Hubbard on Networking: Basic Authentication on Cisco Network Devices

Saturday, July 18, 2015

Basic Authentication on Cisco Network Devices

In this blog I want to go over basic authentication on a Cisco device because I see a lot of questions on authentication on the Cisco Support forums. Here I have cleared the configuration on a 3750-48PS running IOS 12.2.55-SE10. Once the switch rebooted I connected with a console cable and answered No to the wizard. Then I added an IP address to vlan 1.

interface Vlan1
ip address 192.168.10.50 255.255.255.0
no ip redirects
end

Here is what a login session looked like:

As you can see you can't log in using telnet because the vty lines aren't configured. This is really a problem if you forget and leave the site. You will have to return and configure the vty lines before you can log in remotely.

Here is the configuration required to use telnet:
Switch(config)#line vty 0 15
Switch(config-line)#password cisco1
Switch(config-line)#login
Switch(config-line)#end

Switch#sh run | b 0 4
line vty 0 4
password cisco1
login
line vty 5 15
password cisco1
login
!

Here is what a login session looked like:

Notice that you are placed into user mode. Since we didn't create an "enable secret" password we cannot change to enable mode.

To create an enable secret:
Switch(config)#enable secret 9x3kaqq!!
Switch(config)#end

Using login local

Now we will add "login local" to the vty lines.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#end

Switch#sh run | b 0 4
line vty 0 4
password cisco1
login local
line vty 5 15
password cisco1
login local
!
end

Once login local is added you must create a local user or you will not be able to login. To create the user:
Switch(config)#username cisco privilege 15 secret 9x3kaqq
Switch(config)#end
Switch#sh run | i username
username cisco privilege 15 secret 5 $1$T6mv$85a/oQ3sWiyxKd/yQ9Sh3/

Here is what a login session looked like:

Notice that you are logged directly to enable mode.

Now we will add a "aaa new-model" command:

aaa new-model

aaa authentication login default local

aaa authorization exec default local

end

Switch#

!Note that login local is removed from vty configuration. You cannot use login local

!once you add the aaa new-model command.

Switch#sh run | b 0 4

line vty 0 4

password cisco1

line vty 5 15

password cisco1

Switch#sh run | i aaa

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa session-id common

Here is what a login session looked like:

Customize the prompts

You can customize the login prompts for username and password. The is helpful if you have a mix of devices using local databases and RADIUS or Tacacs. One caution though, be careful if you are using Cisco Prime Infrastructure or other tool that logs into the devices. I had a bunch of devices with custom prompts one time using local database authentication. I then tried to add the devices to Prime and it failed on the authentication. It turns out that I had miss-spelled password and Prime was looking for Password in the prompt from the switch.

Switch(config)#aaa authentication password-prompt "Enter Local Password: "

Switch(config)#aaa authentication username-prompt "Enter Local username: "

Switch(config)#end

Conclusions

It's easy to forget to set up telnet or SSH correctly and not be able to log in remotely once you deploy the switch so pick an authentication method and add it to your basic configuration script.
To use RADIUS or TACACS+ you must create a new-model.
Don't use telnet unless your device doesn't support encryption. Once you have a username, enable secret and login local, setting up SSH is easy.

Here are the steps to enable SSH:

Add a hostname to the device - hostname sw1

Add a domain name - ip domain-name mylab.pri

Create the RSA keys - crypto key generate rsa general-keys modulus 2048 (depending on your IOS version this command my be different. Use the ? to work your way through.

enable SSH - ip ssh ver 2
save the configuration - wr mem

The first time your computer connects to a device with SSH enabled you will be asked to verify the host keys. This is because the RSA keys the device offers to you are not known to your host yet. If you are sure that you entered the IP address correctly accept the keys. If you are on Windows using Putty this is what the message looks like:

@rikosintie

Michael earned his first IT certification, a Novell Certified Netware Engineer (CNE) in 1993. Michael then focused on the Microsoft MCSE credential, studied database design, and wrote several Visual Basic programs to automate production at a manufacturing company. In 2000 he earned the Cisco CCNA. Since then, Michael has earned Cisco’s security certification, Aruba’s switching certification, and the LPI’s Linux Essentials certification.

3 comments:

MelisaSeptember 18, 2015 at 3:13 AM
This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic.
Regards,
SAP course in chennai|SAP training|SAP Training in Chennai|sap course in Chennai
ReplyDelete
Replies
@rikosintieSeptember 20, 2015 at 8:46 PM
Thanks for the comments Roshini! I will have more posts coming soon. Please see the post on Layer 2 traceroute. I don't use it a lot but in certain situations there isn't anything else can do what it does.
ReplyDelete
Replies
@rikosintieSeptember 20, 2015 at 8:47 PM
Thanks Melisa! The feedback is very useful, I will try to keep the writing style and get more tips posted soon.
ReplyDelete
Replies

Add comment