Solved

Authenticating PPP users while keeping them out of IOS on a Cisco router

Posted on 2008-10-23
3
192 Views
Last Modified: 2013-12-14
We authenticate PPP users on a Cisco router using a local username and password list. To my horror, recently I realized that any PPP user could could open an SSH or telnet session to the router with full administrative privileges using their PPP username and password.

As a temporary fix I have put in some ACL's to prevent access to port 22 and 23 from anywhere except admin IP addresses. However obviously now I am looking to put in a more permanent and secure solution without the hassle of having to install a separate RADIUS authentications server. I would like to keep maintaining a PPP username and password list on the router without compromising security.

The relevant router config sections is attached

!                                                                               
line con 0                                                                      
line aux 0                                                                      
line vty 0 4                                                                    
 privilege level 15                                                             
 transport input telnet ssh                                                     
!                                                                               
 
!                                                                               
aaa new-model                                                                   
!                                                                               
!                                                                               
aaa authentication ppp default local                                               
!                                     
 
!                                                                               
username admin secret 5 $8$NCxxxxxxxxxxxx
username pppuser1 password 0 secret123                             
archive                                                                         
 log config                                                                     
  hidekeys                                                                      
!

Open in new window

0
Comment
Question by:Fo_Shizzle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 10

Expert Comment

by:kyleb84
ID: 22792510
Local RADIUS server...

The Cisco itself can be the RADIUS server as well...

aaa new-model
aaa authentication login default radius local
aaa authentication login no_radius enable
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
---
radius-server local
 nas [VLAN1IP] key [key]
 group usersgrp
  user user1 nthash password1 group usersgrp
  user user2 nthash password2 group usersgrp
!
radius-server host [VLAN1IP] auth-port 1812 acct-port 1813 key [key]
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting

-------------

The above authenticates ppp users via RADIUS username/passwords, and console access by the local password database.

0
 
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
ID: 22792570
Hmm should change the line:

"aaa authentication login default radius local"
to
"aaa authentication login default local"

and:
line vty 0 4
 login authentication default
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question