Lab 047 How to Configure AAA Authentication

Learn to configure AAA authentication on Cisco devices using a RADIUS server for secure access control. Aligns with CCNA Blueprint 5.8. #CCNA #NetworkSecurity


CCNA 200-301 Chapter 5 Security Fundamentals Lab 047 How to Configure AAA Authentication, Authorization, and Accounting

Watch Full Demo on YouTube:

Lab Objective:

AAA (Authentication, Authorization, and Accounting) is a critical security framework used to control access to network devices, enforce policies, and log user activities.
In this lab, you will configure AAA authentication on Cisco devices using a RADIUS server for centralized user management.
This lab aligns with CCNA Blueprint 5.8, which focuses on configuring and verifying device access control using local and remote authentication methods.

By the end of this lab, you will understand how to implement AAA authentication, integrate it with an external RADIUS server, and secure device access.

Lab Topology:

CCNA 200-301 Lab Chapter 5 Security Fundamentals Lab 047 How to Configure AAA Authentication – Topology

Equipment Required:

  • 1 x Cisco Router (e.g., CISCO2811/K9)
  • 1 x Cisco switch (e.g., Cisco Catalyst series)
  • 1 x PC or laptop with NIC
  • 1 x Server with NIC
  • Console Cable
  • Ethernet Cable for connections between devices
  • Computer with Terminal emulation software e.g. PuTTY

IPv4 Address Table:

A. Router IP Address Table:

Device Name   Interface ID   IP Address    Subnet Mask
R1            Gig0/0/0       10.10.10.1    255.255.255.0
SW1           Gig0/0/1       10.10.10.2    255.255.255.0

B. Hosts IP Address Table:

Device Name          Interface ID   IP Address      Subnet Mask      Gateway
MGMT                 Fa0            10.10.10.101    255.255.255.0    10.10.10.1
Main-RADIUS-Server   Fa0            10.10.10.10     255.255.255.0    10.10.10.1

List of Command Summary:

  • enable: enters privileged EXEC mode.
  • configure terminal: enters global configuration mode from privileged EXEC mode.
  • hostname [hostname]: assigns a device name to the router.
  • show interfaces status: provides a summary of the current status of all interfaces on a Cisco switch. The output includes, for each interface:
    • Port: the interface identifier (e.g., Gi1/0/1).
    • Name: the name or description assigned to the interface, if any.
    • Status: the operational status of the interface (e.g., connected, notconnect, err-disabled).
    • Vlan: the VLAN the interface is assigned to.
    • Duplex: the duplex mode of the interface (e.g., full, half, auto).
    • Speed: the speed of the interface (e.g., 10, 100, 1000 Mbps, auto).
    • Type: the type of interface (e.g., 10/100/1000BaseTX, SFP).
    This command is useful for quickly assessing the operational state and configuration details of all interfaces on the switch.
  • aaa new-model: enables the Authentication, Authorisation, and Accounting (AAA) feature on a Cisco device. It is required before any AAA-related authentication, such as local login, RADIUS, or TACACS+ authentication, can be configured. Without this command, AAA features cannot be used.
  • radius server MAIN-RADIUS-SERVER: creates a RADIUS server configuration with the name MAIN-RADIUS-SERVER. This is used for centralised authentication, authorisation, and accounting.
  • address ipv4 [RADIUS Server IP Address]: specifies the IPv4 address of the RADIUS server, allowing the device to communicate with it for authentication requests.
  • key [secret key]: configures a shared secret key between the device and the RADIUS server for secure authentication.
  • aaa authentication login default group radius: configures AAA authentication for user login on a Cisco device. It specifies that the default authentication method should use a RADIUS server for user verification. If the RADIUS server is unreachable, the login will fail unless additional fallback methods (like local authentication) are configured.
  • aaa authentication enable default group radius: configures AAA authentication for privileged EXEC (enable) mode access. It specifies that the device should use a RADIUS server to verify user credentials before granting access to privileged mode. If the RADIUS server is unavailable, the authentication will fail unless a fallback method (like local authentication) is configured.
  • show users: displays a list of users currently logged into the device, including connection details.
  • show aaa sessions: shows active AAA authentication and authorisation sessions, useful for troubleshooting authentication issues.
  • ip domain-name [domain name]: sets the domain name for the device. This is required when generating cryptographic keys for SSH.
  • crypto key generate rsa [key modulus size]: generates an RSA key pair for secure communications, typically used for SSH. The [key modulus size] defines the key strength (e.g., 1024, 2048 bits).
  • ip ssh version 2: forces the device to use SSH version 2, which is more secure than version 1.
  • copy running-config startup-config: saves the currently running configuration (stored in RAM) to the startup configuration (stored in NVRAM).
  • end: exits configuration mode and returns to privileged EXEC mode.
  • exit: exits one level in the command hierarchy.
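As an added illustration (not part of the original lab), the Python script below audits a running-config for the settings the commands above produce and flags the two weaknesses their descriptions warn about: a RADIUS-only method list with no fallback (a lockout if the server is unreachable) and a shared secret stored as type 0. The sample configurations are constructed for this example; the hardened variant's local/enable fallback keywords and the `key 7` form are standard IOS syntax but are not part of the lab, and the type 7 string is a placeholder.

```python
# Constructed excerpt of what `show running-config` on R1 would contain after
# this lab's steps; it is not captured from a device.
LAB_CONFIG = """\
hostname R1
!
ip domain-name ieverythingeverywhere.com
aaa new-model
!
radius server MAIN-RADIUS-SERVER
 address ipv4 10.10.10.10 auth-port 1645
 key radius_pass
!
aaa authentication login default group radius
aaa authentication enable default group radius
ip ssh version 2
!
line vty 0 4
 transport input ssh
"""

# Same device with a fallback method and an encrypted key (assumed hardening,
# not part of the lab). The type 7 string is a placeholder, not real ciphertext.
HARDENED_CONFIG = (
    LAB_CONFIG.replace("login default group radius", "login default group radius local")
    .replace("enable default group radius", "enable default group radius enable")
    .replace(" key radius_pass", " key 7 PLACEHOLDER-TYPE7-STRING")
)

# Methods that still work when every RADIUS server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable"}


def _blocks(config):
    """Split a running-config into (command, [subcommands]) pairs using the
    one-space indentation IOS gives subcommands; '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _key_type(sub):
    """'key x' and 'key 0 x' are type 0 (cleartext); 'key 6 x' / 'key 7 x' are encrypted."""
    parts = sub.split()
    return parts[1] if len(parts) >= 3 and parts[1] in ("6", "7") else "0"


def audit_aaa(config):
    """Return a list of findings for the AAA/SSH settings this lab configures.
    An empty list means every check passed."""
    blocks = _blocks(config)
    tops = [cmd for cmd, _ in blocks]
    findings = []

    if "aaa new-model" not in tops:
        findings.append("aaa new-model missing: the method lists below have no effect")

    for purpose in ("login", "enable"):
        prefix = f"aaa authentication {purpose} default "
        line = next((c for c in tops if c.startswith(prefix)), None)
        if line is None:
            findings.append(f"no default {purpose} authentication method list")
            continue
        methods = line.split()[4:]          # everything after 'default'
        if "group" in methods and not FALLBACK_METHODS & set(methods):
            findings.append(f"{purpose}: RADIUS only, no fallback; lockout if the server is unreachable")

    servers = [(cmd, subs) for cmd, subs in blocks if cmd.startswith("radius server ")]
    if not servers and any("group radius" in c for c in tops):
        findings.append("group radius referenced but no radius server defined")
    for cmd, subs in servers:
        name = cmd.split()[2]
        if not any(s.startswith("address ipv4 ") for s in subs):
            findings.append(f"{name}: no address ipv4")
        keys = [s for s in subs if s.startswith("key ")]
        if not keys:
            findings.append(f"{name}: no shared secret configured")
        elif _key_type(keys[0]) == "0":
            findings.append(f"{name}: shared secret stored as type 0 (cleartext)")

    if "ip ssh version 2" not in tops:
        findings.append("ip ssh version 2 not set")
    for cmd, subs in blocks:
        if cmd.startswith("line vty") and "transport input ssh" not in subs:
            findings.append(f"{cmd}: transport not restricted to SSH")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa(cfg) or ["OK"])
```

Run against the lab's own configuration the script reports three findings (login and enable have no fallback, and the key is type 0); the hardened variant reports none.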

Lab Task:

  1. Verify Connectivity.
    • Ensure the MGMT PC can successfully ping R1, SW1, and the RADIUS server.
  2. Enable SSHv2 on R1 and SW1:
    • Set the domain name to ieverythingeverywhere.com.
    • Generate RSA keys (minimum 768-bit length) to enable SSHv2.
    • Enable SSH version 2.
    • Restrict VTY lines to allow only SSH connections.
  3. Configure AAA Services for the RADIUS Server:
    • In the Network Configuration section, configure R1 and SW1 with the required attributes.
    • Set the shared secret key to “radius_pass”.
    • Create a local user (admin123/admin123) for device access.
  4. Configure AAA on R1 and SW1:
    • Enable AAA (Authentication, Authorization, and Accounting).
    • Define a RADIUS server named “Main-RADIUS-SERVER”.
    • Set the RADIUS server IP (10.10.10.10) and port (1645).
    • Configure the shared secret key (radius_pass) for encryption.
    • Set up AAA authentication for:
      • Login access (console, SSH, Telnet) via the RADIUS server.
      • Privileged EXEC mode (enable mode) via the RADIUS server.
  5. Verify SSH Access:
    • Initiate an SSH session from the MGMT PC to R1 and SW1.

Lab Solution:

1- Verify Connectivity.

  • Ensure the MGMT PC can successfully ping R1, SW1, and the RADIUS server.

You issue the ping command on the MGMT PC via the CLI:

2- Enable SSHv2 on R1 and SW1:

  • Set the domain name to ieverythingeverywhere.com.

On R1:
R1(config)#ip domain-name ieverythingeverywhere.com

On SW1:
SW1(config)#ip domain-name ieverythingeverywhere.com

  • Generate RSA keys (minimum 768-bit length) to enable SSHv2.

On R1:
R1(config)#crypto key generate rsa
The name for the keys will be: R1.ieverythingeverywhere.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 2024
% Generating 2024 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#

On SW1:
SW1(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 2024
% Generating 2024 bit RSA keys, keys will be non-exportable…[OK]

SW1(config)#

  • Enable SSH version 2.

On R1:
R1(config)#ip ssh version 2

On SW1:
SW1(config)#ip ssh version 2

  • Restrict VTY lines to allow only SSH connections.

On R1:
R1(config)#line vty 0 4
R1(config-line)#transport input ssh

On SW1:
SW1(config)#line vty 0 4
SW1(config-line)#transport input ssh

Post checks:

3- Configure AAA Services for the RADIUS Server:

  • In the Network Configuration section, configure R1 and SW1 with the required attributes.
  • Set the shared secret key to “radius_pass”.
  • Create a local user (admin123/admin123) for device access.

4- Configure AAA on R1 and SW1:

  • Enable AAA (Authentication, Authorization, and Accounting).
  • Define a RADIUS server named “Main-RADIUS-SERVER”.
  • Set the RADIUS server IP (10.10.10.10) and port (1645).
  • Configure the shared secret key (radius_pass) for encryption.
  • Set up AAA authentication for:
    • Login access (console, SSH, Telnet) via the RADIUS server.
    • Privileged EXEC mode (enable mode) via the RADIUS server.

On R1:
R1#
R1#configure terminal
R1(config)#aaa new-model
R1(config)#radius server MAIN-RADIUS-SERVER
R1(config-radius-server)#address ipv4 10.10.10.10 auth-port 1645
R1(config-radius-server)#key radius_pass
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
*Feb 02 00:04:46.300: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-radius-server)#
R1(config-radius-server)#exit
R1(config)#aaa authentication login default group radius
R1(config)#aaa authentication enable default group radius
R1(config)#end
R1#

On SW1:
SW1#
SW1#configure terminal
SW1(config)#aaa new-model
SW1(config)#radius server MAIN-RADIUS-SERVER
SW1(config-radius-server)#address ipv4 10.10.10.10 auth-port 1645
SW1(config-radius-server)#key radius_pass
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
*Feb 02 00:10:31.914: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
SW1(config-radius-server)#
SW1(config-radius-server)#exit
SW1(config)#aaa authentication login default group radius
SW1(config)#aaa authentication enable default group radius
SW1(config)#end
SW1#
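To show what the shared secret configured with `key radius_pass` actually protects, here is an added Python model of the RADIUS Access-Request / Access-Accept exchange between a NAS (R1) and the server, following RFC 2865: the User-Password attribute is hidden with MD5 keyed by the secret and the Request Authenticator, and the server's reply carries a Response Authenticator the NAS checks before trusting it. This is example code written for this page, not the Packet Tracer server or IOS. It runs in memory with no sockets, so port 1645 plays no part and the NAS address 10.10.10.1 is carried only as an attribute value; the user database is constructed from the lab's admin123 account.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a run of TLV attributes into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    block), seeded with the Request Authenticator. This is obfuscation keyed by
    the shared secret, not encryption in the modern sense."""
    n = max(16, -(-len(password) // 16) * 16)        # pad up to a 16-byte multiple
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for off in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[off:off + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password with the same secret and authenticator."""
    out, prev = b"", request_auth
    for off in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[off:off + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    """NAS -> server. Header is Code, Identifier, Length, then the 16-byte
    random Request Authenticator, then the attributes."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, user_db):
    """Server -> NAS. Recovers the password, checks it against user_db, and signs
    the reply: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)       # no reply attributes in this model
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify_response(response, request_auth, secret):
    """NAS side: a reply whose authenticator does not verify under our secret is
    discarded, which is what a mismatched key on either end looks like."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    reply_attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + reply_attrs + secret).digest()
    if response[4:20] != expected:
        return "DISCARDED"
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT"}.get(code, "UNKNOWN")


def run_exchange(username, password, nas_secret, server_secret, user_db):
    """One full login attempt; returns the NAS's verdict."""
    request_auth = os.urandom(16)
    req = build_access_request(7, username, password, nas_secret, "10.10.10.1", request_auth)
    resp = server_handle(req, server_secret, user_db)
    return client_verify_response(resp, request_auth, nas_secret)


if __name__ == "__main__":
    USERS = {b"admin123": b"admin123"}   # constructed; mirrors the lab's user
    print(run_exchange(b"admin123", b"admin123", b"radius_pass", b"radius_pass", USERS))
    print(run_exchange(b"admin123", b"wrong", b"radius_pass", b"radius_pass", USERS))
    print(run_exchange(b"admin123", b"admin123", b"radius_pass", b"mistyped", USERS))
```

The third call shows why the key must match exactly on both ends: the server cannot recover the password and answers Access-Reject, and the NAS then discards even that reply because its authenticator was computed with a different secret, so a key mismatch looks like a dead server rather than a bad password.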

5- Verify SSH Access:

  • Initiate an SSH session from the MGMT PC to R1 and SW1.

Conclusion:

In this lab, we successfully configured AAA authentication on a Cisco router and switch using the RADIUS protocol. We learned how to secure both login and enable mode access while verifying the authentication process. Implementing AAA enhances network security by centralising user management and providing detailed logging. Understanding AAA is essential for network engineers working with enterprise-level security policies.

By mastering these concepts, you are well on your way to securing network access in real-world scenarios. Continue practicing to reinforce your understanding of AAA configurations and troubleshooting techniques.

Packet Tracer Lab (Pre/Post configuration):

Download the file below and open the word document to access the Packet Tracer labs.

