Configure Basic AP security through CLI

Name:
First name:
LP IRM – Nice Sophia-Antipolis
TP #004.2
Access Point Basic security configuration
using CLI
Table of Contents
Configure Basic AP security through CLI
Command List
Step 1 Configure basic AP settings
Step 2 Configure a new administrator account
Step 3 Configure accurate time (optional)
Step 4 Configure MOTD and login banner
Step 5 Configure SSH
Step 6 Configure SSH timeouts
Step 7 Configure local authentication and VTY
Step 8 Debug and verify SSH
Step 9 Syslog configuration
Configure Basic AP security through CLI
Objective
In this lab, the student will learn the following objectives:
• Password protect the console
• Define administrator accounts
• Configure accurate time and check firmware
• Configure SSH
o Limit VTY to SSH
o Access-list to secure SSH
• Disable telnet and web
• Send system logs (syslogs) remotely
Scenario
Basic configuration of an AP can be done through the GUI or IOS CLI.
[Figure: lab topology with P1 (2003Svr) and P2 (XPpro) connected to the AP]
Note: detail of the PCs below:
• 408px (where x = 1, 3, 5, 7, 9) is a Windows 2003 Server
• 408py (where y = 2, 4, 6, 8, 10) is an XP Pro
Students will learn to secure the AP through the CLI. The security policy of the company mandates that all
devices be locked down according to minimum standards. Also, SSH must be used for remote management,
as it provides strong authentication and secure communications over insecure networks. There are currently
two versions of SSH available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is currently
implemented in the Cisco IOS software.
Preparation
The student PC should be connected to the AP through an (isolated wired network or) crossover cable.
The AP should be set to factory defaults.
Team  x  y  AP Name  SSID  AP address      408px address  408py address
12    1  2  ap12     tp12  10.0.12.101/24  10.0.12.x/24   10.0.12.y/24
34    3  4  ap34     tp34  10.0.34.101/24  10.0.34.x/24   10.0.34.y/24
...
Tools and Resources
Each team will need:
• One AP (with all 4 antennas plugged in!)
• The AP power supply or source
• A PC that is connected to the same wired network as the AP (with one crossover cable)
• A wireless PC or laptop as a client
Additional Materials
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_installation_and_configuration_guide_book09186a0080147d69.html
See your instructor for:
http://kheops.unice.fr/~frati/Wireless/TP/ for this kind of documents
http://kheops.unice.fr/~frati/_TOOLS/ for networking and performance tools
http://kheops.unice.fr/~frati/_DRIVERS/ for Cisco, NetGear and 3Com software, drivers, docs, ...
Command List
In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed
during the lab exercise.
Step 1 Configure basic AP settings
a. Connect a Cisco rollover cable (console cable) between 408px and the AP.
b. Open a terminal emulator.
c. Press return to get started.
d. If there is an existing configuration on the AP, erase the configuration and reload.
e. Configure the hostname, SSID, and domain name according to the Preparation table.
apXY(config)#ip domain-name gtr.tp
f. Configure a 408py to connect to the AP. This will be used later in the lab to test the security configuration.
g. Remain on 408px to configure the following steps.
Step 2 Configure a new administrator account
One of the easiest ways for hackers to gain access to network devices is by using default usernames and
passwords.
a. Configure a new administrator account.
apXY(config)#username cIsCo123 password cIsCo123
b. In a production environment, it is necessary to delete the old account.
apXY(config)#no username Cisco password Cisco
c. Also, it is important to encrypt the passwords in the configurations if there are multiple administrator
accounts with various privilege levels. By default, this is enabled on the AP1240.
apXY(config)#service password-encryption
d. While in configuration mode, verify the user accounts and password encryption.
apXY(config)#do show run
e. Secure the console connection by requiring a password.
apXY(config)#line con 0
apXY(config-line)#login
apXY(config-line)#password cIsCo123
f. Exit out of the AP and log back in.
User Access Verification
Password:
g. A more secure method is to require a username and password combination. Return to configuration mode
and configure local authentication on the console.
apXY(config)#line con 0
apXY(config-line)#login local
h. Exit out of the AP and log back in using the username password combination configured in step 2a.
User Access Verification
Username:
Password:
apXY>
Write the result of the command down below, with your comments.
« show run »: interesting lines of the output
Comments
Step 3 Configure accurate time (optional)
In order to keep track on any potential attacks, it is important to maintain proper time.
a. Configure the correct time. Use the help feature if needed.
apXY#clock set 00:00:01 01 JAN 2007
b. Set the correct timezone
apXY(config)#clock timezone [name of time zone] [offset in hours]
Example:
apXY(config)#clock timezone Paris +1
c. (Optional if in the US) Configure daylight saving time. Use the help feature or command reference if needed.
apXY(config)#clock summer-time
d. Check the clock settings while in configuration mode.
apXY(config)#do show clock
Step 4 Configure MOTD and login banner
a. Configure a message-of-the-day (MOTD). The MOTD banner appears on all connected terminals at login
and is useful for sending messages that affect all network users (such as impending system shutdowns).
apXY(config)#banner motd #
This is a supposed secure site.
For access, contact the instructor.
#
apXY(config)#
b. Exit out of the console or telnet session to check the MOTD.
c. Configure a login banner. This banner appears after the MOTD banner and before the login prompt.
apXY(config)#banner login $
Access for authorized users only. Please enter your username and password.
$
apXY(config)#
d. Exit out of the console to check the banner.
Step 5 Configure SSH
In some circumstances, attackers may be able to use a packet analyzer to intercept telnet passwords, which
may enable them to gain access to the AP or other networking devices. The SSH protocol is a secure
replacement for telnet, providing both authentication and encryption.
First, begin by generating the asymmetric keys used in the SSH authentication process.
Generate RSA keys
a. Enter the following command in the configuration mode:
apXY(config)#crypto key generate rsa ?
b. What are the available help options for this command?
_______________________________________________________________
To enable SSH for local and remote authentication on the AP, enter the command crypto key generate rsa
and press Enter. The AP will respond with a message showing the naming convention for the keys.
c. What is the default size, in bits, of the key modulus?
_______________________________________________________________
d. Press Enter to accept the default key size and continue.
Step 6 Configure SSH timeouts
a. Configuring SSH timeouts and authentication retries is a way of providing additional security for the
connection. Use the command ip ssh {time-out seconds | authentication-retries integer} to enable timeouts
and authentication retries.
Set the SSH timeout to 15 seconds and the amount of retries to 3 by entering the following commands:
apXY(config)#ip ssh time-out 15
apXY(config)#ip ssh authentication-retries 3
1. What is the maximum timeout value allowed?
_______________________________________________________________
_______________________________________________________________
2. What is the maximum amount of authentication retries allowed?
_______________________________________________________________
_______________________________________________________________
Step 7 Configure local authentication and VTY
a. Use the following commands to define a local user and assign SSH communication to the vty lines:
apXY(config)# username cisco password student
apXY(config)# line vty 0 4
apXY(config-line)# transport input ssh
apXY(config-line)# login local
1. What are the available parameters for the transport input command?
_______________________________________________________________
_______________________________________________________________
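Steps 1 to 7 build up a minimum lockdown standard (domain name, password encryption, a non-default administrator account, login local on the console and the VTY lines, VTY limited to SSH, SSH timeout and retries) and the objectives also ask for the web server to be disabled and logs to be sent remotely. The Python script below is an added example, not part of this lab handout: it audits a saved "show run" text against those controls so a student can check an AP before handing it in. SAMPLE_RUNNING_CONFIG is a constructed excerpt, not output captured from an AP; its type-7 password strings and the syslog host 10.0.12.1 are made up, and the control names are this script's own.

```python
"""Audit a Cisco IOS 'show run' text against the lab's lockdown standard.

Added example, not part of the lab handout. SAMPLE_RUNNING_CONFIG is a
constructed excerpt mirroring the commands entered in Steps 1-7 (the type-7
password strings are made up); a real AP's 'show run' will contain more.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
version 12.3
service password-encryption
hostname ap12
ip domain-name gtr.tp
username cIsCo123 password 7 0822455D0A16
username Cisco password 7 0822455D0A16
ip ssh time-out 15
ip ssh authentication-retries 3
ip http server
logging 10.0.12.1
line con 0
 login local
line vty 0 4
 transport input ssh
 login local
end
"""


def parse_sections(config_text):
    """Split running-config text into {top-level command: [indented sub-commands]}.

    Every unindented line is also collected under the 'global' key, so global
    settings (usernames, ip ssh ..., logging ...) can be checked in one place.
    """
    sections = {"global": []}
    current = "global"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections["global"].append(current)
            sections.setdefault(current, [])
    return sections


def _int_argument(commands, prefix):
    """Integer following the first command that starts with prefix, else None."""
    for cmd in commands:
        if cmd.startswith(prefix):
            try:
                return int(cmd[len(prefix):].split()[0])
            except (IndexError, ValueError):
                return None
    return None


def audit(config_text, max_timeout=15, max_retries=3):
    """Return {control name: passed?} for each minimum-standard control."""
    s = parse_sections(config_text)
    g = s["global"]
    vtys = [body for name, body in s.items() if name.startswith("line vty")]
    timeout = _int_argument(g, "ip ssh time-out ")
    retries = _int_argument(g, "ip ssh authentication-retries ")
    return {
        # RSA key generation (Step 5) needs a domain name
        "domain_name_set": any(c.startswith("ip domain-name ") for c in g),
        "password_encryption": "service password-encryption" in g,
        # an administrator account other than the factory 'Cisco' one
        "admin_account_defined": any(re.match(r"username (?!Cisco\b)\S+ ", c) for c in g),
        "default_account_removed": not any(re.match(r"username Cisco\b", c) for c in g),
        "console_login_local": "login local" in s.get("line con 0", []),
        # 'transport input ssh' exactly: 'transport input ssh telnet' still allows telnet
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in v for v in vtys),
        "vty_login_local": bool(vtys) and all("login local" in v for v in vtys),
        "ssh_timeout_ok": timeout is not None and 1 <= timeout <= max_timeout,
        "ssh_retries_ok": retries is not None and 1 <= retries <= max_retries,
        # the lab objective 'disable telnet and web'
        "http_server_disabled": "ip http server" not in g,
        "remote_syslog": any(re.match(r"logging (host )?\d", c) for c in g),
    }


def findings(config_text):
    """Names of the controls that fail, in audit order."""
    return [name for name, ok in audit(config_text).items() if not ok]


if __name__ == "__main__":
    for control, ok in audit(SAMPLE_RUNNING_CONFIG).items():
        print(("PASS" if ok else "FAIL"), control)
```

Run against the sample, the audit reports two failures: the factory account Cisco is still present (Step 2b was skipped) and ip http server is still enabled. Note that the VTY check requires transport input ssh on its own; a line that still reads transport input ssh telnet leaves telnet reachable and is reported as a failure.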
Step 8 Debug and verify SSH
Enable debugging
a. Enable debugging of SSH by entering the following commands:
apXY(config)#logging on
apXY(config)#exit
apXY#terminal monitor
apXY#debug ip ssh
b. Browse the SSH debug output log messages.
c. Next, open another instance of the SSH client and connect to the AP. Use the correct username
and password to log in to the AP.
d. To get an idea of the debugging process and the debugging message, open another instance of the SSH
client and intentionally enter the wrong username or password. View the debugging output for failed
authentication.
e. Briefly describe what is logged.
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
Step 9 Syslog configuration
a. Tftp32 can be configured to act as a syslog server. Briefly describe the logging command to use in order
to set it up, and write down the format of some events.
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
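Once the AP sends its messages to a syslog server, the failed logins seen in the Step 8 debug output become log lines that can be processed automatically. The Python script below is an added example, not part of this lab handout: it parses lines in the Cisco IOS syslog format (PRI, sequence number, timestamp, then %FACILITY-SEVERITY-MNEMONIC), checks that the severity encoded in PRI agrees with the one in the message, and counts LOGIN_FAILED messages per source address, flagging sources that reach the lab's authentication-retries value of 3. SAMPLE_SYSLOG is constructed; the mnemonics and wording are assumed, and the messages a real AP emits depend on its IOS version and logging configuration.

```python
"""Parse Cisco IOS syslog lines and flag repeated failed logins.

Added example, not part of the lab handout. SAMPLE_SYSLOG is a constructed set
of lines in the IOS syslog format; the mnemonics and wording are assumed and the
messages a real AP emits depend on its IOS version and logging configuration.
"""
import re
from collections import Counter

# Constructed sample of what the syslog server might receive from ap12.
SAMPLE_SYSLOG = [
    "<189>21: *Mar  1 00:10:02.114: %SYS-5-CONFIG_I: Configured from console by cIsCo123 on console",
    "<188>22: *Mar  1 00:11:40.301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.12.2] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>23: *Mar  1 00:11:52.880: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Cisco] [Source: 10.0.12.2] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>24: *Mar  1 00:12:05.017: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cIsCo123] [Source: 10.0.12.2] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>25: *Mar  1 00:12:30.442: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cIsCo123] [Source: 10.0.12.2] [localport: 22]",
    "this line is not a syslog message and must be rejected",
]

# <PRI>SEQ: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<seq>\d+): "
    r"(?P<ts>\*?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Return the fields of one IOS syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["syslog_facility"] = pri // 8  # PRI = facility * 8 + severity
    rec["syslog_severity"] = pri % 8
    rec["severity"] = int(rec["severity"])
    rec["seq"] = int(rec["seq"])
    # the severity inside the message should agree with the one encoded in PRI
    rec["severity_consistent"] = rec["syslog_severity"] == rec["severity"]
    for key in ("user", "Source"):
        found = re.search(r"\[%s: ([^\]]+)\]" % key, rec["text"])
        rec[key.lower()] = found.group(1) if found else None
    return rec


def count_mnemonics(lines):
    """How many times each message type appears (unparseable lines are skipped)."""
    return Counter(rec["mnemonic"] for rec in map(parse_line, lines) if rec)


def failed_login_sources(lines, threshold=3):
    """Map source address -> number of LOGIN_FAILED messages, keeping only the
    sources at or above threshold (the lab's authentication-retries value)."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["mnemonic"] == "LOGIN_FAILED" and rec["source"]:
            counts[rec["source"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(dict(count_mnemonics(SAMPLE_SYSLOG)))
    print(failed_login_sources(SAMPLE_SYSLOG))
```

On the sample, the three LOGIN_FAILED lines from 10.0.12.2 (two of them against the default username) reach the threshold and the address is reported; the non-syslog line is rejected rather than crashing the parser, which matters on a UDP syslog feed where anything can arrive.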
Disable debugging
apXY#undebug all
All possible debugging has been turned off
Viewing SSH sessions
b. Use the show ssh command to view the active SSH sessions.
Viewing SSH parameters
c. To display the version information and SSH parameters, use the show ip ssh command.
d. Is the output displayed exactly as the output below? If not, what are the differences?
_______________________________________________________________
_______________________________________________________________
apXY>sh ip ssh
Fill in the blanks:
SSH Enabled - version _____________
Authentication timeout: _____________ secs; Authentication retries: ________
e. If the configuration was saved to flash, erase the startup configuration and reload the AP.
apXY#erase startup-config
apXY#reload