Prerequisite – AAA (Authentication, Authorization and Accounting)
AAA is used to secure access to network resources. It is a standards-based framework that controls who is permitted to use network resources (authentication), what they are allowed to do once connected (authorization), and records the actions performed while accessing the network (accounting).
AAA can be implemented using the local database (the usernames held in the device's running configuration) or an external AAA server such as Cisco Secure ACS, reached over RADIUS or TACACS+. Here we cover only AAA configured locally on the device.
AAA configuration –
In this example, we configure AAA authentication on a router. It involves the following steps:
1. Enable AAA on the router –
AAA is enabled with the command aaa new-model. Once this is entered, every line (the console included) authenticates through the default method list, so make sure a local user exists before ending your current session, or keep that session open until the configuration is complete; otherwise you can lock yourself out of the device.
2. Create the default authentication list –
router1(config)#aaa authentication login default local
In this command, default names the default method list and local means the local user database is the (only) authentication method.
3. Apply the list to the vty lines –
router1(config)#line vty 0 4
router1(config-line)#login authentication default
router1(config-line)#exit
After creating the default method list, we apply it to the vty lines so that any user who connects to the router over SSH or Telnet must supply the configured credentials. Note that Telnet carries those credentials in cleartext; in practice the vty lines should accept SSH only.
4. Create a local user on the router –
router1(config)#username GeeksforGeeks privilege 15 password saurabh
This is the most important step, as it creates the local database entry: the username (GeeksforGeeks), privilege level 15 and the password (saurabh). The command as written uses password, which stores the string in cleartext (or reversibly obfuscated as type 7 if service password-encryption is on); on current IOS use secret instead so that only a salted hash is stored.
Note – The default method list applied to the vty lines forces any user who wants remote access to the router through Telnet or SSH to enter these credentials.
5. Debugging AAA authentication –
We can see the AAA authentication messages with the command debug aaa authentication (turn it off again with undebug all once finished, as debugging adds load on a production device).
router1#debug aaa authentication
Now we telnet to router1 (IP address 10.1.1.1/24) from router2 (IP address 10.1.1.2/24), and router1 prompts for credentials:
router2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Username: geeksforgeeks
Password:
router1>
Note that the session lands at the router1> user EXEC prompt even though the account was created with privilege 15: without an exec authorization method list (aaa authorization exec), AAA does not apply the privilege level from the username command to the session.
As soon as the user enters the credentials, the authentication messages appear in the debug output. In addition, if we want to display a banner before the credentials are requested, we can configure it with the command shown (the first character after the keyword banner, here the double quote, is the delimiter that marks the start and end of the text).
router1(config)#aaa authentication banner " welcome to our network"
If we want to customise the username and password prompts, we can do so with the commands shown below.
router1(config)#aaa authentication username-prompt "enter your username"
router1(config)#aaa authentication password-prompt "enter your password"
Also, if we want to show a message when the user enters wrong credentials, we can set it with the command shown below.
router1(config)#aaa authentication fail-message "wrong username or password. Please try again..."
Also, we can limit the number of consecutive failed login attempts. With the value 3 (which is also the IOS default), the session is terminated after the third failed attempt.
router1(config)#aaa authentication attempts login 3
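To check that a device actually ends up in the state the steps above describe, the following Python script audits a Cisco IOS running-config excerpt for the local AAA login setup: AAA enabled, a default login list that uses local, local users stored with secret rather than password, vty lines that reference a defined list and accept SSH only, and the login attempt limit. This is an added example, not code from the original article or from Cisco. The two sample configurations are constructed for the demonstration (the hash in the hardened one is a placeholder), and the check names and finding texts are my own.

```python
"""Audit a Cisco IOS running-config excerpt for the local AAA login setup.

Added example: the sample configs are constructed, the checks are my own.
"""
import re

# Constructed sample: the device exactly as the steps in the article leave it.
AS_CONFIGURED = """\
aaa new-model
aaa authentication login default local
aaa authentication attempts login 3
username GeeksforGeeks privilege 15 password saurabh
line vty 0 4
 login authentication default
 transport input telnet ssh
"""

# Constructed sample: same device with 'secret' and SSH-only vty lines.
# The hash is a placeholder, not a real type 9 digest.
HARDENED = """\
aaa new-model
aaa authentication login default local
aaa authentication attempts login 3
username GeeksforGeeks privilege 15 secret 9 <hash-redacted>
line vty 0 4
 login authentication default
 transport input ssh
"""


def parse_ios(config):
    """Split an IOS config into top-level commands and 'line' blocks.

    IOS indents a mode's sub-commands one space under the parent command.
    Returns (top_level_commands, {line_command: [sub_commands]}).
    """
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # sub-command of the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        if cmd.startswith("line "):      # only line blocks are kept
            current = cmd
            blocks.setdefault(cmd, [])
        else:
            current = None
    return top, blocks


def audit_aaa_login(config):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_ios(config)
    findings = []

    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: AAA is not enabled (step 1)")

    # Method lists: aaa authentication login <name> <method> [<method> ...]
    lists = {}
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    if "default" not in lists:
        findings.append("no 'aaa authentication login default' list defined (step 2)")
    for name, methods in lists.items():
        if methods == ["none"]:
            findings.append(f"login list '{name}' uses 'none': no authentication at all")

    # Local users: username <name> [privilege N] password|secret ...
    users = {}
    for cmd in top:
        m = re.match(r"username (\S+)(?: privilege (\d+))? (password|secret)\b", cmd)
        if m:
            users[m.group(1)] = m.group(3)
    if not users and any("local" in m for m in lists.values()):
        findings.append("no local users but a list uses 'local': remote logins will lock out")
    for user, keyword in users.items():
        if keyword == "password":
            findings.append(f"username {user} uses 'password' (cleartext/type 7); use 'secret'")

    # vty lines: the applied list must exist and Telnet should be disabled.
    for line, subs in blocks.items():
        if not line.startswith("line vty"):
            continue
        applied = next((s.split()[2] for s in subs
                        if s.startswith("login authentication ")), "default")
        if applied not in lists:
            findings.append(f"{line}: login authentication '{applied}' is not a defined list")
        transport = next((s.split()[2:] for s in subs
                          if s.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{line}: no 'transport input' set; restrict it to ssh")
        elif "telnet" in transport or "all" in transport:
            findings.append(f"{line}: Telnet allowed (cleartext credentials); use 'transport input ssh'")

    if not any(c.startswith("aaa authentication attempts login") for c in top):
        findings.append("no 'aaa authentication attempts login' set; IOS default of 3 applies")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as configured", AS_CONFIGURED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in audit_aaa_login(cfg) or ["no findings"]:
            print(" -", finding)
```

Run the script as-is to compare the two samples, or paste the output of show running-config | section aaa|username|line into a file and pass its contents to audit_aaa_login. The parser keeps only line blocks on purpose; extend parse_ios if you also want to inspect interface or other nested sections.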