Answers: Login Security 1

certskills
By certskills May 3, 2016 09:10

This lab asks you to work through a few login security options in IOS. Should be a quick and easy lab. Check out the requirements here first, and come back to this post for the answers.

Answers

Figure 1: Network Topology and Addresses

Example 1: R1 Config

Example 2: R2 Config

Example 3: SW1 Config

Example 4: SW2 Config

Commentary

When configuring a Cisco device (or any device), one of the first tasks is to configure management access. This includes everything from configuring the credentials used to access the console port to the configuration of remote access into the device. A common problem, however, is that this part of the configuration is often assumed to be done correctly because it is one of the most basic tasks; yet an incorrect management configuration can leave the device easily exposed to exploit.

The first configuration requirement asked you to secure the console with a shared password of “certskills”. The command used to configure the password on a line is the password password command, and the command that makes IOS prompt for that shared password is the login subcommand on that same line. These commands should have been configured on the console of each of the devices shown in the figure. (In fact, the same security configuration should be applied to all four devices based on the requirements in this lab.)

The second configuration requirement asked you to protect privileged mode with a shared password, which means you need to configure an enable password. The enable password password command stores the password in the configuration as clear text, or, if the service password-encryption global command is configured, as an encrypted value. Unfortunately, that encryption is easily broken.

To meet the requirements of the lab, you have to use the enable secret password command. This command supports several methods to protect the password by storing only a hash or digest of the password. By default, with no other parameters, the enable secret command stores the password using MD5. So, the enable secret ccnaskills command meets all the requirements.

The third configuration requirement asked you to protect Telnet access with a per-user username/password, specifically for only one user to begin: user ‘person’ using the password of ‘access’. Again, this was to be configured using the most secure method, and as with the enable password, the most secure method is to use the secret parameter instead of the password parameter.

Finally, to enable support for Telnet only, and to use local usernames for those Telnet users, you need a couple of other commands. First, to enable Telnet only, use the transport input telnet command on the vty lines. (Some IOS versions and devices may default to support Telnet already.) Then to tell IOS to use local usernames for Telnet users, under those same vty lines, use the login local command, which enables a device to use the local username database for access.

Note that if you are doing this lab on real gear, or even on VIRL, your device may support by default more than the five vty lines 0 through 4. Some support 0 through 15 by default. The point here is to make sure to configure the correct security commands and, to support Telnet or SSH, to add those commands to all the vty lines supported on each device.
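As an added example (not the post's Example 1-4 output, which did not survive as text), here is a small Python check that parses an IOS running-config fragment and flags the login-security gaps the commentary describes: enable password instead of enable secret, username password instead of username secret, a console line with a password but no login, and vty lines without login local or with transport input not limited to Telnet. Both config fragments are constructed here; the first matches the lab's stated requirements, the second is a deliberately weak variant for the check to catch.

```python
import re
# Constructed config meeting the lab's requirements (not the post's Example 1-4 images).
GOOD_CONFIG = """\
enable secret ccnaskills
username person secret access
line con 0
 password certskills
 login
line vty 0 4
 transport input telnet
 login local
"""
# Constructed weak variant using the commands the commentary warns against.
WEAK_CONFIG = """\
service password-encryption
enable password ccnaskills
username person password access
line con 0
 password certskills
line vty 0 4
 transport input all
 login
"""

def audit_login_security(config: str) -> list:
    """Findings for the commentary's points; an empty list means all requirements are met."""
    findings, lines = [], config.splitlines()
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("no enable secret configured")
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password present (clear text or weak type 7)")
    for ln in lines:
        if re.match(r"username \S+ password ", ln):
            findings.append("username stored with password, not secret: " + ln)
    sections, current = {}, None  # indented subcommands under each 'line ...'
    for ln in lines:
        if ln.startswith("line "):
            current = sections.setdefault(ln, [])
        elif ln.startswith(" ") and current is not None:
            current.append(ln.strip())
        else:
            current = None
    for name, cmds in sections.items():
        if name.startswith("line con") and "login" not in cmds:
            findings.append(name + ": password set but login subcommand missing")
        if name.startswith("line vty") and "login local" not in cmds:
            findings.append(name + ": not using local usernames (login local)")
        if name.startswith("line vty") and "transport input telnet" not in cmds:
            findings.append(name + ": transport input not limited to telnet")
    return findings
```

Run it against a show running-config capture from each of the four devices to confirm every one carries the same set of commands, which is the copy/paste slip the comments below point out.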

4 Comments

  1. adrikayak January 8, 06:08

    Isn’t it necessary to issue “username person secret access” on every device? Only R1 seems to have it in its configuration.

    • CCENTSkills January 12, 12:42

      Yep, you’re right. Looks like a copy/paste error. I’ve just added it into the other three devices’ configs. Thanks for the heads up.
      Wendell
  2. Jonathan July 29, 12:41

    Wendell

    Maybe this comes up in later labs, but “technically” the most secure for the routers I have would be the username person algorithm-type scrypt secret access.

    Also, the 3750 and 2950 switches I have don’t have sha-256 or scrypt hash options. Is that because the hardware or IOS I have isn’t the latest, or is it because routers need more security than switches?

    Thank you

    • CCENTSkills August 3, 16:29

      Hi again Jonathan,
      I looked for “username… scrypt” support in the configuration, and can’t find it. I don’t see it in any devices I have, and I don’t see it in the IOS doc. I do see “scrypt” supported as an option on the enable secret command. So at this point, I’m not in agreement with scrypt being an option for the task of configuring the username command in this lab. Feel free to follow up.

      As to your other question, I haven’t heard what Cisco’s thinking is on the other encoding algorithms for on-box passwords. Sorry, nothing to offer on that point.
      Wendell