The ability to remotely administer your router is a very important feature. However, you want to restrict access as much as possible to keep intruders out. Aside from configuring your firewall to deny access to routers, we can configure the router to allow access only in specific ways. Sometimes the people you want to keep off your routers are users on your local network. We'll examine user authentication and passwords to restrict access to the router.
15.3.1. Virtual Terminal Access
The virtual terminal (VTY) configuration on your router defines how incoming connections to your router are handled. For example, we can configure the types of protocols are allowed (telnet versus SSH) to connect to our devices.
188.8.131.52. Protecting VTY with an access list
When you telnet or ssh to your router, you connect to a VTY. This terminal lets you configure your router over the network without a physical connection to the console port. This capability is extremely useful but also dangerous: if you can configure your router over the network, so can anyone else with the appropriate password. One way to make the router more secure is to apply an access list to the VTY ports. This list should allow connections only from certain hosts. The following commands restrict telnet access to the 192.168.1.5 machine (we'll talk about SSH in the next section). We also apply an exec-timeout, which disconnects idle connections:
! Define the access list access-list 5 permit 192.168.1.5 0.0.0.0 access-list 5 deny any log ! line vty 0 4 ! Only allow telnet tranport input telnet ! Apply our access list for incoming connections access-class 5 in ! Finally, apply an exec-timeout, which will disconnect an idle connection ! The timeout is 10 minutes and 0 seconds exec-timeout 10 0
184.108.40.206. Allowing SSH connections to the router
In the previous example, we used the command transport input telnet, which allowed only telnet access to our router. Once this was quite acceptable, but times have changed and telnet's security limitations are now well known. SSH is now the standard method for connecting to remote devices.
220.127.116.11. Enabling SSH
To enable SSH on our router (in this case, running IOS 12.2), we need to enable SSH, configure RSA keys, set a hostname, and set the IP domain name. After SSH is enabled, we are going to restrict our VTY access to SSH only.
First we enable SSH and set the hostname and domain name:
Router(config)#ip ssh Router(config)#hostname router1 router1(config)#ip domain-name xyz.com
Next we create the RSA keys:
router1(config)#crypto key generate rsa The name for the keys will be: router1.xyz.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus : Generating RSA keys ... [OK] router1(config)#end router1# 00:18:57: %SSH-5-ENABLED: SSH 1.5 has been enabled 00:18:59: %SYS-5-CONFIG_I: Configured from console by console
We can verify our SSH configuration with the show ip ssh command.
router1#show ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authentication retries: 3
All that's left is to restrict our VTY access to SSH:
line vty 0 4 login password somepassword transport input ssh
15.3.2. Users and Authentication
Usernames are optional: many routers by default have no usernames and only a single password, which is given to everyone who needs access to the router. However, doing without usernames has obvious problems: you can never tell who is logged in, who just rebooted the router, or who is responsible for the configuration changes that broke your Internet connection. Usernames and passwords make it possible to trace who has done what; they add a sense of accountability and allow more fine-grained control over what individuals are allowed to do.
There are several methods for adding users ; the more advanced methods allow accounting (tracking what a particular user actually did) as well as authorization (merely verifying that a user has permission to do something). First, let's look at the easiest way to add users to a router's configuration.
18.104.22.168. Adding users with the user command
Throughout this book, we have added username and password pairs to the router configuration itself. For example, we can add the users Patty and Pete to the router's configuration with the username command:
! First, enable password encryption to "hide" the ! clear-text passwords in the configuration service password-encryption ! Now define the passwords username patty password patty1 username pete password pete2
Patty's password is now patty1, and Pete's password is pete2.[*]
[*] These passwords are clearly weak and are used here only for clarity of the illustration. You would use a stronger password to protect your routers and educate users to do likewise.
When we display the router's configuration, we see the passwords in their encrypted form:
username pete password 7 0831495A0C4B
To tell the VTY to use the usernames that you have listed with the username command, we need to use the login local command. This command is considered the old way of enabling local authentication . The new way is with the AAA commands, which we cover in the next section.
! this is the old way of enabling local authentication. line vty 0 4 login local ! restrict inbound connections to ssh only transport input ssh
For reference, the AAA equivalent command for the above example is:
aaa new-model aaa authentication login default local
Now that the passwords are in the configuration, Patty and Pete can log in when they connect to the router. That was certainly simple. But this method doesn't scaleit's not manageable if you need to work with more than a few users and one or two routers. What if you're managing a worldwide corporate network with hundreds of routers and dozens of administrators? What if you're managing an ISP with thousands of dial-up users? In either case, you have a long list of usernames and passwords that needs to be maintained on several different machines. How do you keep the lists in sync? How would you even keep them up to date?
There is a better way. Make a central authentication repository using an authentication protocol, and configure the router to use the authentication server. There are several different protocols that you can use, but the most popular are TACACS+ and Radius, both of which use the AAA framework.
22.214.171.124. Using the AAA framework
The authentication, authorization, and accounting model (AAA) is a framework for providing authentication and accounting services across a network. It requires the support of another protocoltypically, Radius or TACACS+. Radius is an open standard that is supported by a wide range of devices and vendors. Both Radius and TACACS+ encrypt sensitive data.
Radius and TACACS+ are both supported by the CiscoSecure product. If you wish to use that product for your AAA configurations, you can find out more information on Cisco's website. Or you can use a Radius server, which you should be able to find in both free and commercial versions. For example, for a Linux box, you could look at http://www.freeradius.org (other free Radius servers are also available). Windows 2000 and Windows Server 2003 include a Radius server. For other platforms, a quick Google search will lead you to several Radius servers.
The rest of this section deals with the configuration on the router side using AAA to communicate with a Radius or TACACS+ server.
126.96.36.199. User management with AAA
The first step is to enable AAA on the router with the command aaa new-model:
! This is required to use the AAA method aaa new-model ! Configure the Radius server radius-server host 10.10.1.2 radius-server key somepassword
Next we set up the list of authentication services we want to use with the command aaa authentication. In this example, we are setting the name of the list to the default, which tells the router to use this list for all lines and interfaces. If we assign a name other than the default, we must explicitly reference that name in the line configuration (we will do this in an upcoming example). In this list, we tell the router to attempt to authenticate with the Radius server. If it can't connect, it should use the enable password as a backup:
aaa authentication login default radius enable
The next step defines the authorization for the user, specifying what the person is allowed to do on the system. In this case, we are going to grant the user access to the router's command line with the command exec:
aaa authorization exec default group radius none
The final piece is the accounting, which can log user activity to the Radius server. In this example, we are going to log the starting and stopping of any commands performed by the user. The value 15 is the privilege level of the commands to log.
aaa accounting commands 15 default start-stop group radius
188.8.131.52. Restricting dial-in user access with AAA
While we are reviewing AAA access to our devices, we should consider using it for our dial-in configurations as well. In this sample configuration, we show a group of eight lines configured for dial-in access. The AAA configuration items are highlighted in bold. The rest of the configuration is here for completeness. Refer to Chapter 17 for more information on those commands.
! Configure AAA aaa new-model aaa authentication login default radius local aaa authentication ppp default if-needed radius aaa authorization network radius ! ! Define our pool of addresses for dialup users ip local pool pool1 10.10.1.100 10.10.1.108 ! ! interface Group-Async1 ip unnumbered Ethernet0 encapsulation ppp async mode interactive peer default ip address pool pool1 ! Take our security advice on disabling CDP on interfaces ! that don't need it no cdp enable ppp authentication chap group-range 1 8 ! ! ! Configure the lines connected to the modes line 1 8 autoselect ppp autoselect during-login modem dialin transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware