Switch Authentication encryption

paul dungey
Level 1

Hi,

 

I have 15 switches on two separate subnets in my organisation that require a username and password encryption to be set up. I need help with the correct configurations to lock down the switches from unauthorised access within the organisation and from external threats from hackers, scammers, and remote, AUX, and console access.

 

I need to set up each switch with the following configurations as well, but I'm not sure how:

Static IP

Host name

Authentication Banner

 

I really appreciate your help.

 

Thank you 

 

Paul

 

 

 

4 Replies

Hello,

 

you have to decide whether you want to use local authentication or TACACS/RADIUS. Local authentication is fairly simple, just configure a username and password and configure the CON/AUX/VTY with 'login local':

 

Switch#
username admin privilege 15 password 0 cisco
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local

 

The authentication banner can be whatever you want. Below is an example ('+' is used as the delimiting character):

 

Switch#conf t
Switch(config)# banner motd +
******************************************************************************
* WARNING !!!                                                                *
* This system is for the use of authorized users only.                       *
*                                                                            *
* Individuals using this network without authority, or in excess of their    *
* authority, are subject to legal action.                                    *
*                                                                            *
******************************************************************************
Switch(config)#+

As for the static IP address on each switch, it is usually good practice to have a dedicated VLAN other than the default VLAN 1 for management. Basically, you assign an IP address from the same subnet to the management interface of each switch, e.g.:

 

Switch#
!
interface Vlan 10
 ! the original reply gave no subnet mask; IOS requires one, so a /24 mask is assumed here
 ip address 192.168.10.1 255.255.255.0

 

Hostnames should somehow make sense and be recognizable within your company, e.g.:

 

Switch#conf t
Switch(config)#hostname S1_DATA_CORP

Hi Georg,

 

Thank you for the quick response. My IT manager has decided to just have a username and password when logging in to privileged mode on the switch and does not want to secure CON/AUX/VTY with 'login local', god forbid if we ever get hacked.

What would the configuration be to set up a username and password for enable mode?

 

thanks

Hello,

 

in that case, use aaa:

 

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default local
5. aaa authorization exec default local
6. aaa authorization network default local
7. username name [privilege level] {password encryption-type password}

 

line vty 0 4
 transport input all
 login authentication default --> this line will probably not be visible in the running config...
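As an added example, not taken from any reply in this thread, here is one complete baseline that puts the pieces from both answers together (local username, aaa, the motd banner, the management VLAN address and the hostname) and also answers the enable-mode question with 'enable secret'. Where the replies above use the weaker form I have swapped in the hardened one: 'secret' instead of 'password 0' so the config stores a hash rather than the cleartext, 'transport input ssh' instead of 'transport input all', and the AUX port switched off. The hostname, domain name, addresses, ACL name and credentials are placeholders I made up; the access-class assumes your admin workstations live in 192.168.10.0/24 and the default gateway assumes a router at .254.

```text
! ---- identity (placeholder names; choose your own) ----
hostname S1_DATA_CORP
ip domain-name corp.example.internal
!
! ---- credentials: 'secret' and 'enable secret' store a hash, not the cleartext ----
service password-encryption
enable secret CHANGE-ME-ENABLE-SECRET
username admin privilege 15 secret CHANGE-ME-ADMIN-SECRET
!
! ---- aaa: local login for every line, enable secret for privileged mode ----
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
! ---- SSH only for remote access (key generation prompts once) ----
crypto key generate rsa modulus 2048
ip ssh version 2
!
! ---- slow down password guessing: 3 failures in 60 s blocks logins for 120 s ----
login block-for 120 attempts 3 within 60
!
! ---- only the management subnet may open a VTY session (subnet is an assumption) ----
ip access-list standard MGMT-ACCESS
 permit 192.168.10.0 0.0.0.255
 deny any log
!
! ---- banner shown before the login prompt ('+' is the delimiter) ----
banner motd +
******************************************************************************
* WARNING: This system is for the use of authorized users only.              *
* Unauthorized use is subject to legal action.                               *
******************************************************************************
+
!
! ---- management address on a dedicated VLAN, default VLAN 1 shut ----
interface Vlan1
 shutdown
interface Vlan10
 description MGMT
 ip address 192.168.10.11 255.255.255.0
 no shutdown
ip default-gateway 192.168.10.254
!
! ---- lines: console, aux disabled, vty over SSH with idle timeout ----
line con 0
 login authentication default
 exec-timeout 10 0
 logging synchronous
line aux 0
 no exec
 transport input none
line vty 0 15
 login authentication default
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
!
end
```

Apply it from configure terminal, then check with show ip ssh and show running-config | section line that the VTYs show 'transport input ssh' and the access-class; with 'login block-for' in place, a burst of failed logins produces a %SEC_LOGIN-1-QUIET_MODE_ON message in the log, which is the event to alert on.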
