6.1 Key Terms
AAA = Authentication, authorization, and accounting.
Method list = Ordered list of the methods AAA tries (local, RADIUS, TACACS+, and so on). The next method is consulted only when the current one is unavailable (for example, the server does not answer); a rejected credential ends the attempt.
Custom privilege level = Levels 0, 1 (user EXEC), and 15 (privileged EXEC) are predefined; levels 2–14 are free for custom use, with commands moved into them by the privilege command.
Parser view = Commands are available only within particular contexts (views). This is a way to implement role-based management: create views and associate specific administrators with them.
SSH = Secure Shell. An encrypted alternative to Telnet for remote CLI management access to a network device.
Syslog = Logging messages can be sent to a syslog server that gathers all incoming messages into text files. Syslog server programs can sort by sending device IP and by severity/facility level to make security monitoring simpler.
SNMP = Simple Network Management Protocol, used for device management, including requesting information from network devices and receiving updates (traps) from them. Only SNMPv3 adds authentication and encryption; v1/v2c community strings travel in the clear.
NTP = Network Time Protocol. Used to synchronize time on the network, which is important for log messages and for IPS/IDS event time stamps so that messages can be correlated across multiple devices.
Secure bootset = The IOS image and configuration archived by the Cisco IOS Resilient Configuration feature (secure boot-image and secure boot-config), which protects them from being erased from a storage device such as flash or NVRAM.
6.2 Things to Remember
6.2.1 AAA Components to Secure Administrative and Remote LAN Access
Access type: Remote administrative access (usually TACACS+ between the router and the ACS)
  Mode: Character (line or EXEC mode)
  Where these are likely to be used: Lines: vty, AUX, console, and tty
  AAA command element: login, enable, exec
Access type: Remote network access for end users (usually RADIUS between the router and the ACS)
  Mode: Packet (interface mode), such as an interface with PPP requiring authentication
  Where these are likely to be used: Interfaces: async, group-async, BRI, PRI; other functionality: VPN user authentication
  AAA command element: ppp, network, vpn groups
6.2.2 Method List Options
Command element: type
  Identifies the type of list being created: authentication, authorization, or accounting.
Command element: default
  Specifies the default list of methods, made up of the methods that follow this keyword. The default list applies to every line or interface that has no named list applied; if you use the keyword default, a custom name is not used.
Command element: list-name
  Names a custom method list. The name is used when the list is applied to a line, such as vty lines 0–4.
Command element: method
  At least one method must be specified. To use the local user database, use the local keyword. A single list can contain up to four methods, tried in order from left to right; the router moves to the next method only when the current one is unavailable (returns an error), not when it rejects the credentials. For an authentication method list, the methods include the following:
  enable: The enable secret (or the enable password, if no secret is set) is used for authentication. This is a good last method in a list: if the earlier methods are not available (for example, the AAA server is down or not configured), the router times out on them and finally prompts for the enable secret.
  krb5: Kerberos 5 is used for authentication.
  krb5-telnet: The Kerberos 5 Telnet authentication protocol is used when connecting to the router with Telnet.
  line: The line password (the one configured with the password command on the individual line) is used for authentication.
  local: The local username database (running config) is used for authentication.
  local-case: Same as local, but the username is case sensitive.
  none: No authentication is performed; anyone who reaches the line is let in.
  group radius: A RADIUS server (or servers) is used for authentication.
  group tacacs+: A TACACS+ server (or servers) is used for authentication.
  group group-name: A subset of RADIUS or TACACS+ servers, defined with the aaa group server radius or aaa group server tacacs+ command, is used for authentication.
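The fall-through rule above is the part people misread, so here is a small model of how the router walks a login method list. This is an added example written for these notes (not IOS code and not from the original page); the method names mirror the list keywords, and the user databases, secrets and scenarios in it are constructed.

```python
"""Walk an IOS login method list the way the router does.

Added example, not from the page: the next method is consulted only when the
current one returns ERROR (server unreachable, username absent from the local
database, no enable secret configured).  A FAIL (wrong password) ends the walk
with a denial; later methods, including 'enable' and 'none', are never reached.
Databases and scenarios below are constructed for illustration.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # accepted: stop, allow
    FAIL = "fail"    # rejected: stop, deny
    ERROR = "error"  # method unavailable: fall through to the next one


Method = Callable[[str, str], Result]


def local(user_db: Dict[str, str]) -> Method:
    """'local': unknown user is ERROR (fall through); wrong password is FAIL."""
    def check(username: str, password: str) -> Result:
        if username not in user_db:
            return Result.ERROR
        return Result.PASS if user_db[username] == password else Result.FAIL
    return check


def enable(enable_secret: Optional[str]) -> Method:
    """'enable': no secret configured is ERROR; otherwise compare the secret."""
    def check(username: str, password: str) -> Result:
        if enable_secret is None:
            return Result.ERROR
        return Result.PASS if password == enable_secret else Result.FAIL
    return check


def group_tacacs(reachable: bool, server_db: Dict[str, str]) -> Method:
    """'group tacacs+': unreachable server is ERROR; any reply is PASS or FAIL."""
    def check(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if server_db.get(username) == password else Result.FAIL
    return check


def none() -> Method:
    """'none': always PASS, which is why it belongs only on a lab console."""
    return lambda username, password: Result.PASS


def walk(methods: List[Tuple[str, Method]], username: str,
         password: str) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Return (allowed, trail); trail records every method actually consulted."""
    trail: List[Tuple[str, Result]] = []
    for name, method in methods:
        result = method(username, password)
        trail.append((name, result))
        if result is not Result.ERROR:
            return result is Result.PASS, trail
    return False, trail  # every method errored and the list has no 'none': deny


# Constructed databases for the scenarios (not from the page).
TACACS_USERS = {"alice": "tacacs-pw"}
LOCAL_USERS = {"admin": "4Je7*1swEsf"}
ENABLE_SECRET = "ciscoenable"


def my_list_1(tacacs_up: bool) -> List[Tuple[str, Method]]:
    """Shape of the page's MY-LIST-1: group tacacs+ local enable."""
    return [("group tacacs+", group_tacacs(tacacs_up, TACACS_USERS)),
            ("local", local(LOCAL_USERS)),
            ("enable", enable(ENABLE_SECRET))]


def my_authen_list_1(enable_secret: Optional[str]) -> List[Tuple[str, Method]]:
    """Shape of the page's MY-AUTHEN-LIST-1: local enable none."""
    return [("local", local(LOCAL_USERS)),
            ("enable", enable(enable_secret)),
            ("none", none())]


if __name__ == "__main__":
    scenarios = [
        ("admin", "4Je7*1swEsf", my_list_1(False), "server down, good local password"),
        ("admin", "wrong", my_list_1(False), "server down, bad local password"),
        ("guest", "ciscoenable", my_list_1(False), "server down, unknown user, enable secret"),
        ("guest", "anything", my_authen_list_1(None), "no enable secret, unknown user, list ends in none"),
    ]
    for user, pw, lst, label in scenarios:
        print(f"{label}: {walk(lst, user, pw)}")
```

The second and last scenarios are the ones to remember: a wrong password for a known local user is a rejection, so the enable secret is never offered, while a list that ends in none lets an unknown user in the moment both earlier methods error out.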
6.3 Command References
service password-encryption
  Obfuscate most plaintext passwords in the configuration (type 7). This only hides them from a casual look at show run; type 7 is reversible, so use secret (a hash) wherever the command supports it.
aaa new-model
  Enable AAA features.
aaa authentication login default local
  Create a default method list for character-mode login that uses the local database (running config) on the router or switch.
enable view
  Enter the root parser view, from which you can create additional views. This requires that aaa new-model already be in the configuration.
privilege exec level 8 show startup-config
  Assign the show startup-config command to custom privilege level 8.
crypto key generate rsa
  Create the RSA public/private key pair required for SSH (a hostname and ip domain-name must exist first).
secure boot-image
  Secure the IOS image on flash.
aaa authentication login bubba local enable
  Create a login authentication method list called bubba that tries the local database first and, if the username does not exist there, falls back to the enable secret. A wrong password for an existing local user is a rejection, not a fallback.
line console 0
login authentication bubba
  Apply the method list named bubba to the console port.
6.4 Command Examples
Using Strong Passwords
R1(config)# username admin secret CeyeSc01$24
R1(config)# line console 0
R1(config-line)# password k4(1fmMsS1#
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password 8wT1*eGP5@
R1(config-line)# login
R1(config-line)# line aux 0
R1(config-line)# no exec
R1(config-line)# password 1wT1@ecP27
R1(config-line)# login
R1(config-line)# exit
R1(config)# do show run | include username
R1(config)# do show run | include password
R1(config)# service password-encryption
R1(config)# do show run | begin line
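What service password-encryption actually does to those line passwords, as an added example that is not part of the original notes: type 7 is a fixed-key XOR and is reversible by anyone holding the configuration. The script below implements the well-known algorithm in both directions and scans a constructed show run excerpt (sample values, not from the page) for every place type 7 strings turn up.

```python
"""Cisco type 7 (service password-encryption) is reversible obfuscation.

Added example, not from the page: the type 7 algorithm in both directions plus
a scan of a constructed show run excerpt.  A leaked config with `password 7`,
`key 7` or `md5 <hex> 7` lines is a plaintext credential leak; only `secret`
(a salted hash) survives.  SAMPLE_CONFIG and its values are constructed.
"""
import re
from typing import List, Tuple

# Fixed key stream shared by every IOS device; the two leading decimal digits
# of a type 7 string select the starting offset into it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as 094F471A1A0A."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 9) -> str:
    """Produce the type 7 string IOS would store for `plain` with this seed."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Type 7 shows up in two shapes: `password 7 <hex>` / `key 7 <hex>`, and the
# NTP form `md5 <hex> 7`, where the type number follows the value.
TYPE7_AFTER = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})\b")
TYPE7_BEFORE = re.compile(r"\bmd5 ([0-9A-Fa-f]{4,}) 7\b")


def recover_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 value found."""
    found: List[Tuple[str, str]] = []
    for line in config.splitlines():
        match = TYPE7_AFTER.search(line) or TYPE7_BEFORE.search(line)
        if match:
            found.append((line.strip(), decode_type7(match.group(1))))
    return found


# Constructed excerpt of a config saved after service password-encryption.
# The secret 5 line is a placeholder, not a real hash; it is deliberately
# not matched because a type 5 hash cannot be reversed this way.
SAMPLE_CONFIG = """\
service password-encryption
username admin secret 5 <md5crypt-hash-omitted>
tacacs-server key 7 030752180500
ntp authentication-key 1 md5 0505121F2A4957 7
line con 0
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{line:48} -> {plain}")
```

Treat every type 7 line in a configuration that has left the device as a plaintext credential and rotate it; keep username and enable secrets as secret (hashed) and prefer hashed forms such as SNMPv3 and SSH keys over shared strings the command can only obfuscate.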
Enabling AAA Services and Working with Method Lists
Once aaa new-model is entered, every line immediately authenticates against the default login list, so define the default list and a local user in the same session and keep the console session open until a fresh vty login succeeds.
R1(config)# aaa new-model
R1(config)# tacacs-server host 50.50.4.101
R1(config)# tacacs-server key ToUgHPaSsW0rD-1#7
R1(config)# aaa authentication login default local enable
R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable
R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local
R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+
R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+
R1(config)# username admin privilege 15 secret 4Je7*1swEsf
R1(config)# line vty 0 4
R1(config-line)# login authentication MY-LIST-1
R1(config-line)# authorization commands 1 TAC1
R1(config-line)# authorization commands 15 TAC15
R1(config-line)# accounting commands 1 TAC-act1
R1(config-line)# accounting commands 15 TAC-act15
Another Example of Creating and Applying a Custom Method List to vty Lines
The none method at the end of this list is reached only when both local and enable return an error (unknown username and no enable secret configured). That is still an open door, so keep a list like this to the lab.
R2(config)# aaa authentication login MY-AUTHEN-LIST-1 local enable none
R2(config)# line vty 0 4
R2(config-line)# login authentication MY-AUTHEN-LIST-1
R2(config-line)# exit
R2(config)# username bob secret ciscobob
R2(config)# enable secret ciscoenable
R2(config)# interface loopback 0
R2(config-if)# ip address 2.2.2.2 255.255.255.0
R2(config-if)# exit
R2(config)# logging buffered 7
R2(config)# end
R2# debug aaa authentication
R2# clear logging
R2# telnet 2.2.2.2
R2>
R2> who
R2> exit
R2# telnet 2.2.2.2
R2>
R2> exit
R2# telnet 2.2.2.2
Using debug Commands
R4(config-if)# ip address 4.4.4.4 255.255.255.0
R4(config-if)# exit
R4(config)# username admin privilege 15 secret cisco
R4(config)# aaa authentication login AUTHEN_Loc local
R4(config)# aaa authorization exec AUTHOR_Exec_Loc local
R4(config)# aaa authorization commands 15 AUTHOR_Com_15 local
R4(config)# line vty 0 4
R4(config-line)# login authentication AUTHEN_Loc
R4(config-line)# authorization exec AUTHOR_Exec_Loc
R4(config-line)# authorization commands 15 AUTHOR_Com_15
R4(config-line)# exit
R4(config)#
R4(config)# do debug aaa authentication
R4(config)# do debug aaa authorization
R4(config)# exit
R4# telnet 4.4.4.4
R4#
R4# config t
R4(config)#
Creating and Assigning Commands to a Custom Privilege Level
R2(config)# privilege exec level 8 configure terminal
R2(config)# enable secret level 8 0 NewPa5s123&
R2(config)# end
R2#
R2# disable
R2> show privilege
R2> enable ?
R2> enable 8
R2# show privilege
R2# configure terminal
R2# ?
Creating a Local User and Associating That User with Privilege Level 8, and Assigning Login Requirements on the vty Lines
R2(config)# username Bob privilege 8 secret Cisco123
R2(config)# line vty 0 4
R2(config-line)# login local
Creating and Working with Parser Views
R2(config)# enable secret aBc!2#&iU
R2(config)# aaa new-model
R2(config)# end
R2# enable view
R2#
R2# configure terminal
R2(config)# parser view New_VIEW
R2(config-view)# secret New_VIEW_PW
R2(config-view)# commands exec include ping
R2(config-view)# commands exec include all show
R2(config-view)# commands exec include configure
R2(config-view)# commands configure include access-list
R2(config-view)# exit
R2(config)# exit
R2# disable
R2> enable view New_VIEW
R2# show parser view
R2# configure terminal
R2(config)# ?
Associating a User Account with a Parser View
R2(config)# username Lois view New_VIEW secret cisco123
Preparing for SSH
Router(config)# hostname R1
R1(config)# crypto key generate rsa
(This first attempt is refused because no domain name is defined yet; the key pair is generated only after ip domain-name is set.)
R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa
R1(config)#
R1(config)# username Keith secret C1#kRk*ks
R1(config)# line vty 0 4
R1(config-line)# login local
Generating the key pair enables the SSH server but does not disable Telnet; add transport input ssh under the vty lines so that only SSH is accepted.
Preparing for SSH, continued (alternative using an AAA method list instead of login local)
R1(config)# aaa new-model
R1(config)# aaa authentication login Keith-List-1 local
R1(config)# line vty 0 4
R1(config-line)# login authentication Keith-List-1
R1# ssh -l Keith 10.1.0.1
R1>
R1> show ssh
Preparing for HTTPS
R1(config)# ip http secure-server
R1(config)# ip http authentication ?
R1(config)# ip http authentication local
Using Service Time Stamps with Syslog Events
R4(config)# interface fa0/0
R4(config-if)# shut
R4(config-if)#
R4(config)# service timestamps log datetime
R4(config)# int fa0/0
R4(config-if)# no shutdown
Add the msec keyword (service timestamps log datetime msec) when events from several devices must be ordered to the sub-second, and keep the clocks NTP-synchronized or the time stamps cannot be correlated.
CLI Equivalent Generated by CCP
logging 10.1.0.25
logging trap debugging
logging buffered 8192 informational
Output Created by CCP for Implementing SNMPv1
snmp-server location 10.1.0.26
snmp-server contact Bubba Jones
snmp-server community super-secret RW
snmp-server host 10.1.0.26 trap cisK0tRap^
SNMPv1 sends the community string in the clear, so an RW community gives configuration write access to anyone who can capture or guess it; restrict it with an access list, or use SNMPv3 with authentication and privacy instead.
Using Authentication via Keys with NTPv3 (CCP syntax delivered to router)
ntp update-calendar
ntp authentication-key 1 md5 pAs5w0rd!3@
ntp authenticate
ntp trusted-key 1
ntp server 55.1.2.3 key 1 source FastEthernet0/0 prefer
Verifying Synchronization for the NTP Client
R2# show ntp status
R2# show ntp associations
Creating a Secure Bootset
R6(config)# secure boot-image
R6(config)# secure boot-config
R6(config)# do show secure bootset
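Pulling the chapter's hardening items together, an added example (not part of the original notes) that audits a running-config text against them: AAA not enabled, a login method list ending in none, enable password instead of enable secret, vty lines still accepting Telnet or using a bare line password, RW or well-known SNMP communities, NTP without authentication, no syslog host, and plaintext HTTP management. The two configurations it checks are constructed for the example, and the check names and messages are this script's own.

```python
"""Audit an IOS running-config against the hardening items in this chapter.

Added example, not from the page: parses `show run` text and reports gaps a
reviewer would look for.  WEAK_CONFIG and HARDENED_CONFIG are constructed.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check id, message)
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def line_stanzas(config: str) -> Dict[str, List[str]]:
    """Return the indented children of each `line ...` stanza (vty, con, aux)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_config(config: str) -> List[Finding]:
    top = [l.rstrip() for l in config.splitlines() if l and not l.startswith(" ")]
    present = set(top)
    f: List[Finding] = []
    if "aaa new-model" not in present:
        f.append(("high", "aaa", "aaa new-model missing; lines use per-line passwords, no method lists"))
    if "service password-encryption" not in present:
        f.append(("low", "pwd-enc", "service password-encryption missing; line passwords stored in clear"))
    if not any(l.startswith("logging ") and re.search(r"\d+\.\d+\.\d+\.\d+", l) for l in top):
        f.append(("medium", "syslog", "no syslog host configured"))
    if "ip http server" in present:
        f.append(("medium", "http", "ip http server enabled; use ip http secure-server only"))
    if any(l.startswith("ntp server ") for l in top) and "ntp authenticate" not in present:
        f.append(("medium", "ntp-auth", "NTP client without ntp authenticate / trusted-key"))
    for l in top:
        if l.startswith("enable password "):
            f.append(("high", "enable-password", "enable password in use; replace with enable secret"))
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m and m.group(2).split()[-1] == "none":
            f.append(("high", "method-none",
                      f"list {m.group(1)} ends in none: login succeeds when every other method errors"))
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)\b", l)
        if m:
            name, mode = m.group(1), m.group(2)
            known = name.lower() in WELL_KNOWN_COMMUNITIES
            if mode == "RW" or known:
                f.append(("high", "snmp", f"community {name!r} is {mode}" + (" and well known" if known else "")))
    for stanza, kids in line_stanzas(config).items():
        if not stanza.startswith("line vty"):
            continue
        transports = [k for k in kids if k.startswith("transport input")]
        if transports != ["transport input ssh"]:
            f.append(("high", "vty-transport", f"{stanza}: transport input not restricted to ssh"))
        if "login" in kids:
            f.append(("medium", "vty-login", f"{stanza}: bare login uses the line password, not AAA/local users"))
    return f


# Constructed before/after configurations (addresses reuse the page's examples).
WEAK_CONFIG = """\
hostname R1
enable password cisco
snmp-server community public RW
ntp server 55.1.2.3
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
aaa new-model
aaa authentication login MY-LIST-1 group tacacs+ local enable
enable secret 5 <md5crypt-hash-omitted>
snmp-server community super-secret RO 10
ntp authenticate
ntp trusted-key 1
ntp server 55.1.2.3 key 1
logging 10.1.0.25
ip http secure-server
secure boot-image
line vty 0 4
 login authentication MY-LIST-1
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_config(cfg))} finding(s)")
        for severity, check, message in audit_config(cfg):
            print(f"  [{severity}] {check}: {message}")
```

Run it against a real show run export after the CCP-generated snippets above have been applied; the checks are deliberately string-level so they work on a saved config file without access to the device.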