1
00:00:01,090 --> 00:00:07,870
Now, the main difference between the old way of doing it and the new way is that we can create groups,

2
00:00:08,170 --> 00:00:11,890
so use the command tacacs server and you give your server a name.

3
00:00:12,430 --> 00:00:16,900
You specify the IP address and key of the TACACS server.

4
00:00:17,200 --> 00:00:22,810
Previously, you typed those two commands, but now you configure it as follows.

5
00:00:23,500 --> 00:00:28,090
You also create groups which you can use to provide different services.

6
00:00:28,510 --> 00:00:37,180
So you type aaa group server, in this case tacacs, and create a group which then maps back to the server

7
00:00:37,180 --> 00:00:38,530
previously created.

8
00:00:40,740 --> 00:00:49,050
And now when you specify your login, you point to this ACS group here, rather than pointing simply

9
00:00:49,050 --> 00:00:53,880
to TACACS. This gives you more flexibility than what you had previously.

10
00:00:54,860 --> 00:01:03,500
This router is running IOSv, version 15.6 of IOS, so it's a lot newer version

11
00:01:04,250 --> 00:01:05,360
than the other routers.

12
00:01:06,330 --> 00:01:12,810
Notice 15.6.2, so I'll configure this router using the new method,

13
00:01:14,110 --> 00:01:23,830
which is the method that you need to know for the CCNA exam. conf t, aaa new-model. Now, before I

14
00:01:23,830 --> 00:01:24,550
enter that,

15
00:01:26,000 --> 00:01:33,200
at the moment, please note that there's no authentication to log in. But what I'll do now is enable

16
00:01:33,500 --> 00:01:34,190
aaa new-model.

17
00:01:35,800 --> 00:01:39,520
Specify a backup username of David
18
00:01:41,600 --> 00:01:45,350
with a password of Cisco. Note once again that

19
00:01:48,130 --> 00:01:55,870
the console has no authentication configured on it, and neither do the other lines, such as the aux

20
00:01:55,870 --> 00:02:05,410
and VTY lines. tacacs, and the difference now is we have tacacs server, and now we can specify a name,

21
00:02:05,710 --> 00:02:07,750
so ACS or whatever name you want.

22
00:02:08,860 --> 00:02:10,600
This gives us different options,

23
00:02:10,600 --> 00:02:14,290
but as an example, we can specify the IPv4

24
00:02:15,890 --> 00:02:24,530
address of the server and the key that's going to be used. So we've specified the address of the

25
00:02:24,530 --> 00:02:32,770
server and the key for the encryption to the server. Type exit, and now we can use the command

26
00:02:32,860 --> 00:02:33,500
aaa group

27
00:02:34,990 --> 00:02:41,620
server. In our example, it's going to be tacacs, and we'll just give it a name of ACS group.

28
00:02:43,110 --> 00:02:49,440
Various options are available, but now we can specify server and the name of the server, which we

29
00:02:49,440 --> 00:02:54,660
created previously, so this is referring back to the server that we created.

30
00:02:55,260 --> 00:02:58,410
So these commands are subcommands as follows.

31
00:02:59,920 --> 00:03:05,470
Type exit, and now we can type aaa authentication login.

32
00:03:06,500 --> 00:03:12,590
We're going to use a default list to apply it to all the lines, and now we're going to specify a group,

33
00:03:12,890 --> 00:03:19,280
which in our case is going to be ACSgroup, and then we'll use local as a backup mechanism.

34
00:03:26,990 --> 00:03:31,460
Now, the IP address on Gigabit 0/0 is 10.1.1.204.

35
00:03:32,450 --> 00:03:39,260
So back in ACS, we need to specify router 4, 10.1.1.204,

36
00:03:41,090 --> 00:03:48,380
click submit and apply what has now been added. So now on the console of the router,
37
00:03:49,460 --> 00:03:55,370
notice we are prompted for a username. Specify Admin, specify password Cisco.

38
00:03:57,930 --> 00:04:01,320
Try that again, so Admin, Cisco,

39
00:04:04,500 --> 00:04:09,020
try the local username and password. That works, so there's a problem

40
00:04:11,570 --> 00:04:17,089
between the router and the ACS server, and we'll just confirm our configuration.

41
00:04:18,120 --> 00:04:24,750
So we've created a group called ACS Group, which is the same over here. That's failing at the moment,

42
00:04:24,750 --> 00:04:27,390
and we're getting local authentication.

43
00:04:28,520 --> 00:04:30,680
The server that we're pointing to is ACS,

44
00:04:35,310 --> 00:04:41,520
which we can see over here. The password is Cisco for the communication to this ACS server.

45
00:04:42,420 --> 00:04:45,550
Let's confirm that we did that right on the ACS server.

46
00:04:46,140 --> 00:04:52,770
Notice I forgot to put a key in, so specify a key of Cisco, click submit and apply,

47
00:04:53,880 --> 00:04:55,170
and now we'll try again.

48
00:04:56,990 --> 00:05:03,050
So your username is Admin, password is Cisco. We are straight in, so that works.

49
00:05:04,030 --> 00:05:11,590
If we try David, in other words, the local username and password, that should fail, and it does,

50
00:05:12,250 --> 00:05:16,510
because that user is once again not configured in ACS.

51
00:05:17,550 --> 00:05:21,210
So on our reports, failed attempts,

52
00:05:23,140 --> 00:05:26,200
we can see that David's authentication failed

53
00:05:27,100 --> 00:05:30,220
for this router, 10.1.1.204.

54
00:05:31,400 --> 00:05:33,560
So let's copy this configuration,

55
00:05:34,780 --> 00:05:44,200
and I'll configure this IOSv layer 2 switch with that configuration. At the moment, the switch has

56
00:05:44,200 --> 00:05:47,050
no configuration, so I'll create an IP address,

57
00:05:47,680 --> 00:05:50,620
10.1.1.205.
58
00:05:53,490 --> 00:05:56,400
On the switch, can it ping

59
00:05:58,480 --> 00:06:00,280
the ACS server?

60
00:06:01,540 --> 00:06:02,290
Yes, it can.

61
00:06:02,980 --> 00:06:08,490
So now we can paste that exact configuration into the switch, and there you go.

62
00:06:09,900 --> 00:06:17,490
Back on the ACS server, we need to add our switch, so switch 1, 10.1.1.20

63
00:06:17,490 --> 00:06:20,010
5, password Cisco,

64
00:06:21,270 --> 00:06:22,120
submit that,

65
00:06:22,320 --> 00:06:23,250
so there we go.

66
00:06:24,870 --> 00:06:33,210
So now when we exit out of the switch and log back in, we are prompted for our username and password,

67
00:06:33,540 --> 00:06:34,350
and Admin,

68
00:06:34,350 --> 00:06:37,290
Cisco succeeds, whereas

69
00:06:39,010 --> 00:06:42,250
a user of David and Cisco fails

70
00:06:43,160 --> 00:06:46,620
because that username is not configured on the ACS server.

71
00:06:47,060 --> 00:06:50,310
So once again, Admin, Cisco succeeds.

72
00:06:51,200 --> 00:06:57,020
So this is the advantage: we've got 1, 2, 3, 4, 5 devices using a centralized ACS

73
00:06:57,020 --> 00:06:57,520
server.

74
00:06:58,070 --> 00:07:07,610
If someone else joined the company, we could create another user account, such as Peter, and click Add.

75
00:07:10,540 --> 00:07:12,490
Specify Peter's password,

76
00:07:14,400 --> 00:07:15,150
click submit.

77
00:07:16,350 --> 00:07:19,980
So we now have Admin, Peter and user1 configured.

78
00:07:21,060 --> 00:07:24,960
On the switch, notice there is no username

79
00:07:29,190 --> 00:07:30,000
called Peter;

80
00:07:31,240 --> 00:07:32,950
there's only a user called David.

81
00:07:34,660 --> 00:07:40,720
But if we log in with a new user of Peter, they can log in,

82
00:07:41,690 --> 00:07:50,000
and we can do that on any of the devices. So as an example, on router 3 we can log in without

83
00:07:50,000 --> 00:07:50,480
a problem.
84
00:07:50,900 --> 00:07:54,350
We could even telnet to, say, router 2

85
00:07:56,410 --> 00:07:58,960
and log in as Peter.

86
00:08:00,020 --> 00:08:06,480
By configuring ACS, we don't have to configure multiple databases of usernames and passwords.

87
00:08:07,040 --> 00:08:14,150
We don't have to configure the VTY, AUX and console ports on every individual device.

88
00:08:14,950 --> 00:08:22,460
The authentication of all those ports will be handled through AAA and will leverage a central database.

89
00:08:23,240 --> 00:08:30,950
In my example, I'm using a Cisco ACS server that's integrated through GNS3 and is providing

90
00:08:30,950 --> 00:08:36,620
the authentication for all of these devices centrally using a local database.

91
00:08:37,010 --> 00:08:45,230
But ACS could point to an Active Directory database and use the usernames and passwords stored in Windows

92
00:08:45,530 --> 00:08:51,380
for authentication to network devices. As soon as you have many devices in your network,

93
00:08:51,530 --> 00:09:01,130
it makes sense to use a RADIUS or TACACS server such as Cisco ACS for your centralized authentication,

94
00:09:02,150 --> 00:09:08,510
authorization and accounting. In this example, I was demonstrating TACACS, but you could also use

95
00:09:08,930 --> 00:09:14,810
RADIUS as the protocol between the router or switch and the ACS server.
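The "new method" configuration the video walks through, written out as an added example rather than the instructor's own config; the ACS server address is not given in the video, so ACS_SERVER_IP is a placeholder, and the `secret` form of the local user is assumed in place of the spoken "password".

```cisco
! Added example (not from the video): named TACACS+ server plus server group,
! as entered on the IOSv router (10.1.1.204) and pasted onto the switch (10.1.1.205).
! ACS_SERVER_IP is a placeholder; key and account names follow the video.
aaa new-model
!
! Local fallback account. "local" in the method list is consulted only when the
! TACACS+ group is unreachable, not when ACS rejects the user, which is why
! David (local only) fails once the router-to-ACS key is correct.
username David secret Cisco
!
! Old method (single global server, no grouping), shown for comparison:
!   tacacs-server host ACS_SERVER_IP key Cisco
!
! New method, step 1: a named server object holding address and shared key
tacacs server ACS
 address ipv4 ACS_SERVER_IP
 key Cisco
!
! Step 2: a server group that references the named server; method lists
! point at the group, so servers can be added or swapped without touching them
aaa group server tacacs+ ACSgroup
 server name ACS
!
! Step 3: default login list applied to console, aux and vty lines
aaa authentication login default group ACSgroup local
!
! Verification from privileged EXEC (the missing-key case in the video shows
! up here as TACACS+ failures with the login silently falling back to local):
!   show aaa servers
!   test aaa group ACSgroup Admin Cisco new-code
!   debug tacacs
```

The device must also be registered as an AAA client in ACS with the same shared key, as the video does for router 4 and switch 1; a key mismatch on either side produces exactly the local-fallback symptom shown.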