Cisco AAA Radius Server Configuration on GNS3

In this tutorial I will explain shortly what is AAA and how to enable AAA on a Cisco router and some basic AAA authentication configuration. Please note that this is only about the router end configuration.

What is AAA?

AAA services are like a security package, which provides a massive security to a device.

AAA stands for Authentication, authorization and accounting.

Authentication: 

Validate who you are, instead of enable secret now u have username and password to login.

Authorization:  

Tells you what you can do. Define different user’s privileges and access levels. 

Accounting:  

Use for monitoring and for keeping history. Tracks what you did on a device.

By using AAA u can control PPP links, aux port, dialup modem, VTY, VPN access anything that required password.

AAA Protocols:

There are two famous protocols use for AAA services that are

ü  Radius

ü  Tacacs

Radius server is open standard where as Tacacs+ server is Cisco proprietary. You can also use the Microsoft Active directory services as AAA server.  

For AAA demonstration I have created the following topology in which R1 is enabled for AAA authentication. In first step I have created an AAA authentication group named “viki-group” in which I define server-group priority and  radius server address which is not present here but due to priority router first look for an Radius server and then authenticate user from their local database . Second step is enable AAA for your required service in my case I enabled it for VTY access.  

R1 config:

R1(config)#int s1/0

R1(config-if)#ip add 1.1.1.1 255.255.255.0

R1(config-if)#no shut

R1(config)#aaa new-model

R1(config)#aaa authentication login viki-login group radius local                 (Server priority)

R1(config)#radius-server host 192.168.1.1 key password                          (Server Address)

R1(config)#username viki password cisco                                               (Local user Database)

R1(config)#line vty 0 4

R1(config-line)#password cisco

R1(config-line)#login authentication viki-login                       (enable AAA for Telnet access)

R1(config-line)#ex

Radious Configuration:

Radious(config)#int s1/0

Radious(config-if)#ip add

Radious(config-if)#ip address 1.1.1.2 255.255.255.0

Radious(config-if)#no shu

Radious(config-if)#no shutdown

For verification telnet to 1.1.1.1 and now router authenticate you with a user name and password.

Site to Site VPN CLI configuration on Gns3:

What is a VPN?

A Virtual Private Network is a type of a connection that connects remote user s to their central office using internet. An IPSEC VPN is virtual tunnel through your public ISP network. VPN are highly encrypted and  secure connections.

PPTP vs OpenVPN

how to setup a vpn on Cisco:

This article is about the VPN site to site CLI configuration on GNS3, It’s not so much the commands.

 I shall divide these configurations into few parts to make it easy to understand i.e.

1.    Define isakmp policy and transform set:

Isakam is the protocol that allow all of keys exchange to happen automatically no need to manually configure the VPN. In this step we shall define authentication type, encryption type, hash. Lifetime and define what session keys are used.

2.      Create an ACl

Define interesting traffic using an access control list, this ACL is not for deny or permitting some IP addresses but it just says which addresses are encrypted     

3.      Set up cryto Map and assign this to interface: 

      In this step we shall tie up all piece so that we can apply to an interface

For site to site VPN configuration I have created the following lab in gns3, in this US and Pakistan are our end site routers and IPS cloud is representing the internet cloud but don’t confuse with this cloud this is a simple router with 7200 series IOS, I have changed the router symbol from gns3/edit/symbol manager to give real environment look to my topology. Complete configurations are given below. 

Us site config:

US(config)#int s1/0

US(config-if)#ip address 50.0.0.1 255.255.255.0

US(config-if)#no shut

US(config)#int loop 1

US (config-if)#ip address 10.1.1.1 255.255.255.0

US(config)#router rip

US(config-router)#version 2

US(config-router)#network 10.1.1.0

US(config-router)#network 50.0.0.0

US(config-router)#no auto-summary

Step-1 :

US(config)#crypto isakmp policy 7

US(config-isakmp)#authentication pre-share

US(config-isakmp)#encryption aes 128

US(config-isakmp)#group 2

US(config-isakmp)#hash sha

US(config-isakmp)#lifetime 100

US(config-isakmp)#ex

US(config)#crypto isakmp key 0 vpnkey address 192.168.1.1 no-xauth

 

US(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac

Step-2

US(config)#ip access-list extended vpn-acl

US(config-ext-nacl)# permit ip 50.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255

Step-3

US(config)#crypto map vpn-map 10 ipsec-isakmp

US(config-crypto-map)#set peer 192.168.1.1

US(config-crypto-map)#match address vpn-acl

US(config-crypto-map)#set transform-set vpntrans

 

US(config)#int s1/0

US(config-if)#cry

US(config-if)#crypto map vpn-map

ISP configuration:

ISP#conf t

ISP(config)#int s1/0

ISP(config-if)#ip add 50.0.0.2 255.255.255.0

ISP(config-if)#no shut

ISP(config-if)#ex

ISP(config)#int s1/1

ISP(config-if)#ip add 192.168.1.2 255.255.255.0

ISP(config-if)#no shut

ISP(config)#router ri

ISP(config-router)#version 2

ISP(config-router)#network 50.0.0.0

ISP(config-router)#network 192.168.1.0

ISP(config-router)#no auto-summary

Pakistan site config:

Step-1 :

Pakistan#conf t

Pakistan(config)#crypto isakmp policy 7

Pakistan(config-isakmp)# authentication pre-share
Pakistan(config-isakmp)#encryption aes 128

Pakistan(config-isakmp)# group 2

Pakistan(config-isakmp)# lifetime 100

Pakistan(config-isakmp)#crypto isakmp key 0 vpnkey address 50.0.0.1 no-xauth

Pakistan(cfg-crypto-trans)#ex

Pakistan(config)#crypto ipsec transform-set vpntrans esp-aes  esp-sha-hmac

Step-2

Pakistan(config)#ip access-list extended vpn-acl

Pakistan(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 50.0.0.0 0.0.0.255

Pakistan(config-ext-nacl)#ex

Step-3

Pakistan(cfg-crypto-trans)#crypto map vpn-map 10 ipsec-isakmp

Pakistan(config-crypto-map)# set peer 50.0.0.1

Pakistan(config-crypto-map)# set transform-set vpntrans

Pakistan(config-crypto-map)# match address vpn-acl

Pakistan(config)#interface Serial1/0

Pakistan(config-if)#crypto map vpn-map

Site to site VPN verfication Commands:

Show crypto isakam sa

 
 

Show crypto ipsec sa

Learn about “what is a vpn client“