Cisco CCNP ISCW Exam Tutorial

The Importance Of Finishing What You Start With AAA

By Chris Bryant, CCIE #12933

Learning the ins and outs of AAA authentication is an important part of your CCNP certification studies, especially for the ISCW exam. AAA commands can be long, but it's the shortest AAA command of all that gets you started - and that's also the one that can prevent you from logging back in to a router that you previously had access to!

We'll use this network to illustrate:

(Figure: CCNP Practice Network For AAA Lab)

These routers are directly connected at their S1 interfaces, and R3 is configured with a vty password of tuco. To allow users to enter privileged EXEC mode (privilege level 15), we'll use an enable secret of CCNP.

No username is configured on R3 for vty access, so when we telnet to R3 from R1, we will be prompted only for the vty password.  When we run the enable command, we'll be prompted for the enable secret password.

R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open


User Access Verification

Password:    (vty password of tuco)
R3>en
Password:    (enable secret password of CCNP)
R3#

And all is well!  Now we'll start configuring AAA on R3 via the telnet connection.  The first step is to run the aaa new-model command.

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#aaa new-model

At this point, we're interrupted for some reason and need to leave, so we save the config on R3 before logging out. (Never walk away from a live telnet session.)

R3#wr
Building configuration...
[OK]
R3#logout

[Connection to 172.12.13.3 closed by foreign host]

R1#

Once lunch -- I mean, the interruption is over, we'll log back in to R3 from R1.

R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open


User Access Verification

Username:

Hmm... we weren't asked for a username when we previously telnetted to R3. Let's try both the vty password and the enable secret as the username.

R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open


User Access Verification

Username:
% Username:  timeout expired!
Username: tuco
Password:
% Access denied

Username: CCNP
Password:
% Access denied

[Connection to 172.12.13.3 closed by foreign host]

A couple of things to note...

One authentication attempt timed out in the time it took me to cut and paste that configuration.

When a username/password authentication attempt failed - here, two of them did - we were not told whether it was the username, password, or both that were bad.

Finally, we were denied access to a router we could log into before the interruption.

The problem here is that we're being asked for a username that doesn't actually exist!

Once you enable AAA, you've got to define the authentication methods immediately afterwards. The aaa new-model command switches the vty lines from the line password to AAA's default login method, which is local authentication, and with no username configured on R3 there is nothing to authenticate against. Right now, no one can successfully telnet to that router, and someone's going to have to connect to it via the console port and finish the configuration.
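As an added example (not code from the article), here is a small Python pre-change check that reads an IOS running-config and reports whether aaa new-model is present without a login method that can actually succeed. The two config fragments are constructed to mirror R3 before and after a fix; the username netops and its secret are placeholders, and the IOS behaviour the check assumes is stated in the docstring.

```python
import re

# Constructed running-config fragments modelled on the article's R3 (not captured
# from a real device); the username and its secret are placeholders.
R3_AFTER_NEW_MODEL = """\
hostname R3
enable secret CCNP
aaa new-model
line vty 0 4
 password tuco
 login
"""
R3_FIXED = """\
hostname R3
enable secret CCNP
username netops secret PLACEHOLDER-secret
aaa new-model
aaa authentication login default local
"""

def vty_login_check(config: str) -> dict:
    """Say whether remote (vty) logins can still succeed with this config.

    Assumed IOS behaviour (the gotcha in the article): once 'aaa new-model' is
    present, lines ignore their own 'password'/'login' and use the AAA 'default'
    login list; with no such list IOS uses 'local', so a 'username' must exist.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    users = [ln.split()[1] for ln in lines if ln.startswith("username ")]
    if "aaa new-model" not in lines:
        return {"aaa": False, "lockout": False, "reason": "line passwords in use"}
    lists = {}
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", ln)
        if m:
            lists[m.group(1)] = m.group(2).split()
    methods = lists.get("default", ["local"])  # no default list => implicit 'local'
    if "none" in methods:
        return {"aaa": True, "lockout": False, "reason": "'none': no authentication at all"}
    if "group" in methods:  # 'group tacacs+' / 'group radius'
        ok = "local" in methods and bool(users)
        return {"aaa": True, "lockout": False, "reason": "server group; " +
                ("local fallback present" if ok else "no usable local fallback")}
    if "local" in methods and users:
        return {"aaa": True, "lockout": False, "reason": f"local users: {users}"}
    if "enable" in methods and any(ln.startswith("enable secret") for ln in lines):
        return {"aaa": True, "lockout": False, "reason": "enable secret serves as login password"}
    kind = "explicit" if "default" in lists else "implicit"
    return {"aaa": True, "lockout": True,
            "reason": f"{kind} default list {methods} needs a username but none is configured"}
```

Run it against a saved running-config before typing aaa new-model on a remote session; a "lockout": True result means the local user (or a method list) has to go in first.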

We'll finish that configuration in the next installment of my CCNP ISCW exam tutorial series -- and in the meantime, purchase your copy of my ISCW Study Package or The Ultimate CCNP Study Package Bundle, which covers all four CCNP exams, and be totally prepared for CCNP exam success!

To your success,

Chris Bryant

CCIE #12933

chris@thebryantadvantage.com