Securing Administrative Access Using AAA And RADIUS: Configuration Guide

Objective

                                                     


In this lab, you will perform the following tasks:

Part 1: Configure Basic Device Settings

• Configure basic settings such as host name, interface IP addresses, and access passwords

• Configure static routing.


Part 2: Configure Local Authentication

• Configure a local database user and local access for the console, vty, and aux lines.

• Test the configuration.

Part 3: Configure Local Authentication Using AAA

• Configure the local user database using Cisco IOS.

• Configure AAA local authentication using Cisco IOS.

• Test the configuration.

Part 4: Configure Centralized Authentication Using AAA and RADIUS

• Install a RADIUS server on a computer.

• Configure users on the RADIUS server.

• Use Cisco IOS to configure AAA services on a router to access the RADIUS server for authentication.

• Test the AAA RADIUS configuration.

Task 1: Configure Basic Device Settings 

The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using the GNS3 software.

In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.

All steps should be performed on routers R1 and R3. Only steps 1, 2, 3 and 6 need to be performed on R2.

The procedure for R1 is shown here as an example.

Step 1: Deploy the routers in the GNS3 network. Attach the devices as shown in the topology diagram, and connect them as necessary.

Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology plus your student ID.

b. Configure interface IP addresses as shown in the IP Addressing Table.

R1 Config

R1-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1-S0000(config)#interface f0/1

R1-S0000(config-if)#ip address 192.168.1.1 255.255.255.0

R1-S0000(config-if)#no shutdown

R1-S0000(config-if)#exit

R1-S0000(config)#interface s0/0

R1-S0000(config-if)#ip address 10.1.1.1 255.255.255.252

R1-S0000(config-if)#no shutdown

R1-S0000(config-if)#exit

R1-S0000(config)#exit

R1-S0000#copy running-config startup-config

Destination filename [startup-config]?

R3 Config

R3-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3-S0000(config)#interface f0/1

R3-S0000(config-if)#ip address 192.168.3.1 255.255.255.0

R3-S0000(config-if)#no shutdown

R3-S0000(config-if)#exit

R3-S0000(config)#interface s0/1

R3-S0000(config-if)#ip address 10.2.2.1 255.255.255.252

R3-S0000(config-if)#no shutdown

R3-S0000(config-if)#exit

R3-S0000(config)#exit

R3-S0000#copy running-config startup-config

Destination filename [startup-config]?

R2 Config

R2-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2-S0000(config)#interface s0/0

R2-S0000(config-if)#ip address 10.1.1.2 255.255.255.252

R2-S0000(config-if)#no shutdown

R2-S0000(config-if)#exit

R2-S0000(config)#interface s0/1

R2-S0000(config-if)#ip address 10.2.2.2 255.255.255.252

R2-S0000(config-if)#no shutdown

R2-S0000(config-if)#exit

R2-S0000(config)#exit

R2-S0000#copy running-config startup-config

Destination filename [startup-config]?

c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface.

R1-STUDENTID is shown here as an example.

R1-S0000# conf t

R1-S0000(config)# interface S0/0

R1-S0000(config-if)# clock rate 64000

R1-S0000(config-if)# exit

R1-S0000(config)# exit

R3:

R3-S0000# conf t

R3-S0000(config)# interface S0/1

R3-S0000(config-if)# clock rate 64000

R3-S0000(config-if)# exit

R3-S0000(config)# exit

R2:

R2-S0000# conf t

R2-S0000(config)# interface S0/0

R2-S0000(config-if)# clock rate 64000

R2-S0000(config-if)# exit

R2-S0000(config)# interface S0/1

R2-S0000(config-if)# clock rate 64000

R2-S0000(config-if)# exit

d. To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. R1-STUDENTID is shown here as an example.

R1-STUDENTID(config)# no ip domain-lookup

R2-STUDENTID(config)# no ip domain-lookup

R3-STUDENTID(config)# no ip domain-lookup

Step 3: Configure static routing on the routers.

a. Configure a static default route from R1 to R2 and from R3 to R2.

R1:

R1-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1-S0000(config)#ip route 0.0.0.0 0.0.0.0 S0/0

R1-S0000(config)#end

R3:

R3-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3-S0000(config)#ip route 0.0.0.0 0.0.0.0 S0/1

R3-S0000(config)#end

b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.

R2:

R2-S0000#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2-S0000(config)#ip route 192.168.1.0 255.255.255.0 S0/0

R2-S0000(config)#ip route 192.168.3.0 255.255.255.0 S0/1

R2-S0000(config)#end

Step 4: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP Addressing Table.

Deploy VPCS A: Connect Switch Port 8 to R1 f0/1

PCA> ip 192.168.1.2/24 192.168.1.1

PCA> save

Deploy VPCS C: Connect Switch Port 8 to R3 f0/1

PCC> ip 192.168.3.2/24 192.168.3.1

PCC> save

Step 5: Verify connectivity between PC-A and R3.

a. Ping from R1 to R3.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and functioning correctly.

If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.

Step 6: Save the basic running configuration for each router.

Step 7: Configure and encrypt passwords on R1 and R3.

Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.

For this step, configure the same settings for R1-S0000 and R3. Router R1-S0000 is shown here as an example.

a. Configure a minimum password length.

Use the security passwords command to set a minimum password length of 10 characters.

R1-S0000(config)# security passwords min-length 10

R3-S0000(config)# security passwords min-length 10

b. Configure the enable secret password on both routers.

Use the type 9 (SCRYPT) hashing algorithm.

R1-S0000(config)# enable algorithm-type scrypt secret cisco12345

R3-S0000(config)# enable algorithm-type scrypt secret cisco12345

Step 8: Configure the basic console, auxiliary port, and vty lines.

a. Configure a console password and enable login for router R1-S0000. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec timeout can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

R1-S0000(config)# line console 0

R1-S0000(config-line)# password ciscoconpass

R1-S0000(config-line)# exec-timeout 5 0

R1-S0000(config-line)# login

R1-S0000(config-line)# logging synchronous

R1-S0000(config-line)# exit

b. Configure a password for the aux port for router R1.

R1-S0000(config)# line aux 0

R1-S0000(config-line)# password ciscoauxpass

R1-S0000(config-line)# exec-timeout 5 0

R1-S0000(config-line)# login

R1-S0000(config-line)# exit

c. Configure the password on the vty lines for router R1.

R1-S0000(config)# line vty 0 4

R1-S0000(config-line)# password ciscovtypass

R1-S0000(config-line)# exec-timeout 5 0

R1-S0000(config-line)# login

R1-S0000(config-line)# exit

d. Encrypt the console, aux, and vty passwords.

R1-S0000(config)# service password-encryption

R1-S0000(config)# exit

e. Issue the show run command. Can you read the console, aux, and vty passwords? Explain.

Step 9: Configure a login warning banner on routers R1 and R3.

a. Configure a warning to unauthorized users using a message-of-the-day (MOTD) banner with the banner motd command. When a user connects to the router, the MOTD banner appears before the login prompt.

In this example, the dollar sign ($) is used to start and end the message.

R1-S0000(config)# banner motd $Unauthorized access strictly prohibited!$

R1-S0000(config)# exit

R3-S0000(config)# banner motd $Unauthorized access strictly prohibited!$

R3-S0000(config)# exit

R2-S0000(config)# banner motd $Unauthorized access strictly prohibited!$

R2-S0000(config)# exit

b. Exit privileged EXEC mode by using the disable or exit command and press Enter to get started. If the banner does not appear correctly, re-create it using the banner motd command.

Step 10: Save the basic configurations on all routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

R1-S0000# copy running-config startup-config

R3-S0000# copy running-config startup-config

R2-S0000# copy running-config startup-config

Part 2: Configure Local Authentication

In Part 2 of this lab, you configure a local username and password and change the access for the console, aux, and vty lines to reference the router’s local database for valid usernames and passwords. Perform all steps on R1 and R3. The procedure for R1 is shown here.

Step 1: Configure the local user database.

a. Create a local user account with a hashed password. Use the type 9 (SCRYPT) hashing algorithm.

R1-S0000(config)# username user01 algorithm-type scrypt secret user01pass

b. Exit global configuration mode and display the running configuration. Can you read the user’s password?

Step 2: Configure local authentication for the console line and login.

a. Set the console line to use the locally defined login usernames and passwords.

R1-S0000# conf t

R1-S0000(config)# line console 0

R1-S0000(config-line)# login local

b. Exit to the initial router screen that displays:

R1-S0000 con0 is now available.

Press RETURN to get started.

R1-S0000(config-line)# exit

R1-S0000(config)# exit

R1-S0000# exit

c. Log in using the user01 account and password previously defined. What is the difference between logging in at the console now and previously?

d. After logging in, issue the show run command. Were you able to issue the command? Explain.

Enter privileged EXEC mode using the enable command. Were you prompted for a password? Explain.

Step 3: Test the new account by logging in from a Telnet session.

a. From PC-A, establish a Telnet session with R1.

b. Deploy cloud from End devices and

                                                            

c. Configure interface F0/0 on R1-S0000 and set its IP address according to your local network.

d. Download PuTTY and telnet to R1-S0000.

telnet 192.168.x.x

OR Telnet from R2.

R2-S0000> telnet 10.1.1.1

e. Were you prompted for a user account? Explain.

f. Set the vty lines to use the locally defined login accounts and configure the transport input command to allow Telnet.

R1-S0000(config)# line vty 0 4

R1-S0000(config-line)# login local

R1-S0000(config-line)# transport input telnet

R1-S0000(config-line)# exit

g. From PC-A, telnet to R1 again.

PC-A> telnet 192.168.1.1

Were you prompted for a user account? Explain.

h. Log in as user01 with a password of user01pass.

i. While connected to R1 via Telnet, access privileged EXEC mode with the enable command. What password did you use?

j. For added security, set the aux port to use the locally defined login accounts.

R1-S0000(config)# line aux 0

R1-S0000(config-line)# login local

k. End the Telnet session with the exit command.

Step 4: Save the configuration on R1.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

R1-S0000# copy running-config startup-config

Step 5: Perform steps 1 through 4 on R3 and save the configuration. Save the running configuration to the startup configuration from the privileged EXEC prompt. 
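
The following is an added example, not part of the original lab: a short Python check that reads show running-config output and flags the administrative-access weaknesses touched on in Parts 1 and 2 (secrets not stored as type 9, line passwords, login without local, a disabled exec-timeout, Telnet on the vty lines). The sample configuration and its placeholder hash strings are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; hash strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER
username user01 secret 9 $9$PLACEHOLDER
line con 0
 exec-timeout 0 0
 password 7 PLACEHOLDER
 login
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet
"""

def audit(config):
    """Return (section, finding) pairs for weak administrative-access settings."""
    findings, section = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command starts a new section
            section = line if line.startswith("line ") else "global"
        m = re.match(r"(enable|username \S+)\b.*\bsecret (\d+) ", line)
        if m and m.group(2) != "9":
            findings.append((m.group(1), f"secret stored as type {m.group(2)}, not type 9 (scrypt)"))
        if section == "global":
            continue
        if line.startswith("password "):
            findings.append((section, "line password present (type 7 encoding is reversible)"))
        if line == "login":
            findings.append((section, "authenticates with the line password, not the local user database"))
        if line == "exec-timeout 0 0":
            findings.append((section, "idle timeout disabled"))
        if line.startswith("transport input") and re.search(r"\b(telnet|all)\b", line):
            findings.append((section, "Telnet allowed; credentials cross the network unencrypted"))
    if "security passwords min-length" not in config:
        findings.append(("global", "no minimum password length configured"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run it against a saved copy of each router's running configuration after Step 4; a line still reported with "authenticates with the line password" has not been switched to login local.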
