Lab Topology
The Topology diagram below represents the NetMap in the Simulator:
[Topology diagram. Devices and addresses shown in the figure:]
VLAN 11   172.16.11.1
VLAN 12   172.16.12.1
P1PC1, P2PC2 (hosts)
P1ASW1    172.16.1.10
P2ASW2    172.16.1.20
ACS       172.16.1.150
P1DSW1    172.16.1.100
P2DSW2    172.16.1.200
Command Summary
Command                  Description
aaa new-model            Enables the AAA access control model on the switch
line vty 0 15            Enters line configuration mode for vty lines 0 through 15
login                    Requires a password at login on the line
password password        Sets the line password
ping ip-address          Tests IP reachability to the specified address
shutdown; no shutdown    Administratively disables, then re-enables, an interface
telnet ip-address        Opens a Telnet session to the specified address
Lab Tasks
Task 1: Configure P1ASW1 to Authenticate to a TACACS+ Server
Setting                  Value
TACACS+ server           172.16.1.150
TACACS+ server key       boson
User name                P1PC1
Password                 cisco
1. Enable Telnet on P1ASW1, and specify a password of cisco. Verify that you can ping and telnet to
P1ASW1 from P1PC1.
2. Configure P1ASW1 to use the AAA features.
3. Define the TACACS+ server that should be used.
4. Configure the key string for the TACACS+ server.
5. Configure the primary authentication method to try TACACS+ first and to try the local authentication
method if TACACS+ fails.
6. On P1ASW1, configure a local user name and password pair. Specify the user name admin and the
password cisco. This will allow you to log in even if the TACACS+ server is unavailable. In a production
environment, you should always configure a local user name and password pair to enable you to access
your switch even when the TACACS+ server is unavailable.
7. Apply the primary authentication method to the vty ports.
8. Attempt to telnet to P1ASW1 from P1PC1. When prompted for authentication, use the TACACS+ server
user name and password. This attempt should fail because the user name and password have not been
added to your TACACS+ server yet. Try to telnet again, but use the local user name and password instead.
This attempt should work because this user name and password pair have been configured on P1ASW1.
9. On ACS, which is the TACACS+ server, add the user name P1PC1 and the password cisco. Set the
TACACS+ server key to boson.
10. On P1PC1, try to telnet to P1ASW1 again. Use the TACACS+ server user name and password. This
attempt should succeed.
Lab Solutions
Configure P1ASW1 to Authenticate to a TACACS+ Server
1. You should issue the following commands to enable telnet on P1ASW1 and to specify a password of
cisco:

line vty 0 15
login
password cisco

You should issue the following commands from P1PC1 to verify that you can ping and telnet to P1ASW1
(172.16.1.10):

ping 172.16.1.10
telnet 172.16.1.10
2. You should issue the following command to configure P1ASW1 to use the AAA features:

aaa new-model

3. You should issue the following command to define the TACACS+ server that should be used:

tacacs-server host 172.16.1.150 single-connection

4. You should issue the following command to configure the key string for the TACACS+ server:

tacacs-server key boson

5. You should issue the following command to configure the primary authentication method to try TACACS+
first and to try the local authentication method if TACACS+ fails:

aaa authentication login primary group tacacs+ local

6. You should issue the following command to configure a local user name and password pair. Specify the
user name admin and the password cisco:

username admin password cisco

7. You should issue the following commands to apply the primary authentication method to the vty ports:

line vty 0 15
login authentication primary

8. You should issue the following command to attempt to telnet to P1ASW1 from P1PC1. When prompted for
authentication, use the TACACS+ server user name P1PC1 and password boson. This attempt should fail
because the user name and password have not been added to your TACACS+ server yet.

telnet 172.16.1.10

Try to telnet again, but use the local user name and password instead. This attempt should work because
this user name and password pair have been configured on P1ASW1.

telnet 172.16.1.10

9. On ACS, which is the TACACS+ server, add the user name P1PC1 and the password cisco, and set the
TACACS+ server key to boson.
10. On P1PC1, you should issue the following command to try to telnet to P1ASW1. Use the TACACS+ server
user name and password. This attempt should succeed.

telnet 172.16.1.10
P1ASW1 (continued)
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface Vlan 1
ip address 172.16.1.10 255.255.255.0
no ip route-cache
!
vlan 11 name 11
!
ip default-gateway 172.16.1.100
!
ip classless
no ip http server
!
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 15
login authentication primary
password cisco
!
no scheduler allocate
end
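The check a practitioner would want after finishing steps 1 through 7 is whether the running configuration really ends up in the state the lab describes: AAA enabled, the TACACS+ server and key defined, a login method list that tries TACACS+ and falls back to local, and that list applied to every vty range. The Python audit below is an added example, not part of the Boson lab or NetSim. It parses a running-config listing in the shape of the P1ASW1 listing above (sections are closed by "!", so lost indentation does not matter), and the two listings it contains are constructed samples: one that meets the lab's requirements and a weak variant with no server key, no local fallback, and a vty range left on the line password. The finding texts and the rule set are assumptions about what the lab requires, not output of any Cisco or Boson tool.

```python
import re

# Constructed sample (not captured from NetSim): the AAA-relevant part of a
# P1ASW1-style running configuration after all lab steps have been applied.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login primary group tacacs+ local
username admin password cisco
tacacs-server host 172.16.1.150 single-connection
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 15
 login authentication primary
 password cisco
!
end
"""

# Constructed weak variant: no server key, no local fallback in the method
# list, and vty 5-15 left on the line password with no AAA list applied.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login primary group tacacs+
tacacs-server host 172.16.1.150
!
line con 0
line vty 0 4
 login authentication primary
line vty 5 15
 password cisco
!
end
"""


def parse_config(text):
    """Split a running-config listing into top-level commands and
    line/interface sections.

    A section starts at a 'line ...' or 'interface ...' header and ends at
    '!', 'end', a blank line or the next header, so sub-commands are attached
    by position rather than indentation (the listing in this lab lost its
    indentation in extraction)."""
    top = []        # top-level command strings
    sections = []   # (header, [sub-commands]) in order of appearance
    current = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd in ("", "!", "end"):
            current = None
            continue
        if cmd.startswith(("line ", "interface ")):
            current = (cmd, [])
            sections.append(current)
        elif current is not None:
            current[1].append(cmd)
        else:
            top.append(cmd)
    return top, sections


def audit_aaa(text):
    """Return a list of findings for a running-config listing.  An empty
    list means the listing meets the lab's requirements (assumed rule set):
    AAA enabled, a TACACS+ server and key defined, a login method list that
    tries TACACS+ and falls back to local, and that list applied to every
    vty range."""
    top, sections = parse_config(text)
    findings = []

    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: line passwords, not AAA, control logins")
    if not any(c.startswith("tacacs-server host ") for c in top):
        findings.append("no tacacs-server host defined")
    if not any(c.startswith("tacacs-server key ") for c in top):
        findings.append("no tacacs-server key: the switch cannot talk to ACS")

    # aaa authentication login <list-name> <method> [<method> ...]
    method_lists = {}
    for c in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", c)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
    for name, methods in method_lists.items():
        if "tacacs+" in methods and "local" not in methods:
            findings.append(f"method list '{name}' has no local fallback; "
                            "nobody can log in if ACS is unreachable")

    uses_local = any("local" in m for m in method_lists.values())
    if uses_local and not any(c.startswith("username ") for c in top):
        findings.append("local fallback listed but no username is configured")

    # Every vty range must name a method list that actually exists.
    for header, subs in sections:
        if not header.startswith("line vty"):
            continue
        applied = [s.split()[2] for s in subs
                   if s.startswith("login authentication ")]
        if not applied:
            findings.append(f"{header}: no 'login authentication' list applied")
        elif applied[0] not in method_lists:
            findings.append(f"{header}: method list '{applied[0]}' is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab result", GOOD_CONFIG), ("weak variant", WEAK_CONFIG)):
        problems = audit_aaa(cfg)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```

Run as a script it reports the lab result as OK and three findings for the weak variant. The vty check matters because IOS lets different vty ranges carry different settings: a range that never received "login authentication primary" silently keeps the shared line password from step 1, which is exactly the state step 7 is meant to remove.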
Copyright 1996-2012 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.