Wednesday 5 May 2021

Cisco IOS: Management of Console and VTY lines

Console

Most Cisco devices have a single console line, reached over a serial connection to the console port on the hardware. Cisco console ports come in two forms: the traditional RJ-45 console port, connected with the light-blue rollover (console) cable and a serial adapter, and the newer mini-USB console port, connected with a standard mini-USB cable.

Console connections to a Cisco device are managed in the console line configuration sub-mode, entered from global configuration with the command #line console 0

#show line displays the configured settings of every line, including the console; #show line console 0 shows the console line alone.

Some important Console submode commands;


absolute-timeout <0 – 10000>

Configures the maximum duration of a login session on the console, regardless of activity. The value is in minutes; 0 (the default) disables the absolute timeout.

#logging synchronous [level <0 – 7> | all]

By default, all logging messages appear on a console session. When a message arrives while a command is being typed, it splits the text of the command on the screen, which is a nuisance in the middle of a long command. On a console session the logging synchronous line command makes IOS redisplay the partially typed command on a fresh line after each message, so messages do not break the readability of what is being typed. The optional level keyword selects which severities are printed synchronously (the default is 2), and all applies it to every message.

#exec-timeout <0 – 35791> <0-2147483>

Configure the idle timeout period of a console session. The console user session automatically logs out the user after staying idle for the configured minutes and seconds. To configure an idle timeout period of 10 minutes 30 seconds;

exec-timeout 10 30

Idle timeout can be completely disabled using the command;

exec-timeout 0 0

#login <local | authentication >

To activate password checking for console lines, issue the login command;

Entering login without any parameters enables password checking against the line password set with the console-line command password <password>. This is a single shared password with no username, so it provides no accountability.

login local enables checking against the local user database and requires a username and password. Use the global configuration command username <username> secret <password> to add an entry to the local database.

login authentication <default | method_list_name>: authenticates using a AAA method list, for example one that points at a RADIUS or TACACS+ server.

accounting: Sends accounting records for the line to a RADIUS or TACACS+ server via AAA. accounting exec records the start and stop of EXEC sessions, while accounting commands <level> records the commands issued by users at that privilege level (command accounting is supported by TACACS+ only).

accounting exec < default | aaa_accounting_list_name>

This requires that the AAA accounting method list be configured first.

authorization: Activates authorization checking for logged-in users via AAA. For users who successfully authenticate, authorization exec controls whether they may start an EXEC shell, and authorization commands <level> restricts them to the specific set of commands they are permitted to issue.

authorization exec < default | aaa_authorization_list_name>

lockable: Allows a user who has logged in on the line to lock the session with the EXEC command lock. IOS prompts for a temporary password and the terminal stays locked until that password is entered again, so somebody else at the console cannot use the already-authenticated session.

Exec-banner: enables display of a message banner once the user has logged in and an EXEC session starts. The banner is configured using the global configuration command; banner exec message

VTY (Virtual TeletYpe)

VTY lines permit remote access to a Cisco device using Telnet, SSH or both. Telnet should not be used, since Telnet traffic, including the login credentials, is transmitted in plain text. Only SSH version 2 should be enabled as the transport input for remote device configuration.


A VTY session presents the same IOS CLI as the console, including the line-editing keystrokes for cursor movement, editing and command history.

A network device supports several VTY lines, which means it can support several simultaneous remote connections. The maximum number of VTY lines varies from device to device. When enabling remote access, enable enough VTY lines to allow remote device management, and apply the same login, timeout and access-class settings to every one of them.

SSH

To enable remote access to a Cisco device using SSH, follow these steps;

Step 1: Configure a device hostname: Configure a meaningful hostname. Together with the domain name, the hostname forms the fully qualified name under which the RSA key pair used by SSH is stored, and IOS refuses to generate the key pair while the hostname is still the factory default.

One good convention is to use the following format: Country_City_Location_Number_Device_Number. The country, city, location names can be shortened to use codes. For example, UGKAMBREBBSW1 to mean switch number 1 at the Entebbe Road branch in Kampala Uganda.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#hostname UGKAMBREBBSW1
UGKAMBREBBSW1(config)#

Step 2: Configure a domain name: The domain name completes the fully qualified name used to label the RSA key pair; key generation fails without it.

UGKAMBREBBSW1(config)#ip domain-name emmanueltoko.blogspot.com

Verify with;

show hosts

show running-config | include ip domain

Step 3: Generate the encryption keys;

UGKAMBREBBSW1(config)#crypto key generate rsa modulus ?
  <360-4096>  size of the key modulus [360-4096]
UGKAMBREBBSW1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: UGKAMBREBBSW1.emmanueltoko.blogspot.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 59 seconds)

UGKAMBREBBSW1(config)#
*Mar  4 19:46:40.431: %SSH-5-ENABLED: SSH 1.99 has been enabled
UGKAMBREBBSW1(config)#

This platform supports a maximum key size of 4096 bits. A key size of 2048 bits is selected. A larger key takes longer to generate but is harder to attack; 2048 bits is the minimum to use today, and a modulus below 768 bits would prevent SSH version 2 from being enabled at all.

Generating the keys also enables SSH, as seen in the log message displayed after generation completes. The "SSH 1.99" in that message means the server currently accepts both SSH version 1 and version 2 clients, which is why version 2 is pinned explicitly in the next step.

Step 4: Enable SSH version 2;

UGKAMBREBBSW1(config)#ip ssh version 2

Step 5: Configure the user credentials in the local database;

UGKAMBREBBSW1(config)#username cisco privilege 15 secret s3cr3t

Use the secret keyword rather than password: secret stores a hash of the credential, whereas password stores it in the reversible type 7 encoding.

Step 6: Enable remote access on VTY lines using SSH;

UGKAMBREBBSW1(config)#
UGKAMBREBBSW1(config)#line vty 0 2
UGKAMBREBBSW1(config-line)#transport input ssh

VTY lines allow SSH and/or telnet access to a device.

Step 7: Enable password checking on the VTY lines

To verify users against the local database, use the command;

UGKAMBREBBSW1(config-line)#login local

To verify users against a RADIUS or TACACS+ service, enable AAA, which is discussed in a separate post.

If AAA is enabled, the local database can only be used if it is explicitly configured in a method list;

UGKAMBREBBSW1(config)#aaa new-model
UGKAMBREBBSW1(config)#aaa authentication login AAA_AUTHENT local
UGKAMBREBBSW1(config)#line vty 0 2
UGKAMBREBBSW1(config-line)#login authentication AAA_AUTHENT

Referencing a method list name that has not been defined results in the following warning;

UGKAMBREBBSW1(config-line)#login authentication AA_AUTHENT
AAA: Warning authentication list "AA_AUTHENT" is not defined for LOGIN

A router can also accept Telnet on a port other than 23 by placing the VTY lines in a rotary group. Rotary group n (1 to 127) listens on TCP port 3000 + n, so rotary 5 is reached on port 3005, and the ACL referenced by access-class must permit that port. Moving the port only relocates the cleartext Telnet service; it does not protect it.

In global configuration: #access-list 100 permit tcp any any eq 3005

#line vty 0 4

#access-class 100 in

#rotary 5

#password <password>

#login

Message when no vty lines are available;

#refuse-message c sorry busy c

Configuring timeout settings: #exec-timeout 1 0 (one minute zero seconds).


Drop a session after X time for example two minutes;

#absolute-timeout 2

Allow users to lock a line;

#lockable

Verify configured settings;

#show line vty number

Enabling SSH or Telnet on the VTY lines without configuring an enable secret leaves remote users unable to reach privileged EXEC mode: the enable command is refused with "% No password set". This happens when the local account was created without an explicit privilege level, e.g. #username user secret password, which defaults to privilege level 1.

If the account is instead created with privilege level 15, a successful remote login using it lands directly in privileged EXEC mode even when no enable secret has been configured. Where an enable password is needed, configure it with enable secret rather than enable password, which stores it in a reversible form.

If an ACL is blocking telnet traffic on any vty lines, the router sends a RST, ACK reply in response to a TCP SYN packet from the client.

Customising VTY Lines

Display banner motd

The message of the day (motd) banner is displayed before login. It is recommended practice to warn anyone connecting (remotely or locally) that unauthorised access is prohibited, and a banner is the standard way to do this.

The message of the day (motd) banner can be configured in global configuration mode;

UGKAMBREBBSW1(config)#banner motd c
Enter TEXT message.  End with the character 'c'.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unauthorised login is not permitted
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
c
UGKAMBREBBSW1(config)#

c is the delimiting character for the banner.

Restricting Remote Login Locations

It is a good idea to control where remote logins can be made from. This can be done using an Access Control List (ACL) and referencing it in the VTY line configuration with the access-class command, which evaluates the source address of the incoming connection. It is recommended to use an extended ACL for this purpose; the permitted management network is written as the ACL source.

UGKAMBREBBSW1(config)#
UGKAMBREBBSW1(config)#ip access-list extended ACL_PERMIT_NETWORK_192.168.1.0
UGKAMBREBBSW1(config-ext-nacl)#10 permit tcp 192.168.1.0 0.0.0.255 any eq 22
UGKAMBREBBSW1(config-ext-nacl)#line vty 0 2
UGKAMBREBBSW1(config-line)#access-class  ACL_PERMIT_NETWORK_192.168.1.0 in
UGKAMBREBBSW1(config-line)#

Timeout

Two timeout parameters exist with VTY lines; absolute timeout and idle timeout.

Idle Timeout: This parameter determines how long a login session may remain inactive (no commands issued) before it is ended. Setting an idle timeout on VTY connections is recommended practice, particularly for the case where a network administrator leaves an SSH session running and walks away. Set an idle timeout of no more than 5 minutes; three minutes is better: long enough to read configuration output, and short enough for the session to end automatically when the administrator leaves the terminal. To configure an idle timeout of 2 minutes and 55 seconds;


UGKAMBREBBSW1(config-line)#exec-timeout 2 55 

Absolute Timeout: This parameter dictates the maximum duration that a VTY session can run. At the expiry of the absolute-timeout value, the VTY session is ended regardless of whether the session is active or not. To configure the absolute-timeout value to 30 minutes;

UGKAMBREBBSW1(config-line)#absolute-timeout 30
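The VTY steps, the access-class restriction and the two timeouts above are exactly the settings an auditor looks for in a saved configuration. The following Python script is an added example, not part of the original post and not Cisco code: it parses the text of show running-config, collects each line block with its sub-mode commands, and reports the weak settings discussed on this page (Telnet transport, missing access-class, disabled or long idle timeout, shared line password instead of login local, SSH version not pinned to 2). It assumes the standard IOS layout of global commands at column 0 and line sub-mode commands indented one space; the sample configuration it audits is constructed for the example.

```python
"""Audit Cisco IOS 'show running-config' text for weak console/VTY line settings.

Added example for this post, not Cisco code. It assumes standard IOS config
layout: global commands at column 0, line sub-mode commands indented one space.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: con 0 and vty 3 4 break the guidance in the post, vty 0 2 follows it.
SAMPLE_CONFIG = """\
hostname UGKAMBREBBSW1
ip domain-name emmanueltoko.blogspot.com
ip ssh version 1
username cisco privilege 15 secret s3cr3t
!
line con 0
 exec-timeout 0 0
 password cisco
 login
!
line vty 0 2
 access-class ACL_PERMIT_NETWORK_192.168.1.0 in
 exec-timeout 2 55
 absolute-timeout 30
 login local
 transport input ssh
!
line vty 3 4
 exec-timeout 30 0
 password cisco
 login
 transport input telnet ssh
!
end
"""

MAX_IDLE_SECONDS = 5 * 60  # the post recommends an idle timeout of at most 5 minutes


@dataclass
class LineBlock:
    name: str                      # e.g. "con 0" or "vty 0 2"
    cmds: list = field(default_factory=list)


def parse_lines(config: str) -> list:
    """Collect each 'line ...' block together with its indented sub-mode commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = LineBlock(raw[5:].strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.cmds.append(raw.strip())
        else:
            current = None         # '!' or a global command ends the block
    return blocks


def idle_seconds(cmds) -> float:
    """Idle timeout in seconds: IOS defaults to 10 minutes; 'exec-timeout 0 0' disables it."""
    for c in cmds:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c)
        if m:
            secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return float("inf") if secs == 0 else secs
    return 10 * 60


def audit(config: str) -> list:
    """Return human-readable findings, one per weak setting."""
    findings = []
    global_cmds = {ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")}
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set (SSH 1.99 still accepts SSHv1 clients)")
    for blk in parse_lines(config):
        tag = f"line {blk.name}"
        secs = idle_seconds(blk.cmds)
        if secs == float("inf"):
            findings.append(f"{tag}: 'exec-timeout 0 0' disables the idle timeout")
        elif secs > MAX_IDLE_SECONDS:
            findings.append(f"{tag}: idle timeout of {int(secs)}s exceeds {MAX_IDLE_SECONDS}s")
        logins = [c for c in blk.cmds if c == "login" or c.startswith("login ")]
        if not logins:
            findings.append(f"{tag}: no 'login' command, so no password check on this line")
        elif logins[0] == "login":
            findings.append(f"{tag}: plain 'login' uses the shared line password; prefer login local or AAA")
        if blk.name.startswith("vty"):
            transport = next((c for c in blk.cmds if c.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{tag}: 'transport input' not set explicitly")
            elif re.search(r"\b(telnet|all)\b", transport):
                findings.append(f"{tag}: '{transport}' permits cleartext Telnet")
            if not any(c.startswith("access-class ") for c in blk.cmds):
                findings.append(f"{tag}: no access-class restricting source addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports nothing for line vty 0 2 and seven findings elsewhere. The idle-timeout check deliberately treats exec-timeout 0 0 as a separate finding from a merely long timeout, because the two need different remediation conversations; a missing exec-timeout is scored at the IOS default of 10 minutes rather than ignored.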

Display all logging messages on the VTY session;

By default, syslog messages are not displayed on VTY sessions at all, whereas they are displayed on the console. To see them on a VTY session, use the privileged EXEC command terminal monitor; which severities are then shown is governed by the global logging monitor level (default debugging, i.e. levels 0 to 7).


R2#ssh -l user15 192.168.1.1
Password:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unauthorised login is not permitted
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UGKAMBREBBSW1>
UGKAMBREBBSW1>en
UGKAMBREBBSW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
UGKAMBREBBSW1(config)#end
UGKAMBREBBSW1#terminal monitor
UGKAMBREBBSW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
UGKAMBREBBSW1(config)#end
UGKAMBREBBSW1#
*Mar  4 22:11:28.315: %SYS-5-CONFIG_I: Configured from console by user15 on vty0 (192.168.1.2)
UGKAMBREBBSW1#

The snippet above shows that the level 5 %SYS-5-CONFIG_I message is not displayed on the VTY session after the first configuration change. Once terminal monitor is enabled, the message appears after the second change. Note the wording "Configured from console by user15 on vty0 (192.168.1.2)": it records the user, the line and the source address of every configuration change, which is what a central log collector should be receiving.
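The %SYS-5-CONFIG_I message above is the record a log collector uses to attribute configuration changes. The following Python snippet is an added example, not part of the original post and not Cisco code: it splits IOS syslog lines into their %FACILITY-SEVERITY-MNEMONIC header, extracts the user, VTY line and source address from CONFIG_I messages, and flags changes made from outside the management network that the access-class above permits. The first two sample lines are taken from the post's own output; the other two are constructed, and the 192.168.1.0/24 policy network is assumed from the ACL used earlier on this page.

```python
"""Parse Cisco IOS syslog lines and attribute configuration changes to a user and source.

Added example for this post, not Cisco code. The first two sample lines come from
the post's own output; the remaining lines are constructed.
"""
import ipaddress
import re

SAMPLE_LOGS = [
    "*Mar  4 19:46:40.431: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "*Mar  4 22:11:28.315: %SYS-5-CONFIG_I: Configured from console by user15 on vty0 (192.168.1.2)",
    "*Mar  4 22:14:02.019: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  4 22:20:51.773: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (10.20.30.40)",
]

# IOS header: optional '*' (clock not authoritative, e.g. NTP not synced), timestamp,
# then %FACILITY-SEVERITY-MNEMONIC: text
HEADER = re.compile(
    r"^(?P<unsynced>\*?)(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# CONFIG_I body: 'by console' for the physical console, 'by USER on LINE (IP)' for a VTY
CONFIG_I = re.compile(r"Configured from \S+ by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<ip>[\d.]+)\))?$")


def parse_syslog(line: str):
    """Split one IOS log line into header fields; None if it is not an IOS message."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["unsynced"] = rec["unsynced"] == "*"
    return rec


def config_changes(lines, allowed_cidr: str) -> list:
    """One record per CONFIG_I message, flagging sources outside allowed_cidr."""
    allowed = ipaddress.ip_network(allowed_cidr)
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["mnemonic"] != "CONFIG_I":
            continue
        body = CONFIG_I.search(rec["text"])
        if not body:
            continue
        ip = body.group("ip")
        out.append({
            "user": body.group("user"),
            "line": body.group("line") or "console",
            "ip": ip,
            # console changes carry no address; they are in policy but still worth reviewing
            "in_policy": ip is None or ipaddress.ip_address(ip) in allowed,
            "clock_unsynced": rec["unsynced"],  # timestamps unreliable for correlation
        })
    return out


if __name__ == "__main__":
    for change in config_changes(SAMPLE_LOGS, "192.168.1.0/24"):
        print(change)
```

A change from 10.20.30.40 over vty1 is out of policy: either a VTY line was left without the access-class, or the ACL was changed. The leading asterisk on all four timestamps is itself a finding for an incident responder, since it means the device clock was not authoritative when the messages were written.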

Logging Synchronous

This command is useful especially once terminal monitor has been enabled. Log messages normally appear on the terminal even in the middle of typing a configuration command, splitting the displayed command. With logging synchronous, the line redisplays the partially typed command on a new line after each log message, so incoming messages do not break what is being entered.

UGKAMBREBBSW1(config-line)#logging synchronous

