You want to assign individual (or group) user IDs and passwords to network staff.
Use the following set of configuration commands to enable locally administered user IDs:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
The username command also allows you to create usernames without passwords by specifying the nopassword keyword:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
However, we strongly recommend against doing this, because anyone who can reach the router then gets an EXEC session simply by typing the username. Note also that the username ... password form stores the password in cleartext in the configuration (or, with service password-encryption enabled, in the reversible type 7 form). On IOS releases that support it, username name secret stores a one-way hash instead and is the better choice for interactive accounts.
Enabling AAA with locally administered usernames replaces the default line-password authentication, in which the VTY lines share a single password set with the login and password line commands. As soon as you enter the aaa new-model command, as shown in this recipe, the router begins prompting for a username and a password on every line. Assigning unique usernames to individuals or groups provides accountability, as we show below. The following example shows the login prompt for a router using local authentication:
Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: ijbrown
Password: <password>
Router1>
The router prompts for the username as well as the password. Compare this to how the router behaves by default:
Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.
User Access Verification
Password: <password>
Router2>
Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators. Keeping usernames synchronized across an entire network can become quite daunting. Fortunately, Cisco also supports a centralized authentication system, which we discuss in Chapter 4.
When you configure locally administered usernames, the router prompts for usernames on all lines, including the console and AUX ports as well as the VTY ports used for Telnet sessions, because the default login method list applies to every line. To avoid locking yourself out of the router, always configure at least one username command before entering the AAA commands. It is also a good idea to keep your original session open and test the new authentication from a second terminal session before logging out. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedure for your router type.
Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what. For instance, the output of the show users command includes active usernames:
Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     ijbrown    idle                 00:36:21   freebsd.oreilly.com
  67 vty 1     kdooley    idle                 00:00:24   server1.oreilly.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.oreilly.com

  Interface    User               Mode         Idle     Peer Address

Router1>
More importantly, log messages will capture the username of the individual who invoked certain high-profile commands such as configuration changes, the clearing of counters, and reloads. For example:
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Note that these log messages now include the username, line and source address associated with each action. So, instead of just knowing that somebody changed the configuration or reloaded the router, you can see exactly who did it and from where. Forward these messages to a syslog server so the record survives a reload, and review them for actions by accounts that should not be making changes.
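The attribution these messages provide is only useful if somebody looks at them. The following is an added example, not code from the recipe: it parses the CONFIG_I, CLEAR-5-COUNTERS and RELOAD message forms shown above, counts privileged actions per username, and flags actions with no username, by a username that is not in the router's local database, or by a password-less account. The log lines, the set of known users and the set of password-less accounts are constructed for the example; the "Configured from console by console" line shows the form IOS uses when no username is associated with the session.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample log lines following the shape of the messages shown in
# the recipe; they are not from a real device.
SAMPLE_LOG = """\
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 13:10:05: %SYS-5-CONFIG_I: Configured from console by console
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Jun 27 14:05:31: %SYS-5-CONFIG_I: Configured from console by mallory on vty1 (10.9.8.7)
"""

# Timestamp, %FACILITY-SEVERITY-MNEMONIC, message text, then the optional
# "by <user> on <line> (<addr>)" tail that AAA adds; a trailing "." is tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>[^%]*?):\s*%(?P<mnemonic>[A-Z]+-\d-[A-Z_]+): (?P<text>.*?)"
    r"(?: by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<addr>[\d.]+)\))?)?\.?$"
)

# Mnemonics the recipe calls high-profile: config changes, counter clears, reloads.
PRIVILEGED = {"SYS-5-CONFIG_I", "CLEAR-5-COUNTERS", "SYS-5-RELOAD"}


def parse_events(log: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per privileged message, with user/line/addr set to None when absent."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("mnemonic") in PRIVILEGED:
            events.append(m.groupdict())
    return events


def actions_per_user(events: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count privileged actions by username; sessions with no username count as '<none>'."""
    return dict(Counter(e["user"] or "<none>" for e in events))


def flag_suspicious(events: List[Dict[str, Optional[str]]],
                    known_users: Set[str], passwordless: Set[str]) -> List[str]:
    """Flag actions that cannot be attributed to a specific, properly authenticated person."""
    flags = []
    for e in events:
        who = e["user"]
        where = f"{e['line']} {e['addr']}" if e["line"] else "local"
        if who is None or who == "console":
            # No username: the session was authenticated by a line password only
            flags.append(f"{e['mnemonic']}: no username recorded ({where})")
        elif who not in known_users:
            flags.append(f"{e['mnemonic']}: unknown user {who} from {where}")
        elif who in passwordless:
            flags.append(f"{e['mnemonic']}: password-less account {who} from {where}")
    return flags


if __name__ == "__main__":
    # Assumed local user database and password-less accounts, matching the recipe's examples
    known = {"ijbrown", "kdooley", "weak"}
    evs = parse_events(SAMPLE_LOG)
    print(actions_per_user(evs))
    for f in flag_suspicious(evs, known, {"weak"}):
        print(f)
```

Run over the constructed sample, the counter-clear by the password-less account weak, the configuration change with no username, and the change by the unknown user mallory are each flagged, while the actions by ijbrown and kdooley are attributed and pass.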
In addition, the router records the username of the last person to modify its running configuration and of the last person to save the configuration to NVRAM. To see this information, look at the comment lines near the top of the show running-config output:
Router1#show running-config
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2
The username command also has an autocommand keyword, which you can use to assign an EXEC-level command to a particular username. This is useful when you want to provide limited access to a particular command while restricting access to everything else on the router. For example, you might want to set up a special username that anybody could use to run a single router command and then terminate the session:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#
In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. The aaa authorization exec default local command is required so that the router consults the local user database for per-user EXEC attributes such as the autocommand. When you log in to the router with this username, the router does not prompt for a password; it simply executes the command and then terminates the session:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: run
Interface                  IP-Address      OK? Method Status                Protocol
BRI0/0                     unassigned      YES NVRAM  administratively down down
Ethernet0/0                172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
FastEthernet1/0            172.22.1.4      YES NVRAM  up                    up
Loopback0                  192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
Freebsd%
Note that the router issued the command and then terminated the session without providing an opportunity to issue another command.
The noescape keyword prevents the user from using the line's escape sequence to break out of the autocommand into a full router EXEC. Without it, a password-less autocommand account is a password-less login. We strongly recommend using this keyword whenever you use autocommands.
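Both hazards discussed in this recipe, a nopassword account that gives a full EXEC session and an autocommand account defined without noescape, are visible in the username lines of the configuration, as is the choice between a reversible password and a hashed secret. The following added example (not code from the recipe) audits a saved show running-config for all three. The configuration text is constructed for the example and the credential strings in it are placeholders, not real hashes; the parser assumes the username line forms shown in this recipe plus the optional leading privilege keyword.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output mirroring the username
# forms discussed in the recipe; the type 7 string and the type 5 hash are
# placeholders, not real credentials.
SAMPLE_CONFIG = """\
!
username ijbrown password 0 oreilly
username kdooley password 7 0822455D0A16
username admin privilege 15 secret 5 $1$Gtmd$8k2rs0g8lW1Dz1QIVLsx9/
username weak nopassword
username run nopassword noescape
username run autocommand show ip interface brief
username helper nopassword
username helper autocommand show version
aaa new-model
aaa authentication login default local
aaa authorization exec default local
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")


def parse_usernames(config: str) -> Dict[str, Dict[str, object]]:
    """Merge the one-or-more username lines per account into a single record."""
    users: Dict[str, Dict[str, object]] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        u = users.setdefault(name, {"cred": None, "noescape": False, "autocommand": None})
        tokens = rest.split()
        if tokens[:1] == ["privilege"]:
            tokens = tokens[2:]  # "privilege N" may precede the credential keyword
        if tokens[0] == "nopassword":
            u["cred"] = "nopassword"
            u["noescape"] = "noescape" in tokens
        elif tokens[0] in ("password", "secret"):
            # The encryption type precedes the string when the config was saved by
            # the router: 0 = cleartext, 7 = reversible, 5 = MD5 hash (from 'secret').
            # A hand-typed line without a type number is cleartext.
            enc = tokens[1] if len(tokens) > 2 and tokens[1].isdigit() else "0"
            u["cred"] = f"{tokens[0]} {enc}"
        elif tokens[0] == "autocommand":
            u["autocommand"] = " ".join(tokens[1:])
    return users


def audit_usernames(config: str) -> List[str]:
    """Report accounts that weaken the local user database."""
    findings = []
    for name, u in sorted(parse_usernames(config).items()):
        cred = u["cred"]
        if cred == "nopassword":
            if u["autocommand"] is None:
                findings.append(f"{name}: nopassword with interactive EXEC access")
            elif not u["noescape"]:
                findings.append(f"{name}: nopassword autocommand without noescape")
        elif isinstance(cred, str) and cred.startswith("password"):
            findings.append(f"{name}: reversible credential ({cred}); prefer 'secret'")
    return findings


if __name__ == "__main__":
    for finding in audit_usernames(SAMPLE_CONFIG):
        print(finding)
```

On the constructed configuration, run passes (nopassword, but bound to an autocommand and protected by noescape) and admin passes (hashed secret), while weak, helper, ijbrown and kdooley are each reported.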
Recipe 3.2; Recipe 3.4; Recipe 3.19; Recipe 3.22; Chapter 4