- Equipment List
- General Guidelines
- Setting Up the Lab
- Practice Lab 1 Exercises
- Section 1.0: Basic Configuration (10 points)
- Section 2.0: Routing Configuration (25 points)
- Section 3.0: ISDN Configuration (8 points)
- Section 4.0: PIX Configuration (5 points)
- Section 5.0: IPSec/GRE Configuration (10 points)
- Section 6.0: IOS Firewall + IOS IDS Configuration (10 points)
- Section 7.0: AAA (7 points)
- Section 8.0: Advanced Security (10 points)
- Section 9.0: IP Services and Protocol-Independent Features (10 points)
- Section 10.0: Security Violations (5 points)
- Verification, Hints, and Troubleshooting Tips
- Section 1.0: Basic Configuration
- Section 2.0: Routing Configuration
- Section 3.0: ISDN Configuration
- Section 4.0: PIX Configuration
- Section 5.0: IPSec/GRE Configuration
- Section 6.0: IOS Firewall Configuration
- Section 7.0: AAA
- Section 8.0: Advanced Security
- Section 9.0: IP Services and Protocol-Independent Features
- Section 10.0: Security Violations
Section 8.0: Advanced Security
8.1: Password Protection
Configure service password-encryption on all the routers to encrypt the enable password; otherwise, it will appear in clear text in the configuration.
8.2: EXEC Authentication
Configure enable secret on R2.
Configure authentication for the EXEC shell without using the AAA engine, using the enable use-tacacs command. Note that this is not TACACS+ but plain TACACS (without the +). CiscoSecure ACS is not a TACACS server; it speaks TACACS+ only.
Configure fallback so that authentication succeeds if the TACACS server is down or cannot be found, using enable last-resort succeed.
8.3: Access Control
In this case, you can configure autocommand for a user who Telnets to the router. autocommand executes the required command and then exits the session, so the user cannot keep the Telnet session open:

username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
!
line vty 0 4
 privilege level 15
 password 7 110A1016141D
 login local
!
end

Test by Telnetting from R1 to 10.50.13.2.

r1#telnet 10.50.13.2
Trying 10.50.13.2 ... Open

User Access Verification

Username: testconfig
Password: testconfig
Building configuration...

Current configuration : 7022 bytes
!
! Last configuration change at 23:46:49 AEDT Sun Jan 19 2003
! NVRAM config last updated at 00:15:25 AEDT Mon Jan 20 2003
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r3
!
snipped
!
end

[Connection to 10.50.13.2 closed by foreign host]
r1#

As you can see, as soon as the show run command output finished, the session was closed.

Configure R5 Telnet access to permit host 133.133.133.133 only:

access-list 3 permit 133.133.133.133
!
line vty 0 4
 access-class 3 in
 password 7 13061E010803
 login
!
end
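The following Python script is an added example for this section; it is not part of the workbook and not a Cisco tool. It audits an IOS configuration offline for the three points covered above: service password-encryption and enable secret (8.1/8.2), a user restricted by autocommand (8.3), and the inbound access-class on the vty lines (8.3), and it evaluates whether a given Telnet source address would be permitted by the numbered standard ACL, including the implicit deny at the end. Because type 7 encryption is reversible, the audit also reports an enable password that has no enable secret beside it. The sample configuration (including the second ACL entry, the hostname and the source addresses) is constructed for the example and is not a capture from the lab routers.

```python
import ipaddress
import re

# Constructed sample modelled on this section's configs (an assumption, not a lab capture).
SAMPLE_CONFIG = """\
service password-encryption
hostname r5
enable password 7 110A1016141D
username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
access-list 3 permit 133.133.133.133
access-list 3 deny 10.50.13.0 0.0.0.255
line vty 0 4
 access-class 3 in
 login local
"""

# 'enable password [type] value' or 'username X [privilege N] password [type] value'
CRED_RE = re.compile(r'^(?:username (\S+)(?: privilege \d+)?|enable) password(?: (\d))? (\S+)$')

def parse_config(config):
    """Top-level lines plus the indented body of each block (line vty ...)."""
    top, children, header = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue
        if raw.startswith(' ') and header is not None:
            children.setdefault(header, []).append(raw.strip())
        else:
            header = raw.strip()
            top.append(header)
    return top, children

def audit_passwords(top):
    """8.1/8.2: type 7 is reversible, so it only hides passwords in 'show run'."""
    findings = []
    if 'service password-encryption' not in top:
        findings.append('service password-encryption not configured')
    if (any(l.startswith('enable password') for l in top)
            and not any(l.startswith('enable secret') for l in top)):
        findings.append('enable password set without enable secret')
    for line in top:
        m = CRED_RE.match(line)
        if m and m.group(2) in (None, '0'):  # no type or type 0 = clear text
            findings.append('clear-text credential for ' + (m.group(1) or 'enable'))
    return findings

def audit_vty(children):
    """8.3: every vty block needs an inbound access-class and a login method."""
    findings = []
    for header, body in children.items():
        if not header.startswith('line vty'):
            continue
        if not any(b.startswith('access-class ') and b.endswith(' in') for b in body):
            findings.append(header + ': no inbound access-class')
        if not any(b.startswith('login') for b in body):
            findings.append(header + ': no login')
    return findings

def autocommands(top):
    """username -> autocommand: the user gets one command, then the session closes."""
    return {p[1]: p[3] for p in (l.split(None, 3) for l in top)
            if len(p) == 4 and p[0] == 'username' and p[2] == 'autocommand'}

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def standard_acl(top, number):
    """Entries of a numbered standard ACL as (action, address, wildcard) ints."""
    entries = []
    for p in (l.split() for l in top):
        if len(p) < 4 or p[:2] != ['access-list', str(number)]:
            continue
        if p[3] == 'any':
            addr, wild = 0, 0xFFFFFFFF
        elif p[3] == 'host':
            addr, wild = _ip(p[4]), 0
        else:  # 'A.B.C.D [wildcard]'; no wildcard means a single host
            addr, wild = _ip(p[3]), (_ip(p[4]) if len(p) > 4 else 0)
        entries.append((p[2], addr, wild))
    return entries

def acl_permits(entries, source):
    """First match wins; wildcard bits set to 1 are 'don't care', as in IOS."""
    s = _ip(source)
    for action, addr, wild in entries:
        if (s & ~wild) == (addr & ~wild):
            return action == 'permit'
    return False  # implicit deny at the end of every IOS ACL

def vty_permits(config, source):
    """Would this Telnet source get past the vty access-class?"""
    top, children = parse_config(config)
    for header, body in children.items():
        if not header.startswith('line vty'):
            continue
        for p in (b.split() for b in body):
            if p[0] == 'access-class' and p[-1] == 'in':
                return acl_permits(standard_acl(top, p[1]), source)
    return True  # no access-class: any source may attempt a login
```

Run it against the output of show run saved to a file, for example audit_passwords(parse_config(open('r5.txt').read())[0]). The script only understands the constructs used in this section, numbered standard access lists and login or login local on the line; named or extended ACLs and AAA method lists are not parsed, so a router using those will need the checks extended.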