
AAA

Authentication, Authorization and Accounting (AAA)


 Place local login before group authentication so that the specified usernames are authenticated first.

aaa authentication login default local-case group radius


aaa authentication login default local group tacacs+

AAA Auto-Command
 Automatically logout particular users (PPP usernames for example) and prevent them from managing the
router.
 The autocommand function will only work if authorization is configured using AAA.
 The console is treated differently by default, and requires additional commands in order to automatically
logout users.
 The aaa authorization console applies AAA rules to the console as well.

username R1 autocommand logout


aaa authorization exec default if-authenticated

aaa authorization console


line con 0
authorization exec default

Lines / SSH
Wednesday, December 2, 2015
7:09 PM

Login
 Log both successful and failed login attempts.
 3-second delay between successive login attempts.
 Do not allow login attempts for 10 seconds if two tries fail within 15 seconds.
 During login block allow hosts in ACL.

login on-failure log


login on-success log
login delay 3
login block-for 10 attempts 2 within 15
login quiet-mode access-class QUIET

ip access-list standard QUIET


permit host 192.168.0.1
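The login-block behaviour above (two failures within 15 seconds puts the router into quiet mode for 10 seconds, during which only hosts permitted by ACL QUIET may log in) is easier to reason about as a small model. This is an added, simplified Python model written for these notes, not Cisco code: the window is treated as a sliding window of failure timestamps, and the quiet_acl set stands in for `permit host 192.168.0.1`; the 3-second login delay is not modelled.

```python
# Added illustration of "login block-for 10 attempts 2 within 15" and
# "login quiet-mode access-class QUIET". Times are plain seconds.
# Simplified model for explanation; not the IOS implementation itself.
from dataclasses import dataclass, field


@dataclass
class LoginBlock:
    block_for: int = 10      # seconds spent in quiet mode once triggered
    attempts: int = 2        # failures needed to trigger quiet mode ...
    within: int = 15         # ... if they fall inside this many seconds
    # hosts still allowed during quiet mode (models ACL QUIET, assumed value)
    quiet_acl: set = field(default_factory=lambda: {"192.168.0.1"})
    failures: list = field(default_factory=list)   # timestamps of recent failures
    quiet_until: float = 0.0                       # end of current quiet period
    log: list = field(default_factory=list)        # what on-success/on-failure log would record

    def attempt(self, now, src, password_ok):
        """Process one login attempt; returns 'OK', 'FAIL' or 'BLOCKED'."""
        # Quiet mode: refuse everyone except hosts permitted by the ACL.
        if now < self.quiet_until and src not in self.quiet_acl:
            self.log.append(f"{now}: {src} blocked (quiet mode)")
            return "BLOCKED"
        if password_ok:
            self.log.append(f"{now}: {src} login success")   # login on-success log
            return "OK"
        self.log.append(f"{now}: {src} login failed")        # login on-failure log
        # Keep only failures inside the sliding "within" window, then add this one.
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}: quiet mode for {self.block_for}s")
        return "FAIL"


if __name__ == "__main__":
    lb = LoginBlock()
    for t, src, ok in [(0, "10.0.0.5", False), (5, "10.0.0.5", False),
                       (6, "10.0.0.5", True), (6, "192.168.0.1", True),
                       (16, "10.0.0.5", True)]:
        print(t, src, lb.attempt(t, src, ok))
```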

Secure Shell (SSH)


 Enable SSH without ip domain-name by using the label keyword.
 Normally the first generated RSA key is linked to SSH. Override this with the keypair-name command.

crypto key generate rsa modulus 768 label R1.lab.local


ip ssh version 2
ip ssh rsa keypair-name R1.lab.local
username admin privilege 15 password cisco
line vty 0 4
login local

show crypto key mypubkey rsa


ssh -v 2 -l admin 192.168.0.1
Telnet
 Default ToS is 192 (C0). Change the Telnet ToS with the ip telnet tos command.

Hide IP / hostname information when establishing Telnet sessions:


ip telnet hidden addresses
ip telnet hidden hostnames

Or:
service hide-telnet-addresses

Display the line number a user is connected to when a Telnet session is established:


service linenumber

show users
show line
Privilege
Wednesday, December 2, 2015
8:32 AM

Privilege Access Control


 The all keyword grants access to a configuration mode and all of its sub-modes.
 For interface configuration this gives access to all interfaces and to everything configured under them.
 Every level has access to all the commands of the levels below it; for example, level 8 has access to levels 1-7 and 8.
 In IOS there are 3 default privilege levels:
o Privilege 0.
o Privilege 1. User exec.
o Privilege 15. Privileged exec.

Create custom commands for level 10:


privilege exec level 10 [commands]
privilege configure level 10 [commands]
privilege interface level 10 [commands]
