Saturday, July 18, 2015

Basic Authentication on Cisco Network Devices

In this blog I want to go over basic authentication on a Cisco device because I see a lot of questions on authentication on the Cisco Support forums. Here I have cleared the configuration on a 3750-48PS running IOS 12.2.55-SE10. Once the switch rebooted I connected with a console cable and answered No to the wizard. Then I added an IP address to vlan 1.

interface Vlan1
 ip address 192.168.10.50 255.255.255.0
 no ip redirects
end

Here is what a login session looked like:

As you can see, you can't log in using telnet because the vty lines aren't configured. This is a real problem if you forget and leave the site: you will have to return and configure the vty lines before you can log in remotely.

Here is the configuration required to use telnet:
Switch(config)#line vty 0 15
Switch(config-line)#password cisco1
Switch(config-line)#login
Switch(config-line)#end

Switch#sh run | b 0 4
line vty 0 4
 password cisco1
 login
line vty 5 15
 password cisco1
 login
!

Here is what a login session looked like:

Notice that you are placed into user mode. Since we didn't create an "enable secret" password we cannot change to enable mode.

To create an enable secret:
Switch(config)#enable secret 9x3kaqq!!
Switch(config)#end

Using login local

Now we will add "login local" to the vty lines.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#end

Switch#sh run | b 0 4
line vty 0 4
 password cisco1
 login local
line vty 5 15
 password cisco1
 login local
!
end

Once login local is added you must create a local user or you will not be able to log in. To create the user:
Switch(config)#username cisco privilege 15 secret 9x3kaqq
Switch(config)#end
Switch#sh run | i username
username cisco privilege 15 secret 5 $1$T6mv$85a/oQ3sWiyxKd/yQ9Sh3/

Here is what a login session looked like:

Notice that you are placed directly into enable (privileged EXEC) mode, because the user was created with privilege 15.

Now we will add an "aaa new-model" command:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
end

Switch#
!Note that login local is removed from vty configuration. You cannot use login local
!once you add the aaa new-model command.
Switch#sh run | b 0 4
line vty 0 4
 password cisco1
line vty 5 15
 password cisco1
!
Switch#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common

Here is what a login session looked like:

Customize the prompts

You can customize the login prompts for username and password. This is helpful if you have a mix of devices using local databases and RADIUS or TACACS+. One caution though: be careful if you are using Cisco Prime Infrastructure or another tool that logs into the devices. I had a bunch of devices with custom prompts one time using local database authentication. I then tried to add the devices to Prime and it failed on the authentication. It turns out that I had misspelled "password" and Prime was looking for "Password" in the prompt from the switch.

Switch(config)#aaa authentication password-prompt "Enter Local Password: "
Switch(config)#aaa authentication username-prompt "Enter Local username: "
Switch(config)#end

Conclusions
  • It's easy to forget to set up telnet or SSH correctly and not be able to log in remotely once you deploy the switch so pick an authentication method and add it to your basic configuration script.
  • To use RADIUS or TACACS+ you must enable aaa new-model.
  • Don't use telnet unless your device doesn't support encryption. Once you have a username, enable secret and login local, setting up SSH is easy.

Here are the steps to enable SSH:

Add a hostname to the device - hostname sw1
Add a domain name - ip domain-name mylab.pri
Create the RSA keys - crypto key generate rsa general-keys modulus 2048 (depending on your IOS version this command may be different; use ? to work your way through it)
Enable SSH - ip ssh ver 2
Save the configuration - wr mem
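The post builds the vty configuration up in stages (line password with login, then login local with a local user, then aaa new-model) and finishes with the SSH steps above. The following is an added example, my own code rather than anything from this post or from Cisco: a small Python audit that reads a running-config as text and reports which of those stages a device is stuck at. The two sample configs are constructed to mirror the post's "after line vty 0 15 / password / login" state and its end state; the hash values in them are placeholders, not real hashes. The finding codes are my own names, and the check for telnet assumes the 12.2 default of transport input all when no transport input line is present.

```python
import re

# Constructed sample: the state the post shows after 'line vty 0 15 / password cisco1 / login',
# with no enable secret and SSH not yet set up.
WEAK_CONFIG = """\
hostname Switch
!
interface Vlan1
 ip address 192.168.10.50 255.255.255.0
!
line con 0
line vty 0 4
 password cisco1
 login
line vty 5 15
 password cisco1
 login
!
end
"""

# Constructed sample: the end state the post builds up to, with telnet closed on the vty lines.
# The secret hashes are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname sw1
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
enable secret 5 $1$PLACEHOLDER$notarealhash
username cisco privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
ip domain-name mylab.pri
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def line_blocks(config):
    """Map each top-level 'line ...' header to the list of its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!', 'end' or another top-level command closes the block
    return blocks


def audit(config):
    """Return a sorted list of finding codes (my own names) for the remote-login configuration."""
    found = set()

    def present(pattern):
        return re.search(pattern, config, re.M) is not None

    aaa = present(r"^aaa new-model$")
    have_user = present(r"^username \S+ .*\b(secret|password)\b")

    # Without an enable secret a vty user is stuck in user mode (as the post shows);
    # 'enable password' alone is stored reversibly (type 0 or 7).
    if not present(r"^enable secret "):
        found.add("NO-ENABLE-SECRET")
    if present(r"^enable password "):
        found.add("ENABLE-PASSWORD-REVERSIBLE")

    if aaa:
        # Under aaa new-model the per-line 'login'/'login local' commands are removed and the
        # default login method list decides; a local method needs at least one username.
        if not present(r"^aaa authentication login default "):
            found.add("AAA-NO-LOGIN-METHOD")
        if present(r"^aaa authentication login default .*\blocal\b") and not have_user:
            found.add("AAA-LOCAL-NO-USER")

    for name, body in line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        login = next((cmd for cmd in body if cmd.startswith("login")), None)
        has_pw = any(cmd.startswith("password ") for cmd in body)
        transport = next((cmd for cmd in body if cmd.startswith("transport input")), None)
        if not aaa:
            if "no login" in body:
                found.add("VTY-NO-AUTHENTICATION")      # anyone reaching the line gets a prompt-free shell
            elif login in (None, "login"):              # IOS vty default is plain 'login'
                # 'login' with no password gives "Password required, but none set";
                # 'login' with a password is one shared secret with no per-user identity.
                found.add("VTY-LOGIN-NO-PASSWORD" if not has_pw else "VTY-SHARED-PASSWORD")
            elif login == "login local" and not have_user:
                found.add("VTY-LOGIN-LOCAL-NO-USER")    # remote login is impossible until a user exists
        # Assumption: with no 'transport input' line the 12.2 default allows telnet as well as SSH.
        if transport is None or "telnet" in transport or transport.endswith("all"):
            found.add("VTY-TELNET-ALLOWED")

    # The SSH steps from the post: hostname and domain name feed RSA key generation, then ip ssh version 2.
    if not present(r"^ip ssh version 2$"):
        found.add("SSH-V2-NOT-SET")
    if not present(r"^ip domain-name "):
        found.add("NO-DOMAIN-NAME")
    if present(r"^hostname (Switch|Router)$"):
        found.add("DEFAULT-HOSTNAME")
    return sorted(found)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against `show running-config` output saved to a file, or drop it into a config-backup job so a switch that left the site with only a line password, or with login local and no user, shows up before someone has to drive back.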

The first time your computer connects to a device with SSH enabled you will be asked to verify the host key. This is because the RSA key the device offers you is not yet known to your host. If you are sure that you entered the IP address correctly, accept the key. If you are on Windows using PuTTY this is what the message looks like:
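What the client is really asking you to approve is a fingerprint, a hash of the device's ssh-rsa public key in SSH wire format. As an added example (my own code, not from this post or from Cisco), the Python below builds that wire-format blob from an RSA exponent and modulus, derives the SHA256 and MD5 fingerprint forms that PuTTY and OpenSSH display, and parses a stored known_hosts style "ssh-rsa AAAA..." line back into its numbers so a saved entry can be re-checked later. The modulus used here is a constructed toy value, not a real 2048-bit key; the hostname in the comment is the one the post uses.

```python
import base64
import hashlib
import struct

# Constructed toy modulus (not a real key): odd, with the top bit set so the
# mpint padding rule below is exercised.
TOY_MODULUS = (1 << 127) + 0x1D
TOY_EXPONENT = 65537


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': big-endian two's complement, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_host_key_blob(exponent, modulus):
    """Wire-format ssh-rsa public key: the exact bytes a client hashes to show its fingerprint."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)


def fingerprints(blob):
    """Return (SHA256 fingerprint as OpenSSH/PuTTY print it, MD5 fingerprint as older PuTTY printed it)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def openssh_line(exponent, modulus, comment="sw1.mylab.pri"):
    """Render the key the way known_hosts and PuTTY's export store it."""
    return "ssh-rsa " + base64.b64encode(rsa_host_key_blob(exponent, modulus)).decode() + " " + comment


def parse_openssh_line(line):
    """Parse 'ssh-rsa AAAA... comment' back into (exponent, modulus)."""
    blob = base64.b64decode(line.split()[1])
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


if __name__ == "__main__":
    line = openssh_line(TOY_EXPONENT, TOY_MODULUS)
    sha256_fp, md5_fp = fingerprints(rsa_host_key_blob(*parse_openssh_line(line)))
    print(line)
    print(sha256_fp)
    print(md5_fp)
```

The practical use is the second connection, not the first: once a key has been accepted and saved, feeding the saved line through parse_openssh_line and fingerprints reproduces the fingerprint that was shown at the time, so a later "host key changed" warning can be compared against a record rather than against memory.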

3 comments:

  1. This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic.
    Regards,
    SAP course in chennai|SAP training|SAP Training in Chennai|sap course in Chennai

  2. Thanks for the comments Roshini! I will have more posts coming soon. Please see the post on Layer 2 traceroute. I don't use it a lot, but in certain situations there isn't anything else that can do what it does.

  3. Thanks Melisa! The feedback is very useful, I will try to keep the writing style and get more tips posted soon.
