:01:17,060 --> 00:01:23,000
Notice authentication has failed. On the TACACS server, going to Reports and Activity,

13
00:01:23,900 --> 00:01:25,550
we can look at Failed Attempts,

14
00:01:26,500 --> 00:01:33,670
and we can see here that we've got a failed attempt for David: external database user invalid or bad

15
00:01:33,670 --> 00:01:34,480
password.

16
00:01:36,420 --> 00:01:40,530
I'll log in as Mary, username Mary, password Cisco.

17
00:01:41,630 --> 00:01:45,620
I'll refresh the login failures and notice Mary

18
00:01:46,860 --> 00:01:47,610
has failed.

19
00:01:48,600 --> 00:01:59,040
But if we log in as Admin Cisco, the authentication passes and we are able to access the router. show

20
00:01:59,040 --> 00:02:02,070
run pipe include user

21
00:02:03,230 --> 00:02:11,270
shows us that we have a user, David, and a user, Mary, with the relevant passwords, but the

22
00:02:11,270 --> 00:02:14,630
local username and password database

23
00:02:15,710 --> 00:02:26,060
is only used if the TACACS server is not available. So as an example, if I stop the TACACS service on

24
00:02:26,060 --> 00:02:27,560
the TACACS server

25
00:02:28,470 --> 00:02:40,950
and exit out of the router and then log in as David, I can access the router. So I can only use the

26
00:02:40,950 --> 00:02:45,510
local username and password database if the TACACS server is down.

27
00:02:46,500 --> 00:02:50,400
If, however, the TACACS server is up, so I'll start the service again.

28
00:02:53,120 --> 00:03:04,250
If I try and log back in as David, notice authentication has failed, and once again on the server, we

29
00:03:04,250 --> 00:03:07,860
can see that David failed the authentication.

30
00:03:08,810 --> 00:03:11,420
I can, however, log back in as admin.

31
00:03:13,090 --> 00:03:18,970
Now, what's really nice about this is that you can create centralized user accounts. So I could create

32
00:03:18,970 --> 00:03:22,990
a user called user 1, set their password,

33
00:03:25,770 --> 00:03:36,300
and click Submit. So when I look at the available users, I now have a user called user 1, and without

34
00:03:36,300 --> 00:03:45,990
making any configuration changes on the router, we can log in as user 1. So that user doesn't exist

35
00:03:46,410 --> 00:03:51,090
in the local router configuration but exists on the TACACS server.

36
00:03:51,900 --> 00:03:56,370
If I want to, I can disable the user account.

37
00:03:56,970 --> 00:04:00,840
So user 1 is now disabled. Back on the router,

38
00:04:01,800 --> 00:04:03,450
if we try and log in as user 1,

39
00:04:04,710 --> 00:04:11,990
authentication has failed, and once again, looking at the reports on the ACS server,

40
00:04:13,030 --> 00:04:20,860
we can see Failed Attempts: user 1, account is disabled. So when they tried to access this device,

41
00:04:21,430 --> 00:04:22,530
TTY 0,

42
00:04:22,570 --> 00:04:23,740
in other words, the console,

43
00:04:25,000 --> 00:04:26,830
their login has failed.

44
00:04:27,770 --> 00:04:36,290
If they try to access that router remotely, so they try to Telnet to the router and log in as user 1,

45
00:04:37,250 --> 00:04:44,110
authentication has failed, and refreshing the information on the TACACS server, we can see that user

46
00:04:44,110 --> 00:04:51,430
1 has failed the authentication, account is disabled, and they tried to access TTY 98.

47
00:04:51,490 --> 00:04:57,580
In other words, one of the VTY lines on the router. We're getting a lot of central information

48
00:04:57,820 --> 00:04:59,410
from the ACS server.

49
00:05:00,290 --> 00:05:02,980
What we can also do is enable some debugging.

50
00:05:06,880 --> 00:05:12,280
So log in as admin, and then we can use commands such as debug tacacs,

51
00:05:13,840 --> 00:05:17,980
and I'll just enable all of it, and debug aaa,

52
00:05:21,790 --> 00:05:23,680
and in this case we'll enable authentication.

53
00:05:24,910 --> 00:05:31,510
So when the user tries to access the router, we can see quite a bit of information.

54
00:05:32,530 --> 00:05:40,120
So AAA authentication login, the user's trying to log in, we're using the default method. Note on the

55
00:05:40,610 --> 00:05:41,500
VTY lines,

56
00:05:44,290 --> 00:05:46,660
no authentication methods have been set.

57
00:05:47,580 --> 00:05:51,990
It's inheriting the default method, so default is being used.

58
00:05:53,560 --> 00:05:55,480
Authentication start packet created.

59
00:05:56,460 --> 00:06:01,500
We're trying to get a response from the user. In this case, the user took too long, so let's try that

60
00:06:01,500 --> 00:06:01,910
again.

