Category: access control

By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests. You could also use local usernames as the authentication mechanism, or you could deploy full-blown AAA-based solution.

Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.

Cisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefits of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for the console access), this is how you do it:

• Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
• Configure aaa new-model.
• Configure a named AAA authentication list with the aaa authentication login MyList local.
• Attach the named AAA authentication list to the console line with the login authentication MyList command.

If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.

There are two ways you can configure local usernames without a password:

• By using the username user command without the password option, you create a username that has a blank password (the operator has to press ENTER at the Password: prompt)
• With the username user nopassword command, you create a user where the operator will not be prompted for the password at all.

Hopefully, you would use such usernames only with the autocommand option to give guest users a short overview of the router's operation (for example, display the interface status).

Note: this article is part of You've asked for it series.

Cisco IOS long had the autocommand option by which you could attach any command to a username and have it execute after successful login. For example, username x autocommand show ip interface brief command would configure the router to display the interface status after someone would log in as user x.

After the autocommand is executed, the user is logged out and the session is disconnected, unless you configure the username user nohangup option, which causes the session to remain active, giving the operator another login prompt.

Cisco IOS long had the ability to define local users that could be used to authenticate incoming telnet sessions or dial-up connections (using PAP or CHAP). Until IOS release 12.3, the passwords assigned to local usernames were encrypted using the weak (type 7) reversible encryption. With crack tools widely available on the Internet, there's obviously almost no protection offered by this encryption type.

With IOS release 12.3, Cisco introduced enhanced password security and the new username user secret password command which uses strong (type 5) encryption, making local user passwords secure. Of course, such usernames cannot be used in scenarios where you need access to cleartext password (for example, CHAP authentication).

Recenty, a lot of people were looking for information on the sl_def_acl access list. Here's the whole story: if you've configured IOS login enhancements on your router, the router generates an access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class command) the first time it has to enter the quiet mode. This access-list is then applied to the VTY lines whenever the router enters the quiet mode and removed from the after the quiet period is over. The access list itself is left in the running configuration.

IOS has (yet another) nice "underdocumented" feature - if you don't have an enable password/secret configured on your router, you can access IOS HTTP(S) server (assuming it's enabled with the ip http server command) without any authentication whatsoever. Of course you'd never do that in a production environment, but it's nice to know you can always configure the router from a web browser if needed (see also the discussion on default passwords with Cisco SDM).

I get a lot of hits via Google from people searching for a default username on Cisco router. It's ages-old news, but there is no default username. Period. If you have to get access to a router and cannot remember the password(s), the only thing left is the password recovery mechanism ... although even that can be disabled with the no service password-recovery configuration command.

There are, however, a few things you can do if you want to relax the access to your router in a lab environment (never do it in a production network):

• If you configure no enable password, you can switch to enable mode without supplying a password
• If you want to telnet to a router without supplying a password, configure no login on the vty lines.
• If you want to be in privilege mode immediately after accessing the router, configure privilege level on the console or vty lines.

You could limit terminal access to a router with an access-class in line configuration command for a very long time (since, at least, IOS release 10.0). However, the access-class command only accepted standard access-lists, allowing you to restrict access solely based on source IP addresses. In the meantime, this feature quietly got upgraded to support extended access lists. In the IOS release 12.4, the command even accepts (undocumented !) named access lists.

These new features give you the ability to implement interesting policies, for example:

• Telnet access is only allowed from the network management station.
• SSH access is allowed from anywhere within internal network

You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router.

Cisco has in IOS release 12.3(4)T (integrated into 12.4) finally introduced features (long available in Unix and Windows) that slow down dictionary attacks on a router. On top of logging of login failures, you can also slow down the login process by delaying the router response after a login failure with the login delay seconds command.

On top of that, the you can configure the router to enter quiet mode after several login failures have been detected in specified timeframe with the login block-for seconds attempts tries within seconds configuration command.

While you wouldn't usually want non-privileged user to reload a Cisco IOS-based router, you might also not appreciate the need to give the network operator level-15 access (which includes configuration privileges) just to reload the box. The solution is the privilege configuration command. To lower the privilege level of the reload command, configure privilege exec level desired-level reload.

As I get a lot of hits from Google refering to local login, here's the whole story: Cisco IOS supports local username/password based authentication (almost) forever (it's been there even before the AAA architecture). To change from simple password-based authentication to username+password based on, use login local configuration command on console and/or VTY lines. The local usernames and passwords are defined with the username configuration command.

In a previous post, I've shown how you can log the changes in interactive user's privilege level. With the Cisco IOS Login Enhancements (introduced in IOS release 12.3(4)T, integrated in 12.4), you can also log all login successes and failures, even when using local user database (a similar functionality was previously achievable only when using central TACACS+ or RADIUS server).

The configuration commands to enable terminal access logging are login on-success log and login on-failure log. You can also specify that you want send SNMP traps in these circumstances (with the trap option) or that you only want to log every Nth attempt with the every n option.

The logging userinfo configuration command introduced in IOS release 12.3T (integrated into 12.4) starts logging of all changes in user privilege levels (as requested by enable or disable commands).