Chapter 23

Configure Device Access Control

A CCNA is responsible for helping secure traffic through Cisco devices and also for controlling traffic to these devices. For example, it is important to ensure that individuals attempting to access your devices to reconfigure them are the properly authenticated individuals and that they are correctly authorized to perform the actions they intend to perform. This chapter reviews many key aspects of configuring device access control.

This chapter covers the following essential terms and components:

  • AAA

  • TACACS+

  • RADIUS

  • Local authentication

  • Secure passwords

  • Device access

  • Source addressing

  • Telnet

  • Login banners

  • Password policy

Topic: Configuring Device Access Controls

CramSaver

If you can correctly answer these CramSaver questions, save time by skimming the ExamAlerts in this section and then completing the CramQuiz at the end of this section and the Review Questions at the end of the chapter. If you are in doubt at all, read everything in this chapter!

1. What single command allows you to create a local user account named JOHNS with the MD5 hashed password cisco123 and privilege level 15? (This command should be entered as efficiently as possible.)

_________

2. What password is used for backward compatibility with very old Cisco devices?

_________

3. What command can you use to apply weak encryption on plaintext passwords in a configuration?

_________

4. Examine the configuration that follows. Name at least seven things that are problematic in this configuration from a device-hardening standpoint.

R1#
R1# show running-config
Building configuration...

Current configuration : 1113 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco123
!

no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
no ip domain lookup
!
...
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
...
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
 transport input telnet
!
!
end
R1#

5. What AAA security protocol communicates from network devices to a central security server using TCP?

_________

Answers

1. username JOHNS privilege 15 secret cisco123

2. enable password

3. service password-encryption

4. The following are problematic:

  • There is no enable secret configured.

  • Telnet is allowed.

  • There is no banner message.

  • There is no service password encryption.

  • The console port never times out due to inactivity.

  • Simple passwords are in use.

  • Privilege level 15 is granted at the console without authentication.

5. TACACS+

AAA is an important concept for you to grasp as early as possible in your CCNA career. This important set of technologies seeks to ensure proper authentication, authorization, and accounting of access to and through devices. Remember that accounting means keeping records of what happens with a device and when it occurs (and maybe even for how long).

Some aspect of AAA is in use on a Cisco device even when you configure the device using local user accounts. Example 23.1 demonstrates such a configuration.

Example 23.1 Configuring Local Authentication for the Console Line

R1#
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# aaa new-model
R1(config)# username JOHNS privilege 15 secret 1L0v3C1sc0Systems
R1(config)# line con 0
R1(config-line)# login local
R1(config-line)# end
R1#

The commands in Example 23.1 are as follows:

  • aaa new-model: This command enables the AAA system on the router. Without this command, IOS uses the legacy enable and login passwords (as configured by the enable global and login vty line commands).

  • username JOHNS privilege 15 secret 1L0v3C1sc0Systems: This command creates a local user account named JOHNS. Because the secret keyword is used, the password is stored as an MD5 hash rather than in plaintext in the configuration; the password keyword used in place of secret would not provide this hashing. The password for this user is 1L0v3C1sc0Systems. The privilege 15 portion of the command sets the level of access for the user; the default privilege level for a user is 1.

  • login local: This command requires authentication (based on the local configuration of user accounts) for a user to access this router through line console 0.

Obviously, configurations like the one in Example 23.1 are critical; misconfiguration can actually lead to device lockout. Therefore, it is important to be careful and always verify. Example 23.2 walks through the verification.

Example 23.2 Verifying the Local Authentication Configuration

R1#
R1# exit
R1 con0 is now available
Press RETURN to get started.
! Note: pressing enter will prompt for a username and password
User Access Verification
Username: JOHNS
Password:
R1#

ExamAlert

When creating local user accounts, you can assign privilege levels to those accounts with the privilege keyword. The default privilege for local users is 1, which is commonly referred to as user mode. Once a user is logged in, the user can move to privilege level 15 by using the enable command.

What if you are not going to use local user accounts for authentication and authorization but instead plan to use accounts that are stored in a remote authentication server of some kind? You need a protocol to communicate this account information across the network. Two popular protocols support AAA functions: TACACS+ and RADIUS.

ExamAlert

TACACS+ is often the security protocol used for authenticating administrators logging in to a Cisco device, whereas RADIUS is often the protocol used for authentication of users communicating through a Cisco device.

It is important to understand the key differences between TACACS+ and RADIUS. In addition to the ones provided in the preceding ExamAlert, the differences include the following:

  • RADIUS uses UDP, whereas TACACS+ uses TCP.

  • RADIUS encrypts only the password in the access request packet from the client to the server, whereas TACACS+ encrypts the entire body of the packet.

  • RADIUS combines authentication and authorization, whereas TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting functions.

  • RADIUS is standardized by IETF (in RFC 2865), whereas TACACS+ is a Cisco-proprietary protocol.

  • TACACS+ supports per-command authorization, whereas RADIUS does not; this is why TACACS+ is preferred for administrator authentication and authorization.

Note that no matter how your user accounts are set up—whether they are stored on the local Cisco device or stored on a central authentication server—you should always use a well-designed password security policy. This policy should specify the minimum password length and complexity, it should dictate how often users must rotate their passwords, and it should also define the lockout procedures. Consideration must also be given to secure passwords on all your Cisco devices. Note that Example 23.1 uses a long string, simple character substitution, and a mix of case in order to set a fairly strong password. Cisco devices today can assist you with the implementation of your password security policy. They can enforce complexity and length requirements when passwords are set on the local devices. For example, with IOS you can enforce a password minimum length requirement of 10 by using the security passwords min-length 10 command.

What about passwords that might appear in plaintext in the configuration? Cisco provides the service password-encryption feature to help with such cases. Example 23.3 shows the configuration and verification of this feature.

Example 23.3 Configuring and Verifying the Service Password-Encryption Feature

R1#
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# enable password ThisIsmyPassw0rd
R1(config)# line vty 0 4
R1(config-line)# password ThisIsMyT3ln3tPassword
R1(config-line)# login
R1(config-line)# end
R1#
R1# show run
Building configuration...
Current configuration : 1370 bytes
…
enable password ThisIsmyPassw0rd
!
line vty 0 4
 password ThisIsMyT3ln3tPassword
 login
 transport input telnet
!
end
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# service password-encryption
R1(config)# end
R1# show run
Building configuration...
Current configuration : 1413 bytes
…
service password-encryption
enable password 7 02320C52182F1C2C557E080A1600421908
!
line vty 0 4
 password 7 15260305170338093107662E1D54023300454A4F5C460A
!
end
R1#

The enable password command stores the enable password in plaintext in the configuration and exists for backward compatibility with very old Cisco devices that do not support the enable secret command or other MD5 hashes. Passwords stored in plaintext are a security risk; examples include the enable password and the passwords configured on vty and console lines. Note that the service password-encryption command applies a very weak, well-known, Cisco-proprietary type 7 encryption to all plaintext passwords present in the running configuration. Although this is not a strong method of protecting the passwords, it does at least prevent them from appearing in plaintext. A decryption program for type 7 passwords has been available since at least 1995, and to quote Cisco (see “Cisco IOS Password Encryption Facts”), you “should treat any configuration file containing passwords as sensitive information, the same way they would treat a cleartext list of passwords.”

ExamAlert

If you use the service password-encryption command and then issue the command no service password-encryption, future plaintext passwords are no longer protected, but your existing passwords remain in their encrypted form.

Remember that the modern alternative to the enable password command is the enable secret command. This protects the privileged-mode password by only storing a hashed version of the password. If using both commands, the passwords must be different between the two, and only the secret is used for authentication.

Another important consideration with proper device hardening is physical security (device access). Someone who gains physical access to your Cisco equipment can easily recover the startup configuration or reset the equipment—and they can easily physically damage it as well.

Another important consideration for device hardening is controlling the source address of specific traffic, such as management traffic. It is common to source such traffic from a loopback address, which improves reliability and consistency (a loopback interface does not go down when a physical link fails) and improves security, because the receiving systems can be configured to accept that traffic only from those loopback addresses. Example 23.4 provides an example.

Example 23.4 Setting a Source Address for Network Communications

R1#
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface loopback 1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# exit
R1(config)# snmp-server source-interface traps loopback 1
R1(config)# end
R1#

Example 23.4 uses the source-interface keyword to ensure that Simple Network Management Protocol (SNMP) traps are sent from a source address of the loopback interface.

Example 23.5 reviews the configuration of Telnet. Notice that the service password-encryption command, as shown earlier in this chapter, encrypts the passwords stored in the configuration.

Example 23.5 Configuring Telnet

R1#
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# line vty 0 4
R1(config-line)# password C1sc0I$Aw3some
R1(config-line)# login
R1(config-line)# transport input telnet
R1(config-line)# exit
R1(config)# service password-encryption
R1(config)# end
R1#
*Mar 1 00:01:34.131: %SYS-5-CONFIG_I: Configured from console by console
R1#

ExamAlert

All of the configuration examples in this chapter have shown manipulation of the default vty 0 4 lines. Remember that there are other lines available, depending on the device. This means you can provide alternate configurations to different lines. Specifying line vty 5 10, for example, applies a specific configuration to vty lines 5 through 10. Most Cisco switches have vty lines 0 through 15 by default, so if you are configuring security on vty lines, apply it to all of them—and not just the first 5 lines. Pen testers often look for exactly this type of configuration neglect. They open 5 SSH sessions on a device (without ever logging in), thus reserving lines vty 0 through 4. Unless vty lines 5 through 15 have also been configured for SSH (which is easy for an attacker to verify), the next session only allows the default (Telnet) transport. It is quite easy at that point to open a ticket about connectivity issues and then wait. The administrator tries the default SSH client and can’t log on to the device. The administrator then knows the problem is on this device (since the SSH server has crashed). Instinctively, the administrator tries other login methods (such as Telnet), and the pen tester sniffs the password off the wire (that is, off the plaintext Telnet traffic).

Because Telnet is insecure, there is a secure remote access protocol alternative: Secure Shell (SSH). Example 23.6 shows a sample SSH configuration. (See Chapter 21, “Other Networking Services,” for detailed coverage of SSH configuration.)

Example 23.6 Configuring SSH

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip domain-name lab.ajsnetworking.com
R2(config)# crypto key generate rsa
The name for the keys will be: R2.lab.ajsnetworking.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]
R2(config)#
%SSH-5-ENABLED: SSH has been enabled
R2(config)# ip ssh version 2
R2(config)# line vty 0 4
R2(config-line)# transport input ssh
R2(config-line)# end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#

The configuration commands in Example 23.6 are as follows:

  • ip domain-name lab.ajsnetworking.com: The setting of a domain name on the device is required for the generation of the RSA key used for SSH security. Note that a hostname configuration is also required, but that is not shown here because it has already been done (on R2).

  • crypto key generate rsa: This command triggers the generation of the RSA key pair used to secure SSH. You must specify how many bits are in the modulus, which controls the strength of the key (where more is better); 768 is used here because SSH version 2 requires a modulus of at least 768 bits. On modern hardware, there is no reason not to use 2048.

  • ip ssh version 2: This command specifies that version 2 of SSH should be used. Version 2 is more secure than the default version 1.

  • transport input ssh: This command locks down the vty lines to the use of SSH and excludes the use of other protocols, such as Telnet.

ExamAlert

You can configure multiple protocols with the transport input command. For example, transport input ssh telnet specifies that SSH or Telnet may be used. You should avoid the use of Telnet because it is never considered acceptable from a security standpoint as it sends all its payload in plaintext.
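The hardening problems listed in the CramSaver answers, the password policy discussion, the type 7 warning, and the ExamAlert about vty lines left on the default transport all amount to checks that can be run against a saved running-config. The following Python script is an added example written for this chapter, not Cisco code or a tool from the book. It parses a constructed, abridged copy of the weak R1 configuration from CramSaver question 4, reports each gap (no enable secret, no service password-encryption, no banner, plaintext or type 7 passwords, passwords that fail a length/complexity policy, exec-timeout 0 0, privilege level 15 on a line with no login command, Telnet in transport input, and any vty line not locked to SSH), and reports nothing for a constructed hardened version of the same device. The finding identifiers, the 10-character/three-class password policy, the placeholder hash, and the assumption of 16 vty lines (0 through 15) are choices made for this example.

```python
"""Audit a Cisco IOS running-config for the hardening gaps this chapter lists.
Constructed example for this chapter, not Cisco code. SAMPLE_CONFIG is an abridged
copy of the weak R1 config from CramSaver question 4; HARDENED_CONFIG is a made-up fix."""
import re

SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco123
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashgoeshere
banner login #
Authorized use only.
#
line con 0
 exec-timeout 10 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

def parse_config(config):
    """Split a running-config into global commands and per-'line' command lists."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented command: part of the open line section, if any
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections

def vty_range(header):
    """'line vty 0 4' -> {0, 1, 2, 3, 4}; 'line vty 5' -> {5}."""
    nums = [int(tok) for tok in header.split()[2:]]
    return set(range(nums[0], nums[-1] + 1))

def password_is_weak(pw, min_length=10):
    """Example policy: the 'security passwords min-length 10' idea plus at least three character classes."""
    classes = sum(re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) < min_length or classes < 3

def check_password(findings, where, tokens):
    """tokens is what follows 'password': ['7', '<hex>'] for type 7, or ['<plaintext>']."""
    if tokens[0] == "7":
        findings.append(("type7-password", f"{where}: type 7 is reversible; treat as plaintext"))
        return
    findings.append(("plaintext-password", f"{where}: password stored in plaintext"))
    if password_is_weak(tokens[0]):
        findings.append(("weak-password", f"{where}: password fails length/complexity policy"))

def audit(config, vty_count=16):
    """Return (finding_id, detail) tuples; vty_count=16 assumes a switch with vty 0 through 15."""
    global_cmds, sections = parse_config(config)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append(("no-enable-secret", "enable secret is not configured"))
    if "service password-encryption" not in global_cmds:
        findings.append(("no-password-encryption", "service password-encryption is not enabled"))
    if not any(c.startswith("banner ") for c in global_cmds):
        findings.append(("no-banner", "no banner configured"))
    for c in global_cmds:
        m = re.match(r"(enable password|username \S+ password) (.+)", c)
        if m:
            check_password(findings, m.group(1), m.group(2).split())
    ssh_only_vtys = set()
    for header, cmds in sections.items():
        if "exec-timeout 0 0" in cmds:
            findings.append(("no-exec-timeout", f"{header}: session never times out"))
        if "privilege level 15" in cmds and not any(c.startswith("login") for c in cmds):
            findings.append(("unauthenticated-priv15", f"{header}: privilege 15 without login"))
        for c in cmds:
            if c.startswith("password "):
                check_password(findings, header, c.split()[1:])
            elif c.startswith("transport input"):
                protos = c.split()[2:]
                if "telnet" in protos or "all" in protos:
                    findings.append(("telnet-allowed", f"{header}: {c}"))
                if header.startswith("line vty") and protos == ["ssh"]:
                    ssh_only_vtys |= vty_range(header)
    uncovered = sorted(set(range(vty_count)) - ssh_only_vtys)  # lines left on the default transport
    if uncovered:
        findings.append(("vty-uncovered", f"vty lines not locked to SSH: {uncovered}"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns eleven findings covering every item in the CramSaver answer list, and audit(HARDENED_CONFIG) returns an empty list. The vty coverage check reflects the ExamAlert directly: a device whose vty 0 4 block is locked to SSH but whose vty 5 15 block never received transport input ssh is still reported, because every vty line not explicitly restricted is treated as falling back to the default transport.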

Another aspect of device hardening is the configuration of a login banner—a text message displayed to users when they log in to the device, just before the username and password prompt. The typical use of a banner is to provide a legal disclaimer that access is restricted. A banner does not protect a device, but it prevents attackers from claiming in court that they didn’t know they were not supposed to be taking over the device! Example 23.7 shows the configuration and verification of a login banner. (I am not an attorney, so be sure to check with your own legal team regarding the exact language of your banner!)

Example 23.7 The Configuration and Verification of a Login Banner Message

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# banner login #
Enter TEXT message. End with the character '#'.
This router is for the exclusive use of ACME.INC employees.
Any other use is strictly prohibited.
Violators will be prosecuted to the full extent of the law.#
R2(config)# exit
R2# exit

R2 con0 is now available

Press RETURN to get started.

This router is for the exclusive use of ACME.INC employees.
Any other use is strictly prohibited.
Violators will be prosecuted to the full extent of the law.
User Access Verification

Username: JOHNS
Password:
R2#

Notice how simple the configuration is. The banner login # command gets the job done. The # symbol is a character chosen by the administrator, and when used again in the configuration of the banner, it triggers the end of the banner text. This allows you to insert carriage returns and even ASCII art, should you desire, into the banner text. The # in this case is called the delimiter. The delimiter delimits (that is, marks) the beginning and the end of the banner text. You therefore cannot use the delimiter within the banner’s text.

ExamAlert

The login banner is only one type of banner possible on a Cisco device. For example, the banner motd command configures a message-of-the-day banner that is displayed to all the connected terminals. This banner is useful for sending messages that affect all users, such as messages about impending system shutdowns. When a user connects to the router, the MOTD banner appears.

CramQuiz

1. What is wrong with the command username JOHNS password cisco123? (Choose two.)

A. The password is in plaintext if service password-encryption is not in use.

B. The username command must be separate from the password assignment.

C. The password is too simple.

D. The privilege level must be set.

2. What command dictates the use of AAA on a Cisco device?

A. aaa enable

B. aaa run

C. aaa authentication

D. aaa new-model

3. What command under the vty lines allows the checking of a local password?

A. check-password

B. enable

C. login local

D. test

4. What is the effect of the command transport input ssh telnet?

A. SSH is used instead of Telnet.

B. Telnet is used instead of SSH.

C. Telnet and SSH are restricted.

D. SSH and Telnet are allowed.

5. What is true about banner messages on Cisco routers? (Choose two.)

A. You must always use a # symbol to indicate the end of the banner.

B. Various types of banner messages appear at different times or for different conditions.

C. You can use ASCII art in them.

D. They typically are not used for legal warnings.

CramQuiz Answers

1. A and C are correct. The password here will be in plaintext, and the password that is selected is much too simple. To store the password in encrypted form on the IOS device, use the secret keyword or configure the password encryption service. If the privilege level is not explicitly configured with the username command, it has a default value of 1.

2. D is correct. The aaa new-model command enables the use of AAA on the device.

3. C is correct. The login local command requires authentication using the local username and password configuration. The command no login on a vty line (when aaa new-model is not enabled globally) disables password checking before login and results in open access. The login command requires the administrator to enter the password as configured under the line configuration, without providing a username.

4. D is correct. transport input ssh telnet permits SSH and Telnet as a backup method.

5. B and C are correct. Various types of banner messages are used for different purposes. They can contain carriage returns and even ASCII art.

Review Questions

1. What is an alternative to using local authentication on a Cisco router?

A. Centralized AAA

B. A remote Telnet database

C. SNMP for authentication

D. FTP for authentication

2. What happens if you issue the command no service password-encryption?

A. Encrypted passwords are reversed.

B. The device no longer encrypts future passwords.

C. The device removes all encrypted passwords.

D. This command is not valid.

3. Why might you set the source interface in traffic? (Choose two.)

A. In order to increase reliability

B. In order to enhance processing speed

C. In order to enhance security

D. In order to eliminate the use of send buffers

4. What command do you use to create the public/private key pair for SSH?

A. crypto key ssh create

B. crypto key generate ssh

C. crypto key ssh

D. crypto key generate rsa

5. What AAA security protocol communicates from network devices to a central security server using UDP?

A. TACACS+

B. RADIUS

C. Telnet

D. SFTP

6. What security protocol does not encrypt the entire body of a packet?

A. RADIUS

B. TACACS+

C. VTP

D. STP

Answers to Review Questions

1. A is correct. The most common and most powerful configuration for authentication is to centralize this function with AAA.

2. B is correct. This command has no effect on passwords that have already been encrypted on the device. No passwords created in the future will be encrypted. All hashed passwords (MD5 hashed secrets) will remain hashed regardless of the service password-encryption command.

3. A and C are correct. Source address control is often used for enhanced reliability and security.

4. D is correct. This command creates the keying material needed by SSH.

5. B is correct. RADIUS provides low overhead. One of the ways it does this is by using UDP in its operations.

6. A is correct. RADIUS encrypts only the password in the access request packet from the client to the server.

Hands-On Lab Practice Assignment

Device Hardening

To complete this Hands-On Lab Practice Assignment, download the assigned Packet Tracer file from the book’s companion website and perform the lab on your locally installed version of Packet Tracer. For instructions on how to download and use the Packet Tracer files, see “Packet Tracer Hands-On Lab Practice Assignments” in the Introduction of this book.

Additional Resources

Authorization, Authentication, and Accounting

https://youtu.be/i0l6UCiybRI

Basic Switch Configuration

https://youtu.be/mQ4WQrjmHpc

TACACS+ and RADIUS Comparison

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Cisco IOS Password Encryption Facts

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html
