Fo_Shizzle asked:
Authenticating PPP users while keeping them out of IOS on a Cisco router
We authenticate PPP users on a Cisco router using a local username and password list. To my horror, recently I realized that any PPP user could open an SSH or telnet session to the router with full administrative privileges using their PPP username and password.
As a temporary fix I have put in some ACLs to prevent access to port 22 and 23 from anywhere except admin IP addresses. However, obviously, now I am looking to put in a more permanent and secure solution without the hassle of having to install a separate RADIUS authentication server. I would like to keep maintaining a PPP username and password list on the router without compromising security.
The relevant router config sections are attached:
!
line con 0
line aux 0
line vty 0 4
 ! every user who authenticates on a vty lands directly at privilege 15 (full admin)
 privilege level 15
 ! telnet carries credentials in cleartext; ssh is the only transport worth keeping
 transport input telnet ssh
!
aaa new-model
!
! PPP authenticates against the same local username table the vty lines use, and
! no separate login method list is defined, so every PPP account is also a CLI login
aaa authentication ppp default local
!
username admin secret 5 $8$NCxxxxxxxxxxxx
! type 0 = cleartext password stored in the running-config
username pppuser1 password 0 secret123
archive
 log config
  hidekeys
!
Accepted solution:
The Cisco itself can be the RADIUS server as well...
aaa new-model
! vty/console logins: ask RADIUS first, fall back to the local username table
aaa authentication login default radius local
! named list that uses only the enable secret; it takes effect on a line only once
! 'login authentication no_radius' is applied to that line
aaa authentication login no_radius enable
! PPP peers authenticate against RADIUS only (skipped if the peer is already authenticated)
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
---
! the router's built-in local RADIUS server holds the PPP user list
radius-server local
 nas [VLAN1IP] key [key]
 group usersgrp
 ! 'nthash' expects an NT hash value; for a cleartext value use 'user user1 password password1 group usersgrp'
 user user1 nthash password1 group usersgrp
 user user2 nthash password2 group usersgrp
!
! the same router is also the RADIUS client, pointed at its own local server
radius-server host [VLAN1IP] auth-port 1812 acct-port 1813 key [key]
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
-------------
-------------
The above authenticates ppp users via RADIUS username/passwords, and console access by the local password database.
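The underlying problem in the question is that the PPP method list and the vty login list both consult the same credential store, so anyone in the PPP user table is also a CLI user. The following is an added example, not code from the question or the accepted answer and not an IOS feature: a small offline audit script that reads a saved running-config, works out which stores the PPP list and the vty login list use, and flags the overlap together with the other weak settings visible in the asker's config (vty `privilege level 15`, telnet enabled, `password` instead of `secret`). Both sample configs are constructed with placeholder values; the hardened one is my own assumed shape (PPP users only on the local RADIUS server, admins only in the local username table, vty login set to `local` only), not the accepted answer's configuration.

```python
"""Audit a Cisco IOS config for PPP accounts that can also log in to the CLI.

Heuristic text check over a saved running-config (hypothetical helper, not an
IOS feature): it reads the AAA method lists, the vty line settings and the
local username table, and reports when PPP and vty login consult the same
credential store.
"""
import re

# Constructed sample with the shape of the asker's config (values are placeholders).
VULNERABLE_CFG = """\
aaa new-model
aaa authentication ppp default local
username admin secret 5 $8$PLACEHOLDERHASH
username pppuser1 password 0 secret123
line con 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
"""

# Constructed hardened shape, an assumption of this example rather than the
# accepted answer's config: PPP users exist only on the router's local RADIUS
# server, admins only in the local username table, and vty login uses local only.
HARDENED_CFG = """\
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
username admin privilege 15 secret 5 $8$PLACEHOLDERHASH
radius-server local
 nas 192.0.2.1 key PLACEHOLDERKEY
 user pppuser1 password secret123
line vty 0 4
 login authentication default
 transport input ssh
"""


def parse(cfg):
    """Return (method lists, vty sub-commands, local usernames)."""
    methods = {}        # ("login" | "ppp", list-name) -> method tokens
    vty = []            # sub-commands found under 'line vty'
    users = set()
    section = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            section = "vty" if line.startswith("line vty") else None
            m = re.match(r"aaa authentication (login|ppp) (\S+) (.+)$", line)
            if m:
                methods[(m.group(1), m.group(2))] = m.group(3).split()
            m = re.match(r"username (\S+) ", line)
            if m:
                users.add(m.group(1))
            continue
        if section == "vty":
            vty.append(line.strip())
    return methods, vty, users


def stores(tokens):
    """Reduce a method list to the credential stores it consults."""
    return {t for t in tokens if t not in ("group", "if-needed")}


def shared_stores(cfg):
    """Credential stores consulted by both PPP and the vty login list."""
    methods, vty, _ = parse(cfg)
    vty_list = "default"
    for sub in vty:
        m = re.match(r"login authentication (\S+)$", sub)
        if m:
            vty_list = m.group(1)
    login_tokens = methods.get(("login", vty_list))
    # Under 'aaa new-model' with no default login list defined, IOS falls back
    # to local authentication on the lines.
    login_stores = stores(login_tokens) if login_tokens is not None else {"local"}
    return stores(methods.get(("ppp", "default"), [])) & login_stores


def audit(cfg):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    _, vty, _ = parse(cfg)
    findings = []
    shared = shared_stores(cfg)
    if shared:
        findings.append(
            f"PPP and vty login share credential store(s) {sorted(shared)}: "
            "every PPP account can open a CLI session")
    if any(sub.startswith("privilege level 15") for sub in vty):
        findings.append("vty 'privilege level 15': authenticated users land in enable mode")
    if any(sub.startswith("transport input") and "telnet" in sub for sub in vty):
        findings.append("vty accepts telnet, so credentials cross the network in cleartext")
    for user in re.findall(r"^username (\S+) (?:privilege \d+ )?password ", cfg, re.M):
        findings.append(f"username {user} uses 'password' (reversible/cleartext) instead of 'secret'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        result = audit(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against a `show running-config` capture saved to a file by passing the file contents to `audit()`. The overlap check is the one that matters for the question: if `shared_stores()` returns anything, the PPP user table is also a CLI login table regardless of what ACLs sit in front of ports 22 and 23.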