
Configuring Basic Cisco Device Security Ashraf_ittaiz@yahoo.com

Configuring Basic Cisco Device Security

Introduction
This guide shows you, step by step, how to use and configure the basic security
commands on Cisco devices. We will discuss the following steps:

1- Configuring Basic Password Authentication
2- Configuring Local User Database Authentication
3- Configuring AAA Authentication, Authorization, Accounting Lists
4- Configuring AAA Authentication via TACACS+ Server
5- Configuring Secure Shell Virtual Terminal Access (SSH)
6- Configuring Numbered Access Control Lists
7- Configuring Named Access Control Lists
8- Configuring the VTY Lines Access Control List
9- Configuring the Password Encryption Service
10- Configuring an exec timeout and absolute timeout
11- Configuring Cisco IOS Web Server Authentication
12- Configuring logging to a Remote Syslog Server

Created by Ashraf Mobarak 1



1- Configuring Basic Password Authentication:

Learn how to configure basic password authentication including Console, VTY Line
and Auxiliary Line password authentication.

Lab Objectives

•   Configure a Console line password so that anyone attempting to establish a console
session to the device will be prompted for a password.

•   Configure the VTY line 0-4 password so that anyone attempting to establish a
telnet/ssh session to the device will be prompted for a password.

•   Configure an enable password and enable secret.

•   Configure an Auxiliary line password so that anyone attempting to establish an
auxiliary line session to the device (routers only) will be prompted for a password.

Note: Once completed, verify these configurations.

First use the security passwords min-length command to enforce a minimum password length
of 10 characters (or more). The check applies to enable, line and username passwords
configured after the command; passwords that already exist are not affected. If you set
it to 10 as shown, the short sample passwords used in the steps below (Cisco123,
Cisco321, Cisco1, Cisco2) will be rejected, so choose passwords of at least 10 characters.

Router(config)#security passwords min-length 10

Step 1. Navigate to the console line configuration mode as shown below:

Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password Cisco123

For additional security, the exec-timeout command logs the line out after 5 minutes of
inactivity (the two arguments are minutes and seconds):

Router(config-line)#exec-timeout 5 0

The connection to the console port should not be left logged in. Configure the console
line to time out EXEC sessions, so that if an administrator forgets to log out, the router
will log him or her out automatically.

The command transport input none prevents remote access to the console port via
reverse telnet (accepted on the console line on IOS 12.0 and earlier only):

Router(config-line)# transport input none


Simply setting the password does not enable password authentication. This is done by
executing the login command from line configuration mode, as shown below:

Router(config-line)#login

Created by Ashraf Mobarak 2


Configuring Basic Cisco Device Security Ashraf_ittaiz@yahoo.com

Once you complete these commands, verify and test these configurations.

Step 2. Now it's time to configure the VTY (Virtual TeleType) lines. The VTY lines are
virtual lines used for establishing a session via telnet or SSH. You apply the password
to these lines in the same manner as you did for the console line, as shown below:

Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login

Once you complete these commands, verify and test these configurations.

Note: you can also use exec-timeout 5 0 on the VTY lines. Do not use transport input none
there, because it disables telnet and SSH access entirely; restrict the VTY lines with
transport input ssh instead (SSH itself is configured in section 5).

Step 3. Configure an enable password and an enable secret, which protect privileged
EXEC (enable) mode on the router. This configuration is done in global configuration
mode. To configure an enable secret you simply execute enable secret passwordgoeshere,
as shown below:

Router#configure terminal
Router(config)#enable password Cisco1
Router(config)#enable secret Cisco2
Router(config)#end

NOTE: if both an enable password and an enable secret are set, the enable secret takes
precedence and the enable password is ignored. The enable secret is stored as a hash,
while the enable password is stored in clear text (or only reversibly obfuscated once
service password-encryption is on), so configure the enable secret alone and leave the
enable password unset.

Step 4. The AUX port is very similar to the console port but has modem control pins, so
you can attach an external modem to the device, dial in via an external 56k modem and
remotely manage the device over a POTS dial-up line. This is commonly used for out-of-band
management of single devices; when there are multiple devices per site and out-of-band
management is required, it is common to set up an access server with a modem to allow
console management of multiple devices through a single dial-in device.

To set the AUX line password, execute the commands shown below:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#password AuxPassword123
Router(config-line)#login
Router(config-line)#end
Note: you can use exec-timeout 5 0 and transport input none on the AUX line as well;
transport input none is the setting that blocks reverse telnet to the AUX port. If the
port is not used at all, no exec prevents it from starting an EXEC session.
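As an added example (not part of the lab and not the author's code), the Python script below audits a saved show running-config for the controls covered in this section: a password and login on every line, an exec-timeout that is present and not disabled, an enable secret with no enable password beside it, service password-encryption, a minimum password length, and the transport restrictions on the VTY and AUX lines. It also accepts login local and login authentication LIST, which sections 2 and 3 introduce. SAMPLE_CONFIG is constructed for the example and its secret hashes are placeholders.

```python
"""
Added example: audit a Cisco IOS running-config for the line-hardening
controls from this lab. The sample config is constructed, not from a device.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
!
version 15.2
service password-encryption
hostname A
!
security passwords min-length 10
enable secret 5 $1$kXyZ$placeholder.hash.value
enable password 7 0822455D0A16
!
username Ashraf privilege 15 secret 5 $1$abCd$placeholder.hash.value
!
interface GigabitEthernet0/0
 ip address 10.64.0.1 255.255.255.0
!
line con 0
 password 7 0822455D0A16
 login
 exec-timeout 5 0
line aux 0
 password 7 0822455D0A16
 login
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
!
end
"""


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into top-level commands and their indented sub-commands."""
    top, blocks, current = [], defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():              # indented: belongs to the last top-level line
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, blocks


def startswith_any(cmds, prefix):
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def audit(config: str) -> List[str]:
    """Return one finding per missing or weak control; an empty list means all checks passed."""
    top, blocks = parse_config(config)
    findings = []
    # Global password controls (step 3 and the min-length command).
    if not startswith_any(top, "enable secret"):
        findings.append("global: no enable secret configured")
    if startswith_any(top, "enable password"):
        findings.append("global: enable password is set; it is reversible, remove it and keep only enable secret")
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is off, line passwords are stored in clear text")
    if not startswith_any(top, "security passwords min-length"):
        findings.append("global: no minimum password length enforced")
    for name, cmds in blocks.items():
        if not name.startswith("line ") or "no exec" in cmds:
            continue                      # not a line, or a line that cannot start an EXEC session
        # Authentication: password + login, login local, or an AAA list.
        if "login local" in cmds or startswith_any(cmds, "login authentication"):
            pass
        elif "login" in cmds and startswith_any(cmds, "password"):
            pass
        elif "login" in cmds:
            findings.append(f"{name}: login set but no password, every login attempt will be refused")
        else:
            findings.append(f"{name}: no authentication, sessions open without a password")
        # Idle timeout: absent means the IOS default of 10 minutes; '0 0' disables it.
        timeouts = [c for c in cmds if c.startswith("exec-timeout ")]
        if not timeouts:
            findings.append(f"{name}: exec-timeout not set (default 10 minutes), set exec-timeout 5 0")
        elif timeouts[-1].split()[1:] == ["0", "0"]:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        # Remote-access transport: SSH only on VTY, nothing on AUX.
        transports = [c for c in cmds if c.startswith("transport input ")]
        allowed = transports[-1].split()[2:] if transports else None
        if name.startswith("line vty"):
            if allowed is None or "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: transport input not restricted to ssh, clear-text telnet is accepted")
        elif name.startswith("line aux"):
            if allowed != ["none"]:
                findings.append(f"{name}: reverse telnet to the AUX port is possible, set transport input none (or no exec if unused)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config saved to a file; each finding names the line and the command that closes it, so the report doubles as a to-do list for the next configure terminal session.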

2- Configuring Local User Database Authentication




Learn how to configure a Cisco router and/or switch to authenticate EXEC sessions
against a local user account database.

Why do we do that?
Commonly with Cisco devices, multiple users will be accessing and configuring the
device, which requires separate credentials for each individual and different levels of
access for the different management duties they perform on the device.

How?

Note that you must create at least one user account before switching a line to local
login, otherwise you will be locked out of that line. If you do not already have user
accounts set up, create at least one first. The syntax for creating a local user is
username name privilege level {password | secret} string; prefer secret, which stores a
hash, over password.

The example below shows how to create an account with a password and set the lines to
local login.

Lab Objectives

Assume the topology shown below (the figure is not reproduced here): routers A and B,
with router A's interface 10.64.0.1 reachable from router B.




•   Configure a user account with the name Ashraf with a password of Cisco$123 and
assign level 15 privileges to this user on router A .
•   Configure a user account with the name Ahmed with a password of LetMeSee! and
assign level 1 privileges to this user on router A .
•   Configure the VTY lines 0 through 4 on router A to authenticate incoming exec
sessions with the Local User Database using the login local command under line
configuration mode.
•   Verify your configuration by telnetting from router B to router A's interface
10.64.0.1.

Step 1. Create a user account with the username Ashraf and password Cisco$123, and
grant this user level 15 privileges.

A#configure terminal
A(config)#username Ashraf privilege 15 secret Cisco$123

Step 2. Create a user account with the username Ahmed and password LetMeSee!, and
grant this user level 1 privileges.

A(config)#username Ahmed privilege 1 secret LetMeSee!

NOTE: a user account with level 15 privileges is placed directly in privileged EXEC
mode upon successful authentication, so this user does not need to provide the enable
secret; a user account with level 1 privileges is placed in user EXEC mode and must
still enter enable (and the enable secret) to reach privileged mode.

Step 3. Configure the VTY lines 0 through 4 to authenticate incoming EXEC sessions
against the local user database. This is done by executing login local under line
configuration mode.

A(config)#line vty 0 4
A(config-line)#login local

Step 4. – Verify your configuration by reverse telnet’ing to the A interface from


router B. You should receive a username and password prompt and upon a successful
authentication based on the credentials provided you should be granted an exec shell
session in user mode if using the username Ahmed or privileged mode if using the
;username Ashraf as shown below

B#telnet 10.64.0.1
Trying 10.64.0.1 ... Open

User Access Verification

Username: Ashraf
Password:
A#

Privileges: you can confirm the level granted to the current session with show privilege,
which reports level 15 for Ashraf and level 1 for Ahmed.
3- Configuring AAA Authentication, Authorization, Accounting Lists




This lab was created to give you a basic understanding of AAA, which is commonly used
in production networks for Authentication, Authorization and Accounting.
Overview of AAA:
Access control is the way you control who is allowed access to the network device
(Authentication), what services they are allowed to use once they have access
(Authorization), and how you audit what actions they performed while accessing the
network (Accounting). Authentication, authorization, and accounting (AAA) network
security services provide the primary framework through which you set up access
control on a network device such as a router or access server.
It provides a higher degree of scalability than the console, AUX, VTY and privileged
EXEC authentication commands alone.

About the AAA security service:

AAA is an architectural framework for configuring a set of three independent security
functions in a consistent manner. AAA provides a modular way of performing the
following services:
Authentication: provides the method of identifying users, including the login and
password dialog, challenge and response, and, depending on the security protocol,
encryption of the exchange. It is the way a user is identified prior to being allowed
access to the network and network services. You configure AAA authentication by
defining a named list of authentication methods and then applying that list to lines or
interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are tried; it must be applied to a specific line or interface
before any of the defined methods will be used. The only exception is the default
method list (which is named "default"): it is automatically applied to every line and
interface that has no other list applied, and a named list applied to a line overrides
the default.

All authentication methods, except for local, line password, and enable authentication,
must be defined through AAA.
Authorization: provides the method for remote access control, including one-time
authorization or authorization for each service, per-user account lists and profiles,
user group support, and support for IP, IPX, ARA, and Telnet.
AAA authorization works by assembling a set of attributes that describe what the user
is authorized to do. These attributes are compared to the information contained in a
database for the given user and the result is returned to AAA to determine the user's
actual capabilities and restrictions. The database can be located locally on the access
server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific
rights by associating attribute-value (AV) pairs, which define those rights, with the
appropriate user. All authorization methods must be defined through AAA.
To configure AAA authorization, define a list of authorization methods and then apply
that list to lines or interfaces.
Accounting: provides the method for collecting and sending security server
information used for billing, auditing, and reporting, such as user identities, start and
stop times, executed commands (such as PPP), number of packets, and number of
bytes.




Accounting enables you to track the services users are accessing as well as the amount
of network resources they are consuming. When AAA accounting is activated, the
network access server reports user activity to the RADIUS or TACACS+ security
server (depending on which security method you have implemented) in the form of
accounting records. Each accounting record is comprised of accounting AV pairs and
is stored on the access control server. This data can then be analyzed for network
management, client billing, and/or auditing. All accounting methods must be defined
through AAA. As with authentication and authorization, you configure AAA
accounting by defining a named list of accounting methods, and then applying that list
to lines or interfaces.
Method lists: a method list is a sequential list that defines the authentication methods
used to authenticate a user and the order in which they are tried. Method lists let you
designate one or more security protocols to be used for authentication, so that a backup
method is available when the first one cannot be reached.
Real world application:
Companies with several Cisco devices commonly use RADIUS or TACACS+ for user
authentication and authorization. Local authentication is also used, but only as a
backup method when communication with the AAA server fails. AAA servers, whether
TACACS+ or RADIUS, provide a centralized management point to control
authentication and authorization to Cisco and other vendors' devices, not only for
device management but for other authentication use cases as well, such as remote-access
VPN, SSL VPN, 802.1X and proxy authentication.

AAA provides the following benefits:

- Increased flexibility and access control
- Scalability
- Standardized authentication methods, such as RADIUS and TACACS+
- Multiple backup systems

Configuring Authentication:

Local AAA authentication, which uses the usernames and passwords stored on the router,
suits smaller networks such as those with one or two routers providing access to a
limited number of users.

Configuring local AAA services to authenticate administrator access requires a few
basic steps:

1. Add usernames and passwords to the local router database for users that need
administrative access to the router.

2. Enable AAA globally on the router.

3. Configure AAA parameters on the router.

4. Confirm and troubleshoot the AAA configuration.

Lab Objectives




•   Enable AAA by executing the aaa new-model command in global configuration mode.
•   Configure an AAA login authentication list named CONSOLE_AUTH that
authenticates to the local database only.
•   Configure the console line to authenticate using the authentication list you created,
named CONSOLE_AUTH.
•   Verify your configuration by logging completely out of the router and back in.

Step 1. Enable AAA by executing the command aaa new-model in global configuration
mode. This enables the AAA authentication methods and disables the old line-password
authentication: from this moment every line uses the default login method list, which,
until you define one, is local. Make sure at least one username exists (see section 2)
before you issue the command, and keep your current session open while you test a new
one so that you are not locked out.

Router con0 is now available

Press RETURN to get started.

A>enable
A#configure terminal
A(config)#aaa new-model

Step 2. Configure an AAA login authentication list named CONSOLE_AUTH that
authenticates to the local database only.

The syntax for configuring an AAA login authentication list is: aaa authentication login
LISTNAME METHOD [METHOD ...]

To enable local authentication using a preconfigured local database, use the keyword
local or local-case.

The difference between the two options is that local accepts a username regardless of
case, and local-case is case-sensitive.

To specify that a user can authenticate with the enable secret, use the enable keyword.

The enable method can be configured as a fallback mechanism for the case where the
local user database is unavailable, as in:

A(config)#aaa authentication login CONSOLE_AUTH local enable

The command above creates the list named CONSOLE_AUTH, which requires users to
authenticate against the router's local user database first. Only if that method returns
an error (for example, no local user database is configured) does the router fall back
to the enable method and accept the enable secret. A wrong username or password is a
failed authentication, not an error, and does not fall through to the next method.

Note that a minimum of one method and a maximum of four methods can be
specified for a single method list.

In this objective the list name is CONSOLE_AUTH and the only method is local, as
shown below:

A(config)#aaa authentication login CONSOLE_AUTH local




Note: no AAA service can be configured until AAA has been enabled with aaa new-model.

Step 3. Now you're ready to configure the console line to authenticate users
attempting an EXEC session with the AAA login authentication list you just created.
This is a single command executed in line configuration mode: login authentication
listname

A(config)#line con 0
A(config-line)#login authentication CONSOLE_AUTH

Step 4. Verify your configuration by logging completely out (or reloading the router)
and logging back in via the console. If configured properly you should now be
prompted for a username and password, as shown below:

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: ashraf
Password:
A#

To troubleshoot authentication, use the command

A#debug aaa authentication

which helps identify problems when things are not working properly.

Additional security can be added for the local accounts with the following command in
global configuration mode:
A(config)#aaa local authentication attempts max-fail 5
This command protects local AAA user accounts by locking out an account after that
many consecutive failed attempts. Locked accounts can be listed with show aaa local
user lockout and released with clear aaa local user lockout username name.

Configuring Authorization:

