This blog entry is about securing access to a Cisco device using a password alone, or a login and password combination. The users in the presented examples are configured locally on the Cisco device.
The following scenarios will be presented:
1. Setting the privileged level password.
2. Setting privileged level secret.
3. Configuring password checking on vty lines.
4. Configuring password checking on console line.
5. Configuring login and password checking on vty lines.
6. Configuring login and password checking on console line.
7. Configuring login and password checking on vty lines using "aaa new-model".
8. Configuring login and password checking on console line using "aaa new-model".
1. Setting the privileged level password
Such a password is stored in the configuration file in clear text.
R1(config)#enable password cisco
#Output from show running-config command
enable password cisco
We can encrypt the privileged level password (so that it is no longer visible in clear text)
using the command 'service password-encryption'.
R1(config)#service password-encryption
#Output from show run after enabling service password-encryption
enable password 7 060506324F41
2. Setting privileged level secret
Such a password is stored in the configuration file as an MD5 hash.
R1(config)#enable secret cisco
#Output from show running-config command
enable secret 5 $1$vesc$SMuKMydFV9yNREMEwiqXw0
3. Configuring password checking on vty lines
In this scenario, a user logging in to the device
will be asked for a password only (no login name is requested).
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password testtest
4. Configuring password checking on console line
In this scenario, a user logging in to the device
will be asked for a password only (no login name is requested).
R1(config)#line console 0
R1(config-line)#login
R1(config-line)#password testtest
5. Configuring login and password checking on vty lines
R1(config)#username test privilege 15 secret test1234
R1(config)#line vty 0 4
R1(config-line)#login local
6. Configuring login and password checking on console line
R1(config)#username test privilege 15 secret test1234
R1(config)#line console 0
R1(config-line)#login local
7. Configuring login and password checking on vty lines using "aaa new-model"
R1(config)#username test privilege 15 secret test1234
R1(config)#aaa new-model
R1(config)#aaa authentication login testaaa local
R1(config)#line vty 0 4
R1(config-line)#login authentication testaaa
8. Configuring login and password checking on console line using "aaa new-model"
R1(config)#username test privilege 15 secret test1234
R1(config)#aaa new-model
R1(config)#aaa authentication login testaaa local
R1(config)#line console 0
R1(config-line)#login authentication testaaa
Note:
After issuing the command 'aaa new-model' (without any additional configuration), authentication on the vty lines will start to use the local users configured on the Cisco device (login and password required). Access to the console line will be unrestricted.
After additionally configuring the default login authentication list, the console line and vty lines will use the authentication method defined in the default list.
Example:
aaa new-model
aaa authentication login default local
With that configuration, the console line and vty lines will authenticate against the local users configured on the Cisco device.
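To check a saved running-config for the weak and strong variants described in this post, here is an added audit script (written for this entry, not part of the original post or of Cisco IOS). It assumes the config was captured as plain text from 'show running-config'; the sample config below is constructed to mirror the examples above.

```python
import re

# Constructed sample running-config modelled on the post's examples (not a real device).
SAMPLE_CONFIG = """\
hostname R1
enable password 7 060506324F41
username test privilege 15 secret test1234
aaa new-model
aaa authentication login testaaa local
!
line console 0
 password testtest
line vty 0 4
 login authentication testaaa
"""

def parse_line_blocks(config):
    """Map each 'line ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block

    return blocks

def audit(config):
    """Return findings about how privileged mode and each line are protected."""
    findings = []
    # 'enable password' (clear text or reversible type 7) without an 'enable secret' hash
    if re.search(r"^enable password ", config, re.M) and not re.search(r"^enable secret ", config, re.M):
        findings.append("enable password is clear text or type 7; configure 'enable secret'")
    aaa = bool(re.search(r"^aaa new-model\s*$", config, re.M))
    default_list = bool(re.search(r"^aaa authentication login default ", config, re.M))
    for name, cmds in parse_line_blocks(config).items():
        console = name.startswith("line con")
        if aaa:
            # Under aaa new-model a line needs a named list or the default list (see the note above)
            if not default_list and not any(c.startswith("login authentication ") for c in cmds):
                findings.append(f"{name}: no named or default login list; "
                                + ("console access is unrestricted" if console else "vty uses local users"))
        elif "login local" in cmds:
            continue  # per-user authentication against local usernames
        elif "login" in cmds:
            if any(c.startswith("password ") for c in cmds):
                findings.append(f"{name}: shared line password only, no username")
            else:
                findings.append(f"{name}: 'login' set but no line password configured")
        else:
            findings.append(f"{name}: no 'login' command; no password is requested")
    return findings
```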