alimohammed72
asked on
Access Control for catalyst switch 4506
Hello
I have cat4506 ver 12.2. I want to create 2 users who can log on and administer the switch with privilege level 15. How can we configure the switch to prompt for username and password when these users telnet to it?
Thanks
ASKER
There is no option for the command priv 15.. please see below
(config)#user test secret pass ?
LINE <cr>
ASKER CERTIFIED SOLUTION
I would also suggest in addition to the above you think about using SSH to connect.
Telnet sends plain text across the network, so anyone could sniff the traffic and see exactly what you are doing on the router / switch.
To enable SSH all you have to do is
(config)#crypto key generate rsa general-keys modulus 1024
This will create the 1024 bit encryption keys used for encrypting the data when using SSH and HTTPS.
Then
(config)#line vty 0 4
(config)#transport input ssh telnet
will make the connection accept telnet or ssh connections.
You will now have a much more secure connection to the switch, and also the ability to still use telnet if you need to; setting up the user name and setting the login local command stay the same as above.
I set some lines up to run SSH that require you to log in using username and password, and some lines to run telnet that require the old simple password method to log in. This means I can't accidentally log in via telnet without knowing.
There are 3 log in methods:
#login (this requires the password you set up on the individual vty or console lines to get access)
#login Local (requires you set up user names and passwords using the commands above)
#login Tacacs (requires you have a central server set up that the switches/routers use to check any connection attempts are valid; very useful if you have lots of devices on the network. You can set up multiple users easily and centrally manage them)
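The pieces above (two privilege-15 users, login local on the vty lines, an RSA key for SSH) put together as one complete IOS configuration, as an added example that is not from the original thread or any of the answerers. The hostname, domain name, user names, secrets and the management subnet in the access list are placeholders. It departs from the answer in one defensive detail: the vty lines accept SSH only, so the plaintext telnet path is closed rather than left open alongside it.

```cisco
! Added example (not from the original thread): local login with privilege 15
! users and SSH-only management on a Catalyst 4506 running IOS 12.2.
! Hostname, domain name, user names, secrets and 192.0.2.0/24 are placeholders.
hostname Cat4506
ip domain-name example.net
!
! "secret" stores a hash of the password; "password" would store a reversible
! type-7 string that anyone with the config can decode.
enable secret CHANGE-ME-enable
username admin1 privilege 15 secret CHANGE-ME-1
username admin2 privilege 15 secret CHANGE-ME-2
!
! hostname and domain-name must be set before the key can be generated
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! only the management subnet may open a vty session at all
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
```

Apply the vty changes from an SSH session, not from telnet, and keep that session open until a second SSH login has succeeded; once `transport input ssh` is in place the telnet session you may be sitting on cannot be re-opened. `show ip ssh` confirms the key and SSH version, and `show users` shows which lines are in use.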
ASKER
can we setup switch as TACACS server rather me buying a new server ?
Not sure you can do this actually. I believe some of the more powerful switches and routers do allow you to set them up as a Tacacs server, however I have never done this.
Also a tacacs server is not a processor intensive service, so you could simply set up Tacacs on a server you already have in place. Possibly not a DC or Exchange server, but maybe a little used file server, or even an old desktop PC that you can sit in the server room running it.
I have my own network server; it runs the syslog server, I am playing with TACACS on it, my configuration tools, runs my monitoring software.. etc.. etc.. It's nothing too special in terms of performance, however it does allow me to keep all my network services in one place. I started off with an old Dell desktop, and as I have grown out of it I have slowly increased until I now have a full Dell server.
But I would say start small and once you are starting to push the limits of a desktop PC, talk to your managers about upgrading. But a rescued desktop that was to be disposed of will easily allow you to do all the testing, get it up and running and prove if this is the way you want to go.
ASKER
OK. I found the spare machine. How do I go about installing and configuring TACACS now?
Thanks
LOL how long have you got???
Sorry but you will need to research TACACS servers and how to set them up. There are many many different things you can do with it, depending how far you want to go.
As I mentioned above I am playing with TACACS at the moment and working out what is what.
I suggest if you want an answer to how to set up TACACS you ask in another question. If you only have the one switch then I think it may be a bit of overkill. If you have lots of devices you will want to set it up on a test network first before implementing it on your live devices. You can, if you are not careful, easily lock yourself out of a switch for good!
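The switch side of the TACACS setup the answer warns about, written so that the lock-out it describes cannot happen: this is an added example, not from the original thread or any of the answerers, and it assumes a TACACS+ server already running at a placeholder address with a placeholder shared key, plus the local privilege-15 users from earlier in the thread. Console access stays local, and the vty lines fall back to the local users only when no TACACS+ server answers.

```cisco
! Added example (not from the original thread): AAA on the switch pointing at a
! TACACS+ server, with the local users as fallback. 192.0.2.10 and the key are
! placeholders; the local usernames are the privilege 15 users created earlier.
!
! aaa new-model takes effect immediately and makes every vty ask for a
! username, so the local users must exist before this line is entered.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key CHANGE-ME-shared-secret
!
! Console never depends on the network: if AAA is misconfigured you can still
! fix it from the serial port with a local account.
aaa authentication login CONSOLE local
! VTY logins ask TACACS+ first; "local" is consulted only when no server
! responds, NOT when the server rejects the credentials.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Send session start/stop and every privilege 15 command to the server, so the
! central log shows who changed what and when.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

Test the server from the switch before trusting the vty lines to it, while keeping the session you configured from open: `test aaa group tacacs+ <username> <password> legacy` reports whether the server accepted the account. Because the `local` fallback only covers an unreachable server, a working server with a wrong user list will still refuse you, which is why the console is deliberately kept on local authentication.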
Switch(config)#user test secret pass priv 15
Switch(config)#line vty 0 4
Switch(config-line)#login local