In this lab, you need to configure both TACACS and RADIUS authentication on Router 1, Router 2 and Switch 1 in this Packet Tracer topology. We have a TACACS and RADIUS server, which you need to configure for AAA authentication.

So on the AAA server, you need to enable the AAA service and you need to configure Router 1, Router 2 and Switch 1 as clients on the AAA server. In this lab, Router 1 and Switch 1 will use the TACACS protocol; Router 2 will be configured to use RADIUS. So you need to add the three clients with the details, as well as add a username for authentication. Use your own name as the username and a password of Cisco. In this solution video, as an example, I'm simply going to use my name, David, as the username.

Make sure that you configure Router 1 for authentication for both login and enable using TACACS with the AAA server 10.1.1.250. This server is configured with this IP address, so that's the IP address you need to configure Router 1 with for authentication, both login and enable authentication. So when you test this, you should be prompted for your username when you log in to the console as well as when you type enable. Make sure that you use local authentication as a backup in case the server is not available. Use a backup username of backup and a password of Cisco. You then need to test that you can log in using your own name.

So essentially, on all three devices, you're going to configure the AAA server and ensure that you can log in to these three servers using your username and password, which is not configured on these devices, but is configured on the TACACS and RADIUS server. So make sure that you can log in to Router 1. Do something similar with Router 2, but use RADIUS as the authentication protocol. You'll also configure Switch 1 using TACACS, and again, make sure that you can log in with your username and password. So for verification, you should be able to log in to all devices using your own name as configured on the server.

Once you've done that, create another user on the AAA server and verify that the user can also log in to the devices. So note, both your name as well as the new user are not configured on the network devices. There will be no local database on the devices that has those two usernames. The usernames are stored on the server. You need to verify that the local backup user cannot log in while the AAA server is reachable. In other words, as long as these devices can contact the AAA server, the local backup user should not be able to log in to the network devices, but test that the local user can log in if IP connectivity is broken between the network devices and the AAA server.

So to simulate that, disable the port on your switch and then check that the backup user can log in to the three network devices while IP connectivity is broken, and then test what happens when the port is re-enabled. So re-enable the port and then verify that the backup user can now no longer log in, but your username can log in. So in other words, make sure that you understand which user accounts are valid when the AAA server is available and when it's not available. And then, once you've done that, use simulation mode in Packet Tracer and verify that, when you log in with your user account, TACACS and RADIUS messages are sent between the switch and the server.

So in other words, when you log in to Router 1, you should see a TACACS message being sent to the TACACS server and a reply going back to your router. On Router 2, you should see something similar for RADIUS, and TACACS on Switch 1. So can you complete this lab? It's quite a lot to do, but do you understand how to configure both RADIUS and TACACS? Download the Packet Tracer file and see if you can complete the lab yourself. Otherwise, watch the next video where I complete the lab.