SCOR Lab 2: Enabling SSH and AAA on Cisco Router

Enabling SSH and AAA on Cisco Router

In Lab 2: Enabling SSH and AAA on Cisco Router, participants typically focus on fortifying the security and access controls of a Cisco router by implementing Secure Shell (SSH) for secure remote access and Authentication, Authorization, and Accounting (AAA) for centralized management. This Security Core (SCOR) lab involves configuring SSH to establish encrypted connections for secure command-line access to the router. Additionally, participants may set up AAA to enforce robust authentication and authorization policies, ensuring precise control over user access and actions on the router. The lab aims to provide hands-on experience in enhancing router security through the implementation of SSH and AAA, fundamental practices in securing network infrastructure. Successful completion of SCOR Lab 2 equips participants with essential skills to strengthen the access control and security measures of Cisco routers.


LAB Topology

This Lab was developed on IOS Version 15.2(4). Following are the commands for setting up local AAA which is used for setting up passwords for accessing the router locally using the console ports and remotely using virtual ports for the administrator and encrypting the passwords that are stored in the local database of the router.

Task 1: Initial Configuration:

Step 1: We will configure the IP addresses on the fastethernet0/0 and loopback interfaces of R1 and fastethernet0/0 of R2 and configure EIGRP routing on both R1 & R2.

R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip address
R1(config-if)#no sh
R1(config)#int lo1
R1(config-if)#ip address
R1(config)#router eigrp 100

R2#conf t
R2(config)#int fa0/0
R2(config-if)#ip address
R2(config-if)#no sh
R2(config)#router eigrp 100

Task 2: SSH Configuration:

Step 1: We will configure SSH and AAA on R1 router. To enable SSH services we will need to give a hostname and domain name to our Router, apart from this we would also need to configure user credentials and privileges on the router.

R1(config)#aaa new-model
R1(config)#username apple privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#no session-timeout
R1(config-line)#transport input ssh
R1(config)#hostname R1
R1(config)#ip domain-name
R1(config)#crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. 
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus \[512\]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…\[OK\]
\*Mar 1 00:35:28.883: %SSH-5-ENABLED: SSH 1.99 has been enabled

R2#ssh -l apple



**Step 2: Configure user ‘Jon’ with privilege 15 and password ‘cisco’ and another user ‘Khal’ with privilege 7 (which should only allow “show” related commands) and password ‘disco’.

R1(config)#username jon privilege 15 secret cisco
R1(config)#username khal privilege 7 secret disco
R1(config)#privilege exec level 7 show
R1(config)#enable secret kisko
R1(config)#enable secret level 7 disco

R2#ssh -l jon

Password: cisco

Password: disco
% Access denied

Password: cisco

-------------------------------------Privilege Level 7 ---------------------------------------

R2#ssh -l khal

Password: disco

Password: disco
% Access denied

R1>en 7
Password: disco
R1#conf t
R1#                                   //’conf t’ not working as user does not have privilege.