Description: The following passage focuses on AAA login: how to change authentication for the VTY lines to local authentication, first with VTY line commands and then with AAA commands. Authentication is the process of determining whether someone or something is who or what it declares itself to be.
In this tutorial I'm going to walk you through a couple of problems. First of all, there's no password required to telnet into this router, and they want that fixed. We're going to fix it in a couple of ways; I'll start by walking you through how to set up a line password, which is straightforward.
Secondly, we're going to kick it up a notch and look at how to require a username and a password when somebody telnets to R2, instead of having one global password. Then we'll take a look at AAA, and we'll have time to include a couple of method list options as well.
Let's start off with some basics. We've got router R1, which we can use as a telnet client, and we're going to telnet over to R2. When we telnet to a router, we come in through a logical VTY line; this router has vty 0 through 4 by default, which is five VTY lines (many platforms have more, typically 0 through 15).
By controlling and configuring those VTY lines, we control how people get into this router via telnet. Let's look at the details on R2. I'm going to use `show running-config | begin line`; the pipe with `begin line` tells the router to display the running configuration starting at the first line that contains the word "line", which is an easier way to get there than paging through the entire config.
Starting off, on the first five VTY lines I have the command `no login`. You'd think that `no login` means you can't come in, but `no login` on a VTY line means that no login is required.
Let's test that by telnetting from R1. I've got R2's IP address, so we telnet to 10.0.0.2, and no password is required. If we type `who`, that's R2 telling us who is connected: it shows that we have one connection, and that somebody is connecting from the IP address 10.0.0.1.
They're coming in on vty 0, the first logical VTY line. If something else telnetted in, it would most likely land on vty 1, then vty 2, and so on. I'm going to type `exit` and go back to the console port.
On R2 at the console, if we type `who`, it also shows who is connected, but you'll notice the asterisk marks the line we ourselves are on, console 0. There's nobody currently telnetting into us through the VTY lines.
Let's change the rules and make people log in. We'll go into line configuration mode for the five VTY lines and require a password and a login. It's simple: `line vty 0 4`, then `login`, Enter.
`login` means that people are now required to log in. IOS (the Cisco software, not the iPhone one) immediately warns us that login stays disabled on those lines until a password is set: if we require people to log in but there's no password on the VTY lines, nobody can enter a password that will work, so you'll also want to configure a password.
We'll do that with `password cisco123`. That's not a very secure password, but it is a password. With that configured we can go back to R1 and try telnetting in again; what we expect is that it no longer lets us straight in but instead prompts us for that password.
Let's test it. On R1 we telnet again, and sure enough it prompts us for the password. I'll type it in; it doesn't echo it back to the screen, for security reasons, but it lets me in. If I type `who`, it shows that I'm currently connected to this router through vty 0.
It also shows that there's somebody at the console; that's us on the other screen. That works. But now the password is cisco123, somebody has written it on a post-it note stuck to their monitor, and the entire department knows what it is.
How do we fix that? We could change the password, which is not too tough, or we could kick it up a notch and have the router require people to enter a username and a password to log on. First of all, R2 has to have locally configured usernames and passwords.
Secondly, we need to tell R2 on its VTY lines that when people try to connect, it should prompt them for a username and then for a password. Those are the two main steps. Let's go to R2 and configure exactly that: at the console prompt of R2 we go into configuration mode.
We'll create a user: `username Steve password Cisco123`. Instead of the keyword `password` we could have used the keyword `secret`, which also works.
`secret` stores a one-way hash of the password in the running config, and in the startup config once we save it, whereas `password` stores it in clear text (or, with `service password-encryption`, as a trivially reversible type 7 string). So `secret` is the better option. Either way we now have a local user. How do we train the router to prompt for a username when people come in?
It should prompt them for a username instead of asking for the global line password. We go back to the VTY line configuration, `line vty 0 4`, and simply say `login local`: use the local database, meaning the usernames and passwords in my configuration, to authenticate users.
When we press Enter and go back to R1 to telnet into this router, it prompts us for a username instead of a password. Users have to put in their information: we'll put in Steve and the password Cisco123.
We've logged on. We've taken it from a global password to requiring usernames and passwords. The global line password is still in the config but not used; with `login local` the VTY lines never prompt anybody for it, so it's just taking up space in the config and doing nothing (you may as well remove it with `no password` under the lines).
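The three VTY configurations the walkthrough has moved through so far, collected as one added example written for this page rather than the video's own console capture. It assumes R2's starting config and the user Steve from the text; the `no password` cleanup and the `show` commands at the end are the author's verification steps made explicit.

```text
! R2 - starting point as found: anyone can telnet in with no credentials.
line vty 0 4
 no login
!
! Step 1: one shared password on the lines. "login" on its own is not
! enough; IOS keeps login disabled on these lines until a password is set.
line vty 0 4
 password cisco123
 login
!
! Step 2: per-user credentials from the local database.
! "secret" stores a one-way hash; "password" would store clear text
! (type 7 at best, once service password-encryption is on).
username Steve secret Cisco123
line vty 0 4
 login local
!
! The shared line password is never consulted under "login local",
! so remove it rather than leave a second credential in the config.
line vty 0 4
 no password
!
! Checks from the console of R2 after each step.
R2# show running-config | begin line
R2# who
```

Two things a practitioner would want on top of what the video shows: telnet carries the username and password in clear text on the wire, so once a key pair exists you would restrict the lines with `transport input ssh`, and you would set an `exec-timeout` so idle sessions on vty 0 through 4 do not stay open for someone else to pick up.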
That's an example of kicking it up a notch and requiring a username and password to connect. Now let me share with you something called AAA; AAA is an acronym. First I'm going to take the line configuration off.
With `no login local` on the VTY lines, we verify from R1 that we can again telnet in with no password required; we're in. AAA is all about authenticating users, authorizing users, and accounting for what users do. We're going to focus on the first of those, the authentication part.
On the Cisco router, if we want to change the rules about how we authenticate people, we enter `aaa new-model`. That command simply tells the router to forget the old game; under the new game, the default is that people have to put in a username and password when they log in.
That default applies to the VTY lines and to the auxiliary port; on this router it does not apply to the console, because too many people locked themselves out of the console by turning AAA on before they had created any usernames and passwords. Don't count on that everywhere: the console behaviour differs between IOS versions and platforms, so create a local user first, enable AAA from a session you keep open, and verify console access from a second session before you log out. With that one command in place, back at R1, if we telnet in, check this out.
A few seconds ago we were able to telnet in with no password. Now, because of `aaa new-model`, the default has changed and we're asked for a username and password. I'll put in Steve and Cisco123, and we're in. The cool thing is that all I had to do was `aaa new-model`.
That enables authentication. Now I'd like to share with you something called an authentication method list. Let me describe what it is: a method list is simply a named list. We'll call ours free, but with AAA you can name it whatever you like.
In it you specify the method you'd like to use. Right now we're requiring authentication everywhere; suppose we do not want to require authentication on the VTY lines. We create a method list that requires no authentication, then apply that list to vty 0 through 4.
That takes precedence over the default of authenticating everybody. It's simple; let me demonstrate how to create one. Back on R2 I configure AAA authentication for character-mode login:
`aaa authentication login free ?` shows the options. The method list can use the enable secret, a group of TACACS+ or RADIUS servers, the local database, or the password configured on the line.
In this case I'll say `none`, meaning that whenever this method list is called upon, no authentication is required. At the moment the VTY lines still require authentication through the default list. If we go to `line vty 0 4` and say `login authentication free`, that list overrides the default AAA behaviour on those lines.
With `debug aaa authentication` we can see what's going on behind the scenes: when somebody comes in through a VTY line, the router looks at the method list applied to those lines, sees that the method is none, and simply lets us in without any authentication.
We can test that by telnetting again, and we're in with no authentication required. In the debug output we see that somebody tried to connect, that the method list free is associated with the VTY lines, and that free said no login required; you're in.
If we want to change that, we could change the method list: we could use the password configured on the line, or we could say `aaa authentication login free local` to use the local database. That's fine, because we know we have Steve, and any other users such as Sally and Bob that we might have created, in the local database.
If we go back to R1 and telnet one more time, it prompts us for a username and we can get in. Typing `who` shows that we came in through vty 0; the method list attached to vty 0 through 4 now says use the local database, and that's exactly what it did.
Looking at the debug on R2, we see that once again it picked the method list free, which now requires the local database, meaning local authentication. That's a little information on the world of `aaa new-model` and some of its behaviours. Thanks for reading.
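The AAA part of the walkthrough as one configuration sequence, an added example written for this page and not the video's own console capture. It assumes the user Steve from the text already exists, makes the default method list explicit instead of relying on the implicit one, and goes one step beyond the video with a TACACS+ list that falls back to the local database (that line assumes TACACS+ servers have been configured; none are on the page).

```text
! R2 - first undo the line-level requirement so the effect of AAA is visible.
line vty 0 4
 no login
!
! Turn on AAA. State the default list explicitly, do this from a session you
! keep open, and have a local user defined first so a mistake cannot lock
! you out. Once AAA is on, "login authentication <list>" on the lines
! replaces the old line-level "login" and "login local".
aaa new-model
aaa authentication login default local
!
! Named list "free" with the method "none": no authentication at all.
! Applying it to vty 0 through 4 overrides the default list on those lines only.
aaa authentication login free none
line vty 0 4
 login authentication free
!
! Same list name, now checking the local database instead.
aaa authentication login free local
!
! Beyond the video: ask a TACACS+ server group first and fall back to the
! local database. The next method is tried only when the previous one
! returns an error (for example, no server reachable), not when it rejects
! the credentials. Assumes tacacs servers are configured on R2.
aaa authentication login default group tacacs+ local
!
! Watch which list and method are selected for each login attempt, then
! switch the debug off when done.
R2# debug aaa authentication
R2# undebug all
```

The fallback order is the part worth remembering when you build real lists: `group tacacs+ local` means the local database is a safety net for an unreachable server, not a second chance for a user the server has refused, so a list ending in `none` is only ever appropriate for something like the deliberately open `free` list in the demonstration.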