Solving a AAA lockout: Do you know what to do when you get locked out? | Cisco CCNA 200-301

Captions
[Music] And welcome, everybody, to the channel. My name is Keith Barker, and it is great to have you here to share tools and tips today to help you get your CCNA. The tip I have today is hands-on practice. Please, please, it's really important to do hands-on practice to get really good at pretty much anything that you need to learn, if that involves doing something. In fact, very recently (I'd like to share a picture with you), I'm having this, what used to be a workshop area, redone; I'm going to make a recording studio out of it. It's going to be super, super fun; I'm so excited. Now these gentlemen (and shout out to Zack, Rob and Mark) are amazing technicians, and what they did, I'll show you another picture after the fact here: they moved the water softener and the sink out of this space so that I can have it in the garage, and then I can have my workshop be here for recording. Anyway, they were great. It was so fun to watch their expertise. I thought to myself, you know what, I bet, yeah, the joke we had was that it wasn't their first rodeo. They had done this before many, many times, and they had a lot of experience in doing it, and that's what we need to have with Cisco devices: the fundamentals, making sure we configure things like IP routing and things like switching and VLANs and trunks and EtherChannel and all those cool things, practicing configuring them and practicing them, including AAA.

So a while back I created this video right here called Locked Out, and it was about AAA and troubleshooting AAA, and I also added some NTP to it, and there's some SSH as well, and a lot of people responded like, yeah, nailed it. It was like, yes, yes. Even if you're not completely ready, if you tackle the lab and you practice it, you can come up against roadblocks, which are great, because they become stepping stones: you can look something up and say, okay, how does this work, or why doesn't it work, or join us on Discord and we can talk about it. It's fantastic. So my hat's off (it's already off), my hat's off to everybody who attempted this lab already, and somebody asked in the Discord server, they said, hey, can you do a walkthrough? So I'm going to do a walkthrough, a solution for this lab. Spoiler alert: if you still want to do it, just stop now and do the lab first, and then come back and check out the walkthrough for any pieces you had challenges with.

All right, so to download this lab (also, by the way, it is this lab right here, to be clear: Cisco PT AAA SSH and NTP T-Shoot 2020-05-16, so that's the actual lab), you can download it at TheKeithBarker.com. We'll have links below, so it's there, it's not going anywhere if you want to practice with it. All right, so I have that lab open, and here it is, and here are the instructions: Bob the employee... we need to have Bob the employee, on this employee device, be able to SSH to this multilayer switch. I can see that there are no radio frequency waves in Packet Tracer here, so he's not connected to the Wi-Fi network, so I'm going to take a couple of shortcuts and I'm going to tackle the issue of, okay, can anybody SSH to this multilayer switch? So let's start there. So here is the multilayer switch, and I'll open this up a little bit. Also, it's a logon, because I didn't intend to do it, but in this lab the logon is admin, and the default password for admin here in this lab is capital C-i-s-c-o, exclamation mark, 2, 3 (Cisco!23), and that password is also specified right here.

So if we wanted to verify that a user like Bob can SSH to this device on a vty line... when a user connects to a remote Cisco device, they're really connecting to logical vty lines, then using the protocol telnet (unsecure, insecure) or SSH (more secure). We could test it right here; that's what I'm saying, we can just test it right here and see if SSH even works. To do that, we do ssh, space, -l for login, and then we put Bob's name and a space, and then the IP address we want to SSH to. I'm just going to hover here, and we have these addresses, 10.10.0.1, 10.20.0.1; we could go to any of those addresses. So all I'm doing is SSHing from the local switch to itself, just to verify that SSH works, and so we'll put in the IP address 10.10.0.1, and it's gone. So let's solve this first before we start going off to the Wi-Fi network, which looks like it might be down. So let's do a show run and let's take a look at the vty lines, and right here on the vty lines it says transport input none. That means no go: no SSH, no telnet, no nothing. So let's fix that: line vty 0 4, which is the five vty lines on this device, and we'll say transport input ssh (or we could say all, but we want SSH to work). Now that we've done that, we'll try our SSH again with ssh -l bob 10.10.0.1, press Enter. Now it's asking for a password: Cisco!23. Ah, okay, right, one more time, password Cisco!23. All right, it's not letting us in, but at least SSH is working now; we're one step closer.

So let's do this next. Let me bring this full screen up; there we go. Let's do a show run and let's talk about AAA for a moment. So here we have aaa new-model; I'll get my pen out. So here, aaa new-model, which says, hey, there's a new sheriff in town, this is a new way of doing authentication, authorization and accounting. And I also have a default set: aaa authentication login default. The default is going to apply to the vty lines unless we specify a more specific method list on the vty lines. So this says, for AAA login authentication, the default method is going to be using a RADIUS server from one of our group of RADIUS servers. All right, so Bob just couldn't log in. Let's verify that we have connectivity to our RADIUS server. So I'm going to take off my pen here, and let's do a show run | include radius. That's going to show me any output in the running config that has the word radius in it, and I see our default login authentication and I see a method list that calls it. But the problem here is this multilayer switch doesn't know how to reach a RADIUS server; it's not defined, so that's the problem. So if somebody SSHes into the switch and the switch needs to talk to a RADIUS server, the switch has to know how to reach that RADIUS server, and there needs to be a key defined so that they can securely, and be willing to, talk to each other back and forth. And I don't see anywhere on the multilayer switch that we have a RADIUS server defined.

Let's go talk to the RADIUS server and take a look at it. So here on the server, click on the server icon, and right here the description says that the server (AAA, DNS, NTP, web server) is 10.30.0.10, this guy right here. Let's bring him out here; we'll click on Services and we'll go to AAA, and okay, so here we have... oh, okay, so we have the multilayer switch as a AAA client using TACACS+. So this multilayer switch is set up, from the server's perspective, as a client, meaning the AAA server is expecting requests to come in, and it's also expecting, on this TACACS+ ... it's also expecting the wireless LAN controller at 10.30.0.2 to go ahead and make requests via RADIUS. That would be for authentication; if it's using the other, it is for the Wi-Fi networks. So we have a couple of choices here. We could include the multilayer switch as a RADIUS client here and also at the multilayer switch, or we could just go ahead and tell our switch to use a different method: don't use RADIUS; the multilayer switch is already set up as a TACACS+ client, so let's just go modify that. We'll go back to the switch and see this method list right here: aaa authentication login method1: please use a TACACS+ server; if you can't reach a TACACS+ server, then use the local database; if there are no users in the local database, then go ahead and use the enable password or enable secret, and that'll let you in. So let's just tell the vty lines that they should use AAA authentication login method1, and then it would use the TACACS+ server, and let's make sure we have a TACACS+ server defined: show run | include tac. Our TAC... yeah, so we have a TACACS+ server defined and we have a key of Cisco!23, and this is the key I saw on the server.

So let's change the method list: show run, and we just go to our vty lines, line vty 0 4. All right, here we go, and we'll specify login authentication (this is in the vty lines), and we want to use... WORD; it's asking for a method list, that's what the description says: what method list do you want to use? I think it was method1. Let me scroll up and take a look; I want to make sure we put the right one in. We want to use this method list right here called method1, which will then use TACACS+, and for authenticating an administrator who's accessing the device, TACACS+ is not a bad idea. All right, so we'll call this M-E-T-H-O-D-1, method1. All right, and now that we've done that, let's test it locally; we'll sort out Bob's wireless device in a moment. We'll do a... let's see, it's in my history here, there it is: ssh -l bob with the local IP address on this switch, and password Cisco!23. I'm hoping it's going to work, and it works. All right, now for authorization: we didn't configure authorization, but now if we type in enable, it's asking for... see, enable secret. Great, and that worked. In a real system we could have accounting records showing that, hey, Bob logged in. And that's it, so we've solved part of the challenge, the part of the challenge that asks, does Bob... well, Bob can log in with SSH.

Oh, and also, let's go take a look; let me pause for a moment here. So right here at the switch, if we do this show users, this is a good one, there we go: there's admin, which we're logged on as right now, and, as I always say, there's Bob. Right now, see this asterisk right here? That asterisk is telling us where we're currently viewing this from. So we, on the console, logged in as admin, then we SSHed as Bob, and we came in on vty line 0, and the asterisk shows us that that's our current view. And if we did a show ssh, it's going to show us that we have an SSH session. So 1.99, don't freak out about that; that just means it's capable of version 1 and version 2 of SSH, so there's a long history about why it's called 1.99, but we're good, we're good, SSH is working.

All right, so now let's do this: let's type in exit, and let's go ahead and get SSH working from Bob on the employee device. So I'm going to take a look at Bob's computer, or his device, and let's take a quick ipconfig, and wireless: he is connected to Corp Wi-Fi. Oh, and Corp Wi-Fi is actually using RADIUS for authentication of users to get on the network; I noticed that when we looked at the server. And okay, so why is he not connecting? Let's go take a look at the wireless LAN controller. The wireless LAN controller is at 10.30.0.2, so we'll grab a PC that we can use to get there, and on the PC we'll go to Desktop, open up a browser, and enter http://10.30.0.2, I think that was it, yep, and we'll log in. The instructions in the lab say the username is admin and the password is Cisco123 with the capital... sorry, I said Cisco123; it's admin and Cisco!23, and Enter. Oh, you know, I've got a weird situation on my computer; it doesn't always happen for everybody, but when I'm in Packet Tracer, if I press Enter it doesn't accept the password, so I need to actually click on OK. So that time the password was correct, all right, and clicking Login. All right, fantastic, and let's go to Wireless LANs, and there's our Corp Wi-Fi, and over here it says it's disabled, which is a really bad deal, so we need to enable it. So we'll go edit that wireless LAN, click on the Enable checkbox, click on Apply, and if the authentication works we should see a little radio frequency between the employee's device and the access point, or an access point. Yeah, there it is. I was like, well, what's next? Okay, so a little reminder about wireless LAN controllers and making sure that wireless and infrastructure work. Great.

So, Bob: let's go up to Bob's computer, his mobile device. We'll go to Desktop, we'll click on Command Prompt, and we'll do ssh -l to log in as Bob and verify we can log in to the multilayer switch. Any address on that switch will do, by the way, so ipconfig, and the default gateway we're using is 10.30.0.1; that is the actual multilayer switch too. So we'll do an ssh -l, log in as Bob, to 10.30.0.1, and survey says: password Cisco123... actually, Cisco!23, and we've authenticated. So the multilayer switch, using the method list we specified on the vty lines, checked with the AAA server, verified Bob's credentials, and then the switch let him in via SSH. The wireless LAN controller also reached out via RADIUS: for SSH we used TACACS+, and for RADIUS, the wireless LAN controller reached out via RADIUS to the server for the Wi-Fi session, for that authentication. All great stuff.

Okay, are we done, are we done, are we done? Um, Bob is using... okay, so Bob can now SSH to the multilayer switch, fantastic. Bonus points if you can get multilayer switch 1 synchronized as an NTP client as well. Okay, well, it's right here; let's just check. I'm going to hover over the server; the server is at 10.30.0.10, right, and then we click on the server, make sure NTP is running, right, so NTP is enabled, fantastic, and oh, and we're using authentication; that's important. So authentication is enabled, the key is 1, the password is Cisco!23, and this server believes it is March 22nd, 2022. That's what this... so if we sync up timewise, that's what the multilayer switch will believe, based on UTC time, which is how NTP is served up. All right, let's go to the switch. So here on the switch we'll do a show ntp status: clock is unsynchronized; that's not good. Do a show ntp associations, and on a real device you can do show ntp associations detail for even more nitty-gritty. Okay, so this right here shows us who we're trying to synchronize with; that tilde right there means configured. So we are trying to reach out to 1.30.0.10, which is not the IP address of our server. We'll do a show run | include ntp to just show us the NTP output. Yeah, that's wrong, wrong address, that's going to hurt. So config t, no ntp server 1.30.0.10, and before we actually tell it to use the NTP server, let's also do a do show clock. Okay, so this device thinks it's May 12, 2022, and the server... actually, I'm just going to play around; I'll change the server to 2023, so August 22nd, 2023, just because we can, and that way when it changes to August we'll know we've synchronized. We can also do a show ntp status and verify that as well.

All right, so party on, here we go. Back to the switch, and let's set up authentication. So ntp authentication-key (that's going to make me work here), authentication-key, and let's use key 1, because we're using key 1 over on the server, so we'll use 1 everywhere just to make it easy: ntp authentication-key 1 md5 Cisco!23. Also, when you put in passwords on some systems, if you put a trailing space, sometimes that space gets included in the password, so just be aware, when you're putting in commands or specific passwords, that if you did a space and a question mark and you want to not have that space, back it up before you press Enter regarding passwords, because that has bitten me more than once. All right, ntp authentication-key, then ntp trusted-key 1; I'm just going down all the NTP commands here for authentication. So ntp trusted-key 1, right, and ntp authenticate; it's making me type it all out because the other one has "authentication-key". Great. Let's do a do show history. All right, so we set the... that's the previous part here, for the authentication method; we got rid of the NTP server, we looked at the clock, we did ntp authentication-key 1 md5 Cisco!23, ntp trusted-key 1, ntp authenticate, and I think we just need to add the NTP server, which is at the IP address 10.30.0.10. So let's go and do that: ntp server 10.30.0.10, question mark, key 1. All righty, and now the waiting game begins.

Oh, and in the CCIE lab, this is where, like, oh... so it takes a while on production systems for clocks to synchronize, and if we do a debug (I don't know if we have debug here or not; oh yeah, yeah, we've got some debugs), debug ntp... oh, no debug ntp authentication; that's okay, so debug ntp is on. So we'll do a show ntp status: it says unsynchronized right here, and here it says never updated. But you notice in the background it's sending NTP messages out, and so if we do an up arrow and show ntp status, still unsynchronized. What I'm about to show you is one of the big benefits of... still unsynchronized. It's going to take a while, so the CCIE lab is like, oh, oh yeah, set yourself a reminder to come back and check it later to verify you got everything correct. So NTP uses UDP port 123: 1-2-3, NTP, UDP, you and me. All right, let's see if... yeah, still unsynchronized. So here's my favorite Packet Tracer trick that I learned from Trevor, who is one of our Discord admins, and it's this button right down here: you can fast-forward time. It's like, oh yes, 30-second intervals; I'm just clicking it many, many times. Now let's go back and take a look: yeah, there are all our debug messages that happened (I think it was every 30 seconds or something), but they're all showing up because I accelerated time, and let's do an up arrow, and we are now synchronized. It just took long enough to make sure we got it in place, and also those, they're the updates here. So authentication is important to be aware of; NTP is part of the CCNA blueprint, and being aware of the commands for authentication, I would say, is also important.

So thanks for joining me in this walkthrough of this AAA troubleshooting lab. We troubleshot wireless, we troubleshot NTP, we also troubleshot SSH access with AAA with a method list on the server, and I would encourage you, no matter what stage you are in your CCNA journey, to take a stab at this lab. I've got 16 as of right now on TheKeithBarker.com; I'll put a link below. If you haven't done any of those labs yet, book some time. There's also a special playlist on the Keith Barker channel just for Packet Tracer labs that gives you an intro, and then I also add the walkthroughs like this to it as well, so you can have some fun with it. So again, the goal of this channel is to help you and provide some tools and tips today that can help you get your CCNA. Join us in the Discord server; we have a great time there as well. Thank you to all the moderators and admins who do such a great job in supporting their brothers and sisters. We're glad to have you, and the YouTube channel is all free, the Discord server is all free; we'd like you to come and study and get that CCNA and use it as a really good stepping stone towards whatever you're going to do in the future with IT. It'll be a really good foundation to build on. But having said that, I'll catch you in the next live event, including on Sundays at 11 o'clock a.m. Pacific time. We have a quiz, and the online quiz can support up to a thousand people, so get there, get in, have some fun, and the topics will be announced on social. So till next event, have a great time and happy, happy studies. [Music] You get out what you put in.
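The checks the walkthrough performs by eye (is any transport allowed on the vty lines, which AAA method list the vty lines actually resolve to, does that list's server group have a server defined at all, is the NTP server address right and is NTP authentication complete) can be scripted against a saved running-config. The following is an added example, not code from the video or its lab files; the two configs it contains are constructed to mirror the lab's before and after state, and the server name, key and addresses in them are assumptions.

```python
# Added example (not from the lab): audit an IOS running-config for the faults the walkthrough finds.
import re

# Constructed "before" state mirroring the lab: vty lines block every transport, the default login
# list points at RADIUS while only a TACACS+ server exists, and the NTP server has a bad first octet.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login method1 group tacacs+ local enable
tacacs server AAA-SERVER
 address ipv4 10.30.0.10
ntp server 1.30.0.10
line vty 0 4
 transport input none
"""

# Constructed "after" state: SSH only, vty bound to the TACACS+ list, NTP fixed and authenticated.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login method1 group tacacs+ local enable
tacacs server AAA-SERVER
 address ipv4 10.30.0.10
ntp authentication-key 1 md5 Cisco!23
ntp trusted-key 1
ntp authenticate
ntp server 10.30.0.10 key 1
line vty 0 4
 login authentication method1
 transport input ssh
"""

def parse_sections(config: str) -> dict:
    """Map each top-level line to its indented sub-mode lines (IOS nests config by indentation)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def vty_login_method(sections: dict) -> str:
    """Method list the vty lines use: an explicit 'login authentication X', else 'default'."""
    for top, kids in sections.items():
        if top.startswith("line vty"):
            for kid in kids:
                m = re.match(r"login authentication (\S+)$", kid)
                if m:
                    return m.group(1)
    return "default"

def method_list(sections: dict, name: str) -> list:
    """Methods of 'aaa authentication login <name> ...', e.g. ['group', 'tacacs+', 'local']."""
    for top in sections:
        m = re.match(rf"aaa authentication login {re.escape(name)} (.+)$", top)
        if m:
            return m.group(1).split()
    return []

def has_server(sections: dict, proto: str) -> bool:
    """True if a server for the protocol is defined, in either the new or the legacy syntax."""
    pats = {"tacacs+": (r"tacacs server \S+", r"tacacs-server host \S+"),
            "radius": (r"radius server \S+", r"radius-server host \S+")}[proto]
    return any(re.match(p, top) for top in sections for p in pats)

def audit(config: str, expected_ntp: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    s, findings = parse_sections(config), []
    # 1. vty transport: 'none' blocks everything; 'all' or 'telnet' allows cleartext logins.
    for top, kids in s.items():
        if not top.startswith("line vty"):
            continue
        tokens = ([k.split()[2:] for k in kids if k.startswith("transport input ")] or [[]])[-1]
        if "none" in tokens:
            findings.append(f"{top}: 'transport input none' blocks SSH and telnet")
        elif tokens and "ssh" not in tokens and "all" not in tokens:
            findings.append(f"{top}: SSH is not a permitted transport ({' '.join(tokens)})")
        if "all" in tokens or "telnet" in tokens:
            findings.append(f"{top}: telnet permitted (cleartext); prefer 'transport input ssh'")
    # 2. The method list the vty lines resolve to must name a server that is actually defined.
    name = vty_login_method(s)
    methods = method_list(s, name)
    for i, tok in enumerate(methods[:-1]):
        proto = methods[i + 1]
        if tok == "group" and proto in ("radius", "tacacs+") and not has_server(s, proto):
            findings.append(f"method list '{name}' uses group {proto} but no {proto} server is defined")
    # 3. NTP: right server address, and if 'ntp authenticate' is on, the key material must be complete.
    authed = "ntp authenticate" in s
    for parts in (top.split() for top in s if top.startswith("ntp server ")):
        if parts[2] != expected_ntp:
            findings.append(f"ntp: server {parts[2]} does not match expected {expected_ntp}")
        if authed and "key" not in parts:
            findings.append(f"ntp: authentication enabled but server {parts[2]} has no key")
    for needed in (("ntp authentication-key ", "ntp trusted-key ") if authed else ()):
        if not any(top.startswith(needed) for top in s):
            findings.append(f"ntp: 'ntp authenticate' set but '{needed.strip()}' is missing")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit(cfg, "10.30.0.10") or ["no findings"])
```

Two caveats the script encodes that the walkthrough passes over quickly: `transport input all` does get SSH working, but it also re-opens telnet, so the audit flags it and asks for `transport input ssh`; and whichever list the vty lines resolve to (an explicit `login authentication` or the `default` list) is only as good as the server group behind it, which is exactly the RADIUS-with-no-server trap in the lab. When you change vty method lists on real gear, keep your console session open until a fresh SSH login succeeds, so that a typo in the list name does not become the lockout the video title refers to.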
Info
Channel: Keith Barker
Views: 6,347
Rating: 4.974359 out of 5
Keywords: ccna, cisco, 200-301, Cisco CCNA, Cisco Certification, ogit, Keith Barker, cisco aaa configuration, cisco aaa tacacs+ configuration, cisco aaa authentication, cisco aaa radius, cisco aaa radius configuration example, cisco aaa commands, aaa packet tracer, aaa packet tracer lab, aaa cisco packet tracer, aaa server packet tracer
Id: OzaU0C7HLHs
Length: 23min 9sec (1389 seconds)
Published: Sat May 23 2020