Thursday, 19 November 2015

RADIUS

RADIUS makes a device consult/ask/query a 'boss' about someone's credentials: "Boss, are these valid or not valid?"

It is slightly hard or complex to set up just because it has many steps. So, be patient.

Summary steps
1. Configure a device so it knows who the 'boss' is and how to authenticate users.
2. Configure the boss so it knows who its employees are.
3. Try to telnet to that device.

So there are 3 components in this system:
1. The boss, or employer, or radius-server in this case.
2. The employee, or switch/router in this case.
3. And the user, or PC.

We call the radius-server the employer or the 'boss' in this case, the network device the employee, and the person who wants to telnet into that network device (the employee) the user.

On any network device or employee, set up the below (aaa new-model has to be entered first, and the key on the radius-server line must be the same one the 'boss' is configured with):
R1(config)# aaa new-model
R1(config)# radius-server host 192.168.2.2 key aloh@
R1(config)# aaa authentication login RADIUS group radius local
R1(config)# line vty 0 15
R1(config-line)# login authentication RADIUS
R1(config-line)# end
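To show what the "Boss, is it valid?" question actually looks like on the wire, here is an added example that is not part of the original post or of Packet Tracer: a minimal RFC 2865 Access-Request/Access-Accept exchange run in-process (no UDP socket). The shared key aloh@ and the account Totz / Perjuangan9 are the lab values from this post; the in-memory user table stands in for the 'boss' AAA user list and everything else is constructed. It shows why the key must match on both sides: the employee only believes a reply whose Response Authenticator was computed with its own key.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Values from the post's lab: the key on 'radius-server host ... key aloh@'
# and the account typed at the telnet prompt. USER_DB stands in for the
# 'boss' AAA user list (constructed, not a real server).
SHARED_SECRET = b"aloh@"
USER_DB = {"Totz": "Perjuangan9"}


def _attr(atype, value):
    """Encode one attribute as Type, Length (header bytes included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the NUL padding is stripped afterwards."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=1):
    """Employee side: 'Boss, is this valid?' Returns the packet and its Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def handle_access_request(packet, secret, user_db):
    """Boss side: check the credentials and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD)
    ok = False
    if code == ACCESS_REQUEST and hidden is not None and name in user_db:
        ok = hmac.compare_digest(user_db[name].encode(),
                                 reveal_password(hidden, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # The Response Authenticator binds the answer to this request and to the shared key.
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_response(response, req_auth, secret):
    """Employee side: trust the boss's answer only if the Response Authenticator checks out."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None  # forged reply or mismatched key: treated like no answer at all
    return header[0]


def authenticate(username, password, device_key, server_key, user_db=USER_DB):
    """Run the whole exchange in-process and return the verified reply code (or None)."""
    request, req_auth = build_access_request(username, password, device_key)
    response = handle_access_request(request, server_key, user_db)
    return verify_response(response, req_auth, device_key)


if __name__ == "__main__":
    print("Totz / Perjuangan9:", authenticate("Totz", "Perjuangan9", SHARED_SECRET, SHARED_SECRET))
    print("Totz / wrong:", authenticate("Totz", "wrong", SHARED_SECRET, SHARED_SECRET))
    print("key mismatch:", authenticate("Totz", "Perjuangan9", SHARED_SECRET, b"typo"))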

And, on the 'boss'/employer, set this up by:
1. Click on the Server icon
2. Click on the Config tab
3. Click on the AAA menu
4. And start to fill it in like this:

Picture 1

Now, on the user, set this up by:
1. Click on the PC2 icon
2. Click the Command Prompt menu
3. Type this: telnet 192.168.4.1
4. And fill it in like this:
Username: Totz
Password: Perjuangan9

Just like the picture below:

Of course, the fundamental thing for this system is that the employee(s), or R1 in this case, must first be able to ping the RADIUS server successfully. Otherwise the RADIUS system will fail and user authentication will fall back to each device's local username and password method.

So, first try to ping the 'boss'/employer RADIUS server from R1 or any network device employee, like below:
R1#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

When you get that result/output, you are safe. Otherwise you need to troubleshoot why it fails.
As a second step, make sure there is nothing that blocks your connection to the 'boss' on port 1654.

We already solve/mitigate/prepare for this issue by adding the keyword 'local' to the authentication list definition (step 3). Without this 'local' keyword, authentication would just fail with no second method or plan B available to our system/network. So in effect, without the 'local' keyword, the user will be unable to enter/telnet into the router (R1) until the RADIUS server is back online/pingable again.
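Because a missing 'local' fallback, a missing shared key, or a vty line pointing at an undefined list are the usual reasons this lab locks people out, here is an added example (written for this page, not part of the original post or of Cisco IOS) that audits a saved running-config for exactly those points. SAMPLE_OK mirrors the R1 configuration from this post; SAMPLE_WEAK is a constructed variant with the 'local' keyword and the key removed. Note that the RADIUS protocol itself runs over UDP, standard port 1812 for authentication and 1813 for accounting (older deployments use 1645/1646), so whatever you allow through between the employee and the boss has to cover the port the server is actually listening on.

```python
import re

# Constructed sample configs. SAMPLE_OK mirrors the post's R1 configuration;
# SAMPLE_WEAK is the same with the 'local' fallback and the shared key removed.
SAMPLE_OK = """\
aaa new-model
radius-server host 192.168.2.2 key aloh@
aaa authentication login RADIUS group radius local
line vty 0 15
 login authentication RADIUS
"""

SAMPLE_WEAK = """\
aaa new-model
radius-server host 192.168.2.2
aaa authentication login RADIUS group radius
line vty 0 15
 login authentication RADIUS
"""


def parse_ios(config):
    """Split an IOS-style config into top-level lines and the children of 'line ...' sections.
    Indented lines under anything other than 'line ...' are simply treated as top-level."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith("line ") else None
        if current is not None:
            sections.setdefault(current, [])
    return top, sections


def method_list(spec):
    """'group radius local' -> ['group radius', 'local'] (a 'group' token consumes the next word)."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config):
    """Return a list of findings; an empty list means the RADIUS login setup looks sound."""
    findings = []
    top, sections = parse_ios(config)
    if "aaa new-model" not in top:
        findings.append("missing 'aaa new-model': named login lists are not applied")
    servers = [l for l in top if l.startswith("radius-server host ")]
    if not servers:
        findings.append("no 'radius-server host' defined")
    for s in servers:
        if " key " not in s:
            findings.append(f"'{s}': no shared key, the boss will discard the request")
    lists = {}
    for l in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            lists[m.group(1)] = method_list(m.group(2))
    for name, methods in lists.items():
        if "group radius" not in methods:
            findings.append(f"list '{name}': RADIUS is not one of its methods")
        if "local" not in methods:
            findings.append(f"list '{name}': no 'local' fallback, logins fail while RADIUS is unreachable")
        elif "group radius" in methods and methods.index("local") < methods.index("group radius"):
            findings.append(f"list '{name}': 'local' is tried before RADIUS, so the boss is not consulted first")
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        refs = [c.split()[-1] for c in children if c.startswith("login authentication ")]
        if not refs:
            findings.append(f"'{header}': no 'login authentication', the 'default' list is used instead")
        for r in refs:
            if r not in lists:
                findings.append(f"'{header}': references undefined list '{r}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post config", SAMPLE_OK), ("weakened", SAMPLE_WEAK)):
        print(label + ":", audit_aaa(cfg) or "OK")
```

Feed it the output of show running-config from a lab device and the findings list tells you before the RADIUS server goes down whether you would still be able to get in.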

By the way, to simulate the RADIUS server going down, you can turn the AAA service 'off' (see picture 1); when the user then tries to enter/telnet/ssh into the router and fills in the username and password, the login process will return: % Login invalid.

And here is the pkt file: https://drive.google.com/open?id=0B5Sl0ZstVGYFYnNlTVBYVnFBVzQ


