cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2933
Views
0
Helpful
8
Replies

Privileges, Console, Telnet User Credentials

Eckzyzxx45
Level 1
Level 1

Hi Guys,

I want to stregnthen our internal network equipments.

I'm just using "username Name privilege 15 password PASSWORD".

I want to ask if I can put username/passwords on the User EXEC, Privileged EXEC and Global Configuration.?

My config..

line con 0
logging synchronous
login local

line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
privilege level 15
logging synchronous
login local
transport input telnet ssh

Thanks in advance and Merry Xmas :)

8 Replies 8

Hi

Pls explain waht exactly is your goal.

Shawn B
Level 4
Level 4

Do you have access to a  RaDIUS or TACAS+ server? It may be possible to reach your goals with those tools. If I am understanding your question correctly, I do not know of a way. You could look at deploying an ACL to limit what has access in.

I agree with the other responses that it is not clear to me what you are trying to achieve. Can you provide some clarification?

I will observe that when you include privilege level 15 on the vty configuration that anyone who is successful in authenticating is automatically put into privilege mode and has access to config mode. So if you want to increase the security implementation of your routers and switches perhaps the first step might be to remove privilege level 15 from the vty. Then people would log in to user mode and have to do a separate authentication for privilege mode.

If you are trying to achieve something so that some users have access only to user mode and not privilege, while other users have access to privilege mode without access to config mode, while other users have access to both privilege mode and config mode then I would think that authorization using an external aaa server like TACACS might do it. I am not aware of any way to achieve that when using local authentication on the router or switch.

HTH

Rick

HTH

Rick

Hi Eckzyzxx45,

For the User EXEC mode, you can connect via console or virtual terminal line. 

A username/password requirement can be set for these, by issuing the "line" command from global configuration mode. 

configure termina

line console 0

login

password _______                    ....This will require a password to connect via serial/console 

Replicate this command with "line vty 0 15"  instead of "console" to set a password requirement for Telnet or SSH. 

To protect Privileged EXEC mode, you should use the "enable secret" command to provide authentication. 

configure terminal 

enable secret __(password here)____

Once a user is in Privileged EXEC mode, I do not believe it is possible to password protect Global Configuration mode. Perhaps by setting a very low privilege level to exec mode, level 1 for example, it could be possible, though that did not work when I tested it with Packet Tracer. 

Therefore, if you wish to prevent a user from accessing configuration mode, I would only provide that user with a console/vty password to enter user mode, and restrict entering privileged mode

If you look at the partial config given in the original post you will see that they already use login local to require login with a user ID and a password unique to that user. The suggestion to use line vty 0 15 with login and with password would mean that every one would login using the shared password and this would be a significant step backward in terms of the security of the routers and switches.

HTH

Rick 

HTH

Rick

Yes - thank you for pointing that out, Rick. Looking at his partial config I think I may have misunderstood what he was asking for in his original question. 

I certainly agree that it is difficult to understand what he is really asking for. What you suggested is a fine explanation of the beginning steps of providing security for accessing a router or switch. But his partial config makes it clear that he has already passed beyond that beginning level of security.

HTH

Rick 

HTH

Rick

Junior Wingate
Level 1
Level 1

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage. In no even shall the author be liable or accountable, as any posting or comments are strictly based on authors knowledge and or understanding of the question.

By reading your post, it is difficult to determine what commands or rights you want to grant at each level. To accomplish your goal, you need to use aaa new-model commands. The end-state is to set authorization and authentication for certain commands or levels. This normally includes setting specific attributes that are authenticated against TACACS+ or RADIUS. If there are commands you want to set for a specific group you would set that under "aaa" command family (subcommands). 

It is fairly simple to build out a radius server to respond to the command you want to allow or not allow from a specific user. Please see below and let me know if this answers your question:

rt#show run | s aaa|line
aaa new-model
aaa group server radius Radius_Server1
ip radius source-interface GigabitEthernet0/2
aaa authentication username-prompt "User Login:"
aaa authentication login default group radius local enable (primary point of interest)
aaa authentication enable default enable (primary point of interest)
aaa authorization exec default group Radius_Server1 local  (primary point of interest and so others exist)
aaa session-id common
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4

login authentication default (or whatever group you used)
access-class 50 in
access-class 50 out
transport input ssh
transport output ssh
line vty 5 1869

login authentication default (or whatever group you used)
access-class 50 in
access-class 50 out
transport input ssh
transport output ssh
rt#

Keep in mind that the more granular you want to go with this, the more features or capabilities a system must have. Example, if you want to tag traffic known from a specific system... you can use ISE/firewll/etc to do SGT or security group tagging (unrelated to question but an example). If you want authentication, authorization, and maybe accounting you may want to use Microsoft Radius or something along those lines.

Cisco Configuration Guides:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html (similar but this shows or uses PPP commands & Radius)

Again if I understand correctly please let me know. If not please let me know. If more data is needed, just reply and I will try to post a specific example you and a configure on/in dropbox/elephant/onedrive (blog post at http://www.cerbros.net/ (click blog) at request (above disclaimer applies to site post/blogs)). 

Review Cisco Networking for a $25 gift card