Security is like an onion: we need to specify different layers of security. We could force each user to enter a password to reach a specific floor of a building, but for convenience we can issue swipe cards that let a user reach up to a certain floor (without entering a password) once they are inside the building.
Privilege levels [the router is a building with 15 levels]
- # prompt is privilege level 15
- > prompt is privilege level 1
- All commands available at a lower level are also available at every higher level
Move the ping command to privilege level 4
- (config)#privilege exec level 4 ping
Enter privilege level 4
- > enable 4
Check which privilege level you are in
- > show privilege
Enable secret [a password can be set for each level]
It can be used to lock down each level (think of levels 2 and above). By default, enable secret applies to level 15 (think of this as the 15th [topmost] floor of the building).
The following commands have the same effect (setting the password 'cisco123' at level 15):
- R1(config)#enable secret cisco123
- R1(config)#enable secret level 15 0 cisco123 (0 = password given in clear text)
- R1(config)#enable secret level 15 5 <MD5 hash of the password>
- R1(config)#enable secret 5 <MD5 hash of the password>
Username and password [the card issued to a user, specifying their maximum privilege]
Both a username and a password are required when connecting to the router (con, vty or aux), so set them first. The user's privilege level must be defined (15 [the highest position] means they can access everything):
R1(config)# username admin privilege 15 secret 0 cisco123
- This username is entered into the local database of the device
Secure entry points
- The user must show the card [specify both username and password] rather than just a password
- In technical terms, use the local database during login (login local)
- There are 3 entry points (the line password is not required once login local is used, but it is good practice):
  - line console 0
    - password <pwd>
    - login local
  - line aux 0
    - password <pwd>
    - login local
  - line vty 0 15
    - password <pwd>
    - login local
Lock down access methods to the router: using AAA
So far:
- We have been locking down each entry point individually
AAA stands for
- Authentication: prove your identity, e.g. that you are a legitimate user
- Authorization: what are you authorized to do? e.g. you can't go to level 15 because you are a user with privilege level 4
- Accounting: keep a record, e.g. "user1 went to level 5 at 5pm yesterday" is a record
Turn on AAA in the router
- (config)# aaa new-model
AAA defines rules that the router applies across all entry points (console, vty, aux)
- A method list is used to specify the rules
- There is a default method list
- The default method list is automatically applied everywhere until a more specific method list is applied
- We can define custom method lists, but we must specify where to apply them
Specify that the default method list uses the local database for authentication
- (config)# aaa authentication login default local (assumes a user exists in the local database)
Specify that the default method list uses the local database for authorization [optional]
- (config)# aaa authorization exec default local
- Before handing over the exec shell, the user's privilege level is checked in the local database
- This command is not applied to the console port
- If the local database is empty, we are locked out
- MAKE SURE a user exists in the local database, and only then: (config)# aaa authorization console
Test AAA
- #debug aaa authentication
- #debug aaa authorization
- R1#telnet r1
- #undebug all
Define custom method lists to access the router: using AAA
- Define a custom list 'CON-AUTHEN' for authentication: first check with the group of TACACS+ servers and, if they are unavailable, fall back to the enable secret (assumes an enable secret is set)
- (config)# aaa authentication login CON-AUTHEN group tacacs+ enable
- Define a custom list 'CON-AUTHUR' for authorization: provide no authorization
- (config)# aaa authorization exec CON-AUTHUR none
Apply these rules (custom method lists) to console 0
- line console 0
  - login authentication CON-AUTHEN
  - authorization exec CON-AUTHUR
Cool tips
1. R1(config)# security passwords min-length 8
2. If 10 login attempts are made within 60 seconds, block logins for 300 seconds
- R1(config)# login block-for 300 attempts 10 within 60
3. This is an alternative to the previous point, but point 2 is better
- R1(config)# aaa local authentication attempts max-fail 3
- Once 3 failed login attempts are made, the user is locked out
- show aaa local user lockout
- clear aaa local user lockout all
4. Use SSH and HTTPS
HTTPS (CCP will use HTTPS):
- ip http secure-server
- ip http authentication local
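As an added example (not part of the original notes), a small Python audit that reads a constructed running-config excerpt and reports which of the items above are missing: enable secret, login block-for, HTTPS instead of HTTP, console authorization, a username-and-password login on every line, and plaintext (type 0) credentials. The config text and the hash placeholder are constructed sample data, not from a real device.

```python
import re
# Constructed excerpt of a `show running-config` (sample data, not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret 5 $1$EXAMPLE$placeholder-hash-not-real
username backup privilege 1 password 0 cisco123
ip http server
line con 0
 login authentication CON-AUTHEN
line vty 0 15
 transport input ssh
"""
def line_blocks(config):
    # Map each `line ...` block to the indented commands configured under it.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    findings = []
    glob = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    aaa = "aaa new-model" in glob
    default_login = any(l.startswith("aaa authentication login default ") for l in glob)
    if not any(l.startswith("enable secret ") for l in glob):
        findings.append("no enable secret: level 15 is not locked down")
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+$", config, re.M):
        findings.append("no login block-for: brute-force attempts are not throttled")
    if "ip http server" in glob and "ip http secure-server" not in glob:
        findings.append("plaintext HTTP management enabled without HTTPS")
    if (any(l.startswith("aaa authorization exec default ") for l in glob)
            and "aaa authorization console" not in glob):
        findings.append("exec authorization is not applied to the console port")
    for line, cmds in line_blocks(config).items():
        explicit = any(c.startswith("login authentication ") for c in cmds)
        if aaa and not (explicit or default_login):
            findings.append(f"{line}: uses the default method list but none is defined")
        elif not aaa and "login local" not in cmds:
            findings.append(f"{line}: login does not require username and password")
    for m in re.finditer(r"^username (\S+) .*\b(?:password|secret) 0 ", config, re.M):
        findings.append(f"username {m.group(1)}: plaintext (type 0) credential in config")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the sample reports four findings; a config with no aaa new-model is instead checked for login local on every line.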
Fun
1. Who is connected to the device?
- #who OR #show users
- #show ssh
2. Create an alias c for configure terminal
- alias exec c config t
- show aliases