interface Vlan1
ip address 192.168.10.50 255.255.255.0
no ip redirects
end
Here is what a login session looked like:
As you can see, you can't log in with telnet because the vty lines aren't configured: by default they carry "login" with no password set, so the switch closes the connection with "Password required, but none set". This is a real problem if you forget and leave the site, because you will have to return and configure the vty lines from the console before you can log in remotely.
Here is the configuration required to use telnet:
Switch(config)#line vty 0 15
Switch(config-line)#password cisco1
Switch(config-line)#login
Switch(config-line)#end
Switch#sh run | b 0 4
line vty 0 4
password cisco1
login
line vty 5 15
password cisco1
login
!
Here is what a login session looked like:
To create an enable secret (stored as a salted MD5 hash and shown as "secret 5" in the running config; newer IOS releases also accept "enable algorithm-type scrypt secret ..." for a stronger type 9 hash):
Switch(config)#enable secret 9x3kaqq!!
Switch(config)#end
Using login local
Now we will add "login local" to the vty lines.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#end
Switch#sh run | b 0 4
line vty 0 4
password cisco1
login local
line vty 5 15
password cisco1
login local
!
end
Once login local is added you must create a local user or you will not be able to log in. To create the user (use "secret" rather than "password" so the credential is stored as a hash):
Switch(config)#username cisco privilege 15 secret 9x3kaqq
Switch(config)#end
Switch#sh run | i username
username cisco privilege 15 secret 5 $1$T6mv$85a/oQ3sWiyxKd/yQ9Sh3/
Here is what a login session looked like:
Notice that you are dropped directly into privileged EXEC (enable) mode without being asked for the enable secret, because the user was created with privilege 15.
Now we will add the "aaa new-model" command together with local login and exec authorization:
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#aaa authorization exec default local
Switch(config)#end
Switch#
!Note that "login local" has been removed from the vty configuration. Once "aaa new-model" is enabled the
!line command "login local" is no longer accepted; the vty lines (and the console) use the default AAA
!login method list instead. That is why the username was created first: with "aaa new-model" and no
!local user you would be locked out of the console as well as the vty lines.
Switch#sh run | b 0 4
line vty 0 4
password cisco1
line vty 5 15
password cisco1
!
Switch#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
Here is what a login session looked like:
Customize the prompts
You can customize the login prompts for username and password (both commands are AAA commands and require "aaa new-model"). This is helpful if you have a mix of devices using local databases and RADIUS or TACACS+. One caution though: be careful if you are using Cisco Prime Infrastructure or another tool that logs into the devices. I had a bunch of devices with custom prompts one time using local database authentication. I then tried to add the devices to Prime and it failed on the authentication. It turned out that I had misspelled "password" and Prime was looking for "Password" in the prompt from the switch.
Switch(config)#aaa authentication password-prompt "Enter Local Password: "
Switch(config)#aaa authentication username-prompt "Enter Local username: "
Switch(config)#end
Conclusions
- It's easy to forget to set up telnet or SSH correctly and not be able to log in remotely once you deploy the switch, so pick an authentication method and add it to your basic configuration script.
- To use RADIUS or TACACS+ you must enable "aaa new-model"; the method lists ("aaa authentication login ...") are what point the lines at the server.
- Don't use telnet unless your device doesn't support encryption: a line password typed over telnet crosses the network in cleartext, and "password cisco1" is also stored in cleartext in the running config. Once you have a username, an enable secret and login local, setting up SSH is easy.
Here are the steps to enable SSH:
Add a hostname to the device - hostname sw1
Add a domain name - ip domain-name mylab.pri (the hostname and domain name form the RSA key label, so both must exist before the key is generated)
Create the RSA keys - crypto key generate rsa general-keys modulus 2048 (depending on your IOS version this command may be different; use ? to work your way through)
Enable SSH - ip ssh version 2
Restrict the vty lines to SSH - line vty 0 15, then transport input ssh (this is what actually turns telnet off; "ip ssh version 2" on its own leaves telnet listening)
Save the configuration - wr mem
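As an added example (not code from the original post), the Python script below audits running-config text for the mistakes walked through above: vty lines that still accept telnet, "login local" or AAA pointing at an empty local user database (the lockout described in the "aaa new-model" section), line passwords stored in cleartext or as reversible type 7, and SSH not pinned to version 2. Both sample configs are constructed for this example: WEAK_CONFIG mirrors the post's telnet setup before a username exists, with vty 5 15 additionally shown the way "service password-encryption" would store the same "cisco1"; HARDENED_CONFIG is the SSH-only baseline the conclusions describe. The MGMT subnet and the reuse of the post's hash values as placeholders are assumptions.

```python
"""Audit Cisco IOS running-config text for remote-login weaknesses."""
import re

# Fixed key IOS uses for type 7 (service password-encryption) strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: the post's telnet-only vty setup before any username
# exists; vty 5 15 carries the same "cisco1" as type 7 for illustration.
WEAK_CONFIG = """\
line vty 0 4
 password cisco1
 login
line vty 5 15
 password 7 02050D4808095E
 login local
"""

# Constructed sample: SSH-only baseline from the conclusions. Hashes are
# copied from the post as placeholders; the MGMT subnet is an assumption.
HARDENED_CONFIG = """\
hostname sw1
ip domain-name mylab.pri
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco privilege 15 secret 5 $1$T6mv$85a/oQ3sWiyxKd/yQ9Sh3/
enable secret 5 $1$T6mv$85a/oQ3sWiyxKd/yQ9Sh3/
ip ssh version 2
ip access-list standard MGMT
 permit 192.168.10.0 0.0.0.255
line vty 0 15
 access-class MGMT in
 transport input ssh
"""


def decode_type7(enc):
    """Two offset digits, then hex bytes XORed with the key in sequence."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def parse_sections(config):
    """Split config into (header, [children]) on IOS's one-space indent."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means the config is clean."""
    sections = parse_sections(config)
    top = [h for h, _ in sections]
    usernames = [h for h in top if h.startswith("username ")]
    findings = []
    # Global checks: AAA with an empty local database, SSH version, usernames.
    aaa_local = "aaa new-model" in top and any(
        h.startswith("aaa authentication login") and h.endswith(" local") for h in top)
    if aaa_local and not usernames:
        findings.append("aaa: local login with no username, console and vty locked out")
    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' missing")
    for h in usernames:
        if " secret " not in h:
            findings.append(f"{h.split()[1]}: username uses 'password', not a hashed 'secret'")
    # Per-vty checks: transport, source restriction, login method, password.
    for header, children in sections:
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{header}: telnet accepted ({transport or 'default transport input'})")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no access-class, reachable from any source")
        if "login local" in children and not usernames:
            findings.append(f"{header}: 'login local' with no username, remote login impossible")
        has_password = False
        for c in children:
            m = re.match(r"password(?: (\d))? (\S+)$", c)
            if not m:
                continue
            has_password = True
            kind, value = m.group(1), m.group(2)
            if kind == "7" and re.fullmatch(r"\d\d(?:[0-9A-Fa-f]{2})+", value):
                findings.append(f"{header}: type 7 password decodes to {decode_type7(value)!r}")
            elif kind in (None, "0"):
                findings.append(f"{header}: cleartext line password {value!r}")
        if "login" in children and not has_password:
            findings.append(f"{header}: 'login' with no password, IOS refuses the session")
    return findings
```

Run audit() over the output of "show running-config" saved to a file; WEAK_CONFIG produces one finding per mistake and HARDENED_CONFIG produces none. The type 7 decoder is included to make the point that "service password-encryption" is obfuscation only (the textbook string 02050D480809 decodes to "cisco"), which is why the post's "enable secret" and "username ... secret" forms, stored as salted hashes, are the ones to use. Generated RSA keys do not appear in the running config, so the script cannot confirm that step.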
The first time your computer connects to a device with SSH enabled you will be asked to verify the host key. This is because the RSA key the device offers is not yet known to your host. If you are sure that you entered the IP address correctly, accept the key; your client caches it, and a later mismatch warning for the same address means either the switch regenerated its key or you are talking to a different host. If you are on Windows using PuTTY this is what the message looks like:
Thanks for the comments Roshini! I will have more posts coming soon. Please see the post on Layer 2 traceroute. I don't use it a lot but in certain situations there isn't anything else that can do what it does.
Thanks Melisa! The feedback is very useful, I will try to keep the writing style and get more tips posted soon.