introduction
Having user accounts on a router makes life and logging much easier. We can assign different privilege levels to different users to restrict access to certain commands. You may want a junior admin to be able to look at a few things to help you troubleshoot, without being able to change anything. In the following example we are going to add two local user accounts: one with the default privilege level (1) and one with full privilege level (15).
The privilege keyword is optional. When it is left out, the default level (1) is applied.
required steps
We need to be in global configuration mode in order to create user accounts. The command is simple, only one line:
username username password password
Creating user accounts is not enough though; we need to tell the router to use them too! We do this by selecting the line(s) we want to apply it to and issuing the login local command.
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#line vty 0 ?
<1-181> Last Line number
<cr>
R1(config)#line vty 0 181
R1(config-line)#login local
R1(config-line)#
optional commands
By default, user account passwords are stored in clear text in the configuration. The service password-encryption command applies a basic level of obfuscation (type 7) to all clear text passwords. It is considered weak because it is a reversible encoding with a fixed, publicly known key, not a hash: anyone who can read the configuration can recover the clear text password, and you can test it yourself with any of the freely available type 7 decoders. It is better practice to use secret instead of password when creating users, as the secret is stored as a salted hash (type 5 on this IOS release) that cannot be turned back into the password. The syntax is:
username username secret secret
configuration
Let's start by enabling service password-encryption and creating a user with the default privilege level of 1, using the password command.
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#username JuniorAdmin password C1sc0
R1(config)#
Now create the second user, but this time set the privilege level to 15 and use secret to set the password.
R1(config)#username Admin ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username Admin privilege ?
<0-15> User privilege level
R1(config)#username Admin privilege 15 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username Admin privilege 15 secret C1sc0
R1(config)#
All that is left to do is to instruct the router to use the local database at logon on the desired line(s). Here is how to set it up on the console line only.
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#
verification
Log out and log in as JuniorAdmin. His privilege level is 1.
R1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: JuniorAdmin
Password:
R1>
Log out again and log in as Admin.
R1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: Admin
Password:
R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
See the difference? Because JuniorAdmin has the default privilege level of 1, he arrives in user EXEC mode (the R1> prompt) when he logs in. If he wants to see the running configuration or make changes he needs to enter the enable password or enable secret (whichever is configured), while the user Admin arrives in privileged EXEC mode (the R1# prompt) directly and can start making changes without entering another password.
Instead of applying the login local command on specific lines, you can make the local database the default authentication method on all lines with the following global configuration commands:
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
When this method is used, all users arrive in user EXEC mode regardless of their privilege level! With AAA enabled, the privilege level stored on the username is only honoured when exec authorization is configured as well (aaa authorization exec default local); without it, and with no enable password or enable secret set, nobody can enter privileged EXEC mode over a vty session. Be aware that aaa new-model takes effect on every line, console included, the moment you enter it, so make sure a working local user exists first and keep your current session open until you have verified that a fresh login works. Check the running configuration for usernames:
R1#show run | section username
username AUTH_R2 password 7 00364313100819
username JuniorAdmin password 7 08021D5D0A49
username Admin privilege 15 secret 5 $1$E9mL$mNFzh1/nqz4nhA.rLm8fp0
R1#
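The show run output above places a type 7 password next to a type 5 secret. The Python script below, an added example that is not part of the original post, reverses those type 7 strings with the fixed XOR key IOS uses for that encoding and audits a config text for the weak settings discussed on this page, including the exec-authorization caveat from the AAA section. The sample config is constructed from the post's output; the function and constant names are this example's own.

```python
"""Audit a Cisco IOS running-config for how local credentials are stored.

Added example, not code from the original post. It reverses "password 7"
strings with the fixed XOR key IOS uses for that encoding, and reports
usernames whose credential is not a one-way hashed secret. The sample
config below is constructed from the post's show run output.
"""
import re

# Fixed key used by IOS for type 7 encoding. It is public, which is why
# type 7 is obfuscation rather than encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with XLAT starting at position seed."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction, to make the point that it is the same XOR both ways."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    raw = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(raw))
    return "%02d%s" % (seed, body.hex().upper())


# username <name> [privilege <n>] password|secret <type> <value>
USERNAME_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege \d+)? "
    r"(?P<kind>password|secret) (?P<type>\d+) (?P<value>\S+)$"
)


def audit_config(config: str) -> list:
    """Return one finding string per weak or incomplete credential setting."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        if ln.startswith("username ") and ln.endswith(" nopassword"):
            findings.append("%s: no password required" % ln.split()[1])
            continue
        m = USERNAME_RE.match(ln)
        if not m:
            continue
        name, kind, typ, value = m["name"], m["kind"], m["type"], m["value"]
        if kind == "password" and typ == "0":
            findings.append("%s: cleartext password %s" % (name, value))
        elif kind == "password" and typ == "7":
            findings.append("%s: type 7 password recovers to %s"
                            % (name, decode_type7(value)))
        elif kind == "password":
            findings.append("%s: reversible password (type %s)" % (name, typ))
        # "secret" (type 5 here) is a one-way salted hash: nothing to report.
    # With aaa new-model, local privilege levels only apply at login when
    # exec authorization is configured; otherwise everyone lands at level 1.
    if "aaa new-model" in lines and not any(
            ln.startswith("aaa authorization exec") for ln in lines):
        findings.append("aaa new-model without aaa authorization exec: "
                        "local privilege levels are not applied at login")
    return findings


# Constructed from the post's show run output (not a real device config).
SAMPLE_CONFIG = """\
service password-encryption
!
username AUTH_R2 password 7 00364313100819
username JuniorAdmin password 7 08021D5D0A49
username Admin privilege 15 secret 5 $1$E9mL$mNFzh1/nqz4nhA.rLm8fp0
!
aaa new-model
aaa authentication login default local
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running it prints one finding per username stored with password 7, each with the recovered clear text, and a warning that aaa new-model is configured without aaa authorization exec. Only the Admin entry, stored as a secret, produces nothing: the hash can be guessed at but not reversed, which is exactly the property the password 7 form lacks.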
Note the difference between the stored forms of the password and the secret! The password 7 string is a reversible encoding: anyone with read access to the configuration (a backup, a TFTP server, a config pasted into a ticket) can turn it back into C1sc0. The secret 5 string is a salted MD5 hash: it cannot be reversed, only guessed against, so a strong password still matters, but it is a much better place to be.
Here is a little extra. Remember, I started this tutorial by saying that having user accounts makes logging easier? Have a look at this snippet from the running configuration.
R1#show run
Building configuration...
Current configuration : 1013 bytes
!
! NVRAM config last updated at 21:30:19 UTC Sat Feb 5 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
--More--
If the time and date are set on the router, the configuration file stores a timestamp and the name of the user who last saved it. That is only useful if each admin has their own account: with a shared line password every save would look the same.
commands explained
Commands used with a brief explanation.
service password-encryption: Applies type 7 encoding (reversible, not a hash) to all clear text passwords in the configuration
username JuniorAdmin password C1sc0: Creates a user called JuniorAdmin with a password C1sc0
username Admin privilege 15 secret C1sc0: Creates a user called Admin with privilege level 15 and a password stored as a hash rather than a reversible string
line console 0: Selects the console line
login local: Instructs the router to use the local database to authenticate at log on instead of the line password (if there is one set)
copy run start: Saves the running configuration to NVRAM
show run | section username: Shows the username section from the running configuration