Category: access control
One-time passwords on Cisco routers
Cisco has patched this vulnerability in IOS release 12.4(11)T, which includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.
Configure local authentication with AAA
- Define local usernames with the username xxx password yyy command (I would prefer the secret option if your IOS supports it).
- Configure aaa new-model.
- Configure a named AAA authentication list with the aaa authentication login MyList local.
- Attach the named AAA authentication list to the console line with the login authentication MyList command.
Note: this article is part of the You've asked for it series.
Local usernames with no password
- By using the username user command without the password option, you create a username that has a blank password (the operator has to press ENTER at the Password: prompt).
- With the username user nopassword command, you create a user where the operator will not be prompted for the password at all.
Executing a command upon user login
After the autocommand is executed, the user is logged out and the session is disconnected, unless you configure the username user nohangup option, which causes the session to remain active, giving the operator another login prompt.
Enhanced password security for local usernames
With IOS release 12.3, Cisco introduced enhanced password security and the new username user secret password command, which uses strong (type 5) encryption, making local user passwords secure. Of course, such usernames cannot be used in scenarios where you need access to the cleartext password (for example, CHAP authentication).
What is the sl_def_acl access list
Recently, a lot of people were looking for information on the sl_def_acl access list. Here's the whole story: if you've configured IOS login enhancements on your router, the router generates an access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class command) the first time it has to enter the quiet mode. This access list is then applied to the VTY lines whenever the router enters the quiet mode and removed from them after the quiet period is over. The access list itself is left in the running configuration.
Cisco IOS web server with no enable password
Default username on Cisco routers
There are, however, a few things you can do if you want to relax the access to your router in a lab environment (never do it in a production network):
- If you configure no enable password, you can switch to enable mode without supplying a password
- If you want to telnet to a router without supplying a password, configure no login on the vty lines.
- If you want to be in privilege mode immediately after accessing the router, configure privilege level on the console or vty lines.
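The relaxed settings listed above, together with the local usernames without a password described earlier, are easy to leave behind when a lab configuration is reused. The following audit script is an added example, not code from the original articles; the function name, the finding texts and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the original page).
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$constructed$hash
username oper password 0 lab123
username guest nopassword
username blank autocommand show ip interface brief
line con 0
 login authentication MyList
line vty 0 4
 privilege level 15
 no login
"""

def audit(config):
    """Return (subject, finding) tuples for the relaxed settings described above."""
    findings, users = [], {}   # users: name -> credential keywords seen
    section = None             # current "line ..." block, if any
    has_enable = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends the block
            section = line if line.startswith("line ") else None
        m = re.match(r"username (\S+)(.*)", line)
        if m:
            # Simplification: keywords are matched as whole tokens anywhere on the line.
            creds = set(m.group(2).split()) & {"password", "secret", "nopassword"}
            users.setdefault(m.group(1), set()).update(creds)
        elif re.match(r"enable (secret|password)\b", line):
            has_enable = True
        elif section and line == "no login":
            findings.append((section, "no login: no password prompt"))
        elif section and re.match(r"privilege level \d+", line):
            findings.append((section, "sessions start at a preset privilege level"))
    for name, creds in users.items():
        if "nopassword" in creds:
            findings.append((name, "nopassword: operator is never prompted"))
        elif not creds:
            findings.append((name, "blank password"))
        elif "secret" not in creds:
            findings.append((name, "password option used instead of secret"))
    if not has_enable:
        findings.append(("enable", "no enable secret or password configured"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```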
VTY access-class accepts extended and named access lists
These new features give you the ability to implement interesting policies, for example:
- Telnet access is only allowed from the network management station.
- SSH access is allowed from anywhere within the internal network.
You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router.
Cisco IOS Login Enhancements
On top of that, you can configure the router to enter quiet mode after several login failures have been detected within a specified timeframe with the login block-for seconds attempts tries within seconds configuration command.
Reload the router from an interim privilege level
Local username authentication
Log terminal access to your router
The configuration commands to enable terminal access logging are login on-success log and login on-failure log. You can also specify that you want to send SNMP traps in these circumstances (with the trap option) or that you only want to log every Nth attempt with the every n option.
Log user privilege level changes
CLI command logging without TACACS+
The Cisco IOS’s AAA architecture contains many handy features, including authorizing and logging every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in RADIUS environments.
You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.