Section 8.0: Advanced Security

8.1: Password Protection

  1. Configure service password-encryption on all the routers to encrypt the enable password; otherwise, it will appear in clear text in the configuration.

8.2: EXEC Authentication

  1. Configure enable secret on R2.

  2. Configure authentication for shell EXEC without using the AAA engine by using the enable use-tacacs command. Note that this is the TACACS server (without the +), not TACACS+. CiscoSecure ACS is a TACACS+ server only, not a TACACS server.

  3. Use enable last-resort succeed to configure a fallback that lets authentication pass in the event the TACACS server is down or not found.

8.3: Access Control

  1. In this case, you can configure autocommand for a user who Telnets to the router. autocommand executes the required command and then exits the session, so the user cannot keep the Telnet session open:

    username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
    username testconfig autocommand show run
    line vty 0 4
     privilege level 15
     password 7 110A1016141D
     login local

    Test by Telnetting from R1 to

    Trying ... Open
    User Access Verification
    Username: testconfig
    Password: testconfig
    Building configuration...
    Current configuration : 7022 bytes
    ! Last configuration change at 23:46:49 AEDT Sun Jan 19 2003
    ! NVRAM config last updated at 00:15:25 AEDT Mon Jan 20 2003
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname r3
    [Connection to closed by foreign host]

    As you can see, as soon as the show run command output finished, the session was closed.

  2. Configure R5 Telnet access to permit host only:

    access-list 3 permit
    line vty 0 4
     access-class 3 in
     password 7 13061E010803
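
An added example, not from the book: a Python audit that checks an IOS configuration for the settings covered in Sections 8.1 to 8.3 (password encryption, enable secret, the enable last-resort succeed fallback, password types, and vty access-class and privilege level). The sample configuration is constructed from the fragments above, and the finding codes are hypothetical names chosen for this example.

```python
import re

# Constructed sample assembled from the configuration fragments in this section.
SAMPLE_CONFIG = """\
service password-encryption
hostname r3
enable use-tacacs
enable last-resort succeed
username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
line vty 0 4
 privilege level 15
 password 7 110A1016141D
 login local
"""

def audit(config):
    """Return sorted finding codes for an IOS configuration given as text."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = set()
    if "service password-encryption" not in lines:
        findings.add("NO_PASSWORD_ENCRYPTION")
    if not any(re.match(r"enable secret\b", l) for l in lines):
        findings.add("NO_ENABLE_SECRET")
    if any(re.match(r"enable last-resort succeed\b", l) for l in lines):
        findings.add("ENABLE_FAILS_OPEN")  # passes when the TACACS server is unreachable
    for l in lines:
        m = re.search(r"\bpassword(?: (\d))? (\S+)$", l)
        if m and m.group(1) == "7":
            findings.add("TYPE7_PASSWORD")  # type 7 is reversible obfuscation
        elif m and m.group(1) in (None, "0"):
            findings.add("CLEARTEXT_PASSWORD")
    # Collect the sub-commands (indented lines) of every "line vty" block.
    vty, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l if l.startswith("line vty") else None
            if current:
                vty[current] = []
        elif l.startswith(" ") and current:
            vty[current].append(l.strip())
        else:
            current = None
    for cmds in vty.values():
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.add("VTY_NO_ACCESS_CLASS")
        if "privilege level 15" in cmds:
            findings.add("VTY_PRIVILEGE_15")  # every vty login starts at level 15
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The findings are items to review, not automatic failures: in this lab, privilege level 15 on the vty lines is what lets the autocommand user run show run.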