Methods of User EXEC Access

This section discusses how you can secure user EXEC access to your Cisco IOS router. It focuses only on
local solutions available on the router itself.
Two levels of access to a Cisco router exist:
- User EXEC: Used for basic troubleshooting processes
- Privileged EXEC: Used for detailed troubleshooting and configuration
Both of these methods support authentication. Within user EXEC access, however, the Cisco IOS
differentiates between local and remote access. Local access is done through the console or auxiliary
port, where you use the Cisco IOS command-line interface (CLI) to interact with the Cisco IOS and
the device.
Remote access can be performed in a multitude of ways.
Local Access: Console and Auxiliary
To assign a static password to the console line, use the following configuration:
Router(config)# line console 0
Router(config-line)# password password
The password that you enter in the password command is a clear-text password. When you examine
the output from the show running-config command, you will see the actual password in the
configuration:
line con 0
password cisco
logging synchronous
Obviously, this is a problem if someone is looking over your shoulder or if you back up your
configuration to a TFTP server with the copy running-config tftp command.
The two solutions discussed later remedy this problem:
- encrypting the clear-text password, and
- using a secure form of copying your configuration to an external server without having to use
TFTP, which lacks any authentication and encryption method.

If your router has an auxiliary line, you can assign it a password with basically the same
configuration:
Router(config)# line aux 0
Router(config-line)# password password
NOTE
Most passwords that you configure on your router can be from 1 to 25 characters, and the first
character cannot be a number. You can have leading spaces before the password, but they are
ignored. However, any trailing spaces after the password become a part of the password. You can
include a ? in a password by first using the Ctrl-V sequence and then typing in the ?, like this:
alphaCtrl-V?987. This creates a password of alpha?987.
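As an added illustration (this is not code from the book), the following Python reproduces the password rules just described so that a password can be checked before it is typed into a line: leading spaces are dropped, trailing spaces are kept, the first character may not be a digit, the length must be 1 to 25, and a ? must be escaped with Ctrl-V. The Ctrl-V keystroke is modelled as the byte 0x16, which is an assumption about how the keystroke is represented, and the sample passwords are constructed.

```python
from typing import List

CTRL_V = "\x16"  # assumption: the Ctrl-V keystroke represented as its control byte


def normalize_ios_password(typed: str) -> str:
    """Return what the router would store from what was typed at the prompt.

    Leading spaces are ignored, trailing spaces are kept, and a character
    preceded by Ctrl-V (for example '?') is taken literally.
    """
    typed = typed.lstrip(" ")  # leading spaces are discarded by the CLI
    stored: List[str] = []
    i = 0
    while i < len(typed):
        if typed[i] == CTRL_V and i + 1 < len(typed):
            stored.append(typed[i + 1])  # Ctrl-V: next character is literal
            i += 2
        else:
            stored.append(typed[i])
            i += 1
    return "".join(stored)


def check_ios_password(typed: str) -> List[str]:
    """List the problems a password typed as 'typed' would run into."""
    stored = normalize_ios_password(typed)
    issues: List[str] = []
    if not 1 <= len(stored) <= 25:
        issues.append(f"length {len(stored)} is outside 1..25")
    if stored[:1].isdigit():
        issues.append("first character is a digit")
    # a '?' that is not escaped with Ctrl-V invokes CLI help instead of
    # becoming part of the password
    if "?" in typed.replace(CTRL_V + "?", ""):
        issues.append("unescaped '?' triggers CLI help; prefix it with Ctrl-V")
    if stored != stored.rstrip(" "):
        issues.append("trailing space(s) become part of the stored password")
    return issues


if __name__ == "__main__":
    # constructed sample: the book's alphaCtrl-V?987 example, typed with leading spaces
    for candidate in ["  alpha" + CTRL_V + "?987", "cisco  ", "9lives", "who?"]:
        print(repr(normalize_ios_password(candidate)), check_ios_password(candidate))
```

The trailing-space rule is the one that locks administrators out in practice: a password pasted with a trailing space is accepted silently and then never matches what is typed later.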
CAUTION
Remember that the password Line Configuration mode command does not encrypt passwords by
default; it stores them in clear text. I highly recommend that you not use the password command as
your authentication method because all administrators who access the line must use the same
password. This makes accountability difficult. Typically, this is used as a last resort. I recommend
either a local user and password database, discussed in the "Local Authentication Database
To allow access through the auxiliary or VTY lines, use one of the following two configurations:
Router(config)# line aux 0
Router(config-line)# [no] login [local]
or:
Router(config)# line vty 0 4
Router(config-line)# [no] login [local]
The login command, by itself, specifies the use of authentication. By default, it checks for a password
configured with the password line-configuration command. If this does not exist, the user is not
allowed access. To disable authentication checking, use the no login command. Note that this is never
recommended for any type of connection, whether local or remote access.
NOTE
Even if the Cisco IOS does not check a password for user EXEC access, a password still must be
configured for privileged EXEC access for remote-access connections. Otherwise, the user is not
allowed access to user and privileged EXEC mode. This process is not true concerning the console
line.
Optionally, you can override the use of the password configured on the line and use other methods,
such as a local username and password database, by specifying login local (discussed later in this
chapter in the "Local Authentication Database" section), or use external authentication using a
security server (discussed in Chapter 5). Remember my earlier caution: Use either of these two
methods to secure line access, preferably the latter one.
TIP
Always put some method of authentication on all your lines, even ones that you are not using, such as
the auxiliary line. This ensures that later someone does not set up a new line connection inadvertently
and forget to secure it.
Login Connection Timeouts
By default, console, auxiliary, and Telnet (VTY) sessions time out after 10 minutes of idling. You can
override this with the exec-timeout command, shown here:
Router(config)# line type #
Router(config-line)# exec-timeout minutes seconds
You must specify the minutes and seconds for the timeout. Optionally, you can specify 0 and 0 for the
minutes and seconds, specifying an infinite timeout. I never recommend this for a production router,
but only for lab situations, such as practicing for the CCIE Router and Switch or Security lab exam.
This simple example sets the timeout to 5 minutes for Telnet sessions:
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 5 0
To view your timeouts, use the show line command. Based on my previous configuration, Example 3-1
shows the partial output of this command.
Remote Access
Compared to local access, in which you can access user EXEC mode only through the console or
auxiliary line, you can access your router remotely in quite a few ways. These methods include
Telnet, RSH, SSH, HTTP and HTTPS, and SNMP. The following sections cover the configurations
and issues with these approaches.
VTY (Telnet)
Cisco uses VTY lines to handle incoming and outgoing Telnet connections. VTYs are basically logical
lines: The Cisco IOS treats them as a physical line from a configuration and operation perspective,
but they are not something that you physically can touch with your hands.
You already know how to set up basic authentication on a VTY. Here is a simple example:
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
This sets up basic Telnet access to your router.
CAUTION
Telnet sends user information across the network in clear text. Remember that if you are using this
router as part of a firewall system, you want to keep it as secure as possible. You could get around
the Telnet password issue by using token cards and a token card server, but all other information that
you type in the Telnet router session is sent in clear text.
Figure 1
Router(config)# access-list 1 permit 172.16.3.10
Router(config)# access-list 1 permit 172.16.3.11
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
Router(config-line)# access-class 1 in
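The line-level rules from the preceding sections (login versus no login, shared clear-text line passwords, exec-timeout 0 0, and VTY lines that accept Telnet or have no access-class) can be checked mechanically against a saved running-config. The following Python auditor is an added example, not code from the book; the two configuration excerpts it carries are constructed, and the type 7 check relies on the standard IOS convention that a line password stored as "password 7 ..." is a reversible encoding rather than clear text.

```python
import re
from typing import Dict, List

# Constructed running-config excerpts (not captured from a real router):
# one with the weaknesses the text warns about, and one hardened.
WEAK_CONFIG = """\
hostname edge-fw
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
 no login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname edge-fw
!
access-list 1 permit 172.16.3.10
!
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands of every 'line ...' section under its name."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        if re.match(r"line\s+(con|aux|vty)(\s+\d+)*$", raw.strip()):
            current = raw.strip()[len("line "):]
            blocks[current] = []
        else:
            current = None  # any other top-level command ends the line section
    return blocks


def audit_line(name: str, cmds: List[str]) -> List[str]:
    """Apply the section's line-security rules to one line block."""
    findings: List[str] = []
    login = [c for c in cmds if c == "login" or c.startswith("login ")]
    password = next((c.split() for c in cmds if c.startswith("password ")), None)

    if "no login" in cmds or not login:
        findings.append("authentication disabled (no login, or login missing)")
    elif login[0] == "login" and password:
        findings.append("shared line password: every administrator uses the same secret")
    elif login[0] == "login":
        findings.append("login set but no password: all connection attempts are refused")

    if password:
        if password[1] == "7":
            findings.append("line password stored as type 7 (reversible encoding)")
        else:
            findings.append("line password stored in clear text in the configuration")

    timeout = next((c.split() for c in cmds if c.startswith("exec-timeout ")), None)
    if timeout and timeout[1:3] == ["0", "0"]:
        findings.append("exec-timeout 0 0: idle sessions never time out")

    if name.startswith("vty"):
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input ")), None)
        if transport != ["ssh"]:
            findings.append("transport input is not restricted to ssh (Telnet is clear text)")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append("no inbound access-class: any source address may connect")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return {line name: findings} for every line block with at least one finding."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_line_blocks(config).items():
        findings = audit_line(name, cmds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(WEAK_CONFIG).items():
        print(f"line {name}")
        for finding in findings:
            print(f"  - {finding}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak excerpt, the auditor reports the console's shared clear-text password, the auxiliary line's missing authentication, and five problems on the VTY lines; the hardened excerpt produces an empty report.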
Secure Shell
Two versions of SSH are available: version 1 and version 2. In most Cisco IOS versions, Cisco
supports an enhanced version of version 1, called 1.5; however, starting in Cisco IOS 12.3T and later
versions of 12.1E, Cisco also supports SSHv2.
Two components are required for SSH to function:
- Server
- Client
The SSH server provides a secure connection, which is encrypted, to the Cisco IOS CLI. This
connection is similar to an encrypted Telnet connection. The SSH client runs the SSH protocol to
connect to an SSH server, and it must support the Data Encryption Standard (DES) or 3DES as well
as password authentication. DES and 3DES are discussed in more depth in Chapter 19, "IPSec Site-to-Site
Connections." Authentication is performed in a normal fashion: Users can be authenticated
using local mechanisms or by using an external security server. Cisco routers support both server and
client connections.
SSH Server Configuration
Before setting up SSH, you must install a Cisco IOS image that supports DES or 3DES (this requires
the image to support IPSec). For both router client and server functions to work, you need at least
Cisco IOS 12.1(3)T.
When you have installed the appropriate Cisco IOS software, you can begin your Cisco IOS
configuration. You should perform these six steps:
Step 1. Assign a name to the router (required).
Router(config)# hostname router_name
Step 2. Assign a domain name to the router (required).
Router(config)# ip domain-name DNS_domain_name
Step 3. Generate your encryption keys (required).
Router(config)# crypto key generate rsa
You must assign a router and domain name before executing this command; otherwise, you
will get an error message. Cisco recommends that you use a key size of at least 1024 bits.
When you execute this command, it does not appear in the running or saved configuration.
Also, if you need to generate a new key pair, first use the crypto key zeroize rsa command.
Step 4. Set up your VTY access for SSH (optional, but recommended):
Router(config)# username name secret password
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
For SSH access, you must use a username and password by setting up either a local
authentication database or an authentication server. The username and login local
commands set up local authentication. This is true of most SSH clients that I have dealt with.
Step 5. Tune the SSH server (optional).
Router(config)# ip ssh {[timeout seconds] | [authentication-retries integer]}
Optionally, you can specify a timeout, in seconds, for initiating an SSH connection. If the
connection cannot be established in this time period, the connection fails. You also can limit
the number of authentication retries for a connection upon an invalid authentication attempt
(the default is 3). Other parameters exist for this command, but these are the two most
common ones. If you cannot execute this command, it is because you have not generated
your encryption keys with the crypto key generate rsa command. After the user has
authenticated and established an SSH connection to the router, the Cisco IOS uses the VTY
idle timeout (exec-timeout command) to monitor the session.
Step 6. Verify SSH server operation (optional).
Router# show ssh
Router# show ip ssh
Web Browser
Cisco supports the use of a web browser to access and manage a Cisco router. This is a nice feature
for administrators who find the Cisco IOS CLI intimidating.
NOTE
Even though the GUI interface of a web browser presents a user-friendly front end to the router's
Cisco IOS, you cannot perform all configuration and management options from a web browser.
Therefore, in many cases, you still need to access the Cisco IOS CLI to perform configuration and
management tasks.
By default, the HTTP server function on the router is disabled. To configure HTTP access, use the
following steps:
Step 1. Enable the HTTP server (required).
Router(config)# ip http server
Step 2. Define an authentication method (highly recommended).
Router(config)# ip http authentication {aaa | enable | local}
Step 3. Restrict access through HTTP (highly recommended).
Router(config)# ip http access-class standard_ACL_#
This command enables you to restrict, based on the source IP address of the client, which
devices are allowed HTTP or HTTPS access to the router.
Step 4. Change the HTTP port number (optional).
Router(config)# ip http port port_#
By default, the Cisco IOS uses port 80 for HTTP connections; however, you can change this
port to a different number with the ip http port command. By changing the port number to a
nonstandard one, you make it more difficult for a hacker to determine that you are running a
web server on the router.
Step 5. Change the location of HTML files (optional).
Router(config)# ip http path URL_location
Typically, you will not use this command: It sets the base HTTP location path for HTML files
on the router. By default, these files are located in Flash, but you can move them to a different
location, such as a PCMCIA card, if you do not have enough space in Flash for your Cisco
IOS. Here is a simple example of doing this:
ip http path slot0
Step 6. Restrict the number of HTTP connections (recommended).
Router(config)# ip http max-connections #_of_connections
Example 3-7. HTTP Server Configuration
Only two devices are allowed HTTP access to the router: 172.16.3.10 and 172.16.3.11. Both
administrators have accounts set up, and the router uses the local authentication database
(username commands) to perform the authentication. One interesting thing to point out about the
username commands is the privilege 15 reference.
Router(config)# access-list 1 permit 172.16.3.10
Router(config)# access-list 1 permit 172.16.3.11
Router(config)# username richard privilege 15 secret bigXdogYlover
Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
Router(config)# ip http server
Router(config)# ip http authentication local
Router(config)# ip http access-class 1
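The SSH server steps and the HTTP server steps above both have ordering and completeness requirements that are easy to get wrong when the commands are scripted: key generation fails unless the hostname and domain name are already set, the RSA key should be at least 1024 bits, user accounts should use secret rather than a clear-text password, and an enabled HTTP server should have an authentication method, an access class, and a connection limit. The following Python checks a command script for exactly those points before it is pushed to a router. It is an added example, not code from the book; the scripts are constructed (hostname, domain, and accounts are hypothetical), the key size is passed with the IOS modulus keyword, which the book does not show, and the default hostname is assumed to be Router.

```python
import re
from typing import Dict, List, Set

# Constructed command script following the book's SSH and HTTP steps
# (hypothetical hostname, domain and accounts; not from a real device).
SSH_HTTP_SCRIPT = [
    "hostname edge-fw",
    "ip domain-name example.net",
    "crypto key generate rsa modulus 2048",  # modulus keyword: real IOS syntax, not shown in the book
    "username richard privilege 15 secret bigXdogYlover",
    "ip ssh timeout 60",
    "ip ssh authentication-retries 3",
    "access-list 1 permit 172.16.3.10",
    "ip http server",
    "ip http authentication local",
    "ip http access-class 1",
    "ip http max-connections 2",
]

# Constructed script with the mistakes the checker is meant to catch.
BAD_SCRIPT = [
    "crypto key generate rsa modulus 512",   # before hostname/domain, and too small
    "hostname edge-fw",
    "username natalie privilege 15 password BIGxDOGyLOVER",  # password instead of secret
    "ip http server",
    "ip http access-class 1",                # ACL 1 never defined; no auth, no limit
]


def audit_ssh_http(script: List[str]) -> List[str]:
    """Return a list of problems found in an ordered IOS command script."""
    findings: List[str] = []
    hostname = None
    domain = None
    acls: Set[str] = set()
    http: Dict[str, List[str]] = {}

    for idx, cmd in enumerate(c.strip() for c in script):
        if cmd.startswith("hostname "):
            hostname = cmd.split(maxsplit=1)[1]
        elif cmd.startswith("ip domain-name "):
            domain = cmd.split(maxsplit=2)[2]
        elif cmd.startswith("access-list "):
            acls.add(cmd.split()[1])
        elif cmd.startswith("crypto key generate rsa"):
            # the router refuses key generation until both names exist
            if hostname in (None, "Router") or domain is None:
                findings.append(f"[{idx}] crypto key generate rsa before hostname and ip domain-name are set")
            m = re.search(r"modulus\s+(\d+)", cmd)
            if m and int(m.group(1)) < 1024:
                findings.append(f"[{idx}] RSA modulus {m.group(1)} is below the recommended 1024 bits")
        elif cmd.startswith("username "):
            parts = cmd.split()
            if "secret" not in parts:
                findings.append(f"[{idx}] username {parts[1]} does not use 'secret'")
        elif cmd.startswith("ip http "):
            parts = cmd.split()
            http[parts[2]] = parts[3:]

    if "server" in http:
        for needed in ("authentication", "access-class", "max-connections"):
            if needed not in http:
                findings.append(f"ip http server enabled without ip http {needed}")
        acl = http.get("access-class")
        if acl and acl[0] not in acls:
            findings.append(f"ip http access-class {acl[0]} references an ACL that is not defined")
    return findings


if __name__ == "__main__":
    print("good script:", audit_ssh_http(SSH_HTTP_SCRIPT))
    for finding in audit_ssh_http(BAD_SCRIPT):
        print("bad script:", finding)
```

The checker deliberately inspects the script rather than the resulting running-config, because, as the text notes, the crypto key generate rsa command never appears in the configuration, so a config-based audit cannot tell whether the key was generated after the names were set.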