How to Configure AAA (TACACS+) on Packet Tracer for User Authentication

by wing

AAA (authentication, authorization and accounting) on a Cisco switch is a centralized way to secure and control user access to the switch. Cisco switches can implement AAA with either the TACACS+ protocol (Cisco proprietary) or the RADIUS protocol. To use AAA you enable it on the switch and point the switch at an AAA service hosted on a server.

The generic steps are:

  1. Enable AAA
  2. Define AAA authentication protocol
  3. Define the AAA server host IP and the secret key that is shared between the switch and the AAA server.
  4. Assign the authentication method list to the VTY lines, so that users who Telnet/SSH to the switch are challenged for a username and password.

[Figure: Packet Tracer setup with an AAA server and a Cisco switch]

Authentication configuration

Switch(config)# aaa new-model

Switch(config)# username cisco password cisco

Note: this creates a username and password in the switch's local database. You also need to configure a username and password on the AAA server, and these can be different from the local ones.

Switch(config)# enable password mycisco

Switch(config)# aaa authentication login myauth group tacacs+ local

Note: the methods in the list are tried from left to right. The switch falls back to its local database only when the TACACS+ server group is unreachable; if the server answers and rejects the credentials, the login simply fails and the local database is not consulted.

Switch(config)# tacacs-server host 10.1.1.10 key mykey

Note: the key string 'mykey' is used to encrypt the TACACS+ session between the switch and the server, so it should be known only to those two devices.

Switch(config)# interface Vlan1

Switch(config-if)# ip address 10.1.1.20 255.0.0.0

Switch(config-if)# exit

Switch(config)# line vty 0 4

Switch(config-line)# login authentication myauth
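To make the fallback behaviour of the method list concrete, here is an added example (not from the original post) that models how IOS evaluates "group tacacs+ local". The server and local user databases are constructed stand-ins; the rule it implements is the IOS one: the next method is consulted only when the previous one returns an error (server unreachable), never when the server answers with a rejection.

```python
"""Model of an IOS-style login method list ("group tacacs+ local").

Constructed example: the user databases and the reachability flag are
stand-ins, not output from a real switch or TACACS+ server.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (e.g. server unreachable)


# Constructed stand-in for the user database on the TACACS+ server.
TACACS_USERS = {"netadmin": "S3rverPw!"}
# Constructed stand-in for the switch's local database
# (the post's "username cisco password cisco").
LOCAL_USERS = {"cisco": "cisco"}


def tacacs_method(user, password, server_reachable):
    """'group tacacs+': ERROR if no server answers, else PASS/FAIL."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL


def local_method(user, password, server_reachable):
    """'local': the switch's own database always answers."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


# The method list named "myauth" in the post, in the configured order.
MYAUTH = [("tacacs+", tacacs_method), ("local", local_method)]


def run_method_list(methods, user, password, server_reachable):
    """Evaluate a method list the way IOS does.

    Returns (method_name, Result). Only an ERROR moves on to the next
    method; a FAIL ends the attempt. If every method errors out, IOS
    denies the login (no 'none' method is configured here).
    """
    for name, method in methods:
        result = method(user, password, server_reachable)
        if result is not Result.ERROR:
            return name, result
    return "none", Result.FAIL


def authenticate(user, password, server_reachable=True):
    """Log in through the 'myauth' list and report which method decided."""
    return run_method_list(MYAUTH, user, password, server_reachable)


if __name__ == "__main__":
    for user, pw, up in [("netadmin", "S3rverPw!", True),
                         ("cisco", "cisco", True),
                         ("cisco", "cisco", False),
                         ("netadmin", "S3rverPw!", False)]:
        method, result = authenticate(user, pw, up)
        print(f"server_up={up!s:5} {user}/{pw}: decided by {method} -> {result.value}")
```

The second scenario is the one worth noticing: while the TACACS+ server is reachable, the local "cisco" account cannot be used to log in at all, because the server's rejection is final. The local account only becomes usable when the server stops answering.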


In Packet Tracer, add a generic server, connect it to the switch and set its IP address to 10.1.1.10. Then click the server icon, open the Services tab and select AAA. Make sure the service state is set to 'On', as shown in the screenshot below.

[Figure: AAA server configuration on Packet Tracer]

Under the Network section, type the client name, which is the hostname of your switch, and then the client IP. Here your switch is the client of the AAA server, so the client IP is the IP address of VLAN 1 (10.1.1.20). Enter the shared secret ('mykey', the same key given in the tacacs-server host command), select TACACS as the server type and click Add.

In the User Setup section, type a username and password and click Add. When you Telnet or SSH to the switch, use this username and password; they are verified by the AAA server, not by the switch's local database.
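Why the shared secret has to match on both sides, and why it must stay between the switch and the server, follows from how TACACS+ protects its packets. The example below is added here and is not part of the original post: it implements the packet-body obfuscation defined in RFC 8907 section 4.5, where a pseudo-pad is built from chained MD5 digests of the session id, the shared key, the version and the sequence number, and XORed over the body. The session id, the body contents and the 'wrongkey' value are constructed; 'mykey' is the key from the post.

```python
"""TACACS+ packet-body obfuscation (RFC 8907 section 4.5).

pseudo_pad = MD5_1 || MD5_2 || ... truncated to the body length, where
  MD5_1 = MD5(session_id || key || version || seq_no)
  MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
The body is XORed with the pad; applying the same pad again recovers it.
All sample values below are constructed for illustration.
"""
import hashlib
import struct

TACACS_VERSION = 0xC0          # major 0xC, minor 0 (the common "version 192")
KEY = b"mykey"                 # the shared secret from the post's config
SESSION_ID = 0x1A2B3C4D        # constructed; in reality chosen randomly by the client


def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the RFC 8907 pseudo-pad of the requested length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()   # chained digest
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, seq_no=1, version=TACACS_VERSION):
    """XOR the body with the pad. The operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Constructed authentication START body (RFC 8907 section 5.1).

    action=LOGIN(1), authen_type=ASCII(1), authen_service=LOGIN(1),
    followed by the four length fields and the variable-length strings.
    """
    user, port, rem_addr, data = user.encode(), port.encode(), rem_addr.encode(), b""
    header = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1,
                         len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data


# The body a switch would send when 'netadmin' logs in on a VTY line (constructed).
SAMPLE_BODY = build_authen_start("netadmin", "tty0", "10.1.1.50")


def demo():
    """Obfuscate the sample body, then recover it with the right and a wrong key."""
    on_wire = obfuscate(SAMPLE_BODY, SESSION_ID, KEY)
    return {
        "wire_hex": on_wire.hex(),
        "right_key_recovers": obfuscate(on_wire, SESSION_ID, KEY) == SAMPLE_BODY,
        "wrong_key_recovers": obfuscate(on_wire, SESSION_ID, b"wrongkey") == SAMPLE_BODY,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things follow for the defender. Session id, version and sequence number travel in the cleartext header, so the shared key is the only secret in the construction; a mismatched key on the server side simply produces an unreadable body (which Packet Tracer will report as a failed authentication), and a leaked key lets anyone with a capture read every body. The scheme also has no integrity check, which is why the key should be long and unique per device pair and the TACACS+ traffic confined to a management network.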


Authorization configuration

This configuration defines what a user may do on the switch after a successful authentication. When you configure authorization on a Cisco switch, it always queries the AAA server (RADIUS or TACACS+).

Switch(config)# aaa authorization exec default group tacacs+

Note: the above command determines whether a user is allowed to start an EXEC shell. To authorize at the command level, network level or another level, replace 'exec' with the appropriate keyword.

After defining the authorization method list, you would normally apply it to a line so that the AAA server authorizes users for specific tasks every time they log on through that line. Packet Tracer 7, however, has no option to apply authorization to a specific line, so you can use the following command to make the switch use AAA authorization for all lines:

Switch(config)#aaa authorization exec default group tacacs+ local

Packet Tracer 7 lets you debug the authentication process. To enable it, type the following command in privileged EXEC mode:

Switch# debug aaa authentication


Copyright © 2010-2023 ·All Rights Reserved · SecurityWing.com