
Configuring Local Authentication - Cisco


Cisco CPT Configuration Guide–CTC and Documentation Release 9.3 and Cisco IOS Release 15.1(01)SA, 78-20205-02


Configuring Local Authentication

This chapter describes local […] chapter also describes procedures to configure local authentication and […] chapter includes the following topics:

- Understanding Authentication
- NTP-J102 Configure Local Authentication Using Cisco IOS Commands
- NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands
- Understanding Multiple Privilege Levels
- NTP-J104 Configure Privilege Levels Using Cisco IOS Commands

Understanding Authentication

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you can set up access control on your router or access […] a way of identifying a user before permitting access to the network and […] Carrier Packet Transport (CPT) supports local authentication mechanism to administer its […]

NTP-J102 Configure Local Authentication Using Cisco IOS Commands

Purpose: This procedure configures local authentication using Cisco IOS […]
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

The only supported login authentication method in CPT is Local […]

Procedure

Step 1: Enables privileged EXEC […] Enter your password if […]
    Example: Router> enable
Step 2: Enters global […]
    Command: […] terminal
    Example: Router# configure terminal
Step 3: Enables authentication, authorization, and accounting (AAA) […]
    Command: […] new-model
    Example: Router(config)# aaa new-model
Step 4: Creates the default local authentication […]
    Command: […] login default methodname
    Example: Router(config)# aaa authentication login default local
Step 5: Enters line configuration mode for the lines to which you want to apply […]
    Command: […] [aux | console | tty | vty] line-number [ending-line-number]
    Example: Router(config)# line vty 0 4
Step 6: Applies the authentication list to a line or set of […]
    Command: […] authentication default
    Example: Router(config-line)# login authentication default
Step 7: Returns to global […]
    Example: Router(config-line)# end

Example: Configure Local Authentication

The following example shows how to configure local authentication using Cisco IOS commands:

    Router> enable
    Router# configure terminal
    Router(config)# aaa new-model
    Router(config)# aaa authentication login default local
    Router(config)# line vty 0 4
    Router(config-line)# login authentication default
    Router(config-line)# end

NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands

Purpose: This procedure provides a way to control access to the system configuration file and privileged EXEC (enable) commands, using Cisco IOS […]
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Procedure

Perform any of the listed procedures as needed.

- DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands
- DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands
- DLP-J293 Set or Change a Line Password Using Cisco IOS Commands
- DLP-J294 Encrypt Passwords Using Cisco IOS Commands

Stop. You have completed this […]

DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands

Purpose: This procedure sets or changes a static password that controls access to privileged EXEC (enable) mode, using Cisco IOS […]
Tools/Equipment: None
Prerequisite Procedures: None
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Procedure

Step 1: Enables privileged EXEC […] Enter your password if […]
    Example: Router> enable
Step 2: Enters global […]
    Command: […] terminal
    Example: Router# configure terminal
Step 3: Sets the user name and […]
    Example: Router(config)# username user1 password pwd
Step 4: Enables a new password or changes an existing password for the […]
    Example: Router(config)# enable password user1
Step 5: Returns to privileged EXEC […]
    Example: Router(config)# end
Step 6: Return to your originating procedure (NTP).

DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands

Purpose: This procedure configures the router to require an enable password and an enable secret password using Cisco IOS […]
Tools/Equipment: None
Prerequisite Procedures: None
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either […] commands accomplish the same thing.

That is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you […] recommend that you use the enable secret command because it uses an […] you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect […] neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password serves as the enable password for all VTY […] the enable password or enable secret commands with the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level.

Use the privilege level configuration command to specify the commands accessible at […], with the more system:running-config command, it is displayed in […]

Procedure

Step 1: Enables privileged EXEC […] Enter your password if […]
    Example: Router> enable
Step 2: Enters global […]
    Command: […] terminal
    Example: Router# configure terminal
Step 3: Sets the user name and […]
    Example: Router(config)# username user1 password pwd
Step 4: Enables a password for a […]
    Command: […] [level level-number] {password | encryption-type encrypted-password}
    Example: Router(config)# enable password level 2 pswd2
Step 5: Specifies a secret password, saved using […] both enable password and enable secret commands are set, the user must enter […]
    Command: enable secret [level level-number] {password | encryption-type encrypted-password}
    Example: Router(config)# enable secret greentree
Step 6: Returns to privileged EXEC […]
    Example: Router(config)# end
Step 7: Return to your originating procedure (NTP).

DLP-J293 Set or Change a Line Password Using Cisco IOS Commands

Purpose: This procedure sets or changes a password on a line, using Cisco IOS […]
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Procedure

Step 1: Enables privileged EXEC […] Enter your password if […]
    Example: Router> enable
Step 2: Enters global […]
    Command: […] terminal
    Example: Router# configure terminal
Step 3: Enables a new password or […]
    Example: Router(config)# password user1
Step 4: Returns to privileged EXEC […]
    Example: Router(config)# end
Step 5: Return to your originating procedure (NTP).

DLP-J294 Encrypt Passwords Using Cisco IOS Commands

Purpose: This procedure encrypts passwords using Cisco […]
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Encryption prevents the password from being readable in the […]

Procedure

Step 1: Enables privileged EXEC […] Enter your password if […]
    Example: Router> enable
Step 2: Enters global […]
    Command: […] terminal
    Example: Router# configure terminal
Step 3: Encrypts a […] The actual encryption process occurs when the […] password encryption is applied to all the passwords, including authentication key passwords, privileged command password, and console and virtual terminal line access […] used to keep unauthorized individuals from viewing your password in your […]
    Example: Router(config)# service password-encryption
Step 4: Returns to privileged EXEC […]
    Example: Router(config)# end
Step 5: Return to your originating procedure (NTP).

Understanding Multiple Privilege Levels

CPT supports multiple privilege levels, which provide access to […] default, there are two levels of access to commands:

- User EXEC mode (level 1)
- Privileged EXEC mode (level 15)

You can configure additional levels of access to commands, called privilege levels, to meet the needs of users while protecting the system from […] to 16 privilege levels can be configured from level 0, which is the most restricted level, to level 15, which is the least […] access to each privilege level is enabled through separate passwords, which you can specify when configuring the […], if you want a certain set of users to be able to configure only certain interfaces and configuration options.
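An added example, not part of the Cisco guide: a small Python audit that checks a saved configuration for the settings this chapter configures (AAA local login, enable secret taking precedence over enable password, service password-encryption). The sample configuration, finding codes and placeholder strings are constructed for illustration; the type 7 check reflects that the encoding applied by service password-encryption is reversible, unlike the hash stored by enable secret.

```python
# Constructed sample running-config for illustration; not taken from the Cisco guide.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username user1 password 0 pwd
enable password level 2 pswd2
enable password 7 PLACEHOLDER-TYPE7
enable secret 5 PLACEHOLDER-HASH
line con 0
 password user1
"""
REQUIRED = ("aaa new-model", "aaa authentication login default local", "service password-encryption")

def audit(config):
    """Return (code, location) findings for local-authentication settings in an IOS config."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    present = {" ".join(t) for t in lines}
    findings = [("MISSING", cmd) for cmd in REQUIRED if cmd not in present]
    secrets, passwords, block = set(), set(), "global"
    for t in lines:
        if t[0] == "line":
            block = " ".join(t)            # remember the current line block
        if t[0] == "enable" and len(t) > 2 and t[1] in ("password", "secret"):
            value, level = t[2:], 15       # no 'level' keyword: enable mode, level 15
            if len(value) > 2 and value[0] == "level" and value[1].isdigit():
                level, value = int(value[1]), value[2:]
            (secrets if t[1] == "secret" else passwords).add(level)
            if t[1] == "secret":
                continue                   # stored hashed; nothing more to check
            where = f"enable password level {level}"
        elif t[0] == "username" and "password" in t[2:]:
            value, where = t[t.index("password", 2) + 1:], f"username {t[1]}"
        elif t[0] == "password":
            value, where = t[1:], f"{block} password"
        else:
            continue
        # "<digit> <string>" carries an encryption type; a lone token is the password itself
        enc = value[0] if len(value) >= 2 and value[0].isdigit() else "0"
        if value and enc == "0":
            findings.append(("CLEARTEXT", where))
        elif enc == "7":
            findings.append(("TYPE7_REVERSIBLE", where))
    findings += [("SHADOWED_BY_SECRET", f"enable password level {n}") for n in sorted(passwords & secrets)]
    findings += [("NO_ENABLE_SECRET", f"level {n}") for n in sorted(passwords - secrets)]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Findings name only the command and its location, so the report does not echo any password value.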