61
00:06:05,610 --> 00:06:07,500
I'll put in the username of user 1.

62
00:06:10,040 --> 00:06:13,550
So we can see now it's asking for a password,

63
00:06:18,650 --> 00:06:21,290
and notice the response failed.

64
00:06:22,330 --> 00:06:28,970
The server 10.111 has rejected that username. So let's put some spaces there and log in with

65
00:06:28,970 --> 00:06:29,320
the

66
00:06:30,640 --> 00:06:31,510
admin user.

67
00:06:33,180 --> 00:06:34,200
Login succeeded.

68
00:06:35,460 --> 00:06:40,890
So in this case, we received a response of pass, authentication succeeded.

69
00:06:41,930 --> 00:06:45,230
So, go through the full process again.

70
00:06:48,150 --> 00:06:49,410
Telnet to the router.

71
00:06:50,880 --> 00:06:59,790
Default list is being used, we are asking for the user account, so that's admin, asking for the password.

72
00:07:02,340 --> 00:07:03,990
Authentication succeeded.

73
00:07:04,950 --> 00:07:08,340
So we can see what's taking place in the background here.

74
00:07:09,460 --> 00:07:10,980
AAA authentication is being used.

75
00:07:16,310 --> 00:07:22,460
The router is told by the AAA server to ask the user for the username, and then to ask them for their

76
00:07:22,460 --> 00:07:29,630
password, and then to tell the user that they succeeded the authentication and can log in.

77
00:07:30,080 --> 00:07:34,550
So that's an example of basic authentication on router 1.

78
00:07:35,570 --> 00:07:40,850
Now, there are two ways to set this up. We're using the older method at the moment because these routers

79
00:07:40,850 --> 00:07:44,480
don't support the newer method where we create a group.

80
00:07:44,480 --> 00:07:45,770
So I'll show you that in a moment.

81
00:07:46,250 --> 00:07:52,910
But before I do that, I'll copy this configuration to router 2, to show you that we can create

82
00:07:52,910 --> 00:07:55,370
a central authentication server.

83
00:07:59,060 --> 00:08:06,660
At the moment, we haven't configured router 2 on the ACS server, so we can still log in as David.

84
00:08:08,020 --> 00:08:14,890
So under Network Configuration, we need to create an entry for router 2. So router 2, 10.1.2

85
00:08:14,890 --> 00:08:19,840
02 is the IP address of the router, show ip interface brief.

86
00:08:21,360 --> 00:08:22,680
So there's the IP address.

87
00:08:24,410 --> 00:08:30,740
Key used is going to be Cisco, and I'm going to click Submit and Apply, so that router is now being configured.

88
00:08:33,250 --> 00:08:34,510
So try and log in

89
00:08:35,820 --> 00:08:36,630
as David.

90
00:08:38,570 --> 00:08:46,550
Authentication has failed. Try and log in as admin, authentication passes. We've now configured two routers

91
00:08:46,550 --> 00:08:48,440
with centralized authentication.

92
00:08:49,380 --> 00:08:52,410
Under the reports, Failed Attempts,

93
00:08:54,070 --> 00:09:01,480
we can see that David failed the authentication attempt on the second router, so we see information

94
00:09:01,480 --> 00:09:06,110
for both router 2 and router 1. Let's configure router 3.

95
00:09:06,820 --> 00:09:11,080
I'll take this configuration and paste it into router 3.

96
00:09:14,640 --> 00:09:23,160
On router 3, we can log in as David, so that works, but we can't log in as admin because we still

97
00:09:23,160 --> 00:09:24,960
need to configure the ACS server.

98
00:09:28,510 --> 00:09:38,740
So back on ACS, we'll add router 3. IP address is 10.1.1.203, password or key is Cisco, click

99
00:09:38,740 --> 00:09:40,900
Submit, the router's now configured.

100
00:09:42,390 --> 00:09:48,300
So previously, we couldn't log in as Admin, but now hopefully we should be able to.

101
00:09:49,710 --> 00:09:50,750
Let's try again.

102
00:09:52,790 --> 00:09:53,930
David failed there.

103
00:09:55,710 --> 00:09:57,810
So Admin.

104
00:09:58,890 --> 00:10:00,600
So Admin Cisco works.

105
00:10:04,420 --> 00:10:07,420
David Cisco doesn't work,

106
00:10:08,460 --> 00:10:17,070
because the router is now communicating with ACS, but Admin Cisco does. So we've now got three routers

107
00:10:17,070 --> 00:10:21,300
configured to communicate with an ACS server.

108
00:10:22,110 --> 00:10:25,440
These routers are using an older version of IOS.

109
00:10:26,990 --> 00:10:34,790
They're using version 12.4, and that version doesn't support TACACS server groups, which is the

110
00:10:34,790 --> 00:10:38,230
new way of doing things and is what you need to know for the exam.