# Configure AAA
###### tags: `cisco`

[1]. Configure line password and password encryption

```
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#password my_password
R1(config-line)#do sh run | include password
no service password-encryption
password my_password
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#do sh run | include password
service password-encryption
password 7 020B1D641B071C325B411B1D
R1(config)#
```

[2]. Telnet without password

```
R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#
```

[3]. Configure local user account

```
R1(config)#username tom
R1(config)#username tom ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  one-time             Specify that the username/password is valid for only one
                       time
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
R1(config)#username tom password tom_password
R1(config)#username tom secret tom_secret
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
R1(config)#no username tom password tom_password
R1(config)#username tom secret tom_secret
R1(config)#do sh run | include secret
username tom secret 5 $1$49F5$TenEANb5klaKhVvODHRiz1
```

[4]. Configure tacacs+ and radius

```
R1(config)#aaa new-model
R1(config)#tacacs-server host 192.168.1.110
R1(config)#tacacs-server key my_key
Or
R1(config)#tacacs-server host 192.168.1.110 key my_key
R1(config)#aaa new-model
R1(config)#radius-server host 192.168.1.120
R1(config)#radius-server key my_key
Or
R1(config)#radius-server host 192.168.1.120 key my_key
```

[5]. Configure method list and apply on interface

```
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.
R1(config)#aaa authentication login my_login ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V
               Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
R1(config)#aaa authentication login my_login local
R1(config)#line vty 0 4
R1(config-line)#login authentication my_login
R1(config)#aaa authentication login default ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V
               Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#aaa authentication login default group tacacs+ local none
```
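
The session above leaves several settings in a configuration that an audit should flag: the type 7 line password, `no login` on the vty, the type 5 secret, and a default method list ending in `none`. The following is an added example, not part of the original note, that scans a running-config for them; the sample config is constructed from the session's lines, and the user `bob`, the rule names and the `audit` function are assumptions.

```python
import re

# Constructed sample built from the session's own lines; user "bob" is made up.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login my_login local
aaa authentication login default group tacacs+ local none
username tom secret 5 $1$49F5$TenEANb5klaKhVvODHRiz1
username bob password 7 020B1D641B071C325B411B1D
line vty 0 4
 password 7 020B1D641B071C325B411B1D
 no login
"""

# (rule id, pattern, reason); each pattern is tested against one stripped line.
RULES = [
    ("type7-password", re.compile(r"\bpassword 7 \S+"),
     "type 7 is reversible obfuscation, not a hash"),
    ("user-password", re.compile(r"^username \S+ password\b"),
     "local user stored with 'password' instead of 'secret'"),
    ("md5-secret", re.compile(r"\bsecret 5 \S+"),
     "type 5 is MD5-based; use a stronger type if the release has one"),
    ("aaa-none", re.compile(r"^aaa authentication login \S+ .*\bnone$"),
     "method list falls through to no authentication"),
]
REASONS = {rule_id: reason for rule_id, _, reason in RULES}
REASONS["vty-no-login"] = "vty accepts sessions without any login check"

def audit(config):
    """Return (line_no, rule_id, section) findings in config order."""
    findings = []
    section = "global"
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # unindented line: new top-level context
            section = line if line.startswith("line ") else "global"
        for rule_id, pattern, _ in RULES:
            if pattern.search(line):
                findings.append((no, rule_id, section))
        if line == "no login" and section.startswith("line vty"):  # vty only
            findings.append((no, "vty-no-login", section))
    return findings

if __name__ == "__main__":
    for no, rule_id, where in audit(SAMPLE_CONFIG):
        print(f"line {no} [{where}] {rule_id}: {REASONS[rule_id]}")
```

A configuration that uses `secret` for local users, `login authentication <list>` on the vty lines, and a method list that stops at `local` produces no findings.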