In Lab 2: Enabling SSH and AAA on Cisco Router, participants typically focus on fortifying the security and access controls of a Cisco router by implementing Secure Shell (SSH) for secure remote access and Authentication, Authorization, and Accounting (AAA) for centralized management. This Security Core (SCOR) lab involves configuring SSH to establish encrypted connections for secure command-line access to the router. Additionally, participants may set up AAA to enforce robust authentication and authorization policies, ensuring precise control over user access and actions on the router. The lab aims to provide hands-on experience in enhancing router security through the implementation of SSH and AAA, fundamental practices in securing network infrastructure. Successful completion of SCOR Lab 2 equips participants with essential skills to strengthen the access control and security measures of Cisco routers.
This lab was developed on IOS version 15.2(4). The commands below set up local AAA: passwords for administrator access to the router locally through the console port and remotely through the virtual (vty) ports, with those passwords stored encrypted in the router's local database.
Step 1: We will configure the IP addresses on the FastEthernet0/0 and loopback interfaces of R1 and on FastEthernet0/0 of R2, and configure EIGRP routing on both R1 and R2.
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int lo1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#net 10.0.0.0
R1(config-router)#net 11.0.0.0
R1(config-router)#exit
R2#conf t
R2(config)#int fa0/0
R2(config-if)#ip address 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#router eigrp 100
R2(config-router)#net 10.0.0.0
R2(config-router)#exit
Step 2: We will configure SSH and AAA on router R1. To enable SSH we need to give the router a hostname and a domain name (the RSA key pair is named after them); we also need to configure user credentials and privilege levels on the router.
R1(config)#aaa new-model
R1(config)#username apple privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#no session-timeout
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#hostname R1
R1(config)#ip domain-name rst.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.rst.net
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Mar 1 00:35:28.883: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#
R2#ssh -l apple 11.0.0.1
Password:
R1>
Step 3: Configure user 'Jon' with privilege 15 and password 'cisco', and another user 'Khal' with privilege 7 (which should only allow "show" related commands) and password 'disco'.
R1(config)#username jon privilege 15 secret cisco
R1(config)#username khal privilege 7 secret disco
R1(config)#privilege exec level 7 show
R1(config)#enable secret kisko
R1(config)#enable secret level 7 disco
R2#ssh -l jon 11.0.0.1
Password: cisco
R1>en
Password: disco
% Access denied
R1>en
Password: cisco
R1#
-------------------------------------Privilege Level 7 ---------------------------------------
R2#ssh -l khal 11.0.0.1
Password: disco
R1>en
Password: disco
% Access denied
R1>en 7
Password: disco
R1#conf t
R1# // 'conf t' not working as the user does not have the required privilege.
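To check what Steps 2 and 3 actually enforce, the following Python script (an added example, not part of the original lab) parses a constructed transcript of the R1 configuration commands, audits the SSH/AAA settings, and models the login, `enable` and command-authorization decisions seen in the session output above. The assumed additions in HARDENED_CONFIG (`ip ssh version 2`, `aaa authorization exec default local`) are standard IOS commands not used in the lab; DEFAULT_EXEC_LEVELS is a simplified table of IOS default command levels. Without exec authorization the model places every user at level 1 after login, which is exactly why even privilege-15 users land at the `R1>` prompt in the transcript.

```python
"""Audit the lab's SSH/AAA configuration and model IOS privilege-level checks.

Added example, not the lab's own code. LAB_CONFIG is a constructed copy of the
commands entered on R1 (secrets as typed, not as the hashes a running-config shows).
"""
from __future__ import annotations
import hmac
import re
from dataclasses import dataclass, field

LAB_CONFIG = """\
hostname R1
ip domain-name rst.net
aaa new-model
username apple privilege 15 secret cisco
username jon privilege 15 secret cisco
username khal privilege 7 secret disco
privilege exec level 7 show
enable secret kisko
enable secret level 7 disco
line vty 0 4
 no session-timeout
 transport input ssh
"""
# Assumed hardening additions: SSHv2 only, and exec authorization so that the
# privilege level configured on the username is applied at login.
HARDENED_CONFIG = LAB_CONFIG + "ip ssh version 2\naaa authorization exec default local\n"

# Simplified IOS defaults for the first keyword of common EXEC commands.
DEFAULT_EXEC_LEVELS = {"show": 1, "enable": 1, "exit": 1, "ping": 1,
                       "configure": 15, "reload": 15}


@dataclass
class Policy:
    users: dict = field(default_factory=dict)           # name -> (level, secret, keyword)
    enable_secrets: dict = field(default_factory=dict)  # level -> secret
    exec_levels: dict = field(default_factory=dict)     # keyword -> required level
    vty_transports: dict = field(default_factory=dict)  # "0 4" -> transport input value
    aaa_new_model: bool = False
    exec_authorization: bool = False
    ssh_version: int | None = None
    domain_name: str | None = None


def parse_config(text: str) -> Policy:
    """Extract the AAA/SSH/privilege settings from IOS configuration commands."""
    p = Policy()
    p.exec_levels.update(DEFAULT_EXEC_LEVELS)
    vty = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            vty = None  # back at global config: leave line sub-mode
        if m := re.fullmatch(r"username (\S+)(?: privilege (\d+))? (secret|password) (\S+)", line):
            p.users[m[1]] = (int(m[2] or 1), m[4], m[3])
        elif m := re.fullmatch(r"enable secret(?: level (\d+))? (\S+)", line):
            p.enable_secrets[int(m[1] or 15)] = m[2]
        elif m := re.fullmatch(r"privilege exec level (\d+) (\S+).*", line):
            p.exec_levels[m[2]] = int(m[1])
        elif m := re.fullmatch(r"line vty (\d+ \d+)", line):
            vty = m[1]
            p.vty_transports.setdefault(vty, "")
        elif (m := re.fullmatch(r"transport input (.+)", line)) and vty:
            p.vty_transports[vty] = m[1]
        elif line == "aaa new-model":
            p.aaa_new_model = True
        elif line == "aaa authorization exec default local":
            p.exec_authorization = True
        elif m := re.fullmatch(r"ip ssh version (\d)", line):
            p.ssh_version = int(m[1])
        elif m := re.fullmatch(r"ip domain-name (\S+)", line):
            p.domain_name = m[1]
    return p


def audit(p: Policy) -> list[str]:
    """Findings a reviewer would raise against the parsed configuration."""
    f = []
    if not p.aaa_new_model:
        f.append("aaa new-model missing: vty logins fall back to line passwords")
    if p.domain_name is None:
        f.append("ip domain-name missing: RSA keys for SSH cannot be generated")
    if p.ssh_version != 2:
        f.append("ip ssh version 2 not set: 'SSH 1.99' means SSHv1 is still accepted")
    if not p.exec_authorization:
        f.append("aaa authorization exec default local missing: username privilege "
                 "levels are not applied at login, so users land at level 1 (R1>)")
    for name, (_, _, kw) in p.users.items():
        if kw == "password":
            f.append(f"user {name}: 'password' is reversible type 7, use 'secret'")
    for rng, transport in p.vty_transports.items():
        if transport != "ssh":
            f.append(f"line vty {rng}: transport input is '{transport or 'default'}', not 'ssh'")
    return f


def login(p: Policy, user: str, password: str) -> int | None:
    """Privilege level after SSH login, or None when the credentials are rejected."""
    entry = p.users.get(user)
    if entry is None or not hmac.compare_digest(entry[1], password):
        return None
    return entry[0] if p.exec_authorization else 1


def enable(p: Policy, current: int, target: int, password: str) -> int | None:
    """'enable <target>': lowering needs no password; raising needs the secret
    configured for exactly that level, otherwise IOS prints '% Access denied'."""
    if target <= current:
        return target
    secret = p.enable_secrets.get(target)
    if secret is None or not hmac.compare_digest(secret, password):
        return None
    return target


def authorized(p: Policy, level: int, command: str) -> bool:
    """A command runs when the session level >= the level of its (possibly
    abbreviated) first keyword; unknown or ambiguous keywords are refused."""
    matches = [k for k in p.exec_levels if k.startswith(command.split()[0])]
    return len(matches) == 1 and level >= p.exec_levels[matches[0]]


if __name__ == "__main__":
    lab = parse_config(LAB_CONFIG)
    for finding in audit(lab):
        print("FINDING:", finding)
    lvl = login(lab, "khal", "disco")
    print("khal logs in at level", lvl)
    print("en (disco):", enable(lab, lvl, 15, "disco"))
    lvl = enable(lab, lvl, 7, "disco")
    print("en 7 (disco):", lvl)
    print("show ip route allowed:", authorized(lab, lvl, "show ip route"))
    print("conf t allowed:", authorized(lab, lvl, "conf t"))
```

Note that `privilege exec level 7 show` raises `show` from its default level 1 to level 7, so a level-1 session (the state every user starts in here) can no longer run show commands until it enables to level 7 or 15; the hardened variant with exec authorization drops Khal straight into level 7 after login.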