i. Overview:1. Setting up the EnvironmentHere we go over all the things you need to have working to be able to get user accounts working:
1.1 Enabling Local Accounts:Accounts can be stored on the local device, or accounts can be managed via a Radius server. if you want to store the accounts locally, make sure you enable aaa, To do this do the following:
aaa new-modelaaa authentication login default localaaa authorization exec default local1.2 Encrypting all passwords in the configsTo enable encryption of all passwords in the saved configs, you need to enable the globalpassword-encryption command. conf tTo show how this would work, here we see the configs before password encryption: [...]username rancid privilege 3 password 0 test[...]And then after the command is entered, how the password is encrypted into an encrypted string [...]username rancid privilege 3 password 7 051F031C35[...]1.3 Enable Password:If a user account IS NOT set to privilege level 15, then they will need to enable, (or "su") to a level that will allow them to make changes to the system.To create an enable password, and have the password encrypted in the config file enter the following: conf t
enable secret 0 BigBooTay
endthis will result in something like this in your running config enable secret 5 $1$2ASJ$aSefGi55hhFb3Ro6TQA3P1
privilege configure level 8 snmp-server community privilege exec level 6 show running privilege exec level 8 configure terminal2. Accounts:2.1 Creating a User AccountTheusername command allows you to create accounts, set the privilege level, and set the users password. To create a new user, you would simply enter the following: conf t username rancid privilege 3 password 0 testendWhere the username is "rancid", the level is "3" (which is a very limited access account), and the password is entered in plaintext "0" and it is "test". 2.2 Copying/Pasting Encrypted Passwords:If you want to copy the configs from one router to the other, you can copy the encrypted password from one to the other and it will simply work. (they all use the same encryption algorithm.) Also, the config says if the password is encrypted, in this example, the "5" tells the router that the following command being entered is already encrypted, and to no re-encrypt it.[...]username rancid privilege 3 password 5 051F031C35[...]2.3 Dangers of Crackable Passwords:Make sure you don't use enable password, or use the encryption level 7. Both of these use simple hashing, and are easily cracked. 3.1 Configuring Terminal and Console Access:To allow connectivity to the system, you need to configure the vty settings. There are not an unlimited amount of terminals (or number of ssh connections) that can be made at a given time. By default we enable 5 sessions, "0" through "5". You also want to make sure that you enable an ACL on the terminal, to control who can connect. First configure the ACL:
ip access-list standard vty-access remark CLI accesss from mgmt networks permit 10.50.32.0 0.0.0.255 permit 10.50.34.0 0.0.0.255 permit 10.33.195.0 0.0.0.255 permit 10.33.0.0 0.0.255.255 deny any log exit!Then configure the five terminals:
line vty 0 4 access-class vty-access in exec-timeout 30 0 login local transport input ssh exit!Note that this allows ssh inputs and uses "local" accounts rather then radius or something.
3.2 Enabling SSH Access:If it was not setup already, to enable crypto on the device you need to first define the dns domain
ip domain-name cmed.usand then you need to generate an ssh key
crypto key generate rsaip ssh time-out 60ip ssh authentication-retries 2References:
|