R1(config)#line con 0
R1(config-line)#login local
4. Enable Login Enhancements
Normal mode (watch mode): The router keeps count of the number of failed login attempts within a specified amount of time.
Router(config)#login block-for seconds attempts tries within seconds
Router(config)#login block-for 120 attempts 5 within 60 Login will be disabled for 120 seconds if more than 5
login failures occur within 60 seconds.
Quiet mode (quiet period): Once the number of failed logins exceeds the configured threshold, the router enters quiet mode and all login attempts,
including valid administrative access, using Telnet, SSH, and HTTP are denied. However, to provide critical hosts access at all times, this behavior can be
overridden using an ACL.
Router(config)#login quiet-mode access-class {acl-name | acl-number}
Router(config)#ip access-list standard PERMIT-ADMIN
Router(config-std-nacl)#remark Permit only Administrative Hosts
Router(config-std-nacl)#permit 192.168.10.10
Router(config-std-nacl)#permit 192.168.11.10
Router(config-std-nacl)#exit
Router(config)# login quiet-mode access-class PERMIT-ADMIN invokes an ACL named PERMIT-ADMIN. Hosts that
match the PERMIT-ADMIN statements are exempt from quiet mode.
Login Delay introduces a uniform delay between successive login attempts. This is an optional command. If not set, a default delay of one second is
enforced after the login block-for command is configured.
Router(config)#login delay seconds
Router(config)#login delay 3 configures a delay of 3 seconds between successive login attempts.
Login log: used to keep track of the number of successful and failed login attempts.
Router(config)# login on-failure log [every login] generates logs for failed login requests.
Router(config)# login on-success log [every login] generates log messages for successful login requests.
The number of login attempts before a logging message is generated can be specified using the [every login] parameter. The default value is 1
attempt. The valid range is from 1 to 65,535.
As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the
login failure rate is exceeded.
To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The
router is in either normal or quiet mode, depending on whether login thresholds were exceeded.
The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login
attempts originated.
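Added example, not from the original notes: a small Python detector that replays the watch-mode counting of the login block-for 120 attempts 5 within 60 example over constructed syslog lines of the kind login on-failure log emits, and flags whether a source that reached the threshold is listed in the PERMIT-ADMIN ACL, because quiet mode will not block those hosts and a burst from them needs a human look. The log lines are constructed samples; the exact %SEC_LOGIN message wording and the same-day HH:MM:SS timestamp parsing are assumptions of this example, not IOS guarantees.

```python
import re
from collections import defaultdict, deque

# Thresholds from the page's example: login block-for 120 attempts 5 within 60
ATTEMPTS, WITHIN = 5, 60
# Hosts in the page's PERMIT-ADMIN ACL; quiet mode never blocks them
PERMIT_ADMIN = {"192.168.10.10", "192.168.11.10"}

# Constructed sample lines shaped like IOS %SEC_LOGIN messages (not a real capture)
SAMPLE_LOG = """\
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.1.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:00 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:01 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:05 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:12 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:20 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:31 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 12:01:00 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 12:01:10 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 12:01:20 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 12:01:30 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 12:01:40 UTC Wed Jan 10 2024
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.1.7] [localport: 22] [Reason: Login Authentication Failed] at 12:02:00 UTC Wed Jan 10 2024
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.11.10] [localport: 22] at 12:03:00 UTC Wed Jan 10 2024
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(FAILED|SUCCESS):.*\[Source: ([\d.]+)\].* at (\d\d):(\d\d):(\d\d)")

def failure_bursts(log_text, attempts=ATTEMPTS, within=WITHIN, exempt=PERMIT_ADMIN):
    """Per-source sliding window over LOGIN_FAILED lines (same-day timestamps assumed).
    Returns {source: (seconds_of_day_when_threshold_was_hit, is_exempt_from_quiet_mode)}."""
    window = defaultdict(deque)
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "FAILED":
            continue                      # successes are logged but not counted
        src = m.group(2)
        t = int(m.group(3)) * 3600 + int(m.group(4)) * 60 + int(m.group(5))
        q = window[src]
        q.append(t)
        while t - q[0] >= within:         # drop failures older than the window
            q.popleft()
        if len(q) >= attempts and src not in found:
            found[src] = (t, src in exempt)
    return found

if __name__ == "__main__":
    for src, (t, ex) in failure_bursts(SAMPLE_LOG).items():
        print(src, "exempt via PERMIT-ADMIN, router will not block" if ex else "router enters quiet mode")
```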
Banner: Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on a network. Banners
are disabled by default and must be explicitly enabled.
Router(config)#banner {exec | incoming | login | motd | slip-ppp} d message d
5. Configure SSH
Step 1: Configure the IP domain name.
R1(config)#ip domain-name domain-name
R1(config)#ip domain-name span.com
Step 2: Generate one-way secret keys.
R1(config)#crypto key generate rsa general-keys modulus modulus-size
R1(config)#crypto key generate rsa general-keys modulus 1024
The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits. The minimum recommended modulus key length is
1024 bits.
To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are
existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command.
2. Role-Based CLI
Introduction
Role-Based CLI provides more flexibility than privilege levels. It provides finer, more granular access by controlling specifically which commands are
available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different
users. Each view defines the CLI commands that each user can access.
Role-Based Views
Role-based CLI provides three types of views:
• Root view: To configure any view for the system, the administrator must be in the root view. Root view has the same access privileges as a
user who has level 15 privileges.
• CLI view: A specific set of commands can be bundled into a “CLI view”. Each view must be assigned all commands associated with that view
and there is no inheritance of commands from other views. Additionally, commands may be reused within several views.
• Superview: Allows a network administrator to assign users and groups of users multiple CLI views at once instead of having to assign a
single CLI view per user with all commands associated to that one CLI view.
Creating and Managing a View
Step 1: Enable AAA with the global configuration command aaa new-model. Exit, and enter the root view with the enable
view command.
Step 2: Create a view using the parser view view-name command.
Step 3: Assign a secret password to the view using the secret encrypted-password command.
Step 4: Assign commands to the selected view using the commands parser-mode {include | include-exclusive |
exclude} [all] [interface interface-name | command] command in view configuration mode.
Step 5: Exit the view configuration mode by typing the command exit.
Creating and Managing a Superview
Step 1: Create a view using the parser view view-name superview command and enter superview configuration mode.
Step 2: Assign a secret password to the view using the secret encrypted-password command.
Step 3: Assign an existing view using the view view-name command in view configuration mode.
Step 4: Exit the superview configuration mode by typing the command exit.
Example
R1(config)#parser view SHOWVIEW
R1(config-view)#secret cisco
R1(config-view)#commands exec include show
R1(config-view)#exit