Solved

Telnet user privilege

Posted on 2008-06-19
Last Modified: 2009-12-16
Dear Users,

We have just bought a new Cisco router which still has all the default configuration. I have given it a hostname and configured some of the interfaces. What I would like to do is to configure two new users with admin rights and give telnet access to the router just from a specific subnet. In addition, I would really appreciate it if somebody could give me a link or some kind of documentation and template with the important security configuration of a router and hardening it.

Best Regards
Question by:londonbjk
5 Comments
 

Author Comment by: londonbjk
ID: 21826144
Hi,

The first link is really useful and can help me with creating the admin accounts. What is the difference between typing login local or login privilege 15 under the vty line? Do both commands do the same job? In addition, I would still appreciate it if someone has got any security config template.

Thanks
Accepted Solution by: Melaleuca (earned 125 total points)
ID: 21826682
There are a couple of ways to secure the login. You can put a password under the line vty like below; this will make the user put in the password to get access to the device. This is the least secure because they only have to guess the password.
line vty 0 4
password secret
login

The other way is to set up a username and password combo, which is more secure because they have to have both to get in. This is done like below; this also sets the privilege level to 15 so you don't have to bother with enable secret.

username admin-user privilege 15 password 0 secret
line vty 0 4
login local

The last and most secure way is to set up AAA with a RADIUS or TACACS+ server, which will give you remote logging, and you can do command authorization with TACACS+, but you will have to have Cisco ACS for that and that is extra. But a RADIUS server can be set up for free and is the way I would do it, and have local usernames as a backup method.

aaa new-model
aaa authentication login Login-Radius group radius local
! enable authentication only accepts the "default" list name
aaa authentication enable default group radius enable
radius-server host 1.1.1.1
radius-server key passkey
line vty 0 4
login Login-Radius
Expert Comment by: logic2
ID: 21826861
login local would look for a valid username and password configured on the router to allow access.
login privilege 15 would give you enable mode access once the user authenticates successfully.

As for security, there is no specific template; it all depends on what you require for the network, but as basic guidelines:

1- telnet is only permitted from specific users (using an access class under the vty lines)
2- moreover, it's preferable to use a specified username and password, so not just anybody can guess the password (use login local in that case and configure usernames; much better is to use a TACACS server with AAA configured)
3- console and AUX passwords should be strong ones and only known to a few
4- you should try to block known ports that are usually attacked by viruses using access lists on interfaces to prevent denial of service attacks
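Putting guidelines 1 to 3 together for the original question, here is an added example config (written for this edit, not posted by anyone in the thread). The management subnet 192.0.2.0/24, the usernames alice and bob, the ACL name MGMT-ACCESS and the CHANGE-ME passwords are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed values: management subnet
! 192.0.2.0/24, users "alice" and "bob", placeholder passwords. Replace all.
!
! Obscure plaintext passwords in "show running-config" (type 7 is reversible,
! but still better than cleartext); use "secret" (hashed) wherever supported.
service password-encryption
!
! Two admin users at privilege 15, stored as hashes rather than "password".
username alice privilege 15 secret CHANGE-ME-alice
username bob privilege 15 secret CHANGE-ME-bob
!
! "enable secret" is hashed; the older "enable password" is not.
enable secret CHANGE-ME-enable
!
! Guideline 1: only the management subnet may reach the vty lines.
! "log" on the deny entry makes rejected attempts appear in syslog.
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Guideline 2: username + password on the vty lines, from the local database.
! Telnet still carries the credentials in cleartext on the wire, so the
! access-class is what keeps them off untrusted segments.
line vty 0 4
 access-class MGMT-ACCESS in
 login local
 exec-timeout 5 0
 transport input telnet
!
! Guideline 3: console and AUX also require a local username; the AUX port
! gets no exec session at all when no modem is attached.
line con 0
 login local
 exec-timeout 5 0
line aux 0
 login local
 no exec
 exec-timeout 0 1
!
! Slow down password guessing and record logins (IOS 12.3(4)T and later).
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
```

Verify with "show access-lists MGMT-ACCESS" after a test connection from outside the subnet: the deny counter should increment and a syslog line should appear.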
Expert Comment by: kanlue
ID: 21826981
Good point, logic2,

and here is an example of a very basic config just in case:
----------
! user admin (15 - administrator/super-user)
! user cisco (7 - moderate user access)
username admin privilege 15 password cisco
username cisco privilege 7 password cisco
!
enable password cisco
!
line vty 0 4
login local
!
---------

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html