
Configuring Local Authentication - Cisco


Cisco CPT Configuration Guide–CTC and Documentation Release 9.3 and Cisco IOS Release 15.1(01)SA 78-20205-02


Transcription of Configuring Local Authentication - Cisco

Configuring Local Authentication

This chapter describes local chapter also describes procedures to configure local authentication and chapter includes the following topics:

Understanding Authentication
NTP-J102 Configure Local Authentication Using Cisco IOS Commands
NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands
Understanding Multiple Privilege Levels
NTP-J104 Configure Privilege Levels Using Cisco IOS Commands

Understanding Authentication

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you can set up access control on your router or access a way of identifying a user before permitting access to the network and Carrier Packet Transport (CPT) supports local authentication mechanism to administer its

NTP-J102 Configure Local Authentication Using Cisco IOS Commands

Purpose: This procedure configures local authentication using Cisco IOS
Required/As Needed: As needed

Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

The only supported login authentication method in CPT is Local

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  Router(config)#aaa new-model
        Enables authentication, authorization, and accounting (AAA)
Step 4  aaa authentication login default methodname
        Example: Router(config)#aaa authentication login default local
        Creates the default local authentication
Step 5  line [aux | console | tty | vty] line-number [ending-line-number]
        Example: Router(config)#line vty 0 4
        Enters line configuration mode for the lines to which you want to apply
Step 6  Router(config-line)#login authentication default
        Applies the authentication list to a line or set of
Step 7  Router(config-line)#end
        Returns to global

Example: Configure Local Authentication

The following example shows how to configure local authentication using Cisco IOS commands:

Router>enable
Router#configure terminal
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#end

NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands

Purpose: This procedure provides a way to control access to the system configuration file and privileged EXEC (enable) commands, using Cisco IOS
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Procedure: Perform any of the listed procedures as needed.

DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands
DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands
DLP-J293 Set or Change a Line Password Using Cisco IOS Commands
DLP-J294 Encrypt Passwords Using Cisco IOS Commands

Stop. You have completed this

DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands

Purpose: This procedure sets or changes a static password that controls access to privileged EXEC (enable) mode, using Cisco IOS
Tools/Equipment: None
Prerequisite Procedures: None
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  Router(config)#username user1 password pwd
        Sets the user name and
Step 4  Router(config)#enable password user1
        Enables a new password or changes an existing password for the

Returns to privileged EXEC.

Step 5  Router(config)#end
Step 6  Return to your originating procedure (NTP).

DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands

Purpose: This procedure configures the router to require an enable password and an enable secret password using Cisco IOS
Tools/Equipment: None
Prerequisite Procedures: None
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you recommend that you use the enable secret command because it uses an you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password serves as the enable password for all VTY the enable password or enable secret commands with the level keyword to define a password for a specific privilege level.

After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify the commands accessible at , with the more system:running-config command, it is displayed in

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  Router(config)#username user1 password pwd
        Sets the user name and
Step 4  enable password [level level-number] {password | encryption-type encrypted-password}
        Example: Router(config)#enable password level 2 pswd2
        Enables a password for a
Step 5  enable secret [level level-number] {password | encryption-type encrypted-password}
        Specifies a secret password, saved using
        both enable password and enable secret

        commands are set, the user must enter
        Example: Router(config)#enable secret greentree
Step 6  Router(config)#end
        Returns to privileged EXEC
Step 7  Return to your originating procedure (NTP).

DLP-J293 Set or Change a Line Password Using Cisco IOS Commands

Purpose: This procedure sets or changes a password on a line, using Cisco IOS
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  Router(config)#password user1
        Enables a new password or
Step 4  Router(config)#end
        Returns to privileged EXEC
Step 5  Return to your originating procedure (NTP).

DLP-J294 Encrypt Passwords Using Cisco IOS Commands

Purpose: This procedure encrypts passwords using Cisco
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Encryption prevents the password from being readable in the

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  Router(config)#service password-encryption
        Encrypts a
        The actual encryption process occurs when the
        password encryption is applied to all the passwords, including authentication key passwords, privileged command password, and console and virtual terminal line access
        used to keep unauthorized individuals from viewing your password in your

privileged EXEC.

Step 4  Router(config)#end
Step 5  Return to your originating procedure (NTP).

Understanding Multiple Privilege Levels

CPT supports multiple privilege levels, which provide access to default, there two levels of access to commands:

User EXEC mode (level 1)
Privileged EXEC mode (level 15)

You can configure additional levels of access to commands, called privilege levels, to meet the needs of users while protecting the system from to 16 privilege levels can be configured from level 0, which is the most restricted level, to level 15, which is the least access to each privilege level is enabled through separate passwords, which you can specify when configuring the , if you want a certain set of users to be able to configure only certain interfaces and configuration options, you could create a separate privilege level only for specific interface configuration commands and distribute the password for that level to those

NTP-J104 Configure Privilege Levels Using Cisco IOS Commands

Purpose: This procedure configures privilege levels using Cisco IOS
Required/As Needed: As needed

Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Procedure: Perform any of the listed procedures as needed.

DLP-J295 Set the Privilege Level for a Command Using Cisco IOS Commands
DLP-J296 Change the Default Privilege Level for Lines Using Cisco IOS Commands
DLP-J297 Display Current Privilege Levels Using Cisco IOS Commands
DLP-J298 Log In to a Privilege Level Using Cisco IOS Commands

Stop. You have completed this

DLP-J295 Set the Privilege Level for a Command Using Cisco IOS Commands

Purpose: This procedure configures a new privilege level for users, and associates commands with that privilege level, using Cisco IOS
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global

Configures the specified privilege level to allow access to the.

Step 3  Router(config)#privilege exec level 14 configure
Step 4  enable secret level level_number {0 | 5} password-string
        Example: Router(config)#end
        Sets the password for the
        is the password users will enter after entering
        the enable level command to access the
        0 indicates that an unencrypted password string follows; 5 indicates that an encrypted password string
Step 5  Router(config)#exit
        global configuration mode and returns to privileged EXEC
Step 6  Return to your originating procedure (NTP).

DLP-J296 Change the Default Privilege Level for Lines Using Cisco IOS Commands

Purpose: This procedure changes the default privilege level for a given line or a group of lines, using Cisco
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#configure terminal
        Enters global
Step 3  line [aux | console | tty | vty] line-number [ending-line-number]
        Example: Router(config)#line vty 0 4
        Enters line configuration mode for
Step 4  Router(config-line)#privilege level 10
        Specifies a default privilege level for

Returns to global.

Step 5  Router(config-line)#end
Step 6  Return to your originating procedure (NTP).

DLP-J297 Display Current Privilege Levels Using Cisco IOS Commands

Purpose: This procedure displays the current privilege levels using Cisco IOS
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#show privilege
        Displays the current privilege level you can access based on the password you
Step 3  Return to your originating procedure (NTP).

DLP-J298 Log In to a Privilege Level Using Cisco IOS Commands

Purpose: This procedure logs in to a router at a specified privilege level, using Cisco IOS
Required/As Needed: As needed
Onsite/Remote: Onsite or remote
Security Level: Provisioning or higher

Step 1  Router>enable
        Enables privileged EXEC. Enter your password if
Step 2  Router#enable 12
        Logs in to a

Return to your originating procedure (NTP).
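
An added example, not part of the Cisco guide: a short Python check that reads a saved configuration and reports which of the settings covered in this chapter (AAA local login, enable secret, service password-encryption) are missing, plus any credential stored without an encryption type. The sample configuration is constructed from the chapter's example commands; the function names and the PLACEHOLDER7 value are assumptions.

```python
import re

# Constructed sample config; the credentials reuse the chapter's example commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username user1 password pwd
enable password level 2 pswd2
line vty 0 4
 login authentication default
line console 0
 password 7 PLACEHOLDER7
"""

# Matches "username X password|secret ...", "enable password|secret ...", line "password ...".
CRED = re.compile(r"^\s*(?:username \S+ |enable )?(password|secret)(?: level \d+)? (.+)$")

def cleartext_lines(config):
    """Credential lines whose value has no encryption type, or type 0."""
    hits = []
    for line in config.splitlines():
        m = CRED.match(line)
        if not m:
            continue
        parts = m.group(2).split()
        # A stored hash/obfuscated value appears as "<type-digit> <string>".
        typed = len(parts) == 2 and parts[0].isdigit()
        if not typed or parts[0] == "0":
            hits.append(line.strip())
    return hits

def audit(config):
    """Report which settings from the chapter are absent from a saved config."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    if not any(re.fullmatch(r"aaa authentication login default .*\blocal\b.*", l) for l in lines):
        findings.append("default login method list does not include local")
    has_secret = any(l.startswith("enable secret") for l in lines)
    has_password = any(l.startswith("enable password") for l in lines)
    if has_password and not has_secret:
        findings.append("enable password is set without enable secret")
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not configured")
    findings += ["cleartext credential: " + l for l in cleartext_lines(config)]
    return findings
```

Type 7 values, which service password-encryption produces, are reversible, so the enable secret finding still matters after the cleartext findings are cleared.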

