This section reviews and expands on the techniques for
assigning passwords to the three potential access points to the User mode, the entry level into a Cisco device. In Chapter 3, you
learn how to use authentication servers, such as TACACS+ and RADIUS, with AAA
authentication services for securing access to Cisco devices.
The User level on a Cisco router often has three potential access
points. They include the following:
- Console (con) port: Access for the console cable. Figure 2-2 shows a typical console port on a router.
- Auxiliary (AUX) port: Console-like access that can be attached to an external modem for a dial-up connection.
- Virtual terminal (vty) ports: The access points for Telnet sessions.
Figure 2-2: Console port on an 800 model telecommuter router
The default configuration for each of these interfaces, shown in
the following code listing, doesn’t include a password. Since the release of
version 12.0 of the IOS, the virtual terminals and AUX ports require that a
password is set. If none is set, the user will be rejected with the message
“password required, but none set.” The console port doesn’t have this
requirement, so it’s a good idea always to set a password to prevent anyone with
a laptop and a console cable from accessing the device.
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
!
line con 0 <-Console connection
login
line aux 0 <-AUX connection
login
line vty 0 4 <-Virtual terminal connections
login
end
The basic password configuration for each is the same. The
password is set with the password command and enforced with the login command. Passwords can be 1 to 25 characters long, and can
include uppercase and lowercase letters, as well as numbers, to comply with
complex password requirements in the password policy. The result might look like
the following listing:
!
line con 0
password cisco1
login
line aux 0
password cisco2
login
line vty 0 4
password cisco3
login
end
The passwords used should comply with the password policy portion
of the network security policy. You could use the same password for all three,
but this isn’t a secure solution. Someone attempting to access the device
through one of these three methods will be prompted only for a password, at
which time they need to supply the appropriate one.
User Name/Password with Login Local
You can require both a user name and a password, as well as
have the opportunity to create different combinations for different users. The
first step is to develop a local database of acceptable user name and password
combinations in the Global Configuration mode. Like all passwords, these are
case-sensitive, can include text and numerals, and should comply with the
password policy. The user names aren’t case sensitive. Two examples might
include the following:
Rtr1(config)#username remote password acC3ss
Rtr1(config)#username scott password woLfe7
To finish the configuration, change the login command to login local for the interface(s) that you want to use this
feature. In the following example, only the virtual terminal lines are being
changed.
username remote password acC3ss
username scott password woLfe7
!
line con 0
password cisco1
login
line aux 0
password cisco2
login
line vty 0 4
login local
end
After making the changes, the next Telnet session login might look
like the following:
User Access Verification
Username: remote <-Used the remote / acC3ss combination
Password:
Rtr1>exit <-Successful attempt
User Access Verification
Username: scott <-Used scott / WOLFE7 combination – note case
Password:
% Login invalid <-Wrong case on the password
Username: ScOtT <-Used ScOtT / woLfe7 combination – note case
Password:
Rtr1> <-Used the correct case on the password
The important things to remember are that the user name isn’t
case sensitive, while the password is. Furthermore, if more than one entry is in
the local database, then any valid combination is acceptable.
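The following audit script is an added example, not code from the book: it parses a running-config in the form of the listings above and applies the rules of this section to each con, aux and vty line (a line with login but no password, a line with login local but no username entries, or a line with no login command at all). The sample configuration is constructed for the example, with the console password deliberately omitted.

```python
import re
# Constructed sample (not from the book): the section's "login local" listing
# with the console password deliberately left out.
SAMPLE_CONFIG = """\
username remote password acC3ss
username scott password woLfe7
!
line con 0
 login
line aux 0
 password cisco2
 login
line vty 0 4
 login local
end
"""

def parse_lines(config):
    """Return (user names, {line: {"login": None|"line"|"local", "password": bool}})."""
    usernames, lines, current = set(), {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"username (\S+) ", text)
        if m:
            usernames.add(m.group(1).lower())  # user names are not case-sensitive
        elif text.startswith("line "):
            current = text[5:]
            lines[current] = {"login": None, "password": False}
        elif current is None or text in ("end", "!"):
            current = None
        elif text in ("login", "login local"):
            lines[current]["login"] = "local" if text == "login local" else "line"
        elif text.startswith("password "):
            lines[current]["password"] = True
    return usernames, lines

def audit(config):
    """Return (line, finding) pairs for lines that will not authenticate as intended."""
    usernames, lines = parse_lines(config)
    findings = []
    for name, cfg in lines.items():
        if cfg["login"] is None:
            findings.append((name, "no login command: unauthenticated access"))
        elif cfg["login"] == "line" and not cfg["password"]:
            # vty/aux refuse the connection; the console lets the user straight in
            what = "console open" if name.startswith("con") else "connections rejected"
            findings.append((name, f"login set but no password: {what}"))
        elif cfg["login"] == "local" and not usernames:
            findings.append((name, "login local but no username entries"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the console line; the aux line has a password and the vty lines are backed by the two username entries.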