Computer Network | AAA (authentication) configuration (locally)

Prerequisite – AAA (Authentication, Authorization and Accounting)
To provide security to access network resources, AAA is used. AAA is a standard based framework used to control who is permitted to use network resources (through authentication), what they are authorised to do (through authorization) and capture the actions performed while accessing the network (through accounting).

AAA can be implemented by using the local database (running configuration of the device) or by using an external ACS server. Here, we will talk about the AAA configuration on the device locally only.

AAA configuration –
Now, in this example, we are configuring AAA Authentication on router.It includes following steps:-
1. Enable AAA on router

router1(config)#aaa new-model

AAA is enabled by the command aaa new-model .

2. Create default authentication list –

router1(config)#aaa authentication 
                     login default local

It enabled by the command aaa authentication login default local.
In this command, default means we will Use the default method list and local Means we will use the local database.

3. Apply the list to vty lines –

router1(config)#line vty 0 4
router1(config)#login authentication default

After creating the default method list, we have to apply it to the vty lines so that whenever some user try to access the router through SSH or telnet, the user has to provide credentials which are configured.

4. Creating local user on the router –

router1(config)#username GeeksforGeeks 
           privilege 15 password saurabh 

This is the most important step as we have to create a local database in which we provide the username (as geeksforgeeks), privilege level 15 and password (as saurabh).

Note – The default method list we have applied on the vty lines will force the user (who wants to access the router) to enter these credentials when he wants to take remote access through telnet or ssh.

5. Debugging aaa authentication –
we can see the AAA authentication messages through the command ”debug aaa authentication”.

router1#debug aaa authentication 

 router2# telnet 10_1_1_1
Trying 10_1_1_1 .... Open
User Access Verification
Username: geeksforgeeks

Now, we will telnet the router1 (ip address- from router2 (ip address – and it will ask for the credentials as shown in the figure.

As soon as the user enters the credentials, we can see the authentication messages. In addition to this, if we want to apply a banner before asking for credentials, we can apply it using the command shown.

router1(config)#aaa authentication 
        banner " welcome to our network" 

If we want to add username and password prompt, we can apply it by using the command shown below.

router1(config)#aaa authentication 
       username-prompt "enter your username" 
router1(config)#aaa authentication 
       password-prompt "enter your password" 

Also, if we want to show a message when the credentials entered by the user are wrong then we can show that by using the command shown below.

router1(config)#aaa authentication 
 fail-message "wrong username or password. 
  Please try again..." 

Also, we can limit the number of attempts a user can enter wrong credentials. After the 3rd attempt to enter the credentials, the session will be automatically terminated.

router1(config)#aaa authentication 
       attempts login 3

This article is attributed to GeeksforGeeks.org

leave a comment



load comments

Subscribe to Our Newsletter