Foundation Router Security - Understanding and Implementing AAA


  • 8/18/2019 Foundation Router Security - Understanding and Implementing AAA



We're now going to dive into understanding and implementing AAA. No, we're not talking about the car repair service where you have the card so that if you break down on the side of the road you can get a tow truck. We're talking about AAA for Cisco routers. So what we're going to walk through is, first off, what is this idea behind AAA, what is AAA. Then we'll bring into the picture the Secure ACS server. This is a specific server that Cisco makes for AAA and to manage your AAA communication. Then we'll set up the router. We'll spend most of our time, by far, sitting in the router interface setting it up for AAA and configuring it to integrate with one of these ACS servers.

So AAA, in the Cisco sense, stands for authentication, authorization and accounting. What it is is a new way of controlling the users that either come to or go through your router or switch in your network environment. By default, everything is using the passwords that you type in on the router, right? The password controls Telnet and SSH access; the enable secret allows you to get into privileged mode, and once you're there you can do whatever it is you want. It's not very flexible. I mean, if you have different levels of administrators you're kind of stuck. You can do some, you know, local authentication like we did with SSH, a local user account, but you just don't have the flexibility that some businesses are looking for. So authentication, authorization, accounting, or AAA, redoes all of that.

Authentication is validating who you are, essentially. This is a username and password ninety percent of the time. There are other ways of authentication; you can get into the thumbprint scanner, voice recognition, all those kinds of things, but the traditional network uses username and password.

Authorization tells what you can do. So once you log into that router and you're sitting on that router, what can you do on that router? Can you type in show commands? Can you assign IP addresses? Can you disable interfaces? All of that deals with authentication. Or, sorry, authorization. You also can look at it from a through-the-router perspective. For people that are going through the router, they're not asking to be authorized to type in a command, because that's going to the router; that's accessing the router and configuring it. Through the router are your users. They might be coming in on a VPN connection; they might be dialing up to the network. And authorization for them means, oh, I can access this subnet but not this server, or I can't reach these VLANs over here. It authorizes them to perform different privileges once they authenticate to the network.

Accounting is the logging. This is tracking what you did once you got onto the network. Every single time you type in a command on that router, it logs, you know, this user logged in at this time, typed in this command, they did this. If you're going through the router, it'd say this user connected at this time, accessed these resources, disconnected at this time. It's all saved in a log file, so if something goes wrong or you need to pull that up for accounting purposes, you have a record of everything that's happened.

You can use AAA on a Cisco device to control anything that requires a password or anything that requires access to or through the router. That includes your PPP links, if you've gone through and studied PPP authentication in the CCNA course; the AUX access, the auxiliary ports, dial-up modems when somebody dials in; console access; this might pop up when you're accessing the SDM, which requires a username and password. AAA can control any of these, and even multiple privileged modes. That's when you're on a router and you have certain people that are able to type in certain commands. All of this focus is around AAA.

When you set up your router or switch for AAA, it's going to start looking for a user database. You can configure three different locations for your users. One of the easiest in a small network environment is the local database. This means on your router or on your switches in your network you configure usernames and passwords individually. So, I wonder sometimes why I just drew that. We have this little user here that we've configured on this router, and then you have to set up this, right, and this is from global config mode. We did this for SSH: you type in username such-and-such password such-and-such and that adds the user to that device. You go to your switches, you add that user to those devices. So one by one the admin... For small networks, that works great. You can do it without setting up a separate server or anything like that and you've got your own user accounts. But once you start getting into the twenty, thirty, fifty, hundred devices on your network, this just becomes unmanageable, and forget password changes. I mean, they're going to have the same password always, because you'd have to log into each one of those devices one by one.

So the second way that we can do this is a RADIUS server. Both Linux and Windows have the capability of being a RADIUS server. In Windows, if you're setting up Windows... matter of fact, I'll show this to you. Here is Windows 2003, and if I go into Windows, into the Add or Remove Programs area, click on Add/Remove Windows Components, you are looking for, under Networking Services, right here, this Internet Authentication Service. You can see it says it enables authentication, authorization and accounting of dial-up and VPN users, and supports the RADIUS protocol. So this is known as a RADIUS server. It comes built into Windows, and so by doing this you can use a Windows database or something, an Active Directory server, something like that, to be your authentication device. So instead of configuring all the user accounts on all these different devices, I have my Windows server here, or the Linux server. Both of them can be RADIUS. You just point all of these guys to that server and say, get your user accounts from there. When somebody tries to telnet in or whatever, it comes over here and says:

Hi, I'm looking for this username and password. Oh, is that valid? Great. And it passes that in. Now, that is included with Windows; it's, quote unquote, free if you have a Windows box. However, Cisco created a specialized box for this called the Cisco ACS server. They even either have it as an add-on to Windows, you can install it on, like, a Windows Server platform, and it will become an ACS server, or they sell an appliance version. This is what the appliance looks like right here, and this will allow you to have a dedicated user device. And this server can tie in to Windows databases, it can tie into Novell databases, it can tie into all kinds of things. It uses what's known as the TACACS+ protocol. These two protocols, RADIUS and TACACS+, are competing standards. I'll expand on what the advantages and disadvantages are, but let me just give you the high-level view right now. The RADIUS protocol allows you to do basic user authentication. And you can say, you know, Jeremy, Jeremy's password is cisco. It can check that: yes, it's OK, great, then I'll allow him in. A lot of the things in RADIUS you need to end up setting up manually, meaning, like, different authorization levels. RADIUS doesn't handle different levels of authorization by default, whereas TACACS+... TACACS+ is a proprietary protocol, so it's geared for Cisco; it only works on Cisco. And it's designed for user authentication, authorization, accounting. It's got specific features in this box that allow a user to come in and say, hi, my username is Jeremy, and this box says, OK, what can Jeremy do? Jeremy can type this command, that command. Oops, he tried to type this command; is that all right? Oh, no, no, then he can't type that command, and it disallows that, whereas RADIUS doesn't do that. RADIUS says, they've authenticated, they're good, congratulations, you've authenticated. There's no real way... I mean, rightly so, Windows is designed to be Windows; it's not designed to manage Cisco commands. So there's no real way to allow my configuration to get granular on a broad server-level basis, to say when this user logs in they can do these commands, or when this user logs in this access list gets applied to their profile. All of those, if I'm using RADIUS, have to be applied manually to the routers, whereas if I'm using TACACS+ it can be an all-in-one centralized box for configuration. Likewise, if you buy the appliance, you also have a dedicated appliance-model device, which is just a lot more stable than running this as one of many different Windows services.

Now that we've seen the Cisco ACS server, we ask the question: well, what areas of AAA does that ACS server handle? The short answer is all of them. This server does authentication, it does authorization and it does accounting. Now, under authentication, the advantage of the ACS server is that it supports many user databases, extremely many user databases. When I set up my router to communicate with the ACS server, that doesn't mean that I have to go on this ACS box and create all of these separate users.

I can have this tie in to a Novell server, a Windows Active Directory server, you know, some LDAP or Netscape directory service; they have their own directory service. All of these different protocols that we can tie into, some other user database that your company already manages. The advantage of that is that you don't have to remember a separate username and password to log into Windows and log into the Cisco router and all these different logins. It's all going to be the same, and you can enforce strong password policies on your, we'll say, Windows domain. So the password has to be complex, it's changing every thirty days, and when it changes it changes on all the routers and switches as well. So it can tie into all kinds of different user databases; there's a whole bullet list on Cisco's website of everything it supports. And it supports multiple authentication methods, meaning you've got your router right here that's going to speak either RADIUS or TACACS+ to the ACS server. The ACS server can then turn around and speak all kinds of different languages over here to the Windows server. It could be CHAP, or MS-CHAP, Microsoft's version of the CHAP encrypted protocol. It could be PEAP, and there's many different standards. We're going to be talking about those when we talk about this protocol called 802.1X, a very cool protocol to lock down switch networks of today and wireless access points, but anyway, there's all these different EAP-FAST and PEAP and all kinds of different standards that can be spoken to the Windows or Novell or Netscape directory server. So this device over here doesn't have to be a RADIUS or TACACS+ server. It can't be, if it's TACACS+, because that's Cisco proprietary. The ACS server is a translator from one AAA protocol to another.

Now we see authorization. Under authorization we can implement time-of-day restrictions, like you can only log on from eight to five; resource restrictions, you can only access these IP addresses;

connection limits, this many users with this username can be logged on at the same time; and limits, these are just a few, on what commands you can type in on a router or switch.

Accounting: the records can be stored either locally on the server, so you can actually browse the records and see what users did using the ACS server, or you can store it in CSV, which stands for comma-separated value, or ODBC, which is an open database format that is widely supported. SQL Server can handle that, Oracle can handle that. So if you have a larger network where you want to do all this accounting into a large database system, you can export all this to an ODBC format that can be read and understood by databases.

Finally, let's compare our two street fighters, or protocols, TACACS+ and RADIUS, to see what the big differences are. You could go down and you could actually make quite a list of differences, but it boils down to these three. TACACS+, which is the newest version of TACACS, is Cisco proprietary. So right there, if you've got Cisco routers and Juniper routers and HP routers and switches and all that kind of stuff, immediately TACACS is ruled out, because all of these different devices don't support the TACACS protocol. RADIUS is an industry standard, so everything supports using RADIUS to communicate to some central database.

TACACS+ separates authentication and authorization. So what that means is, let's say you've got a user who authenticates to this router. The router will go to, just say, the Cisco server and say, server, is this user allowed in? The ACS server will come back and say, yes, that username and password is valid; they're allowed in. Now that user tries to type the show ip interface command in the router. And then it flips back around and says, server, is the show ip interface command valid for this user? Yes, that command is valid for that user. It's every single thing: authentication and authorization, meaning who you are and what you can do, are separate transactions. Whereas with RADIUS it's combined in one big exchange. So when the user comes in and says, hello, my name is Jeremy with a password of cisco, the router goes over to the ACS or Windows server and says, hi, is this username and password valid? And the server comes back and says, yes, and here's everything that they are able to do; you know, this is their privilege level. Now, what that does is rely a lot on this router for the configuration. Whereas with TACACS+, every command is compared against the database of commands that can be typed. With RADIUS it just comes back and says they're privilege level five, which means on the router I've got to define this privilege level five: level five can do all these individual commands. Now we can template and use copy and paste to get that in all of our devices, but RADIUS is not as centralized in that sense, to where authorization is all separate with those different commands, and most RADIUS servers, again, aren't going to have a list of commands or access-list capabilities like the Cisco ACS server.

And finally, encryption-wise, TACACS+ encrypts the whole packet, meaning when this guy says I'm Jeremy with a password of cisco, it encrypts all of that sending it to the server; only the header is shown. Whereas RADIUS just encrypts the password. So if somebody has a packet sniffer right here, they'll say, I see a username of Jeremy just came through. I can't see their password because it's encrypted, but I see that, you know, they have half the puzzle; the username that I am going to start trying to hack now is Jeremy. So that's the big comparison between the two, and let me boil it down to this. If you are using the server, or a centralized database, for just user authentication, meaning I've got all

of these routers and I just don't want to type in the same username and password on all of them, or I want a system where I can have a central database where I have my username, Jeremy, and the password, we'll say, of cisco right now, but in a month that's going to change to cisco1, you know, and my passwords are going to keep changing all around as I go through, and I want that to be reflected on all these devices; if it's just that simple, use RADIUS. That's great; that's what RADIUS is there for. I don't have to create user accounts on every single one of these; I can have a centralized database for that. However, if I want to be able to get details, and I want to say, well, the user Jeremy, when he logs in, has these restrictions, can type these commands, can access these resources at this time of day, if you're going to do that, then use the TACACS+ server, specifically the Cisco ACS platform. There's no reason to buy ACS if you just want to do username and password authentication. If you want to apply all the specific restrictions, that's what it's designed for.

Now let's get into how we can configure our routers to support AAA, and switches as well; this is across the board. The first thing I need to do is get to my router, move into global configuration mode, and I'm going to type in aaa question mark. You can see that as soon as I type in this new-model command, aaa new-model, it "enables new access control commands and functions, disables old commands." What that means is that when I type in aaa new-model it's going to say, OK, all the old ways of doing authentication, they're gone. You now have all these new methods that are created. For example, you used to go underneath the VTY ports and type in password cisco to assign a Telnet or SSH password. No more. When you type in new-model, I'm not using that username or that password underneath the VTY ports. We're using a totally new way of doing things: the AAA way. So as soon as I hit this, look at this, I'll type in aaa question

mark again. Notice up here, one command. Now, when I hit the question mark, it's like, wham, all of these new commands have been opened up, because I have enabled this on my router. Now, before you go any further on this, you want to make sure that you don't lock yourself out of the router. And it's easy to do when you're configuring AAA, because doing this, even as it notes, disables the old commands, and the old password on your VTY ports is no longer used. Now it's going to be looking to use usernames and passwords that are, at least, configured on the router. So here's a quick way to lock yourself out of the router. Let's say you've got a password you're using for Telnet and an enable secret. You type in aaa new-model, save your config and log out. You are now going to be locked out of your router, because all of the ports are going to be configured to use, by default, local authentication, which means check the local database on the router, you know, see if there are any usernames configured in that local database on the router. And if you haven't configured any usernames and passwords, you can't get in the router. You have to actually do password recovery and break into the router, because you'll be locked out. So definitely don't just type in aaa new-model and then go, I can't remember what's after that, and walk away, because you will lock yourself out.

So after that, we now have to type in aaa and choose what method we would like. We have aaa authentication, aaa authorization and aaa accounting. Those are the three different areas in our AAA. The most obvious one to configure first is aaa authentication. Now, before we even go there, we haven't yet configured a TACACS+ or RADIUS server. Now, it just so happens that I've got over here my Windows 2003 box, and Cisco has on their website a ninety-day evaluation copy of the ACS server for Windows. So you can set up a Windows server and try this for ninety days, full features, full functions, and see if you like it.

So what you can do is, on Windows, get this thing set up. And it's just, you can see, a trial. You can't actually download the full version from Cisco's website.

You do need a logon. So you just go through; it's pretty much a next, next, next, finish button to install the ACS server. And it says, before you begin, the following items must be complete: end-user clients can successfully connect to AAA clients, so you have to be able to log in to routers; the Windows server can ping the AAA clients; any Cisco AAA client is running IOS 11.1 or later. If you're running earlier than 11.1, you need to upgrade. That's, what, probably eight, nine, ten years old. And then you're also using Internet Explorer 6.0 or 7.0, Netscape 8.0 or Firefox 2.0. So the good news is Cisco has now made this multi-browser capable. It just says, you know, make sure all of this is true before you install. Hit the next button. You know, it's going to be basic. Let me pause the video, just click next through this to get this thing running. Oh, OK, I couldn't do it. I had to show you this. As you're going through the installation it does ask you the question on the ACS server: are you going to use an internal database, meaning the ACS server has everything, or are you going to integrate this with the Windows user database? And if Windows, the Windows Active Directory, when you configure users, has this "grant dial-in permission" that was used for dial-up users and is used for VPN users. This is, do you want to refer to this to allow or deny dial-up or VPN access to this?

If you use Windows... Well, I'm not going to use Windows; I'll use the ACS server. So it's going to do its copy shindig, and then I'll bring the video back. All right, now I've got my server running, and it's working. You can see an Internet Explorer web browser; that's how you do all of the management. Now, before we go any further, I've got to configure my router to speak with my ACS server, so I'm going to open a command prompt and do a quick ipconfig just to find out what the IP address of my ACS server is. One thirty, one hundred, two twenty-nine. Remember that. Now I'm going to flip over to my router, and I'm going to type in... in this case I'm going to use the TACACS+ protocol to communicate with the server. So I'll type in tacacs-server host and then the IP address of the TACACS+ server, which, if you've so quickly forgotten, is one thirty, one hundred, two twenty-nine. So flip back over here. One thirty, one hundred, two twenty-nine is my TACACS+ server. Then it gives me the option of typing in a key,

single-connection, timeout, all that kind of stuff. So if I type in single-connection and hit enter, I've now created and configured this to use this as the TACACS+ server. This single-connection command says I will use a single TCP connection to the server. So when the router connects, let me jump back over to my whiteboard. When the router connects to the server... that's hurting me, let me see, a server there. It will start a single TCP session over here, you know, three-way handshake, and then it will authenticate users: is this user OK? Yes, it is. Can you do this? Yes, you can. You know, all of this back and forth over a single TCP connection. Otherwise, if I don't include that single-connection command, every single time it asks for a new username, a new password, a new command, it's going to tear down and reestablish the TCP connection, which is a lot more overhead. So usually that's the best way to do it.

Now there's one more thing I have to do on the router side, and that's define a key. I can either type in a key at the end of this command, or I can say that TACACS+ server will use the key and then whatever I want, or delete this all and just do tacacs-server key and then whatever I want. The difference is the key typed here is associated with just this one server, whereas if I type in tacacs-server key, and then I'll just put cisco as my key, that applies to all TACACS+ servers that I have this router configured for, if I have multiple TACACS+ servers that I'm using for redundancy or something like that. That's the router side.

Now on the TACACS+ server side, wherever that is... here we are on the TACACS+ server side. I need to go to the network configuration. Now, I want to make sure I mention, for those of you that are studying for the exam, configuring this side, the TACACS+ server, is part of the CCSP track. You will only need to know how to configure this side: the router, to communicate with the RADIUS or the TACACS+ server. This is CCSP, but I thought, you know, I've got to show it; otherwise it's just half a config. So I need to go under this network configuration and add a AAA client. And you can see down here I have AAA servers; that's my server. And I say, yes, I just named it test machine, just brought up a simple test machine. So the AAA client, I mean, I'll call it the router. Its IP address is... I should, over here, do a show ip interface brief. It's one thirty-two, one hundred. I paste that in there. And then the shared secret: this is the key. This is the key that I need to type in between them, that I typed in over on the router. Now underneath I have some RADIUS stuff if I'd like to do that, but overall I'm

just using TACACS+, so I can skip that. It is going to be a single connection between them, and, you know, some of these other settings we can apply if we'd like to do that. I'll hit apply, and now my CBT router is added as a AAA client of the ACS server. Now I can go in and start creating my users. Now, click find and you can see there are no users matching anything; I don't have any users yet. So you can click on add. Add it now. Click on, let's say, Jeremy will be my username. Add in that guy. And underneath you have all of the user information: real name, user setup, what is this password? I'm going to put cisco as this password. If you want a separate one for CHAP or ARAP authentication from other types of authentication, we can put a different one in here. You can set up callback, IP address assignment, network access restrictions; these are like access lists when the user logs in. And the beauty is, in this ACS server you've got this help system over here. If you're ever confused, like, what is network access restrictions, you can click on this and it gives you everything about it, like, here's what it is. The irony is there is no real training class on the ACS server. In the CCSP track they actually go into it a little more in depth, but I would say maybe one nugget would be dedicated to this. There's hardly any training, because really it's kind of a self-training system; you just kind of muddle your way through it and you figure out stuff as you go. Of course they have documentation on Cisco's website, but it's easy enough to just figure out on the fly. You see the max sessions, is this account disabled, and so on. You know, all of these different settings. So once I've created this user account, I can just click on submit. And I've now added a user. When I click on find, I've added my first user to the database, and you can see it's part of the default group, which is one user. You can go under here, and, again, I'm now diving way into the ACS server. You don't need any of this for the security exam, but boy, is it interesting. This is where you can apply to the whole group your time-of-day access settings, callback, network access restrictions, sessions, IP address, you know, all of these same things. And this is where you can say whether or not you want them to have access to the shell, the exec, in the router. If you would like that, you can actually say I want, you know, users in this group to log in with privilege level fifteen, which immediately allows them to get enable mode access when they log into the router. You can define what commands they're allowed to use. I mean, the sky's the limit of what you want to do on this. But this is configuring the TACACS+ side, the server side of it.

From the client side, all we needed to do was say: you're using aaa new-model. I've now said you're going to use this as your TACACS+ server, you're going to use a single connection, and here is the key that you're going to use when you communicate with the TACACS+ server. Now we can define our methods. When I go in and I want to say, when somebody authenticates I want them to use, you know, the TACACS+ server or something like that, that's known as a method. Let me give you an example of one and then I'll explain it as I go. Let's say I want to secure my authentication. I can type in aaa authentication, I'll do a question mark, and this is OK, what kind of authentication are you talking about? Are you talking about PPP authentication? Are you talking about when somebody wants to get enable access? Are you talking about 802.1X? We're going to talk about all this later on. All of these are valid forms of authentication. The one I'm focused on is login, when people are trying to log into this router; I want to use this authentication method. Now you can see that I can either create a word, a named authentication list, which the router lists as WORD; just type a word there. Or underneath you have default, the default authentication list. This says, if you want to configure methods of authentication, do you want to configure the default method that everything on the router uses, meaning Telnet, console port, auxiliary port, PPP dial-up connections, you know, everything, anything that's going to this router

will use the default method that you define here, or do you want to define your own method, your own list of authentication that they can use? In this case, before I do the default I'm going to define my own, and we'll call it MYOWN, because I'm not feeling too creative. That's just the name; it's the name of the authentication list. Now the router is going to ask me, OK, what kind

of authentication would you like to use? And I'll say, OK, well, the first thing I want to do when somebody is trying to authenticate to this router somehow, I want to use the server group, and I want to use the group of TACACS+ servers. Now, how does it know the group? That's what we configured up here, when we went through and configured this. This was a server group. I've configured one TACACS+ server; if I configure more of them, I guess you would call them a group. But this is considered the group of TACACS+ servers. So when I'm configuring this I'm saying I'm going to have this list of authentication; the first method I would like to use is the TACACS+ servers. Now, if that's down, let's say the TACACS+ server is down or the router can't get there, maybe a switch failure or a network failure, then I want to use the local user database, meaning if I can't get to the TACACS+ server, then see if there are any usernames and passwords locally. It's always good to configure a backup. Why? Well, if the router can't get to the TACACS+ server, then you're locked out. I mean, and that could be a denial-of-service attack: an intruder knows that if they sever this router's connection to the TACACS+ server, then nobody can log in; you know, the router is locked out, you are completely disabled from reaching the router. I would even say, you know, security-wise it's just a good practice. I mean, by golly, if I can't reach my server I don't want to be locked out of my devices because they can't get there. I'm going to fall back on the local authentication, and maybe on all my routers and switches I just create this horrifically difficult backdoor username and password that says, OK, if everything's down, this is the key to my system. So I can put in local there. Now, you can keep going with this and you can say, well, if, you know, the local database is unavailable... but I mean, I can stop with that and say, well, the local database will never be unavailable, because it's local on the router. If it's unavailable, that means the router's down and you can't get to the router anyway. But just some other items that I can put on this list: you know, instead of local I could say, you know, if... here's a dangerous one: if the TACACS+ server is down, go out and use none, no authentication. You know what that means? It means that if you can't reach the TACACS+ server then anybody can log on. You want to telnet in? Sure, come on in. There's no authentication. It's fair game here; anybody can get in. That's dangerous; you don't want to do that. You can also use the enable password. I could type in enable, so if the TACACS+ server is down then the password I need to get into the router is the enable password. So there's a lot of options that I can do. Most people will just say TACACS+ followed by local.

Now, this right here is a AAA method. I have now created a method named MYOWN, and now I can apply that method wherever I would like to. I want to use authentication on the ports, so I can go under line vty 0 4 and type in login. Remember, we have been doing this; this is old news right here. We've always typed login, and we've even typed in login local, but you can see the login command, if I type it now, it's like, sorry, you're not done; and the login local, that's no longer valid. I don't know what you mean. What? How did these commands go away? They worked before. Well, as soon as we typed in aaa new-model, and I want to make sure I highlight again, as soon as I type it in, it disables the old way of doing authentication. There's no longer the login command or the login local, because now I type in login... sorry for flying around so fast, I get excited. I type in login again, and I follow that up with authentication. It says, OK, well, what kind of authentication do you want to use? You can either type in the method you would like to use, or you can just use the default. Now this is where I can apply this. It's kind of like an access list: config mode, and I apply it to wherever I'd like to apply it. I say login authentication MYOWN, and now applied to the lines is the MYOWN method, that says use the TACACS+ server first whenever somebody tries to get in via VTY, and then use the local user database. This is now configured for AAA. This is the first AAA method. I can exit out. I could, you know, create multiple methods. I could say aaa authentication login, and I'll just say NONE, and I'll just say that this authentication method named NONE will have no authentication. You may be thinking, well, Jeremy, where would you want to do that? Right here. Whoops, did I do something wrong? Au

    thentication list. None is not defined. What did i do. I must of type something wrong there. I mean do. Authentication. Logon none. Let's just say no logon. Maybe it just doesn't like the name on no logon. Will say this uses. I think i know it's wrong. Uses the local database and then. None should be down well. Take it. I'm just debating with myself here. Line council zero. I'll do logon. Authentication. No logon. Ok. It just might must not have liked thename none. So that what that does. Is now say there is no authentication on the council board. Now i have met some people in there. Let me back up. Beforei start on my little. Rants here. There are some people who like to put passwords on the consul port. Because they just like that extra layer of security. But the thing is. At this point in your cisco journey you know that if you can physically get to a cisco device. You can do password recovery you know. Go around every password in probably three to five minutes or less if you're really go

    od. By breaking into raw monitor mode and all that kind of stuff and getting around all the passwords. So my thought is. Unless you're using a terminal server for that. Out of band management. Where somebody could potentially hack your terminal server then get into the consul ports. I would say it's pretty rare that you want authentication on the console port because most the time if you'replugging into the consul port. It's a crisis. And i've been in situations where i've run into the room with my consul cable i plug in there and i hit internet like ope what's the password and i'm like the password. Things are broken andi don't remember the consul password that somebody said. Three years ago and what i did somebody fun you know you're screamin so many fun the consul password and usually end up doing password recovery and getting around it anyway. Because nobody remembers what the consul password is. So i usually say. No logging on the consul port is the best bet so you know if you're physically at the device.

    Then you can do that now. All bets are off when you move into a terminal server environment where somebody could potentially. Telnet into a router and thenreverse telnet remember the out of band management i talked about earlier on. That might be a good place for a council password. But then you'd be using it all the time. So. Anyhow. Let me do a show run. And i'll say include aaa. And you can see on this c.v.t. router i now have two methods. One of them called a my own one of them called no log in each applying different methods of logginginto this router. And i've now applied. My own and. No log into the ports and consul ports respectively. I can do this for as many methods as i want in onecan even configure the aaa. Authentication. Logon. Default method. And i cou


    Maybe you've got the IP address of the router wrong, or something like that. But we can verify. I'll do a show run | include user, and just show that there is no user on this router named jeremy. There's jeremyadmin, but there is no jeremy, so it is pulling this username and password from over in that TACACS+ database that we created. So with that, I hope this has been informative for you, and I'd like to thank you for viewing. }
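The method lists built above and the two checks at the end (show run | include aaa, show run | include user) are easy to eyeball on one router, but across a fleet a practitioner wants them automated. The following Python is an added example, not code from the video or from Cisco: it embeds a constructed running-config excerpt modelled on what the transcript builds (MYOWN = group tacacs+ then local on the VTY lines, NOLOGIN = none on the console), plus a deliberately bad RISKY list and an unbound aux line to exercise the checks; the server address 192.0.2.10, the shared key and the usernames are placeholders. It parses the aaa authentication login lists and the per-line login authentication bindings, then flags none anywhere in a list, server-only lists with no local fallback (the lockout the transcript warns about), and lines left on the default list. Two points of IOS behaviour the checker relies on: a later method is tried only when the earlier one returns an error (server unreachable), not when it rejects the credentials, so group tacacs+ local does not let a bad TACACS+ password fall through to the local database; and the built-in default list applies to any line without an explicit login authentication.

```python
"""Audit Cisco IOS AAA login method lists in a saved `show running-config`.

Added example (not from the video): parses method lists and their line
bindings and reports the lockout / no-authentication conditions discussed.
"""
import re

# Constructed sample, not captured from a real device, modelled on the
# configuration built in the transcript with one bad list (RISKY) and an
# unbound aux line added on purpose. 192.0.2.10, the key and the
# usernames are placeholders.
SAMPLE_RUN = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedKey
aaa authentication login MYOWN group tacacs+ local
aaa authentication login NOLOGIN none
aaa authentication login RISKY group tacacs+ none
username jeremyadmin privilege 15 secret PlaceholderPassword
line con 0
 login authentication NOLOGIN
line aux 0
line vty 0 4
 login authentication MYOWN
line vty 5 15
 login authentication RISKY
"""

METHOD_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (con|aux|vty|tty)((?: \d+)+)$")
BINDING_RE = re.compile(r"^ login authentication (\S+)$")
USERNAME_RE = re.compile(r"^username (\S+)")


def parse_method_lists(config):
    """Return dict: list name -> ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = dict()
    for raw in config.splitlines():
        m = METHOD_LIST_RE.match(raw)
        if not m:
            continue
        tokens = m.group(2).split()
        methods = []
        i = 0
        while i < len(tokens):
            # 'group <name>' and 'cache <name>' are two-token methods
            if tokens[i] in ("group", "cache") and i + 1 < len(tokens):
                methods.append(tokens[i] + " " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_line_bindings(config):
    """Return dict: line id ('vty 0 4') -> bound list name, 'default' if none set."""
    bindings = dict()
    current = None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = m.group(1) + m.group(2)
            bindings[current] = "default"
            continue
        m = BINDING_RE.match(raw)
        if m and current is not None:
            bindings[current] = m.group(1)
    return bindings


def local_usernames(config):
    """Usernames in the local database (what `show run | include user` lists)."""
    return set(m.group(1) for m in map(USERNAME_RE.match, config.splitlines()) if m)


def audit(config):
    """Return (severity, line, message) findings for the whole config."""
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append(("HIGH", "global", "aaa new-model missing: method lists are ignored"))
    lists = parse_method_lists(config)
    for line, name in parse_line_bindings(config).items():
        methods = lists.get(name)
        if methods is None:
            findings.append(("INFO", line, "no list '" + name + "' defined; IOS built-in default behaviour applies"))
            continue
        if "none" in methods:
            pos = methods.index("none")
            msg = ("no authentication at all" if pos == 0 else
                   "no authentication once " + ", ".join(methods[:pos]) + " is unreachable")
            findings.append(("HIGH", line, "list " + name + ": " + msg))
        elif all(m.startswith("group ") for m in methods):
            findings.append(("MEDIUM", line, "list " + name + ": server-only, lockout if no server is reachable"))
        elif methods[-1] in ("enable", "line"):
            findings.append(("LOW", line, "list " + name + ": falls back to a shared password (" + methods[-1] + ")"))
    return findings


if __name__ == "__main__":
    for sev, line, msg in audit(SAMPLE_RUN):
        print(sev, line, msg)
    print("local users:", sorted(local_usernames(SAMPLE_RUN)))
```

On the sample this reports the console (NOLOGIN, which the transcript chooses on purpose for physical access), the vty 5 15 lines (RISKY opens the router to anyone the moment the TACACS+ server is unreachable) and the aux line left on the default list; vty 0 4 with MYOWN is clean. Feed it the text of show running-config from each device and review the HIGH findings first.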

    }