Configure AAA Authentication | Cisco CCNA 200-301

Captions
Welcome to the Keith Barker channel. My name is... what is the quote again? Keith Barker. It's great to have you here. Have you ever been locked out of your house, or locked out of some gear? I have, and the first time that was really critical for me was back in 2003. Yeah, I say 2003; how do you remember that? I was doing my CCIE lab for security and I locked myself out of the system by implementing AAA commands. So I've been a AAA member, the Automobile Association of America, for like, it says here, 20 years, which is a great service, I love their service, but Triple A in a Cisco environment refers to authentication, authorization and accounting. What I'd like to do in this video is provide some overview of those pieces and then focus on authentication as part of AAA, so you can better understand it and also hopefully not lock yourself out of gear, or if you're pursuing certification and they ask you to look at the config and say what's going to happen based on this configuration if somebody tries to log in, I'd like you to be able to go ahead and say, oh, based on this, here's what's gonna happen. So that's what we're gonna share with you in this video. So we're gonna do three basic things: number one, an overview of AAA; number two, the methods for choosing how to authenticate; and then third, probably the most important thing you can do to really master AAA, so stick around for the end. This will be a fairly short video and I'll share that with you as well.

All right, let's take a look at this topology to start with. And one of the questions I get all the time is, hey Keith, what do you use to draw on top of all your screens? And it is Epic Pen; there it is right there. And as many times as I do this I always fail; I have a checklist, I should have the toy checklist. All right, so here's a Packet Tracer lab, and the objective in this lab is for Bob, so I'll put Bob up here. Bob, and Bob in this case is going to be an administrator, and Bob is logging in through his mobile device, a wireless device, and the goal is for Bob to be able to manage this switch, it's a multi-layer switch, MLS1, using SSH. That's the whole objective of this lab, and in doing so I'd like to share with you the options and how AAA works, and then I'm gonna turn you loose on the lab. So we want Bob to be able to go ahead and SSH into this device. Sounds pretty simple. And if you're up for it, bonus points, I'd also love you to go ahead and troubleshoot why this multi-layer switch is not synchronizing with the NTP server. So the server's right here; it's acting as DNS, web, what else, AAA, NTP; it's just doing a host of things, a server thing of things, and our goal is to get NTP working as well there, if you can. I think you can do it; I think you can do whatever you're using for your major course of study; the information and all those techniques, NTP and also setting up SSH and getting access via SSH, that's going to be in your major course of study, so whatever that course of study is, refer to that, research that, and then go ahead and you can apply the skills here in the lab.

Okay, let me share with you some options for AAA. So let's start off with some of the basics of AAA. In fact, let's bring up a device; let's go to a console on this multi-layer switch. This is a lab that I've provided that you can play with, and the first challenge is how do you log on to this. And I realized when I set this up, my intention was not to have login requirements at the console, but I did a couple of things that forced it, so I'm going to share with you right now what that password is. You can log in as admin, so if you have this lab or you share this with a friend, tell them that you can log in as admin, and the password for everything, it says that here too, yeah, the password is capital C, I-S-C-O, exclamation mark, 2, 3. Don't use that in production, too easy to crack, but for the lab that's what the password is.

Okay, so for AAA: AAA stands for doing three basic logical things, and they are, and you already know this if you've been around Cisco for a little bit or studying it, it stands for authentication, and authentication is "who are you, who are you"... that's not good. My wife's a professional singer; she's gonna say, Keith, we should work on that. Okay, so I'll pass on the singing, but I will focus on my enunciation; she'll love that, so she can hear every word I say, and so can you. So authentication is proving who you are. So part of the authentication would be for Bob at this device, as he's connecting via SSH, to require a login, where Bob can say my name is Bob and then be subsequently asked for a password. Now, I have some notes here to keep me on track. So for the authentication, there are several ways we could do it. One, we could use a local user. What do I mean, like somebody who is here in Las Vegas, that's where I am, there's a local user? No, a local user is a user account that's on this local device we're connecting to. So if it's a multi-layer switch, if we have a username called Bob and a password or a secret set for Bob and his privilege level, that would be using the local user database, the local database, for authentication. That's certainly one option. We could also use a server; that's another option for authentication. S-E-R-V-E-R, nailed it, nailed it. So we could log in, or we can authenticate, against the server. So what that means, if we're using a server, a AAA server, when Bob connects to log in, this multi-layer switch is going to talk over to the AAA server and say, I've got somebody trying to log in, thumbs up or thumbs down. And so the language of love between a device like this switch and a AAA server could be RADIUS or it could be Cisco's TACACS+; it's officially TACACS+ but we call it TACACS. And so RADIUS or TACACS+ could be used. Traditionally, if we have administrators who are logging in, like Bob, if he's an administrator, we're probably gonna be using TACACS+ to authenticate administrators, and for users like a guest device or some of the devices just going through the network, or another user going through the network, it's very likely we'll use RADIUS. But in either case, if we want to train this device, the multi-layer switch, to use TACACS+ or RADIUS, we have to do two things: we have to tell the multi-layer switch, hey, use a TACACS+ server or use a RADIUS server, based on the protocol we're using, and we also have to tell the server, hey, please expect this client, multi-layer switch one, to come in, and if it's RADIUS, what port is he coming in on, and if it's TACACS+, that he's the TACACS+ client, and we provide a secret so that they can securely talk to each other. So that's the other option here: a local user here on the actual switch itself, the multi-layer switch, or use a AAA server. And let me check my notes to make sure I'm getting everything. Yeah, another option for authenticating users when they connect is we could just say we want to use the enable secret, and the keyword for that is enable. So we'd say, hey, once he connects, make sure you prompt him for a password, and the password we're looking for is the enable secret, and then once they get logged in, they do enable and the enable secret again to get into privileged mode, assuming you're using the defaults. So we could have the local user, we can have a AAA server defined where Bob's account is kept over here on the AAA server, or we keep the enable secret, or one of my other favorites is none, as in no login required. And by the way, if you go to a vty line and say no login, that's what that means: it means no login is required. So these are options for authenticating a person, an administrator in our case, Bob, who's trying to connect to this device to go ahead and log in. So that's one of the three things I wanted to chat with you about: the overview of the authentication piece and some of our options for authenticating users. Now the second A is for authorization, what they can do, and the last A is accounting, what they did do. So we're focusing just on the authentication piece right here, as far as identifying who the user is who's trying to connect.

All right, so the second thing I wanted to share with you is how can we train a device like the switch on what it should use. Should it use a AAA server, should it use the local database, should it use no password at all, should it use the enable secret? And the answer to that is we are going to enable aaa new-model, and also we are going to go ahead and specify methods. Think of a method like... in fact, let me show you and then let's talk about it. I'm gonna go ahead and clear off my markings here. I'm gonna log in as admin, and the password is capital C, I-S-C-O... I hope it is, capital C, I-S-C-O, oh my gosh, capital C, I-S-C-O, exclamation mark, 2, 3. Oh, thank goodness. All right, show users. All right, so what this indicates is that I'm logged in as admin and I'm connected on the console through the magic of Packet Tracer. Okay, that's a huge stepping stone in the right direction. So let's do a show run, short for running config, and I'm gonna scroll back up to the part I want to share with you here. So the question is how do we control how a user is going to go ahead and authenticate, and what we can do is we can issue the command aaa new-model. That says we want to play by the new rules of using specific authentication, authorization and accounting pieces, and what we do is create some lists. And let me bring up the pen. So what this is right here, let's pick this one as an example, boom, right there. So this has aaa authentication login. Now in English what that means is, okay, regarding logins to this device, here's the playbook. It's like the quarterback saying, okay, we're gonna run this method called method two, and the whole team knows exactly what's going on. So this method called method two says I want to check the local database first. So if Bob tries, if this is in force, this one right here, I'll just go ahead and focus on this line right here. If Bob tries to connect via SSH on the vty lines and method two is in force, it's first of all gonna look at the local database, the switch's, and say do I have any users here, do I have a user called Bob? Now if we don't have any user accounts in the local database, it's not going to be used, and then it goes to the next option, which is option two in this line here, which is group tacacs+. What does that mean? Group means we could have two or three or four different TACACS+ servers, and all this is saying is go ahead and use one in that group for authenticating Bob. And so what happens is Bob connects, he gets the prompt, tries to authenticate, and this switch would be using TACACS+, if this was being used, group tacacs+, and it would go to the TACACS+ server and say, hey, Bob's trying to log in, here's this information, and then the TACACS+ server responds saying thumbs up, let him in, or nope, I don't know who that user is. Now what happens if we can't reach the TACACS+ server? So if we can reach the TACACS+ server and the TACACS+ server says no, that's it, Bob's done, it's over, Bob's not logging in, because of this line. But if the TACACS+ server cannot be reached, there's a short, I say short, timeout, there's a timeout that happens, and after that timeout it gives up on the TACACS+ server and then goes to the next method in this method list, which in this example is none. And so what would happen is the switch, after Bob's connecting, it like takes a long time and finally it prompts him for his user and password information, and he... actually, I take it back: if there are no local users and it can't reach a TACACS+ server, after an extended period of time of having it try and not reaching the TACACS+ server, none would just let him in, like okay, you're in. Now all of that, now this is a method list.

Now look, check this out, this is really important. We have a method list here; we have, let's count together, we've got one, two, three, four, five, six different method lists, and regarding the vty lines, vty 0 space 4, which is our five vty lines by default on a router (a switch will have like 16, 0 through 15), depending on what we have applied here, it depends how we're gonna authenticate Bob. So I love this; I just want to give you a quick heads-up on the logic of how this works, though. There's two options for applying a method list to a vty line. We could go into vty line configuration mode for 0 through 4 and say login authentication and then we could specify a method list. That works like a champ; it's great, and that would be used on that vty line, or all those vty lines. Or we could specify, we really like, you know, this method, method two, we could go ahead and do a aaa authentication login default and specify method two, and then if the vty lines didn't have a more specific method assigned to them, they would just use that default method. So it's important to look at the vty lines and see if they have a method list associated with them, and then follow those rules, or if there's no specific list and aaa new-model is enabled, we'd then go ahead and take a look at the default and realize that those apply.

So all right, covering our objectives: number one, I wanted to share with you an overview of our options for authenticating a user with aaa new-model, and we talked about local database, the enable secret, no password, or a AAA server using RADIUS or TACACS+. I then wanted to share with you the details on how a method list is used inside of a Cisco router. And by the way, if you're saying, well Keith, does this apply to CCNA? Yes it does. So 5.3 in the blueprint says configure device access control using local passwords. So could we have a method list that's specifying the enable secret, which is a local password? Yes. Could we specify a method list that is specifying a user account with a local password? The answer is yes. All this is totally fair game; you've been warned. And then the other option, at 5.8 in the Cisco blueprint for Cisco CCNA 200-301, is differentiate AAA, the authentication, authorization and accounting. All we're focusing on here, and it's enough for this video, is the authentication piece, and we're focusing on login authentication specifically for users trying to get in. So that was the second objective I had, and the third objective that I've got for you is what is the best way, what is the best way to really master this content? It's going to involve studying a little bit, right? Study, reviewing the concepts of AAA, focusing on login authentication here, and then probably the best way of nailing it is hands-on practice, hands-on practice. That's what we need to do, and good news, this lab I have built just for you. So this lab that I'm looking at right here is ready to go. Let me show you where to get it, and then I encourage you to take the action of downloading it, launching it in Packet Tracer and then troubleshooting it, because, I don't know, it's not working, so we should probably verify that as well. And I'd love for you, if you would, to go ahead and comment, if you've done this lab, go ahead in the comments below for the actual video, which is gonna remain on YouTube, go ahead and comment saying did it, did the homework, did this lab, solved it. Now, you might want to avoid saying what the specific issues or challenges were, but just let me know that you did it, because at the end of the day that's the most important thing that you and I can do; it's hands-on practice. We can watch these things all day and all night, but when you start labbing it up and think, why didn't this work and why didn't that work, that starts our brains going, that starts us looking at documentation, that starts us chatting with other people in Discord, subscribing to this channel so you get more details, and having a good time mastering it. Then once you master it, you're good to go.

Okay, so let's go to, ah, I was gonna say let's go to the employee device up here. He's not even connected to the Wi-Fi network. All right, so the goal, going back here: Bob, the employee device, on this employee device, wireless, can't access MLS1 via SSH and log in. Can you help? And the answer is you might have to troubleshoot basic connectivity first. This is very real-world: before you add on some new feature or function, make sure the infrastructure is working, and this will reinforce many of the concepts in CCNA as well. Let's go to PC1 just for a moment, and I just want to verify, whether or not, if I do a couple basic things, this is what, if I was doing this lab for the first time, I'd want to verify: some basics. I've got to get the wireless working, which is important; we also have a couple videos on the wireless LAN controller and wireless LAN troubleshooting; this is all good stuff. And if we go to a command prompt and we do an ipconfig, the multi-layer switch is our default gateway; to verify, can I ping it, 10.10.0.1? All right, good. All right, so I can ping it from the PC that's wired in, and let's also do an SSH. So here's the syntax for SSH: it's ssh space -l, which represents login, and then we'll put in Bob, and then we'll go ahead and put the target of, and that one we just pinged, 10.10.0.1, that one. Yeah, didn't get too far, but that's what we want to do on the employee device: ssh -l, username Bob, to any IP address on the multi-layer switch, and you can look at the config and it's got at least three interfaces that you could connect to, layer 3 switch virtual interfaces. And that's it, so have some fun. And then for bonus points, and this is where I really know that you just like taking it to the next level, for bonus points I would love you to solve the NTP problem. I don't know what it is; NTP's not working. The multi-layer switch is not successfully able to synchronize its time with the NTP server. I want it to, I really want it to, but it's not happening, and I know it was working earlier before I broke the lab, so what I'd love to do is have you troubleshoot that as well, and that'll get you bonus points.

Okay, that's it, all our objectives here are covered. My call to action is go ahead and download the lab. Oh, let me share with you where to get that real quick, my bad. And here's where you can get it: keithbarker.com, just go to that URL, so I'll put that in the notes as well. There's that, keithbarker.com, scroll down a little bit, and down here on the download section, tons of Packet Tracer labs, including this bad boy right here, Cisco PT 4 Packet Tracer AAA SSH and NTP T-shoot 20200516, and you'll have the link for that in the description of this video. So that's your call to action. Go ahead, if you haven't already, click on subscribe, click on the alert bell, get all the updates. Every Sunday at 11 a.m. we have a quiz that's going to combine the concepts of OSPF, that was last week's, the concepts of CCNA, whether it's OSPF or subnetting or NTP or AAA, whatever, and gamification, and we use Kahoot; we can support up to 2,000 people, so mark your calendars, 11:00 a.m. Pacific time on Sundays, join us in the game. It's a safe space for you to practice and get insights on the concepts of CCNA. So until our next live event, thank you for joining me here on the Keith Barker channel to help get you the best tools and tips today, helping you get your CCNA. I'm glad you're here and I'll catch you next time. Bye, everybody.
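The "look at the config and say what will happen" exercise the transcript sets up can be worked through in code. The following is an added Python example, not from the video or its Packet Tracer lab: it parses a constructed IOS running-config excerpt, resolves which method list governs a given vty or console line (an explicit `login authentication` on the line wins, otherwise the `default` list applies under `aaa new-model`), and then walks that list using the rules described above: `local` is skipped when the local user database is empty, a TACACS+ reject ends the walk, a TACACS+ timeout hands off to the next method, and a trailing `none` lets the user straight in. The config text, the list name `method2`, the user `bob` and the server/user state are all assumptions made for illustration, and the PASS/FAIL/ERROR rules are a simplified model of the behaviour the transcript describes rather than a full IOS emulation. The last function is the check a practitioner would want: any list whose last resort is `none` becomes an open door the moment the AAA server is unreachable.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not the video's lab file). The local
# user database is deliberately empty so the fall-through to 'none' shows.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login method2 local group tacacs+ none
line con 0
 login authentication default
line vty 0 4
 login authentication method2
line vty 5 15
"""

def _tokenize_methods(text: str) -> List[str]:
    """Turn 'local group tacacs+ none' into ['local', 'group tacacs+', 'none']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def parse_method_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name> <methods>' line to its methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if m:
            lists[m.group(1)] = _tokenize_methods(m.group(2))
    return lists

def parse_line_bindings(config: str) -> Dict[Tuple[str, int, int], Optional[str]]:
    """Map each 'line <type> <first> [<last>]' block to its 'login authentication' list."""
    bindings, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line (\S+) (\d+)(?: (\d+))?$", raw)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = (m.group(1), first, last)
            bindings[current] = None
        elif current and raw.startswith(" "):
            sub = re.match(r"\s+login authentication (\S+)", raw)
            if sub:
                bindings[current] = sub.group(1)
        else:
            current = None  # any other top-level command ends the line block
    return bindings

def effective_list(config: str, line_type: str, number: int):
    """The list governing one line: its own binding, else 'default' under aaa new-model."""
    method_lists = parse_method_lists(config)
    for (ltype, first, last), name in parse_line_bindings(config).items():
        if ltype == line_type and first <= number <= last and name in method_lists:
            return name, method_lists[name]
    if "aaa new-model" in config.splitlines() and "default" in method_lists:
        return "default", method_lists["default"]
    return None, []  # no AAA list applies; the line's own login/password would

@dataclass
class Environment:
    local_users: Dict[str, str]   # local username database; {} means no users at all
    server_reachable: bool        # can any server in the 'group' be reached?
    server_users: Dict[str, str]  # accounts the AAA server knows (assumed)
    enable_secret: Optional[str] = None

def walk_method_list(methods, username, password, env):
    """PASS/FAIL end the walk; ERROR hands off to the next method; exhausting the list denies."""
    trace = []
    for method in methods:
        if method == "local":
            if not env.local_users:
                result = "ERROR"  # empty local database: method is skipped
            else:
                result = "PASS" if env.local_users.get(username) == password else "FAIL"
        elif method.startswith("group "):
            if not env.server_reachable:
                result = "ERROR"  # timed out on every server: try the next method
            else:
                result = "PASS" if env.server_users.get(username) == password else "FAIL"
        elif method == "enable":
            result = "PASS" if env.enable_secret and password == env.enable_secret else "FAIL"
        elif method == "none":
            result = "PASS"       # no authentication at all
        else:
            result = "ERROR"      # method not modelled here
        trace.append((method, result))
        if result in ("PASS", "FAIL"):
            return ("ACCEPT" if result == "PASS" else "REJECT"), trace
    return "REJECT", trace

def login(config, line_type, number, username, password, env):
    """Which list applied to this connection, the decision, and the per-method trace."""
    name, methods = effective_list(config, line_type, number)
    decision, trace = walk_method_list(methods, username, password, env)
    return name, decision, trace

def lists_ending_in_none(config: str) -> List[str]:
    """Audit: lists whose last resort is 'none' admit anyone during a server outage."""
    return sorted(n for n, m in parse_method_lists(config).items() if m and m[-1] == "none")

if __name__ == "__main__":
    outage = Environment({}, False, {"bob": "bob-password"})
    print(login(RUNNING_CONFIG, "vty", 2, "bob", "anything", outage))
    print(lists_ending_in_none(RUNNING_CONFIG))
```

Run as-is, it shows `bob` being accepted on vty 2 with a wrong password during a TACACS+ outage, because `method2` ends in `none`, while the same outage on vty 9 (governed by the `default` list) exhausts every method and denies him. Swapping the order of `local` and `group tacacs+`, or adding a `username` line, changes the trace, which is the kind of "what happens if" reading the video asks you to practise.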
Info
Channel: Keith Barker
Views: 21,335
Keywords: ccna, cisco, 200-301, Cisco CCNA, Cisco Certification, ogit, Keith Barker, cisco ccna 200-301, ccna 200-301, wireless lan controller, packet tracer, cisco training, 200-301 ccna, 200-301 cisco, 200-301 videos, 200-301 ccna certification, cisco aaa, cisco aaa configuration, cisco aaa tacacs+ configuration, cisco aaa authentication, cisco aaa radius, cisco aaa radius configuration example, cisco aaa commands, cisco aaa tacacs, aaa, radius, troubleshoot aaa, tacacs, tacacs radius
Id: tXprJgbEWXg
Length: 20min 33sec (1233 seconds)
Published: Sat May 16 2020