Objective
In this lab, you will perform the following tasks:
Part 1: Configure Basic Device Settings
• Configure basic settings such as host name, interface IP addresses, and access passwords.
• Configure static routing.
Part 2: Configure Local Authentication
• Configure a local database user and local access for the console, vty, and aux lines.
• Test the configuration.
Part 3: Configure Local Authentication Using AAA
• Configure the local user database using Cisco IOS.
• Configure AAA local authentication using Cisco IOS.
• Test the configuration.
Part 4: Configure Centralized Authentication Using AAA and RADIUS
• Install a RADIUS server on a computer.
• Configure users on the RADIUS server.
• Use Cisco IOS to configure AAA services on a router to access the RADIUS server for authentication.
• Test the AAA RADIUS configuration.
Part 1: Configure Basic Device Settings
The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using the GNS3 software.
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
All steps should be performed on routers R1 and R3. Only steps 1, 2, 3 and 6 need to be performed on R2.
The procedure for R1 is shown here as an example.
Step 1: Deploy the routers in the GNS3 network. Attach the devices as shown in the topology diagram and connect them as necessary.
Step 2: Configure basic settings for each router.
a. Configure host names as shown in the topology plus your student ID.
b. Configure interface IP addresses as shown in the IP Addressing Table.
R1 Config:
R1-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1-S0000(config)#interface f0/1
R1-S0000(config-if)#ip address 192.168.1.1 255.255.255.0
R1-S0000(config-if)#no shutdown
R1-S0000(config-if)#exit
R1-S0000(config)#interface s0/0
R1-S0000(config-if)#ip address 10.1.1.1 255.255.255.252
R1-S0000(config-if)#no shutdown
R1-S0000(config-if)#exit
R1-S0000(config)#exit
R1-S0000#copy running-config startup-config
Destination filename [startup-config]?
R3 Config:
R3-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3-S0000(config)#interface f0/1
R3-S0000(config-if)#ip address 192.168.3.1 255.255.255.0
R3-S0000(config-if)#no shutdown
R3-S0000(config-if)#exit
R3-S0000(config)#interface s0/1
R3-S0000(config-if)#ip address 10.2.2.1 255.255.255.252
R3-S0000(config-if)#no shutdown
R3-S0000(config-if)#exit
R3-S0000(config)#exit
R3-S0000#copy running-config startup-config
Destination filename [startup-config]?
R2 Config:
R2-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2-S0000(config)#interface s0/0
R2-S0000(config-if)#ip address 10.1.1.2 255.255.255.252
R2-S0000(config-if)#no shutdown
R2-S0000(config-if)#exit
R2-S0000(config)#interface s0/1
R2-S0000(config-if)#ip address 10.2.2.2 255.255.255.252
R2-S0000(config-if)#no shutdown
R2-S0000(config-if)#exit
R2-S0000(config)#exit
R2-S0000#copy running-config startup-config
Destination filename [startup-config]?
c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. R1-STUDENTID is shown here as an example.
R1:
R1-S0000# conf t
R1-S0000(config)# interface S0/0
R1-S0000(config-if)# clock rate 64000
R1-S0000(config-if)# exit
R1-S0000(config)# exit
R3:
R3-S0000# conf t
R3-S0000(config)# interface S0/1
R3-S0000(config-if)# clock rate 64000
R3-S0000(config-if)# exit
R3-S0000(config)# exit
R2:
R2-S0000# conf t
R2-S0000(config)# interface S0/0
R2-S0000(config-if)# clock rate 64000
R2-S0000(config-if)# exit
R2-S0000(config)# interface S0/1
R2-S0000(config-if)# clock rate 64000
R2-S0000(config-if)# exit
R2-S0000(config)# exit
d. To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. R1-STUDENTID is shown here as an example.
R1-STUDENTID(config)# no ip domain-lookup
R2-STUDENTID(config)# no ip domain-lookup
R3-STUDENTID(config)# no ip domain-lookup
Step 3: Configure static routing on the routers.
a. Configure a static default route from R1 to R2 and from R3 to R2.
R1:
R1-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1-S0000(config)#ip route 0.0.0.0 0.0.0.0 S0/0
R1-S0000(config)#end
R3:
R3-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3-S0000(config)#ip route 0.0.0.0 0.0.0.0 S0/1
R3-S0000(config)#end
b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.
R2:
R2-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2-S0000(config)#ip route 192.168.1.0 255.255.255.0 S0/0
R2-S0000(config)#ip route 192.168.3.0 255.255.255.0 S0/1
R2-S0000(config)#end
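To see why the Step 3 routes are sufficient for PC-A to reach PC-C, and what happens to traffic for a destination no router knows, the following added example (not part of the lab handout) rebuilds the three routing tables from the connected networks of Step 2 and the static routes of Step 3 and walks a packet through them with the same longest-prefix-match lookup a router performs. Addresses and interface names are the lab's; the table layout, the LINKS map and the function names are this example's own assumptions. Destinations are LAN hosts; the routers' own interface addresses are not modelled.

```python
"""Hop-by-hop forwarding check for the static routes configured in Step 3.

Added example, not part of the lab handout. It rebuilds the routing tables of
R1, R2 and R3 from the connected networks (Step 2) and the static routes
(Step 3), then walks a packet from one LAN to the other with the same
longest-prefix-match lookup a router performs. Addresses and interface names
are the lab's; the table layout and function names are this example's own.
Destinations are LAN hosts; router interface addresses are not modelled.
"""
import ipaddress

# (prefix, exit interface) per router. Connected networks come from Step 2,
# the 0.0.0.0/0 defaults and the two LAN routes on R2 from Step 3.
TABLES = {
    "R1": [("192.168.1.0/24", "f0/1"), ("10.1.1.0/30", "s0/0"),
           ("0.0.0.0/0", "s0/0")],
    "R2": [("10.1.1.0/30", "s0/0"), ("10.2.2.0/30", "s0/1"),
           ("192.168.1.0/24", "s0/0"), ("192.168.3.0/24", "s0/1")],
    "R3": [("192.168.3.0/24", "f0/1"), ("10.2.2.0/30", "s0/1"),
           ("0.0.0.0/0", "s0/1")],
}

# Point-to-point serial links: which router sits at the far end of an
# interface. Interfaces not listed here (the f0/1 LAN ports) face hosts.
LINKS = {("R1", "s0/0"): "R2", ("R2", "s0/0"): "R1",
         ("R2", "s0/1"): "R3", ("R3", "s0/1"): "R2"}


def lookup(router, dst):
    """Longest-prefix match in one router's table; returns the exit interface
    or None when no entry matches (which happens when no default route exists)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in TABLES[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def trace(ingress_router, dst, max_hops=8):
    """Forward a packet that enters at ingress_router toward dst.

    Returns (routers traversed, delivered?). delivered is False when a router
    has no matching route or the hop limit is exceeded (a forwarding loop)."""
    path, router = [ingress_router], ingress_router
    for _ in range(max_hops):
        iface = lookup(router, dst)
        if iface is None:
            return path, False          # no route: packet is dropped here
        nxt = LINKS.get((router, iface))
        if nxt is None:
            return path, True           # LAN interface: delivered to the host
        router = nxt
        path.append(router)
    return path, False                  # hop limit hit: treat as a loop


if __name__ == "__main__":
    # PC-A (192.168.1.2) to PC-C (192.168.3.2), the ping from Step 5
    print(trace("R1", "192.168.3.2"))   # (['R1', 'R2', 'R3'], True)
    # A destination nobody has a route for dies at R2, which has no default
    print(trace("R1", "172.16.0.1"))    # (['R1', 'R2'], False)
```

Two things the trace makes visible: at R1 a packet for 192.168.1.x matches both 192.168.1.0/24 and 0.0.0.0/0, and longest-prefix match keeps it on the LAN rather than sending it to R2; and because R2 has only the two LAN routes and no default, anything addressed outside those networks is dropped at R2 rather than looping, which is the behaviour you want from a transit router in this topology.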
Step 4: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP Addressing Table.
Deploy VPCS A: connect switch port 8 to R1 f0/1.
PCA> ip 192.168.1.2/24 192.168.1.1
PCA> save
Deploy VPCS C: connect switch port 8 to R3 f0/1.
PCC> ip 192.168.3.2/24 192.168.3.1
PCC> save
Step 5: Verify connectivity between PC-A and R3.
a. Ping from R1 to R3.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and functioning correctly.
If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.
Step 6: Save the basic running configuration for each router.
Step 7: Configure and encrypt passwords on R1 and R3.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
For this step, configure the same settings for R1 and R3. Router R1-S0000 is shown here as an example.
a. Configure a minimum password length.
Use the security passwords command to set a minimum password length of 10 characters.
R1-S0000(config)# security passwords min-length 10
R3-S0000(config)# security passwords min-length 10
b. Configure the enable secret password on both routers. Use the type 9 (SCRYPT) hashing algorithm.
R1-S0000(config)# enable algorithm-type scrypt secret cisco12345
R3-S0000(config)# enable algorithm-type scrypt secret cisco12345
Note: The plain form enable secret cisco12345 stores a type 5 (MD5) hash. The algorithm-type scrypt keyword requires an IOS image that supports type 9 secrets; verify the hash type afterwards with show run.
Step 8: Configure the basic console, auxiliary port, and vty lines.
a. Configure a console password and enable login for router R1-S0000. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec timeout can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.
R1-S0000(config)# line console 0
R1-S0000(config-line)# password ciscoconpass
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# login
R1-S0000(config-line)# logging synchronous
R1-S0000(config-line)# exit
b. Configure a password for the aux port for router R1.
R1-S0000(config)# line aux 0
R1-S0000(config-line)# password ciscoauxpass
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# login
R1-S0000(config-line)# exit
c. Configure the password on the vty lines for router R1.
R1-S0000(config)# line vty 0 4
R1-S0000(config-line)# password ciscovtypass
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# login
R1-S0000(config-line)# exit
d. Encrypt the console, aux, and vty passwords.
R1-S0000(config)# service password-encryption
R1-S0000(config)# exit
e. Issue the show run command. Can you read the console, aux, and vty passwords? Explain.
Step 9: Configure a login warning banner on routers R1 and R3.
a. Configure a warning to unauthorized users using a message-of-the-day (MOTD) banner with the banner motd command. When a user connects to the router, the MOTD banner appears before the login prompt.
In this example, the dollar sign ($) is used to start and end the message.
R1-S0000(config)# banner motd $Unauthorized access strictly prohibited!$
R1-S0000(config)# exit
R3-S0000(config)# banner motd $Unauthorized access strictly prohibited!$
R3-S0000(config)# exit
R2-S0000(config)# banner motd $Unauthorized access strictly prohibited!$
R2-S0000(config)# exit
b. Exit privileged EXEC mode by using the disable or exit command and press Enter to get started. If the banner does not appear correctly, re-create it using the banner motd command.
Step 10: Save the basic configurations on all routers.
Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1-S0000# copy running-config startup-config
R3-S0000# copy running-config startup-config
R2-S0000# copy running-config startup-config
Part 2: Configure Local Authentication
In Part 2 of this lab, you configure a local username and password and change the access for the console, aux, and vty lines to reference the router’s local database for valid usernames and passwords. Perform all steps on R1 and R3. The procedure for R1 is shown here.
Step 1: Configure the local user database.
a. Create a local user account with a hashed secret. Use the type 9 (SCRYPT) hashing algorithm.
R1-S0000(config)# username user01 algorithm-type scrypt secret user01pass
Note: Without the algorithm-type scrypt keyword, username user01 secret user01pass stores a type 5 (MD5) hash on images that do not default to type 9.
b. Exit global configuration mode and display the running configuration. Can you read the user’s password?
Step 2: Configure local authentication for the console line and login.
a. Set the console line to use the locally defined login usernames and passwords.
R1-S0000# conf t
R1-S0000(config)# line console 0
R1-S0000(config-line)# login local
b. Exit to the initial router screen.
R1-S0000(config-line)# exit
R1-S0000(config)# exit
R1-S0000# exit
The router then displays:
R1-S0000 con0 is now available.
Press RETURN to get started.
c. Log in using the user01 account and password previously defined. What is the difference between logging in at the console now and previously?
d. After logging in, issue the show run command. Were you able to issue the command? Explain.
e. Enter privileged EXEC mode using the enable command. Were you prompted for a password? Explain.
Step 3: Test the new account by logging in from a Telnet session.
a. From PC-A, establish a Telnet session with R1. In GNS3, deploy a Cloud node from End devices, configure interface F0/0 on R1-S0000 with an IP address from your local network, then download PuTTY and telnet to R1-S0000:
telnet 192.168.x.x
Or telnet from R2:
R2-S0000> telnet 10.1.1.1
b. Were you prompted for a user account? Explain.
c. Set the vty lines to use the locally defined login accounts and configure the transport input command to allow Telnet.
R1-S0000(config)# line vty 0 4
R1-S0000(config-line)# login local
R1-S0000(config-line)# transport input telnet
R1-S0000(config-line)# exit
d. From PC-A, telnet to R1 again.
PC-A> telnet 192.168.1.1
Were you prompted for a user account? Explain.
e. Log in as user01 with a password of user01pass.
f. While connected to R1 via Telnet, access privileged EXEC mode with the enable command. What password did you use?
g. For added security, set the aux port to use the locally defined login accounts.
R1-S0000(config)# line aux 0
R1-S0000(config-line)# login local
h. End the Telnet session with the exit command.
Step 4: Save the configuration on R1. Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1-S0000# copy running-config startup-config
Step 5: Perform steps 1 through 4 on R3 and save the configuration. Save the running configuration to the startup configuration from the privileged EXEC prompt.