Packet Tracer file (PT Version 7.1): https://goo.gl/eTvXLq
Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN
Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course).
For lots more content, visit http://www.davidbombal.com – learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.
Two prominent security protocols used to control access into networks are Cisco TACACS+ and RADIUS. The RADIUS specification is described in RFC 2865, which obsoletes RFC 2138. Cisco is committed to supporting both protocols with the best of class offerings. It is not the intention of Cisco to compete with RADIUS or influence users to use TACACS+. You should choose the solution that best meets your needs. This document discusses the differences between TACACS+ and RADIUS, so that you can make an informed choice.
Cisco has supported the RADIUS protocol since Cisco IOS® Software Release 11.1 in February 1996. Cisco continues to enhance the RADIUS Client with new features and capabilities, supporting RADIUS as a standard.
Cisco seriously evaluated RADIUS as a security protocol before it developed TACACS+. Many features were included in the TACACS+ protocol to meet the needs of the growing security market. The protocol was designed to scale as networks grow, and to adapt to new security technology as the market matures. The underlying architecture of the TACACS+ protocol complements the independent authentication, authorization, and accounting (AAA) architecture.
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
TCP usage provides a separate acknowledgment (the TCP ACK) that a request has been received, within approximately one network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Okay, so let’s see if we can complete this lab.
We’re told to configure the TACACS and RADIUS server as follows.
So on the AAA server, we need to enable the AAA service and then we need to specify our clients. The first client is router 1; that’s going to use this IP address, and we will configure the router in a moment. The secret password that we’ll use here is cisco. The protocol used is TACACS. I’m going to click Add to add that client.
The next client is router 2; the IP address is 10.1.1.253.
The password used is cisco and in this case it needs to be RADIUS. Switch 1: the client IP address is 10.1.1.252 and the secret will be cisco. This device is going to use TACACS.
We then need to add a user; the username is David and the password is cisco. So that’s the server configured. The server has an IP address, once again, of 10.1.1.250.
The first device we need to configure is router 1. Here’s router 1. It’s just booted up. It’s asking us whether we want to enter the initial configuration dialog. We don’t want to do that. So I’m going to say no. I’ll configure the router with a hostname of R1.
So we’re told to configure AAA for login and enable using TACACS with server 10.1.1.250.
Now before we can do that, we need to make sure we have IP connectivity. So I’m going to configure the router with an IP address on gigabit 0/0/0 and I’m going to no shut the interface. That’s per our network topology and we’ve been given the IP address of the TACACS client. So we know the router needs to be configured with this IP address.
So can the router ping the TACACS server 10.1.250? Yes it can.
So before we configure AAA, we need to ensure that we have IP connectivity on our devices.
I’ll do something similar while I’m here with router 2. So the hostname is router 2, interface gigabit 0/0/0, no shut, IP address 10.1.1.253 with a /24 mask.
Can we ping the AAA server?
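As an added example (not from the video, the Packet Tracer file or the Cisco document), here is the IOS configuration the lab asks for on R1 (login and enable via TACACS+) and the mirror of it on R2 via RADIUS, using the server address and shared key given above. R1's own interface address is not stated in the transcript, so it appears as a placeholder, and the local fallback account is an assumption, not part of the lab.

```cisco
! ---- R1: login and enable authentication via TACACS+ (server 10.1.1.250, key cisco) ----
hostname R1
!
interface GigabitEthernet0/0/0
! placeholder: R1's address comes from the topology and is not given in the transcript
 ip address <R1-IP-FROM-TOPOLOGY> 255.255.255.0
 no shutdown
!
aaa new-model
tacacs-server host 10.1.1.250 key cisco
! Assumption (not in the lab): a local account as the last method, so a TACACS+
! server that is down or unreachable does not lock administrators out of the box
username admin privilege 15 secret <strong-local-password>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
line vty 0 4
 login authentication default
!
! ---- R2: the same pattern via RADIUS (client address 10.1.1.253 as given in the lab) ----
hostname R2
!
interface GigabitEthernet0/0/0
 ip address 10.1.1.253 255.255.255.0
 no shutdown
!
aaa new-model
radius-server host 10.1.1.250 key cisco
username admin privilege 15 secret <strong-local-password>
aaa authentication login default group radius local
aaa authentication enable default group radius enable
!
line vty 0 4
 login authentication default
```

After pasting the configuration, log in from a second session as David/cisco before closing the one you configured from, and use `debug aaa authentication` on the router to watch which method list and server answered.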