Introduction
This book guides you step by step through using and configuring the basic security
commands on Cisco devices. We will discuss the following steps:
Learn how to configure basic password authentication including Console, VTY Line
and Auxiliary Line password authentication.
Lab Objectives
• Configure the VTY line 0-4 password so that anyone attempting to establish a
telnet/ssh session to the device will be prompted for a password.
Step 1. First use the security passwords min-length command to set a minimum password
length of 10 characters (or specify more than 10 for more security). Note that once the
minimum is set, IOS rejects any new line, enable or username password shorter than it,
so the passwords you choose in the following steps must meet that minimum.
Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password Cisco123
For additional security, the exec-timeout command causes the line to log out after 5
minutes of inactivity:
Router(config-line)#exec-timeout 5 0
The command transport input none prevents remote access to the console port via
reverse-telnet (on IOS 12.0 and earlier only). Finally, the login command tells the line
to actually prompt for the password that was set:
Router(config-line)#login
Once you complete these commands, verify and test these configurations.
Step 2. Now it's time to configure the VTY (Virtual TeleType) lines. The VTY lines are
virtual lines used for establishing a session via telnet or ssh. You apply the password
to these lines in the same manner as you did for the console line, as shown below:
Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login
Once you complete these commands, verify and test these configurations.
Note: you can also use the commands exec-timeout 5 0 and transport input none on the
VTY lines. Keep in mind that transport input none on the VTY lines disables all remote
(telnet and ssh) sessions to them; transport input ssh restricts them to SSH only.
Step 3. Configure an enable password and an enable secret for the Cisco router to gain
privileged level access to the device via telnet. This configuration is done in global
configuration mode.
To configure an enable secret you simply execute enable secret passwordgoeshere,
as shown below:
Router#configure terminal
Router(config)#enable password Cisco1
Router(config)#enable secret Cisco2
Router(config)#end
NOTE: if you have both enable password and enable secret set, the enable secret
overrides the enable password. The enable secret is also stored as a one-way hash,
whereas the enable password is stored in clear text (or with the reversible type 7
encoding when service password-encryption is on), so always configure the secret.
Step 4. The AUX port is very similar to the console port but has modem control pins
where you can attach an external modem to the device, dial in to the device via an
external 56k modem and remotely manage the device using POTS dial-up service. This
is commonly used for out-of-band management of single devices; however, when there
are multiple devices per site and out-of-band management is required, it's common to
have an access server set up with a modem to allow console management of multiple
devices through a single dial-in device.
To set the AUX line password, execute the commands shown below:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#password AuxPassword123
Router(config-line)#login
Router(config-line)#end
Note: you can also use the commands exec-timeout 5 0 and transport input none on the
AUX line.
Learn how to configure a Cisco Router and/or Switch to authenticate exec sessions to
a local user account database.
Why do we do that?
Commonly with Cisco devices, multiple users will be accessing and configuring the
device, which requires different user credentials for individuals with the different
levels of access needed to perform different management duties on the Cisco device.
How?
Note that you must create at least one user account; otherwise you will be locked out
of the console. If you do not already have user accounts set up, create at least
one before setting the console to use local login. The syntax for creating a local user
is username name privilege level {password | secret} string.
The example below shows how to create an account with a password and set console
login.
Lab Objectives
• Configure a user account with the name Ashraf with a password of Cisco$123 and
assign level 15 privileges to this user on router A.
• Configure a user account with the name Ahmed with a password of LetMeSee! and
assign level 1 privileges to this user on router A.
• Configure the VTY lines 0 through 4 on router A to authenticate incoming exec
sessions with the Local User Database using the login local command under line
configuration mode.
• Verify your configuration by telnetting to router A's interface 10.64.0.1
from router B.
Step 1. Create a user account with the username Ashraf and the password Cisco$123,
and grant this user level 15 privileges.
A#configure terminal
A(config)#username Ashraf privilege 15 secret Cisco$123
Step 2. Create a user account with the username Ahmed and the password
LetMeSee!, and grant this user level 1 privileges.
A(config)#username Ahmed privilege 1 secret LetMeSee!
NOTE: Creating a user account with level 15 privileges will place the user in
privileged mode upon a successful authentication; therefore this user will not need to
provide an enable password. Creating a user account with level 1 privileges will
place the user in user mode upon a successful authentication.
Step 3. Configure the VTY lines 0 through 4 to authenticate incoming exec sessions
against the local user database. This is done by executing login local under line
configuration mode.
A(config)#line vty 0 4
A(config-line)#login local
Step 4. Verify your configuration by telnetting to router A's interface 10.64.0.1
from router B:
B#telnet 10.64.0.1
Trying 10.64.0.1 ... Open
Privileges:
Configuring AAA Authentication, Authorization, Accounting Lists – 3
This lab was created to give you a basic understanding of AAA, which is
commonly used in production networks for Authentication, Authorization and
Accounting.
Overview of AAA:
Access control is the way you control who is allowed access to the network
server (Authentication), what services they are allowed to use once they have
access (Authorization), and how you audit what actions they performed while accessing
the network (Accounting). Authentication, authorization, and accounting (AAA) network
security services provide the primary framework through which you set up access
control on your network device, such as a router or access server.
It provides a higher degree of scalability than the con, aux, vty and privileged EXEC
authentication commands alone.
All authentication methods, except for local, line password, and enable authentication,
must be defined through AAA.
Authorization: Provides the method for remote access control, including one-time
authorization or authorization for each service, per-user account list and profile, user
group support, and support of IP, IPX, ARA, and Telnet.
AAA authorization works by assembling a set of attributes that describe what the user
is authorized to perform. These attributes are compared to the information contained
in a database for a given user, and the result is returned to AAA to determine the
user's actual capabilities and restrictions. The database can be located locally on the
access server or router, or it can be hosted remotely on a RADIUS or TACACS+
security server. Remote security servers, such as RADIUS and TACACS+,
authorize users for specific rights by associating attribute-value (AV) pairs, which
define those rights, with the appropriate user. All authorization methods must be
defined through AAA.
To configure AAA authorization, define a list of authorization methods and then
apply that list to various interfaces.
Accounting: Provides the method for collecting and sending security server
information used for billing, auditing, and reporting, such as user identities, start and
stop times, executed commands (such as PPP), number of packets, and number of
bytes.
Accounting enables you to track the services users are accessing as well as the amount
of network resources they are consuming. When AAA accounting is activated, the
network access server reports user activity to the RADIUS or TACACS+ security
server (depending on which security method you have implemented) in the form of
accounting records. Each accounting record is comprised of accounting AV pairs and
is stored on the access control server. This data can then be analyzed for network
management, client billing, and/or auditing. All accounting methods must be defined
through AAA. As with authentication and authorization, you configure AAA
accounting by defining a named list of accounting methods, and then applying that list
to various interfaces.
Method lists: a method list is a sequential list that defines the authentication methods
used to authenticate a user. The methods are tried in the order listed, and the next one is
consulted only when the previous one returns an error, not when it rejects the user.
Method lists enable you to designate one or more security protocols to be used for
authentication.
Real world application:
Companies with several Cisco devices commonly use RADIUS or TACACS+ for
user Authentication and Authorization. Local authentication is also used, but only as a
backup method when communication to the AAA server fails. AAA servers, whether
they be TACACS+ or RADIUS, provide a centralized management point to control
Authentication and Authorization to Cisco devices or other vendor devices, not
only for management of the device but for other authentication methods as well,
such as remote VPN authentication, SSL VPN, 802.1X and proxy authentication.
Configuring Authentication:
Local authentication should be configured for smaller networks, such as those with one
or two routers providing access to a limited number of users; it uses the local usernames
and passwords stored on the router.
1. Add usernames and passwords to the local router database for users that need
administrative access to the router.
Lab Objectives
A>enable
A#configure terminal
A(config)#aaa new-model
The syntax for configuring an AAA login authentication list is: aaa authentication login
LISTNAME AUTHTYPE
To enable local authentication using a preconfigured local database, use the keyword
local or local-case.
The difference between the two options is that local accepts a username regardless of
case, and local-case is case-sensitive.
To specify that a user can authenticate using the enable password, use the enable
keyword.
The enable method can be configured as a fallback mechanism in case the username
and password are forgotten, as:
A(config)#aaa authentication login CONSOLE_AUTH local enable
In the above command the list named CONSOLE_AUTH is created, which requires
users to attempt to authenticate to the router's local user database first. If that attempt
returns an error, such as when no local user database is configured, the user can attempt
to authenticate by knowing the enable password. A wrong local password is a rejection,
not an error, so it does not fall through to the enable method.
Note that a minimum of one method and a maximum of four methods can be
specified for a single method list.
In this objective the list name is CONSOLE_AUTH and the authentication type is
LOCAL, as shown below:
A(config)#aaa authentication login CONSOLE_AUTH local
Note: you cannot use any of the AAA network security services before enabling AAA
with aaa new-model.
Step 3. Now you're ready to configure the console line to authenticate users
attempting an exec session against the AAA login authentication list you just created.
This is a single command executed in line configuration mode: login authentication
listname
A(config)#line con 0
A(config-line)#login authentication CONSOLE_AUTH
Step 4. Verify your configuration by logging completely out of, or reloading, the
router and logging back in via the console. If configured properly you should now be
prompted for a username and password, as shown below:
Username: ashraf
Password:
A#
Additional security can be implemented using the following command in global
configuration mode:
A(config)#aaa local authentication attempts max-fail 5
This command secures AAA user accounts by locking out an account after 5 failed
login attempts. A locked account stays locked until an administrator clears it with
clear aaa local user lockout.
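As an added example (not part of the original lab text or of any Cisco tooling), the Python script below parses an IOS-style running-config and reports the gaps covered in this lab and the previous ones: a password minimum length below 10, a missing enable secret, lines without login / login local / login authentication, lines without an explicit exec-timeout, and login authentication lists that are undefined, have other than 1 to 4 methods, or are used without aaa new-model. The sample config is constructed for the example.

```python
import re
# Constructed sample running-config (not from a real device) mixing weak and hardened settings.
SAMPLE_CONFIG = """\
security passwords min-length 10
enable password Cisco1
aaa new-model
aaa authentication login CONSOLE_AUTH local enable
line con 0
 login authentication CONSOLE_AUTH
 exec-timeout 5 0
line vty 0 4
 password Cisco321
 login
line aux 0
 password AuxPassword123
"""
def parse_config(config):
    """Split an IOS config into top-level commands and the child commands of each 'line'."""
    top, lines, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:          # indented: belongs to the current line stanza
            lines[current].append(raw.strip())
            continue
        current = raw[5:].strip() if raw.startswith("line ") else None   # e.g. "vty 0 4"
        if current:
            lines[current] = []
        top.append(raw.strip())
    return top, lines
def audit(config):
    """Return (scope, message) findings; an empty list means every check passed."""
    top, lines = parse_config(config)
    findings = []
    if next((int(t.split()[-1]) for t in top if t.startswith("security passwords min-length ")), 0) < 10:
        findings.append(("global", "security passwords min-length is below 10"))
    if not any(t.startswith("enable secret ") for t in top):
        findings.append(("global", "no enable secret; exec mode relies on the weakly protected enable password"))
    lists = {m[1]: m[2].split() for t in top if (m := re.match(r"aaa authentication login (\S+) (.+)", t))}
    for name, methods in lists.items():               # name -> method keywords of each login list
        if not 1 <= len(methods) <= 4:
            findings.append(("global", f"list {name} must name 1 to 4 methods"))
    for name, cmds in lines.items():
        auth = [c for c in cmds if c == "login" or c.startswith("login ")]
        if not auth:
            findings.append((name, "no login, login local or login authentication; a password alone is not enforced"))
        for ref in (c.split()[-1] for c in auth if c.startswith("login authentication ")):
            if "aaa new-model" not in top or ref not in lists:
                findings.append((name, f"login authentication {ref} needs aaa new-model and a defined list"))
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append((name, "no explicit exec-timeout; the lab sets exec-timeout 5 0"))
    return findings
```

Run audit() over the text of show running-config; on the sample it reports the missing enable secret, the aux line that has a password but no login, and the two lines without an exec-timeout, while the hardened console line passes.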
Configuring Authorization: