Learn to configure Console Security on Cisco Router
This blog is created for network security review, study and understanding about network related issues only!
The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!
The console port is used to attach a terminal directly into the router. By default, no security is applied to the console port and the setup utility does not prompt you to configure security for console access. Cisco routers have many different modes of operation, one of which is user mode. When you first access the router via the console port, the router will prompt you for a password, if one has been configured. After successfully supplying the password, you are logged into user mode on the router. When a Cisco router is in user mode, the router will display its hostname followed by the greater than symbol. Here is an example of user mode access:
User mode has limited functionality. Enable mode, also called privileged mode, can be accessed by typing the enable command. If passwords have been configured to access this level of the IOS, the router prompts you for the correct password. When a Cisco router is in enable mode, the router will display its hostname followed by the pound sign. Here is an example of enable mode access:
Cisco passwords are case sensitive. The simplest and most direct way to connect to the network device is to use a direct connection to the console port of a router or switch. You can configure a console password to authenticate users for user mode access by entering the following commands:
The preceding configuration sets the user mode password to CisRoutPsw. Cisco routers also maintain a local user authentication database, which can be used to authenticate users who connect directly to the console port of a router. Here's an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:
The preceding configuration defines three users: Visa, Googla, and Yaha. Each user has an associated privilege level defined for their respective login credentials and has a password that is associated with their username. This allows Visa to log into the router with a username of Visa and a password of Vipsw. Because Visa's privilege level defines the maximum privilege level that can be configured on the router, Visa is considered to be the super−user. Googla has a privilege
level of 12 and the password Goopsw.
Assignment of privilege levels is discussed in detail later in next post!
By assigning Googla a privilege of 12, the administrator can limit the functionality that Googla may have on the router. That's also the case for Yaha. When a user plugs into the console port of a router configured with local authentication, they are first prompted for their username; after successfully passing the correct username to the router, they are then prompted for the password that is associated with that username. The following example details these steps:
Now, what do you think would happen if you were to attempt to log in with the username of Visa and the password that is associated with Googla? You would suspect that the router would deny you access. This example details this attempt:
From this, you can see that you must supply the password that is associated with the username with which you are attempting to gain access.
Warning: When using local authentication and assigning privilege levels, you must be careful to associate the correct username with the correct privilege level.
Anyone who logs in with a privilege level that is equal to 2 or above is logged directly into privileged mode.
CiscoRouter>
User mode has limited functionality. Enable mode, also called privileged mode, can be accessed by typing the enable command. If passwords have been configured to access this level of the IOS, the router prompts you for the correct password. When a Cisco router is in enable mode, the router will display its hostname followed by the pound sign. Here is an example of enable mode access:
CiscoRouter#
Cisco passwords are case sensitive. The simplest and most direct way to connect to the network device is to use a direct connection to the console port of a router or switch. You can configure a console password to authenticate users for user mode access by entering the following commands:
CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line con 0
CiscoRouter(config−line)#password CisRoutPsw
CiscoRouter(config−line)#login
CiscoRouter(config−line)#end
The preceding configuration sets the user mode password to CisRoutPsw. Cisco routers also maintain a local user authentication database, which can be used to authenticate users who connect directly to the console port of a router. Here's an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:
!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line con 0
login local
transport input none
!
The preceding configuration defines three users: Visa, Googla, and Yaha. Each user has an associated privilege level defined for their respective login credentials and has a password that is associated with their username. This allows Visa to log into the router with a username of Visa and a password of Vipsw. Because Visa's privilege level defines the maximum privilege level that can be configured on the router, Visa is considered to be the super−user. Googla has a privilege
level of 12 and the password Goopsw.
Assignment of privilege levels is discussed in detail later in next post!
By assigning Googla a privilege of 12, the administrator can limit the functionality that Googla may have on the router. That's also the case for Yaha. When a user plugs into the console port of a router configured with local authentication, they are first prompted for their username; after successfully passing the correct username to the router, they are then prompted for the password that is associated with that username. The following example details these steps:
User Access Verification
Username: Visa
Password: Vipsw
CiscoRouter#
Now, what do you think would happen if you were to attempt to log in with the username of Visa and the password that is associated with Googla? You would suspect that the router would deny you access. This example details this attempt:
User Access Verification
Username: Visa
Password: Goopsw
% Login invalid
Username:
From this, you can see that you must supply the password that is associated with the username with which you are attempting to gain access.
Warning: When using local authentication and assigning privilege levels, you must be careful to associate the correct username with the correct privilege level.
Anyone who logs in with a privilege level that is equal to 2 or above is logged directly into privileged mode.
0 comments:
Post a Comment