Authenticating Login IDs from a Central System

Posted: July 10, 2015 in CCNP

Suppose you want to administer login ID and password information centrally for all routers, i.e. all your routers get their authentication from a central server. I am not saying that it is not possible to store all the information locally on each router, but if you have a large number of routers it is extremely time consuming to reconfigure all of them for a password change or simply to add a new user. So instead of doing that time-consuming work we use TACACS+ for AAA authentication. There are big benefits to using a TACACS+ server for authentication; one of them is that once TACACS+ authentication is in use, none of the user credentials are stored on the router.

Whenever a user tries to log in to the router, the router automatically sends a query to the TACACS+ server to verify the login credentials. This minimizes the configuration on each router and saves your time. And, because this query is done each time, the information is always up to date.


When you configure AAA authentication on a router, it starts to ignore the locally configured passwords in favor of those provided by the TACACS+ server.

In this example, we have configured the router to consult TACACS+ for both the login and enable passwords.


This is a great labor saver because it means that you don’t have to reconfigure all of your routers just because you want to change passwords. Instead, because the passwords are stored on a central server, you can change them once, and the new passwords instantly propagate to all of your routers. If the router can’t reach the TACACS+ server due to a failure of either the network or the server, then it will resort to using the locally configured passwords (the fallback method listed after group tacacs+ in the method list; a list that ends with the server group has nothing to fall back to and locks you out while the server is down).

LEARN HOW TO CONFIGURE TACACS+ SERVER:

AAA Authentication server


STEP-1: NOW START CONFIGURING THE ROUTER:

Router(config)#hostname R1

R1(config)#line vty 0 15

R1(config-line)#password redhat

R1(config-line)#login

R1(config-line)#exit


STEP-2: NOW GO TO THE SERVER AND CONFIGURE TACACS+ ON IT:

tacacs+ server

STEP-3: NOW LOG IN TO THE ROUTER AGAIN AND CONFIGURE IT TO TAKE ITS LOGIN CREDENTIALS FROM THE TACACS+ SERVER ABOVE.


R1(config)#aaa new-model

R1(config)#enable secret redhat

R1(config)#aaa authentication login default group tacacs+ line

R1(config)#aaa authentication enable default group tacacs+ enable

R1(config)#tacacs-server host 1.0.0.2

R1(config)#tacacs-server key 123456789

R1(config)#end


STEP-4: NOW GO TO YOUR PC AND TELNET TO THE ROUTER. YOU WILL SEE THAT IT TAKES AUTHENTICATION FROM THE TACACS+ SERVER INSTEAD OF ITS OWN LOCAL DATABASE.


Packet Tracer PC Command Line 1.0

PC>telnet 1.0.0.1

Trying 1.0.0.1 …Open

User Access Verification

Username: satish

Password:

R1>enable

Username:

Password:

R1#
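As an added illustration (not from this post and not a Cisco tool), the Python below models how IOS walks an AAA method list: a method that answers PASS or FAIL ends the walk, and only an ERROR, such as an unreachable TACACS+ server, moves on to the next method. It also lints a configuration text for a default list that ends in a server group, which is the case that locks you out when the server is down. The two configuration samples, the usernames and the passwords are constructed for the example, and the parser is a simplified regular expression rather than a full IOS configuration parser.

```python
"""Added illustration of AAA method-list behaviour (not the post's code and
not a Cisco tool).  Assumptions: the config is plain text in IOS syntax, and
only the FAIL-vs-ERROR rule of the method walk is modelled."""
import re
from typing import Dict, List, Optional

# Constructed sample: the post's Step 3 lines with no fallback method.
NO_FALLBACK_CFG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 1.0.0.2
tacacs-server key 123456789
"""

# Constructed sample: the same lists with a fallback method appended.
WITH_FALLBACK_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.0.0.2
tacacs-server key 123456789
"""

METHOD_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$", re.M)


def parse_method_lists(cfg: str) -> Dict[str, List[str]]:
    """Return the 'default' login/enable method lists, keeping 'group <name>'
    together as a single method token."""
    lists: Dict[str, List[str]] = {}
    for kind, name, rest in METHOD_RE.findall(cfg):
        if name != "default":
            continue
        tokens = rest.split()
        methods: List[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[kind] = methods
    return lists


def authenticate(methods: List[str], username: str, password: str, *,
                 server_reachable: bool, server_users: Dict[str, str],
                 line_password: Optional[str] = None,
                 local_users: Optional[Dict[str, str]] = None) -> str:
    """Walk the list the way IOS does: PASS or FAIL from a method ends the
    walk; only ERROR (server unreachable, method not usable) tries the next.
    Returns 'PASS', 'FAIL', or 'DENY' when every method errored."""
    for method in methods:
        if method.startswith("group "):
            if not server_reachable:
                continue  # ERROR: server down, fall through to the next method
            return "PASS" if server_users.get(username) == password else "FAIL"
        if method == "line":
            if line_password is None:
                continue  # ERROR: no line password configured
            return "PASS" if password == line_password else "FAIL"
        if method == "local":
            if not local_users:
                continue  # ERROR: empty local user database
            return "PASS" if local_users.get(username) == password else "FAIL"
        if method == "none":
            return "PASS"
    return "DENY"


def lint(cfg: str) -> List[str]:
    """Flag configurations that lock the operator out when TACACS+ is down."""
    findings: List[str] = []
    if not re.search(r"^aaa new-model$", cfg, re.M):
        findings.append("aaa new-model is missing; method lists will not apply")
    lists = parse_method_lists(cfg)
    for kind in ("login", "enable"):
        methods = lists.get(kind)
        if methods is None:
            findings.append(f"no default {kind} method list")
        elif methods[-1].startswith("group "):
            findings.append(f"{kind} list ends with {methods[-1]}: "
                            "lockout if the server is unreachable")
    if not re.search(r"^tacacs-server key \S+", cfg, re.M):
        findings.append("no tacacs-server key; the server will reject requests")
    return findings


if __name__ == "__main__":
    for label, cfg in (("no fallback", NO_FALLBACK_CFG), ("with fallback", WITH_FALLBACK_CFG)):
        methods = parse_method_lists(cfg)["login"]
        result = authenticate(methods, "satish", "redhat", server_reachable=False,
                              server_users={"satish": "tacacs-pw"}, line_password="redhat")
        print(f"{label}: server down -> {result}; lint: {lint(cfg) or 'clean'}")
```

Run as a script it prints DENY for the list without a fallback and PASS for the one with the line method, which is the difference between being locked out of R1 and getting in with the vty password while 1.0.0.2 is unreachable. Note the other direction too: when the server is reachable and rejects the user, the walk stops at FAIL and the line password is never consulted, so the fallback does not weaken normal operation.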
