The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document explains how to configure Authentication, Authorization, and Accounting (AAA) on a Cisco router with Radius or TACACS+ protocols. The goal of this document is not to cover all AAA features, but to explain the main commands and provide some examples and guidelines.
Refer to your AAA server documentation for the exact procedure used to configure the previous parameters. If the AAA server is not correctly configured, then AAA requests from the NAS can be ignored by the AAA server and the connection can fail.
The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
These authentication examples use Radius, login and Point-to-Point Protocol (PPP) authentication to explain concepts such as methods and named lists. In all the examples, TACACS+ can be substituted for Radius or local authentication.
The Cisco IOS software uses the first method listed to authenticate users. If that method fails to respond (indicated by an ERROR), the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.
It is important to note that the Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle, that is, if the AAA server or local username database responses are to deny the user access (indicated by a FAIL), the authentication process stops, and no other authentication methods are attempted.
All users are authenticated with the Radius server (the first method). If the Radius server does not respond, then the router local database is used (the second method). For local authentication, define the username name and password:
Because the list default in the aaa authentication login command is used, login authentication is automatically applied for all login connections (such as tty, vty, console and aux).
The CONSOLE list overrides the default method list default on line con 0. After this configuration on line con 0, you need to enter the password cisco to get console access. The default list is still used on tty, vty, and aux.
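Added example (mine, not Cisco code or IOS output): a small Python model of how IOS walks a login method list as described above, with group radius falling through to local only on no response (ERROR), a deny (FAIL) stopping the chain, and the named CONSOLE list overriding default on line con 0. The credentials and the helper names radius_group, local_database, line_password, login and build_lists are constructed for illustration.

```python
# Each method answers PASS, FAIL or ERROR. FAIL (a deny) ends the
# evaluation; ERROR (no response) falls through to the next method.
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]

def radius_group(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for 'group radius': unreachable -> ERROR."""
    def check(user: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if users.get(user) == password else FAIL
    return check

def local_database(users: Dict[str, str]) -> Method:
    """The router's 'username <name> password <pw>' entries; always responds."""
    def check(user: str, password: str) -> str:
        return PASS if users.get(user) == password else FAIL
    return check

def line_password(secret: str) -> Method:
    """The 'line' method: only the line password is checked, username ignored."""
    def check(_user: str, password: str) -> str:
        return PASS if password == secret else FAIL
    return check

def authenticate(methods: List[Method], user: str, password: str) -> str:
    """Try methods in order; stop at the first PASS or FAIL."""
    for method in methods:
        result = method(user, password)
        if result != ERROR:
            return result
    return ERROR  # every listed method was exhausted without a response

def login(line: str, lists: Dict[str, List[Method]], user: str, password: str) -> str:
    """A line uses its explicitly applied named list, otherwise 'default'."""
    return authenticate(lists.get(line, lists["default"]), user, password)

def build_lists(radius_up: bool) -> Dict[str, List[Method]]:
    """Mirror the page's setup: default = group radius, local; CONSOLE = line."""
    users = {"admin": "constructed-pw"}  # constructed sample credentials
    return {
        "default": [radius_group(radius_up, users), local_database(users)],
        "CONSOLE": [line_password("cisco")],  # applied on line con 0
    }
```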
The aaa authentication ppp command is used to authenticate a PPP connection. It is typically used to authenticate ISDN or analog remote users who want to access the Internet or a central office through an access server.
The access server has an ISDN interface which is configured to accept PPP dial-in clients. We use a dialer rotary-group 0, but the configuration can be done on the main interface or dialer profile interface.
The access server has an internal modem card (Mica, Microcom or Next Port). Assume that both aaa authentication login and aaa authentication ppp commands are configured.
If a modem user first accesses the router with a character mode exec session (for example, with Terminal Window after Dial), the user is authenticated on a tty line. To launch into a packet mode session, users must type ppp default or ppp. Since PPP authentication is explicitly configured (with aaa authentication ppp), the user is authenticated at the PPP level again.
The aaa authorization exec command determines if the user is allowed to run an EXEC shell. This facility can return user profile information such as auto command information, idle timeout, session timeout, access-list and privilege and other per-user factors.
The aaa authorization network command runs authorization for all network-related service requests such as PPP, SLIP and ARAP. This section focuses on PPP, which is most commonly used.
The AAA server checks whether a PPP session by the client is allowed. In addition, the client can request PPP options such as callback, compression and IP address; these options have to be configured in the user profile on the AAA server. For a specific client, the AAA profile can also contain idle-timeout, access-list and other per-user attributes, which the Cisco IOS software downloads and applies to this client.
You can use the AAA server to assign per-user attributes such as IP address, callback number, dialer idle timeout value or access-list, and so on. In such an implementation, the NAS downloads the appropriate attributes from the AAA server user profile.
With this command, a call setup and call disconnect start-stop accounting record tracks the progress of the resource connection to the device. A separate user authentication start-stop accounting record tracks the user management progress. These two sets of accounting records are interlinked with a unique session ID for the call.
After a one-semester break, I can finally continue this Cisco IOS series. There are 5 kinds of passwords we will discuss in this third chapter: enable password, enable secret, the line vty password, the line console password, and the line auxiliary password.
When you first access a router/switch, you go straight into user mode (Switch>) with no authentication required; just press Enter. The same applies when entering privileged mode (Switch#). There is no password by default.
If you have already used enable password and have to send the configuration file (for example by email) or just ask a question on the internet, I suggest exporting the running-config with the show tech-support command.
Number 3 will be covered in the next subheading below. After we configure a password on a line (console, vty, and auxiliary), a connecting user will be prompted to enter the password, like this:
The logging synchronous command above makes CLI output synchronized, so it will not disturb you while you configure, because what you are typing will not be interrupted by output that is being printed.
The exec-timeout command sets the duration of a console session. When it expires, the user is logged out of the console and has to start again from user mode. The default is 15 minutes (meaning exec-timeout 0 15).
Accessing a device through the console is fairly rare. Usually it happens only during initial setup, or when troubleshooting forces us to deal directly with the device. After that, the device is accessed remotely.
Oh, and I will only cover the basics here so it does not get confusing; I will go into more detail when we reach the advanced security session. Here are the (mandatory) steps for configuring SSH on Cisco IOS routers and switches.
The modulus value determines how large the key we use is. The larger it is, the longer it takes to generate, and the more secure it is. Check your own device for the maximum modulus size (in bits) it supports.
The login local command above means the switch will look at its local database (username and password) for authentication. (I phrase it this way because it is possible to use an external server for authentication.)
Up to this point, the material on password configuration in Cisco IOS is actually complete. I have also indirectly shown that the login method in Cisco IOS can use a username and password.
Why? First, it is not secure (of course). Second, log management is hard. That is, if something happens because of a particular change, we do not know whom to ask. Because everyone uses the same access, there is no unique identity.
Various responses came up, which boil down to: it can be done, but you have to use an external authentication server (LDAP, TACACS, RADIUS). This is actually out of scope for this discussion, but I will show the configuration, so you can see that it can be done.
First, we need to enable the AAA feature on the switch, because AAA is disabled by default. Oh, and the Cisco 2960 switch in Packet Tracer does not support this feature; switch to a router or a 3560 L3 switch.
Look at the options shown by the question mark above. Enable is for entering privileged mode, and there is login too. Enable activates the default authentication (there is also a named-list feature, a list that we define ourselves).
Group means using a server group. Why a server group? Because we can use more than one server. We can even combine it with the local username database on the switch itself.
You will actually understand this better once you reach the basics of routing and switching (and VLANs). But we will cover the essence of how to make a switch reachable over SSH/Telnet from a remote network.
Here is the point: the switch needs to be configured with an IP address so it supports IP-based management protocols (SSH/Telnet/ICMP/SNMP/etc.). In this case specifically an SVI (switch virtual interface), i.e. the VLAN interface on a layer 2 switch.