Configuring AAA on Cisco Devices – RADIUS and TACACS+

Usually, a Cisco IOS device implements authentication based on a line password and authorization based on a level 15 enable password. This is a problem for any organization that needs granular access control or the ability to trace an action back to one specific user among the many who use the network. The solution is AAA (Authentication, Authorization and Accounting), which lets an administrator configure granular per-user access and auditability on an IOS device. The ‘aaa new-model’ command must be entered first to enable this more advanced and granular control in IOS.

Below is the configuration guide for a Cisco router or switch using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) to implement AAA on network devices, so that only trusted users are granted network access.

RADIUS Configuration

RADIUS is an AAA protocol spoken between a network access server (here, the router) and a central authentication server. To configure it, first define the IP address of the RADIUS server on the Cisco router (this is the legacy radius-server host form; current IOS releases use the radius server block shown further below).

R1(config)#radius-server host 192.168.1.10

Enable AAA with the aaa new-model command in global configuration mode; this unlocks the remaining AAA commands.

R1(config)#aaa new-model

Now define the RADIUS servers that you want to use, each with its address and shared key.

R1(config)#radius server RADIUS_SERVER1
R1(config-radius-server)#address ipv4 192.168.1.10
R1(config-radius-server)#key STUDY_CCNA1
R1(config)#radius server RADIUS_SERVER2
R1(config-radius-server)#address ipv4 192.168.1.11
R1(config-radius-server)#key STUDY_CCNA2

The aaa authentication login command with the group group-name method uses a named subset of RADIUS servers as the login authentication method. The group name and its members are defined with the aaa group server command. For example, first define the members of STUDY_CCNA:

R1(config)#aaa group server radius STUDY_CCNA
R1(config-sg-radius)#server name RADIUS_SERVER1
R1(config-sg-radius)#server name RADIUS_SERVER2

The method list below has two authentication methods. All users are authenticated against the RADIUS server group (the first method). If no server in the group responds, the router’s local database is used (the second method). Note that IOS only moves on to the next method when the servers fail to respond; an explicit reject from a RADIUS server is final and does not fall through to the local database. For the local authentication method, define a username and password:

R1(config)#aaa authentication login default group STUDY_CCNA local
R1(config)#username AdminBackup secret STUDYCCNA

TACACS+ Configuration

For a Cisco TACACS+ AAA configuration, first define the IP address of the TACACS+ server (again the legacy tacacs-server host form; the tacacs server block below is the current equivalent).

R1(config)#tacacs-server host 192.168.1.10

Configure a local user so that the device remains manageable if connectivity to the AAA server is lost.

R1(config)#username AdminBackup secret STUDYCCNA

Enable AAA with the aaa new-model command in global configuration mode; this unlocks the remaining AAA commands.

R1(config)#aaa new-model

Now define the TACACS+ servers that you want to use, each with its address and shared key.

R1(config)#tacacs server TACACS_SERVER1
R1(config-server-tacacs)#address ipv4 192.168.1.10
R1(config-server-tacacs)#key STUDY_CCNA1
R1(config)#tacacs server TACACS_SERVER2
R1(config-server-tacacs)#address ipv4 192.168.1.11
R1(config-server-tacacs)#key STUDY_CCNA2

Use the aaa authentication login command to configure login authentication. Its group group-name method selects a named subset of TACACS+ servers as the login authentication method. The group name and its members are defined with the aaa group server command. For example, first define the members of STUDY_CCNA, then reference the group in the method list with local as the fallback:

R1(config)#aaa group server tacacs+ STUDY_CCNA
R1(config-sg-tacacs+)#server name TACACS_SERVER1
R1(config-sg-tacacs+)#server name TACACS_SERVER2
R1(config)#aaa authentication login default group STUDY_CCNA local
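Both the RADIUS and the TACACS+ walkthroughs above depend on the same four things fitting together: aaa new-model is on, every server carries a shared key, the server group named in the login method list exists and only contains servers of its own protocol, and a local user backs the local fallback. The following Python script is an added example, not part of this page or of any Cisco tool; it parses a constructed show running-config excerpt (the SAMPLE_CONFIG string, with two deliberate mistakes planted in the TACACS+ group) and reports any of those checks that fail. The function names, the finding messages and the sample are all my own.

```python
import re

# Constructed running-config excerpt (not captured from a real device). It
# pairs the page's RADIUS group with a TACACS+ group that carries two
# deliberate mistakes for the checker to report: one server has no key and
# the group lists a RADIUS server as a TACACS+ member.
SAMPLE_CONFIG = """\
aaa new-model
!
username AdminBackup secret STUDYCCNA
!
radius server RADIUS_SERVER1
 address ipv4 192.168.1.10
 key STUDY_CCNA1
!
tacacs server TACACS_SERVER1
 address ipv4 192.168.1.10
 key STUDY_CCNA1
tacacs server TACACS_SERVER2
 address ipv4 192.168.1.11
!
aaa group server radius STUDY_CCNA
 server name RADIUS_SERVER1
aaa group server tacacs+ STUDY_TACACS
 server name TACACS_SERVER1
 server name RADIUS_SERVER1
!
aaa authentication login default group STUDY_TACACS local
"""

SERVER_RE = re.compile(r"^(radius|tacacs) server (\S+)$")
GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")


def parse_config(text):
    """Collect the AAA-relevant parts of an IOS config into a plain dict."""
    cfg = {"new_model": False, "servers": {}, "groups": {},
           "usernames": set(), "login_default": []}
    block = None  # server or group dict that the following indented lines fill
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            block = None
            continue
        if raw.startswith(" ") and block is not None:
            if "members" in block:  # inside an aaa group server block
                if line.startswith("server name "):
                    block["members"].append(line.split()[2])
            elif line.startswith("address ipv4 "):
                block["address"] = line.split()[2]
            elif line.startswith("key "):
                block["key"] = line[4:]
            continue
        block = None
        if line == "aaa new-model":
            cfg["new_model"] = True
        elif (m := SERVER_RE.match(line)):
            proto = "tacacs+" if m.group(1) == "tacacs" else "radius"
            block = cfg["servers"][m.group(2)] = {"proto": proto, "address": None, "key": None}
        elif (m := GROUP_RE.match(line)):
            block = cfg["groups"][m.group(2)] = {"proto": m.group(1), "members": []}
        elif line.startswith("username "):
            cfg["usernames"].add(line.split()[1])
        elif line.startswith("aaa authentication login default "):
            cfg["login_default"] = line.split()[4:]  # method tokens only
    return cfg


def check_aaa(cfg):
    """Return a list of findings; an empty list means the pattern is complete."""
    out = []
    if not cfg["new_model"]:
        out.append("aaa new-model is missing; method lists will not take effect")
    for name, srv in cfg["servers"].items():
        if srv["address"] is None:
            out.append(f"server {name} has no address")
        if srv["key"] is None:
            out.append(f"server {name} has no shared key")
    for gname, grp in cfg["groups"].items():
        if not grp["members"]:
            out.append(f"group {gname} has no members")
        for member in grp["members"]:
            srv = cfg["servers"].get(member)
            if srv is None:
                out.append(f"group {gname} references undefined server {member}")
            elif srv["proto"] != grp["proto"]:
                out.append(f"group {gname} ({grp['proto']}) references {srv['proto']} server {member}")
    methods = cfg["login_default"]
    if not methods:
        out.append("no 'aaa authentication login default' method list")
        return out
    for i, tok in enumerate(methods):
        if tok == "group":  # "group radius"/"group tacacs+" are the built-in groups
            gname = methods[i + 1] if i + 1 < len(methods) else ""
            if gname not in cfg["groups"] and gname not in ("radius", "tacacs+"):
                out.append(f"login method list uses undefined group {gname}")
    if "local" not in methods:
        out.append("login method list has no local fallback; a dead AAA server locks you out")
    elif not cfg["usernames"]:
        out.append("local fallback configured but no username exists")
    return out


if __name__ == "__main__":
    for finding in check_aaa(parse_config(SAMPLE_CONFIG)) or ["AAA configuration looks complete"]:
        print(finding)
```

Run it against the output of show running-config saved to a file and it reports the two planted problems for the sample; a clean configuration produces no findings. The parser deliberately only understands the commands used on this page (the radius server / tacacs server blocks, aaa group server, the default login method list and username), so treat an empty result as "this pattern is complete", not as a full audit of the device.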
