Lab 2: Enabling SSH and AAA on Cisco Router
LAB Topology
This lab was developed on IOS Version 15.2(4). The commands below set up local AAA, which here means passwords for administrator access to the router locally through the console port and remotely through the vty (virtual terminal) lines, with those passwords stored in hashed form in the router's local database.

Task 1: Initial Configuration:
Step 1: We will configure the IP addresses on the fastethernet0/0 and loopback interfaces of R1 and fastethernet0/0 of R2 and configure EIGRP routing on both R1 & R2.
R1#conf t
R1(config)#int fa0/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int lo1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#net 10.0.0.0
R1(config-router)#net 11.0.0.0
R1(config-router)#exit

R2#conf t
R2(config)#int fa0/0
R2(config-if)#ip address 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#router eigrp 100
R2(config-router)#net 10.0.0.0
R2(config-router)#exit
Task 2: SSH Configuration:
Step 1: We will configure SSH and AAA on router R1. To enable SSH the router needs a hostname and a domain name, because the RSA key pair is named after them; we also need to configure user credentials and privilege levels on the router.
R1(config)#aaa new-model
R1(config)#username apple privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#no session-timeout
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#hostname R1
R1(config)#ip domain-name rst.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.rst.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 00:35:28.883: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#

R2#ssh -l apple 11.0.0.1
Password:
R1>
Step 2: Configure user ‘Jon’ with privilege 15 and password ‘cisco’ and another user ‘Khal’ with privilege 7 (which should only allow “show” related commands) and password ‘disco’.
R1(config)#username jon privilege 15 secret cisco
R1(config)#username khal privilege 7 secret disco
R1(config)#privilege exec level 7 show
R1(config)#enable secret kisko
R1(config)#enable secret level 7 disco

R2#ssh -l jon 11.0.0.1
Password: cisco
R1>en
Password: disco
% Access denied
R1>en
Password: cisco
R1#

Privilege Level 7:
R2#ssh -l khal 11.0.0.1
Password: disco
R1>en
Password: disco
% Access denied
R1>en 7
Password: disco
R1#conf t
R1#   // 'conf t' is not accepted: privilege level 7 only includes the show commands granted above.
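As an added check (example code written for this page, not part of the lab), the Python script below reads a running-config excerpt and flags the settings from Steps 1 and 2 that a practitioner would want tighter than the lab leaves them: users stored with `password` instead of `secret`, vty lines that accept anything other than SSH, and a missing `ip ssh version 2` (the `SSH 1.99` banner above means both SSH v1 and v2 are enabled). The sample config, including its hashes and the extra vty block, is constructed for the example.

```python
# Constructed running-config excerpt in the style of the lab's R1. The hashes
# and the second vty block are made up so that each check has something to flag.
SAMPLE_CONFIG = """\
hostname R1
aaa new-model
enable secret 5 $1$xyz$constructedhash
username apple privilege 15 secret 5 $1$abcd$constructedhash
username khal privilege 7 password 0 disco
ip domain-name rst.net
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def line_blocks(config):
    """Yield (header, [indented lines]) for each 'line ...' section of a running-config."""
    header, body = None, []
    for raw in config.splitlines() + [""]:          # "" sentinel flushes the last block
        if raw.startswith(" ") and header:
            body.append(raw.strip())
        else:
            if header:
                yield header, body
            header, body = (raw if raw.startswith("line ") else None), []

def audit_ios_config(config):
    """Return a list of (check, passed, detail) for the settings this lab configures."""
    lines = config.splitlines()
    results = [
        ("aaa new-model", "aaa new-model" in lines, "local AAA enabled"),
        ("enable secret", any(l.startswith("enable secret") for l in lines), "hashed enable password"),
        ("ip ssh version 2", "ip ssh version 2" in lines, "SSH v1 disabled (no 1.99)"),
    ]
    # Every local user must use 'secret' (hashed); 'password' is plaintext or type-7.
    for l in lines:
        if l.startswith("username "):
            results.append((f"user {l.split()[1]} hashed", " secret " in l, l))
    # Every vty block must accept SSH only, exactly as the lab sets 'line vty 0 4'.
    for header, body in line_blocks(config):
        if header.startswith("line vty"):
            ti = [b for b in body if b.startswith("transport input")]
            results.append((header, ti == ["transport input ssh"],
                            "; ".join(ti) or "transport input not set explicitly"))
    return results

def failed_checks(config):
    return [name for name, ok, _ in audit_ios_config(config) if not ok]

if __name__ == "__main__":
    for name, ok, detail in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
```

The RSA modulus is not part of the running-config, so it is not checked here; verify it with `show crypto key mypubkey rsa`, and prefer 2048 bits over the 1024 chosen in Step 1.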