Network and Internet Security
Asst. Prof. Dr. Noor Ghazi
3rd Stage – Semester 6

Lab 4: Securing the Router for Administrative Access

Control administrative access to routers by:
- Configuring local username and password security
- Setting privilege levels for local user accounts
- Changing the privilege levels of IOS commands

Note: We will test the lab on the topology from Lab 3.

Configure Local Username and Password Security on Router R1

Step 1: Investigate the options for the username command.
In global configuration mode, enter the following command:
    R1(config)# username user01 password ?

Step 2: Create a new user account using the username command.
a. Create the user01 account, specifying the password with no encryption.
    R1(config)# username user01 password 0 user01pass
b. Use the show run command to display the running configuration and check the password that is enabled.

Step 3: Create a new user account with a secret password.
a. Create a new user account with MD5 hashing to encrypt the password.
    R1(config)# username user02 secret user02pass
b. Exit global configuration mode and save your configuration.
c. Display the running configuration.

Step 4: Test the new account by logging in to the console.
a. Set the console line to use the locally defined login accounts.
    R1(config)# line console 0
    R1(config-line)# login local
    R1(config-line)# end
    R1# exit
b. Exit to the initial router screen, which displays:
    R1 con0 is now available, Press RETURN to get started
c. Log in using the user01 account and password previously defined.

Step 5: Test the new account by logging in from a Telnet session.
a. Set the vty lines to use the locally defined login accounts.
    R1(config)# line vty 0 4
    R1(config-line)# login local
b. From R2, telnet to R1.
    R2> telnet 10.1.1.1
    Username:
    Password:

Setting Privilege Levels for Local User Accounts

Privilege levels are a way to give some granularity of control to administrators of Cisco IOS devices.
Step 1: Create a new local user account using the username command and set the user account on the console, aux and VTY lines.

R1 Configuration
    //create a local username
    R1(config)#username sally password ciscosally
    //attach 'local' user db to vty lines
    R1(config)#line vty 0 4
    R1(config-line)#login local
    //attach it to the console/aux (if desired)
    R1(config-line)#line con 0
    R1(config-line)#login local
    R1(config)#line aux 0
    R1(config-line)#login local

At this point, a user connecting to the device is prompted for a "username" as opposed to simply being asked for a password. Nothing else has really changed: the user will still be placed into privilege level 1.

Testing from R2
    R2#telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: sally
    Password: ciscosally
    R1>show privilege
    Current privilege level is 1
    R1>exit

Step 2: Add users with privilege levels and set the user accounts on the console, aux and VTY lines.
Let's configure three additional user accounts to represent privilege levels 7 and 15 respectively.
    //create a local username
    R1(config)#username sally password ciscosally
    R1(config)#username Joe privilege 7 password 0 ciscojoe
    R1(config)#username sam privilege 15 password 0 ciscosam

Testing User Privilege Level
    //testing user Joe
    R2#telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Joe
    Password: ciscojoe
    R1#show privilege
    Current privilege level is 7
    R1#exit
    [Connection to 10.1.1.1 closed by foreign host]

    //testing user sam
    R2#telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: sam
    Password: ciscosam
    R1#show privilege
    Current privilege level is 15
    R1#exit
    [Connection to 10.1.1.1 closed by foreign host]

Changing Privilege Levels of IOS Commands

In this part, you will make use of privilege levels by moving IOS commands away from their default levels of 0, 1 and 15. That ability is what actually makes assigning users varying privilege levels useful.
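The local-account and line configuration above is easy to get subtly wrong: a "password 0" credential sits in the running-config in clear text, a line with "login" but no "login local" is using a shared line password rather than the per-user database, and a user's privilege level is whatever the username line says. The following Python script is an added example written for this lab (it is not Cisco's or the lab's own code); it reads text in "show running-config" form and reports those three things. The SAMPLE_CONFIG it checks is constructed in the style of R1's configuration, and the "secret 5" hash in it is a placeholder rather than a real MD5 digest.

```python
"""Audit local-account and line settings in a Cisco IOS running-config.

Constructed example for this lab (not Cisco's or the lab's own code). It
reads text in 'show running-config' form and reports:
  - usernames still using 'password' (types 0 and 7) instead of 'secret'
  - each user's privilege level (default 1 when none is configured)
  - whether each con/aux/vty line uses 'login local', a shared line password,
    'login' with no password at all, or no login statement
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of R1's configuration from this lab.
# The 'secret 5' value is a placeholder, not a real MD5 hash.
SAMPLE_CONFIG = """\
!
username user01 password 0 user01pass
username user02 secret 5 $1$PLACEHOLDER$notarealhash
username Joe privilege 7 password 0 ciscojoe
username sam privilege 15 password 0 ciscosam
!
line con 0
 login local
line aux 0
 password cisco
 login
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login
!
"""

# username <name> [privilege <n>] password|secret [<type>] <credential>
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? (\S+)\s*$"
)

UserFinding = Tuple[str, int, str]  # (name, privilege level, verdict)


def audit_users(config: str) -> List[UserFinding]:
    """Classify each 'username' line by how its credential is stored."""
    findings: List[UserFinding] = []
    for line in config.splitlines():
        match = USERNAME_RE.match(line.strip())
        if not match:
            continue
        name, privilege, keyword, enc_type, _credential = match.groups()
        level = int(privilege) if privilege else 1
        if keyword == "secret":
            verdict = "ok: hashed secret"
        elif enc_type == "7":
            verdict = "weak: type 7 password is reversible, use 'secret'"
        else:
            verdict = "weak: plaintext password, use 'secret'"
        findings.append((name, level, verdict))
    return findings


def audit_lines(config: str) -> Dict[str, str]:
    """Report how each 'line con/aux/vty' block authenticates users."""
    blocks: Dict[str, Dict[str, bool]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = {"login_local": False, "login": False, "password": False}
        elif current is not None and raw.startswith(" "):
            stmt = raw.strip()
            if stmt == "login local":
                blocks[current]["login_local"] = True
            elif stmt == "login":
                blocks[current]["login"] = True
            elif stmt.startswith("password "):
                blocks[current]["password"] = True
        else:
            current = None  # '!' or any top-level statement ends the block
    verdicts: Dict[str, str] = {}
    for name, seen in blocks.items():
        if seen["login_local"]:
            verdicts[name] = "ok: local user database"
        elif seen["login"] and seen["password"]:
            verdicts[name] = "weak: shared line password, no per-user accountability"
        elif seen["login"]:
            verdicts[name] = "broken: 'login' with no line password set"
        else:
            verdicts[name] = "open: no login statement on the line"
    return verdicts


if __name__ == "__main__":
    for name, level, verdict in audit_users(SAMPLE_CONFIG):
        print(f"user {name:8} level {level:2}  {verdict}")
    for line, verdict in audit_lines(SAMPLE_CONFIG).items():
        print(f"line {line:8}  {verdict}")
```

Run it against a saved "show running-config" to get a per-user and per-line summary; on the constructed sample it flags user01, Joe and sam for plaintext passwords, accepts user02's secret, and reports that aux 0 relies on a shared line password while vty 5 15 has "login" with no password.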
Example: Create three users, John, Jane and Mike, to represent privilege levels 1, 7 and 15 respectively. They must have access to the following commands:
- John: view the system clock
- Jane: interface configuration, view the system clock
- Mike: access to all commands
Jane and John should also be able to access anything that is typically accessible to non-privileged users. However, only Mike should be able to view the route table.

Step 1: Configure local usernames with privilege levels
    //create a local username
    R1(config)#username John password cisco
    R1(config)#username Jane privilege 7 password 0 cisco
    R1(config)#username Mike privilege 15 password 0 cisco
    //attach the 'local' user database to vty lines
    R1(config)#line vty 0 15
    R1(config-line)#login local
    //attach the 'local' user database to the console/aux (if desired)
    R1(config-line)#line con 0
    R1(config-line)#login local
    R1(config)#line aux 0
    R1(config-line)#login local

Step 2: Check the users' access
Since we haven't moved any commands to a different privilege level, Jane's initial access will be similar to John's.

John's Initial Access
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: John
    Password:
    //check the privilege level
    R1>show priv
    Current privilege level is 1
    R1>
    //determine if the route table is accessible
    R1>show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         10.0.0.0/30 is subnetted, 2 subnets
    S       10.2.2.0 [1/0] via 10.1.1.2
    C       10.1.1.0 is directly connected, Serial1/0
    C    192.168.1.0/24 is directly connected, FastEthernet0/1
    S    192.168.3.0/24 [1/0] via 10.1.1.2
    //test access to other show commands
    R1>show int s1/0
    Serial1/0 is up, line protocol is up
      Hardware is M4T
      Internet address is 10.1.1.1/30
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation HDLC, crc 16, loopback not set
      Keepalive set (10 sec)
      Restart-Delay is 0 secs
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: weighted fair
      Output queue: 0/1000/64/0 (size/max total/threshold/drops)
         Conversations  0/1/256 (active/max active/max total)
         Reserved Conversations 0/0 (allocated/max allocated)
         Available Bandwidth 1158 kilobits/sec
      5 minute input rate 1000 bits/sec, 1 packets/sec
      5 minute output rate 0 bits/sec, 1 packets/sec
         213 packets input, 11807 bytes, 0 no buffer
         Received 86 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         183 packets output, 12052 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 output buffer failures, 0 output buffers swapped out
         3 carrier transitions
         DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
    //determine if access to configuration mode is granted
    R1>conf t
            ^
    % Invalid input detected at '^' marker.
    //test access to show clock
    R1>show clock
    *00:15:45.215 UTC Fri Mar 1 2002
    R1>

From this, we can see that John (as should Jane) has access to see the routing table and to view the system clock. John does not have access to go into "configuration" mode. This is fine for John, but Jane will need that to configure interfaces. Therefore, our challenge is as follows:
- Remove John's and Jane's access to view the route table
- Allow Jane to configure interfaces
- Maintain John's access to the "show clock" command

Step 3: Change the privilege levels of the applicable commands.
With the usernames created in the previous step, the next step is to change the privilege levels of the applicable commands. The challenge stated that Jane should be able to modify interface configurations and that John should have access to view the system clock. The challenge also stated that ONLY Mike should have access to view the routing table, and that John and Jane should not be able to view the route table. The next step we will take in this process is to move the commands to the appropriate privilege level in order to allow Jane to configure the interfaces.
    //enabling configure mode for privilege 7 users
    R1(config)#privilege exec level 7 configure terminal
    R1(config)#

Before moving forward, let's just see how far Jane can get in her interface management tasks.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Jane
    Password:
    R1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
    R1(config)#interface s1/0
                ^
    % Invalid input detected at '^' marker.
    R1(config)#

As seen above, Jane can now access global configuration mode. However, she cannot enter "interface" configuration mode.
That needs to be moved to privilege level 7 as well.
    //configuring for interface config mode for priv 7
    R1(config)#privilege configure level 7 interface

Let's test Jane's access again.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Jane
    Password:
    R1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
    R1(config)#interface s1/0
    R1(config-if)#ip address 1.1.1.1 255.255.255.0
                   ^
    % Invalid input detected at '^' marker.
    R1(config-if)#?
    Interface configuration commands:
      default  Set a command to its defaults
      exit     Exit from interface configuration mode
      help     Description of the interactive help system
      no       Negate a command or set its defaults

Now Jane has access to move into interface configuration mode. However, interface sub-commands, including "shutdown" and "ip", are not available. To rectify this, we need to use "ALL" in the privilege command. This instructs IOS to move all sub-commands to the same privilege level.
    //change to "ALL" interface sub commands to priv 7
    R1(config)#privilege configure all level 7 interface

Now let's test one more time.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Jane
    Password:
    R1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
    R1(config)#interface s1/0
    R1(config-if)#?
    Interface configuration commands:
      access-expression           Build a bridge boolean access expression
      appletalk                   Appletalk interface subcommands
      arp                         Set arp type (arpa, probe, snap) or timeout
      asp                         ASP interface subcommands
      auto                        Configure Automation
      autodetect                  Autodetect Encapsulations on Serial interface
      backup                      Modify backup parameters
      bandwidth                   Set bandwidth informational parameter
      bgp-policy                  Apply policy propagated by bgp community string
      bridge-group                Transparent bridging interface parameters
      bsc                         BSC interface subcommands
      bstun                       BSTUN interface subcommands
      carrier-delay               Specify delay for interface transitions
      cdp                         CDP interface subcommands
      clns                        CLNS interface subcommands
      clock                       Configure serial interface clock
      compress                    Set serial interface for compression
      crypto                      Encryption/Decryption commands
      custom-queue-list           Assign a custom queue list to an interface
      dampening                   Enable event dampening
      dce-terminal-timing-enable  Enable DCE terminal timing
    R1(config-if)#shut
    R1(config-if)#ip address 1.1.1.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#

As can be seen from the output above, Jane now has the access required to meet the second requirement in the bulleted list. Next, let's work on removing Jane's and John's access to the "show ip route" command. We simply need to move that command up to privilege level 15.
    R1(config)#privilege exec level 15 show ip route
    R1(config)#

Now let's see if Jane is properly restricted from viewing the IP routing table.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Jane
    Password:
    R1#show ip route
           ^
    % Invalid input detected at '^' marker.

Since this seems to work, let's just confirm that John still has access to view the system clock.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: John
    Password:
    R1>show clock
         ^
    % Unrecognized command
    R1>show ?
    % Unrecognized command

As can be seen above, John can no longer access any "show" commands.
Let's take a quick look at the configuration and see what is going on.
    R1(config)#do show run | include priv
    privilege configure all level 7 interface
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 15 show ip route
    privilege exec level 15 show ip
    privilege exec level 15 show

IOS moves the base command, and every intermediate command, up to the same privilege level as the sub-command. In other words, "privilege exec level 15 show ip route" adds the following commands to the configuration:
    privilege exec level 15 show
    privilege exec level 15 show ip
    privilege exec level 15 show ip route

To resolve this, "show clock" needs to be returned to level 1.
    R1(config)#privilege exec level 1 show
    R1(config)#privilege exec level 1 show clock

At this point, we should be ready for final testing.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: John
    Password:
    R1>show clock
    *01:35:19.007 UTC Fri Mar 1 2002
    R1>
    R1>show ip route
            ^
    % Invalid input detected at '^' marker.
    R1>conf t
            ^
    % Invalid input detected at '^' marker.

John's access and restrictions are as required. Next we'll confirm Jane's access.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Jane
    Password:
    R1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
    R1(config)#interface s1/0
    R1(config-if)#shut
    R1(config-if)#ip address 2.2.2.2 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#exit
    R1(config)#exit
    R1#show ip route
            ^
    % Invalid input detected at '^' marker.
    R1#show clock
    *01:40:26.107 UTC Fri Mar 1 2002
    R1#

Finally, let's confirm Mike's access level and his access to view the route table.
    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: Mike
    Password:
    R1#show priv
    Current privilege level is 15
    R1#
    R1#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         10.0.0.0/30 is subnetted, 2 subnets
    S       10.2.2.0 [1/0] via 10.1.1.2
    C       10.1.1.0 is directly connected, Serial1/0
    C    192.168.1.0/24 is directly connected, FastEthernet0/1
    S    192.168.3.0/24 [1/0] via 10.1.1.2
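The two behaviours this lab turns on are worth being able to predict before touching a router: a "privilege ... level N" command moves the command and every prefix of it ("show", "show ip") to level N, which is what silently took "show clock" away from John, and the "all" keyword is what carries the interface sub-commands ("shutdown", "ip address") along with "interface". The Python below is an added example written for this lab (not IOS code and not the lab's own); it is a small model of those two rules that replays the lab's privilege commands in two stages, before and after the "privilege exec level 1 show" fix, and reports what John, Jane and Mike can run. Its built-in defaults (exec commands at level 1 except "configure" at 15, configuration-mode commands at 15) and its treatment of interface-mode commands as words beneath "interface" are simplifying assumptions, not a description of the real IOS parser.

```python
"""Toy model of how Cisco IOS privilege levels apply to commands.

Constructed for this lab as an illustration; it is not IOS code and only
covers the behaviour the lab demonstrates. Two rules are modelled:
  1. 'privilege <mode> level N <cmd words>' moves the command AND every
     prefix of it ('show', 'show ip') to level N.
  2. 'privilege <mode> all level N <cmd words>' additionally covers every
     sub-command beneath it (used here for interface-mode commands).
A user may run a command only if every prefix of it sits at or below the
user's level, which is why 'privilege exec level 15 show ip route' locked
John (level 1) out of 'show clock' until 'show' was returned to level 1.
"""
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Tuple[str, ...]]

# Assumed built-in defaults, enough to replay the lab: exec commands start at
# level 1 except 'configure' (15); configuration-mode commands start at 15.
DEFAULT_EXEC_LEVELS: Dict[str, int] = {"configure": 15}
DEFAULT_MODE_LEVEL: Dict[str, int] = {"exec": 1, "configure": 15}

USERS: Dict[str, int] = {"John": 1, "Jane": 7, "Mike": 15}  # levels from the lab


class PrivilegeModel:
    def __init__(self) -> None:
        self.levels: Dict[Key, int] = {}     # explicit (mode, words) -> level
        self.all_rules: Dict[Key, int] = {}  # rules given with the 'all' keyword

    def apply(self, config_line: str) -> None:
        """Apply one 'privilege <mode> [all] level <n> <command ...>' line."""
        tokens = config_line.split()
        if len(tokens) < 5 or tokens[0] != "privilege":
            raise ValueError(f"not a privilege command: {config_line!r}")
        mode, pos = tokens[1], 2
        all_subcommands = tokens[pos] == "all"
        if all_subcommands:
            pos += 1
        if tokens[pos] != "level" or len(tokens) < pos + 3:
            raise ValueError(f"malformed privilege command: {config_line!r}")
        level = int(tokens[pos + 1])
        words = tuple(tokens[pos + 2:])
        # Rule 1: the command and each of its prefixes move to this level.
        for n in range(1, len(words) + 1):
            self.levels[(mode, words[:n])] = level
        # Rule 2: with 'all', everything beneath the command moves too.
        if all_subcommands:
            self.all_rules[(mode, words)] = level

    def level_of(self, mode: str, words: Tuple[str, ...]) -> int:
        """Effective level of one exact command (prefixes are checked by can_run)."""
        explicit = self.levels.get((mode, words))
        if explicit is not None:
            return explicit
        best: Optional[Tuple[int, int]] = None  # (prefix length, level)
        for (rule_mode, prefix), level in self.all_rules.items():
            if rule_mode == mode and words[: len(prefix)] == prefix:
                if best is None or len(prefix) > best[0]:
                    best = (len(prefix), level)
        if best is not None:
            return best[1]
        if mode == "exec":
            return DEFAULT_EXEC_LEVELS.get(words[0], DEFAULT_MODE_LEVEL["exec"])
        return DEFAULT_MODE_LEVEL.get(mode, 15)

    def can_run(self, user_level: int, mode: str, command: str) -> bool:
        """True if every prefix of the (unabbreviated) command is at or below user_level."""
        words = tuple(command.split())
        return all(
            self.level_of(mode, words[:n]) <= user_level for n in range(1, len(words) + 1)
        )


# Sub-mode commands are modelled as words beneath the command that opens the
# sub-mode, so 'ip address' typed in interface mode becomes 'interface ip address'.
CHECKS: Dict[str, Tuple[str, str]] = {
    "show clock": ("exec", "show clock"),
    "show ip route": ("exec", "show ip route"),
    "configure terminal": ("exec", "configure terminal"),
    "interface ip address": ("configure", "interface ip address"),
}


def access_matrix(privilege_lines: List[str]) -> Dict[str, Dict[str, bool]]:
    """Apply the privilege lines, then report what each lab user can run."""
    model = PrivilegeModel()
    for line in privilege_lines:
        model.apply(line)
    return {
        user: {name: model.can_run(level, mode, cmd) for name, (mode, cmd) in CHECKS.items()}
        for user, level in USERS.items()
    }


# Stage A: the lab's commands up to the point where John loses every 'show'.
STAGE_A = [
    "privilege exec level 7 configure terminal",
    "privilege configure all level 7 interface",
    "privilege exec level 15 show ip route",
]
# Stage B: the lab's fix, returning 'show' and 'show clock' to level 1.
STAGE_B = STAGE_A + [
    "privilege exec level 1 show",
    "privilege exec level 1 show clock",
]

if __name__ == "__main__":
    for label, lines in (("before fix", STAGE_A), ("after fix", STAGE_B)):
        print(f"--- {label} ---")
        for user, access in access_matrix(lines).items():
            allowed = ", ".join(c for c, ok in access.items() if ok) or "(nothing)"
            print(f"{user:5} (level {USERS[user]:2}): {allowed}")
```

Running it shows John with no "show" access at all after stage A and exactly "show clock" after stage B, Jane with "show clock", "configure terminal" and interface sub-commands but not "show ip route", and Mike with everything, which matches the final tests in the lab. The same model also reproduces the intermediate step where "privilege configure level 7 interface" without "all" lets Jane enter interface mode but not issue "ip address".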