
Lab ID: 8.8K312A135.SWP.

SWITCH Lab: Configuring IOS Security Part II: TACACS+
Objective
Configure ASWs to authenticate to a Terminal Access Controller Access Control System Plus (TACACS+) server.
For this lab, you will be responsible for configuring P1ASW1.

Lab Topology
The Topology diagram below represents the NetMap in the Simulator. Devices and addresses shown in the diagram:

  P1PC1  (VLAN 11, 172.16.11.1)   connected to P1ASW1 (172.16.1.10)
  P2PC2  (VLAN 12, 172.16.12.1)   connected to P2ASW2 (172.16.1.20)
  P1DSW1 (172.16.1.100)
  P2DSW2 (172.16.1.200)
  ACS    (172.16.1.150), the TACACS+ server

Boson NetSim Lab Manual

Command Summary
Command
    Description

aaa authentication login {default | list-name} method1 [method2]
    defines the default or a named Authentication, Authorization, and Accounting (AAA) login authentication method list; a later method in the list is used only when an earlier one returns an error (for example, no server answered), not when it rejects the login

aaa new-model
    enables the AAA model

line vty 0 15
    enters configuration mode for virtual terminal (vty) lines 0 through 15

login
    enables password checking on a line using the line password

login authentication {default | list-name}
    applies an AAA login authentication method list (such as one that uses a TACACS+ server) to a line

password password
    specifies the line password that is required for a user to log in

ping ip-address
    sends Internet Control Message Protocol (ICMP) echo requests to the specified address

shutdown; no shutdown
    disables an interface; enables an interface

tacacs-server host ip-address single-connection
    configures the TACACS+ server that the switch communicates with; single-connection keeps one TCP connection open for multiple AAA exchanges instead of opening one per request

tacacs-server key key
    sets the shared key used to obfuscate the body of all TACACS+ packets exchanged between the switch and the TACACS+ daemon; it must match the key configured on the server

tacacs user name password password
    used in NetSim to create a user name and password pair on a workstation configured as a TACACS server

tacacs key case-sensitive-key-phrase
    used in NetSim to add a TACACS key to a workstation configured as a TACACS server

telnet ip-address
    starts the terminal emulation program from a PC, router, or switch; permits the user to access devices remotely over the network (the session, including passwords, is sent in cleartext)

username name password password
    creates a local user name and password pair; the password is stored in the configuration in cleartext unless service password-encryption is enabled

Lab Tasks
Task 1: Configure P1ASW1 to Authenticate to a TACACS+ Server

Setting                      Value
TACACS+ server IP address    172.16.1.150
TACACS+ server key           boson
TACACS+ server user name     P1PC1
TACACS+ server password      cisco

1. Enable Telnet on P1ASW1, and specify a password of cisco. Verify that you can ping and telnet to P1ASW1 from P1PC1. Telnet carries the password in cleartext; it is used here because the lab calls for it, but production vty lines should accept SSH only (transport input ssh).

2. Configure P1ASW1 to use the AAA features.

3. On P1ASW1, define the TACACS+ server that should be used.

4. On P1ASW1, configure the key string for the TACACS+ server.

5. Configure the primary authentication method to try TACACS+ first and to try the local authentication method if TACACS+ fails. Note that IOS moves to the next method in a list only when the previous method returns an error (no TACACS+ server responded, or the reply could not be decoded because the keys on the switch and the server do not match), not when the server answers with a reject; a password that ACS rejects is not retried against the local database.

6. On P1ASW1, apply the primary authentication method to the vty ports.

7. On P1ASW1, configure a local user name and password pair. Specify the user name admin and the password cisco. This will allow you to log in even if the TACACS+ server is unavailable. In a production environment, you should always configure a local user name and password pair so that you can still access your switch when the TACACS+ server is unavailable; use username name secret rather than username name password there, so the credential is stored as a hash instead of in cleartext in the running configuration.

8. Attempt to telnet to P1ASW1 from P1PC1. When prompted for authentication, use the TACACS+ server user name and password. This attempt should fail because the user name and password have not been added to your TACACS+ server yet. Try to telnet again, but use the local user name and password instead. This attempt should work because this user name and password pair have been configured on P1ASW1.

9. On ACS, which is the TACACS+ server, add the user name P1PC1 and the password cisco. Set the TACACS+ server key to boson.

10. On P1PC1, try to telnet to P1ASW1 again. Use the TACACS+ server user name and password. This attempt should succeed.

Lab Solutions
Configure P1ASW1 to Authenticate to a TACACS+ Server

1. You should issue the following commands to enable telnet on P1ASW1 and to specify a password of cisco (the resulting configuration appears in the sample configuration script at the end of this lab):

P1ASW1(config)#line vty 0 15
P1ASW1(config-line)#password cisco
P1ASW1(config-line)#login

You should issue the following commands on P1PC1 to verify that you can ping and telnet to P1ASW1 at 172.16.1.10; the telnet session prompts for the line password cisco:

ping 172.16.1.10
telnet 172.16.1.10


2. You should issue the following command to configure P1ASW1 to use the AAA features:

P1ASW1(config)#aaa new-model

3. You should issue the following command to define the TACACS+ server that should be used:

P1ASW1(config)#tacacs-server host 172.16.1.150 single-connection

4. You should issue the following command to configure the key string for the TACACS+ server; it must match the key you set on ACS in step 9:

P1ASW1(config)#tacacs-server key boson

5. You should issue the following command to configure a method list named primary that tries TACACS+ first and falls back to the local user database only if no TACACS+ server answers:

P1ASW1(config)#aaa authentication login primary group tacacs+ local
6. You should issue the following commands to apply the primary authentication method to the vty ports:

P1ASW1(config)#line vty 0 15
P1ASW1(config-line)#login authentication primary

7. You should issue the following command to configure a local user name and password pair with the user name admin and the password cisco:

P1ASW1(config)#username admin password cisco
8. On P1PC1, you should issue the following command to attempt to telnet to P1ASW1. When prompted for authentication, use the TACACS+ server user name P1PC1 and password cisco. This attempt should fail because the user name and password have not been added to your TACACS+ server yet:

telnet 172.16.1.10

Try to telnet again, but log in with the local user name admin and password cisco instead. This attempt should work because this user name and password pair have been configured on P1ASW1 and local is the second method in the primary method list:

telnet 172.16.1.10


9. On ACS, you should issue the following commands to add the user name P1PC1 with the password cisco to the TACACS+ server and to set the TACACS+ server key to boson:

tacacs user P1PC1 password cisco
tacacs key boson

10. On P1PC1, you should issue the following command to telnet to P1ASW1 again. Log in with the TACACS+ server user name P1PC1 and password cisco. This attempt should succeed because P1ASW1 now forwards the credentials to ACS, which holds the same key and the same user:

telnet 172.16.1.10
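The tacacs-server key used throughout this lab does not give TACACS+ real encryption. RFC 8907 obfuscates each packet body by XORing it with an MD5-derived pad computed from the cleartext header fields plus the shared key, so the key is the only secret and anyone who holds it can decode a captured login. The following Python script is an added example, not part of the Boson lab and not NetSim or IOS code: it builds the authentication START packet a switch would send for user P1PC1 with password cisco, obfuscates it with the key boson, and then decodes the captured packet once with the matching key and once with a different one. The session ID, tty port and remote address are constructed values. It illustrates two points from the lab: why the key on ACS must match the key on P1ASW1 (a mismatched key yields an undecodable body, which the switch typically treats as a server error rather than a login reject), and why the key deserves the same handling as a password.

```python
"""TACACS+ packet-body obfuscation (RFC 8907, section 5.2) worked through in Python.

Added example, not part of the Boson lab. The session ID, tty port and
remote address below are constructed values.
"""
import hashlib
import struct

# Header (RFC 8907, section 4.1), network byte order, 12 bytes, always sent in the clear:
# version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

TAC_PLUS_VERSION = 0xC0           # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action: login
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # PAP: the password rides in the START body
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # service: login


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad that hides the body.  MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1); the digests are
    concatenated and truncated to the body length.  Only `key` is secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_header(seq_no: int, session_id: int, body_len: int) -> bytes:
    return struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                       seq_no, 0, session_id, body_len)


def obfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pad derived from this header and key.
    Applying it twice with the same key restores the body."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, header)
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_authen_start(user: str, password: str, port: str, rem_addr: str) -> bytes:
    """Authentication START body (RFC 8907, section 6.1) for a PAP login:
    action, priv_lvl, authen_type, authen_service, four length bytes, then
    user, port, rem_addr and data (the password) back to back."""
    fields = [s.encode("ascii") for s in (user, port, rem_addr, password)]
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN])
    return fixed + bytes(len(f) for f in fields) + b"".join(fields)


def parse_authen_start(body: bytes):
    """Return (user, password) from a START body, or None when the length bytes do
    not add up, which is what a receiver sees when the shared key does not match."""
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    user = body[8:8 + user_len]
    data = body[8 + user_len + port_len + rem_len:]
    try:
        return user.decode("ascii"), data.decode("ascii")
    except UnicodeDecodeError:
        return None


def login_exchange(key: bytes = b"boson", other_key: bytes = b"wrong-key"):
    """Switch side: build the START packet P1ASW1 would send for P1PC1/cisco and
    obfuscate it with `key`.  Receiver side: decode the captured packet with the
    matching key and with a different one.  Returns both decode results."""
    body = encode_authen_start("P1PC1", "cisco", "tty1", "172.16.11.10")  # port/addr constructed
    header = build_header(seq_no=1, session_id=0x1A2B3C4D, body_len=len(body))  # id constructed
    on_the_wire = header + obfuscate(header, body, key)

    captured_header, captured_body = on_the_wire[:HEADER_LEN], on_the_wire[HEADER_LEN:]
    with_right_key = parse_authen_start(obfuscate(captured_header, captured_body, key))
    with_wrong_key = parse_authen_start(obfuscate(captured_header, captured_body, other_key))
    return with_right_key, with_wrong_key


if __name__ == "__main__":
    ok, bad = login_exchange()
    print("decoded with the configured key:", ok)   # ('P1PC1', 'cisco')
    print("decoded with a mismatched key:  ", bad)  # anything but ('P1PC1', 'cisco')
```

The pad never depends on the body, so every byte of a captured packet is recoverable offline by anyone who can guess the key; a short dictionary word like boson is a poor choice outside a simulator. The practical defences are a long random key, keeping TACACS+ traffic on a management network the user VLANs cannot reach, and restricting which addresses may open TCP/49 to the server.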


Sample Configuration Scripts

P1ASW1
P1ASW1#show running-config
!
Version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1ASW1
aaa new-model
!
ip cef
!
aaa authentication login primary group tacacs+ local
!
username admin password cisco
!
ip subnet-zero
spanning-tree extend system-id
!
ip default-gateway 172.16.1.100
!
interface FastEthernet0/1
description P1ASW1 to P1DSW1
switchport mode trunk
!
interface FastEthernet0/2
description P1ASW1 to P1DSW1
switchport mode trunk
!
interface FastEthernet0/3
description P1ASW1 to P2DSW2
switchport mode trunk
!
interface FastEthernet0/4
description P1ASW1 to P2DSW2
switchport mode trunk
!
interface FastEthernet0/5
description P1PC1 to P1ASW1
switchport mode access
switchport access vlan 11
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface Vlan 1
ip address 172.16.1.10 255.255.255.0
no ip route-cache
!
vlan 11 name 11
!
ip default-gateway 172.16.1.100
!
ip classless
no ip http server
!
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 15
login authentication primary
password cisco
!
no scheduler allocate
end

Copyright 1996-2012 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
