Managing Arrangement Devices
The policy to control access to network devices should be one of the first components of the
access policy. All devices at every layer in the campus network should have a plan to provide
for the following:
• Physical security
• Passwords
• Privilege levels to allow limited access to a network device
• Limiting virtual terminal or Telnet access
Physical Access
Virtually all devices provide a way of gaining control of a given device, assuming that you have
physical access to it. That is why defining a physical access policy is so important. If the
physical device isn’t secured, chances are your network isn’t secured either. Therefore, every
network device should be secured in some manner.
You can physically secure your network by doing the following:
• Establish a configuration, control, and change management policy for all devices at each
of the respective layers.
• Establish a security plan for all physical locations. Include details on physical and link
security.
• Provide the proper physical environment. The physical environment should have
provisions for locking the room, proper ventilation and temperature controls, and backup
power.
• Control direct access to the device. Lock racks when possible and apply passwords to the
console and auxiliary ports. Disable ports not being used, such as the auxiliary port.
• Secure access to network links. Provide the same type of security for the wiring closet that
you would for the physical equipment.
Passwords
There are several different ways to access every Cisco device. Every method of accessing the
device should have a password applied to prevent unauthorized access.
Out-of-band management options include the console port and the auxiliary port.
In-band management options include Trivial File Transfer Protocol (TFTP) servers and Simple
Network Management Protocol (SNMP)-based network management systems, such as
CiscoWorks 2000.
Managing Network Devices 401
Virtual terminal ports are used for terminal access and are referred to as vty ports. There
are five vty ports by default on each Cisco device. You can create more vty ports if you need to
have more than five users accessing a device simultaneously. Example 12-1 demonstrates how
you would configure passwords for the console port and the vty ports on a Cisco device.
The login option that appears in Example 12-1 indicates where to find the login information. If
the login is specified without a keyword, as in the case of the console port, the system will use
the line as the login. The user will be prompted for the password of the line itself (in this case,
lisbon). The other options indicate that a specific user must log in. The keyword after login
indicates where to find the user information. The login local statement indicates that the
information will be found locally in the username student password cisco statement. Other
options include login authentication or login tacacs. These options indicate that the login
information is contained on a centralized authentication server. Centralizing usernames,
passwords, and profile information makes maintaining a large number of users or devices
easier.
It is recommended that users log in to the network with a username and password rather than
having everyone use the password of the line. Having users log in to the device makes it easier
to track who has access and when.
By default, passwords are stored in clear text format in the router’s configuration. The only
exception to this is the enable secret password, which is automatically encrypted. Password
encryption can be compromised, so it should be used in combination with other methods of
security.
NOTE Additional information on Terminal Access Controller Access Control System Plus (TACACS+) and
other authentication services is covered in the Cisco IOS Security Configuration Guide.
Assigning passwords prevents users from initiating a session with the network device. If the
console is left unattended in privileged mode, any user can modify the network device’s
configuration. A timeout for an idle session provides additional security. Example 12-2
demonstrates configuring a session timeout for console and vty ports.
Example 12-1 Modifying Console Port Passwords on a Cisco Device
R1(config)#line console 0
R1(config-line)#login
R1(config-line)#password lisbon
R1(config)#enable password bilbao
R1(config)#login local
R1(config)#username student password cisco
402 Chapter 12: Controlling Access in the Campus Environment
NOTE In Example 12-2, the two numbers (5 and 10) following exec-timeout indicate minutes and
seconds. These figures should be long enough to do configuration work but short
enough to not leave the session open for extended periods.
Routers and high-end switches calculate timeouts in minutes. An option is also available to
calculate seconds in addition to minutes on routers. The Cisco IOS command-based switches
calculate timeouts in seconds.
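As an added example (not from the book), the following Python script audits a saved running-config for the controls discussed above: a login on the console and vty lines with a line password behind a bare login, an exec-timeout on every line, an enable secret rather than only a clear-text enable password, and an access-class on the vty lines. The sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample running-config (not from the book): a clear-text enable
# password with no enable secret, a console line without exec-timeout, and
# vty lines that use bare 'login' but set no line password.
SAMPLE_CONFIG = """\
enable password bilbao
username student password cisco
!
line console 0
 login
 password lisbon
!
line vty 0 4
 login
 exec-timeout 5 2
"""

def parse_lines(config):
    """Return {'line ...': [indented sub-commands]} for every line section."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the section
    return sections

def audit(config):
    """Return sorted findings for the line and password controls described above."""
    findings = []
    if re.search(r"^enable password ", config, re.M) and not re.search(r"^enable secret ", config, re.M):
        findings.append("global: enable password is clear text and no enable secret is set")
    for name, cmds in parse_lines(config).items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no login, so no password is ever requested")
        # Bare 'login' authenticates against the line password, so one must exist.
        if "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: 'login' set but no line password")
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
        if name.startswith("line vty") and not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{name}: no access-class, any source may attempt Telnet")
    return sorted(findings)
```

Run audit() over the output of show running-config saved to a file; an empty list means every line carries the controls this section calls for.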
Privilege Levels
The two default levels of access are user and privileged. The user level allows the user to
perform certain commands but does not give them the ability to modify the configuration or
perform a debug. At the other end of the spectrum, the privileged level allows the user to issue
all commands, including configuration and debug commands.
Cisco IOS provides different levels of privileges for users with the use of the privilege level
command. This command allows network administrators to provide a more granular set of
rights to Cisco network devices.
There are 16 different levels of privilege that can be set, ranging from 0 to 15. Level 1 is the
default user EXEC privilege. The highest level, 15, allows the user to have all rights to the
device. Level 0 can be used to specify a more limited subset of commands for specific users or
lines. For example, you can allow user “guest” to use only the show users and exit commands.
At other privilege levels, you must specify the commands that the privilege level should be able
to complete. Example 12-3 demonstrates the ability to set privilege levels above that of the
EXEC user but below that of the full enable level.
Example 12-2 Configuring Session Timeouts for Console and vty Ports on a Cisco Device
R1(config)#line console 0
R1(config-line)#exec-timeout 5 10
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 5 2
Example 12-3 Setting Privilege Levels on a Cisco Device
R1(config)#privilege configure level 3 username
R1(config)#privilege configure level 3 copy run start
R1(config)#privilege configure level 3 ping
R1(config)#privilege configure level 3 show run
R1(config)#privilege configure level 3 show
R1(config)#enable secret level 3 cisco
Use the privilege command to define the commands that can be entered at that privilege level:
Router(config)#privilege mode level level command
Where mode equals one of the following:
• configuration—Global configuration
• controller—Controller configuration
• exec—EXEC
• hub—Hub configuration
• interface—Interface configuration
• ipx-router—IPX router configuration
• line—Line configuration
• map-class—Map class configuration
• map-list—Map list configuration
• route-map—Route map configuration
• router—Router configuration
Use the enable secret level level password command to set the password for the privilege level.
Example 12-4 shows a user named student logging in with a privilege level of 3. The privilege
level 3 has been assigned a password of dallas. The user will inherit all the commands that have
been listed under the privilege level 3 command as shown previously in Example 12-3.
Upon access to the network device, a banner or message should greet the user. This banner is
referred to as the message of the day, a term derived from the UNIX world.
Example 12-4 Setting User Privilege Level
Router(config)#enable secret level 3 dallas
Router(config)#enable secret san-fran
Router(config)#username student password cisco
Trying x.x.x.x ... Open
Username: student
Password: cisco
Router>enable 3          ! Restricted ENABLE privileges
Password: dallas
Router#show privilege    ! Displays current privilege level
Current privilege level is 3
The banner should be a warning and indicate how seriously security breaches are taken by your firm.
Computer security practitioners advise not to use the word “welcome” in the message or in any
way indicate that you are inviting access to the system. Hackers or other intruders have
been found not guilty in court due to the simple fact that the word “welcome” was part of the
message of the day. Clearly state your security policy and what will happen to violators, if you
have room.
The banner command uses a delimiter to indicate the end of the message. Any character is valid
in the message except the delimiter. The delimiter can also be any character as long as it is not
used anywhere else in the message. Example 12-5 demonstrates configuration of the banner
message as well as the message displayed upon a user Telnetting to the router.
Virtual Terminal Access
By default, there are five vtys (otherwise known as Telnet sessions) on each Cisco device. You
can create as many as you need. The vty that you are assigned is based on the number of vtys that
are currently in use. Because you will never know exactly which vty line you are using, you
should set identical restrictions on all lines.
The line vty vty-number vty-range command takes you into the selected configuration mode of the
vtys. The most common use of this command is line vty 0 4. This command indicates that you
are modifying the first five vtys.
The access-class command applies the access list to the interface. The access list is a standard
access list that indicates the source addresses that are either permitted or denied. The in | out
condition at the end of the access-class statement indicates whether the source address should
be allowed to establish a Telnet session with this device or allowed to Telnet out of this device.
Use caution with the access-class command. If you do not match any of the test conditions in
the access list, you will be denied Telnet access into the device. The “implicit deny any” at the
end of every access list means that when you get to the end, you will deny all other traffic!
Figure 12-3 shows a user with IP address 192.168.2.5 attempting to Telnet to the router.
Example 12-5 Banner Message Configuration and Display
R1(config)#banner motd 'Unauthorized access will be prosecuted!'
#telnet 192.168.2.5
Unauthorized access will be prosecuted!
Login:
Figure 12-3 Configuring vty Access
Example 12-6 shows the vty access configuration for this user.
Starting in release 11.0 (6) and later, Cisco allows web browser access to configure your Cisco
network device. This access is provided via HTTP and, while easier, it does create some
potential security issues. If you turn on the HTTP server, no security is applied by default for this command.
In other words, anyone can access the router via a web browser. For that reason, applying an
access list (covered further in this section) is imperative. The default setting for HTTP access
is off. Figure 12-4 illustrates a user with IP address 192.168.10.7 attempting to establish HTTP
access.
Figure 12-4 HTTP Access
Example 12-7 demonstrates how to enable and configure HTTP access, given the setup in
Figure 12-4.
Example 12-6 Configuring vty Access
R1(config)#access-list 1 permit 192.168.2.5
R1(config)#line vty 0 4
R1(config-line)#access-class 1 in
Figure labels (station addresses): 192.168.2.5, 192.168.10.7, 192.168.10.1
To enable HTTP access, enter the following command:
Switch(config)#ip http server
You would be wise to apply an access list that grants only the required access and nothing more.
In Example 12-7, the access list explicitly permits the station 192.168.10.7 and implicitly
denies everyone else. By applying the access list with the ip http access-class 1 statement, all
stations other than 192.168.10.7 are denied access to the HTTP software.
Password security for web access can be applied similarly to console and virtual terminal access.
The following command is used to specify what kind of authentication is being used:
Switch(config)#ip http authentication [aaa | enable | local | tacacs]
where
• aaa indicates that authentication, authorization, and accounting (AAA) should be used for
authentication.
• enable indicates that the enable password should be used. This is the default method.
• local indicates that the local user database is used for authentication information.
• tacacs indicates that a TACACS server should be used for authentication.
Example 12-7 Configuring HTTP Access
Router3(config)#access-list 1 permit 192.168.10.7
Router3(config)#ip http server
Router3(config)#ip http access-class 1
Router3(config)#ip http authentication local
Router3(config)#username student password cisco
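As an added example (not the book's own code), this Python snippet parses standard access lists like those in Examples 12-6 and 12-7 and evaluates a source address against them the way access-class and ip http access-class do, including the implicit deny at the end; locked_out() shows which administrative stations an access list would shut out, which is the check to run before applying it to the vty lines or the HTTP server. The access-list lines are constructed sample input.

```python
import ipaddress

# Constructed sample (not from the book), modelled on Examples 12-6 and 12-7:
# ACL 1 permits the single Telnet station; ACL 2 shows wildcard matching and
# why entry order matters (its deny entry is never reached).
SAMPLE_ACL_LINES = [
    "access-list 1 permit 192.168.2.5",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.10.7",
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acls(lines):
    """Return {number: [(action, address_int, wildcard_int), ...]} in config order."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, target = int(parts[1]), parts[2], parts[3:]
        if target[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            addr, wild = _ip(target[1]), 0
        else:  # address followed by an optional wildcard mask (default 0.0.0.0)
            addr = _ip(target[0])
            wild = _ip(target[1]) if len(target) > 1 else 0
        acls.setdefault(number, []).append((action, addr, wild))
    return acls

def evaluate(acls, number, source):
    """Walk the ACL top-down; first match wins, no match hits the implicit deny."""
    if number not in acls:
        raise ValueError(f"access-list {number} is not defined")
    src = _ip(source)
    for action, addr, wild in acls[number]:
        # A wildcard bit of 1 means 'don't care'; only the 0 bits are compared.
        if (src & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action
    return "deny (implicit)"

def locked_out(acls, number, admin_stations):
    """Stations that would lose access once 'access-class <number> in' is applied."""
    return [s for s in admin_stations if evaluate(acls, number, s) != "permit"]
```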