The system supports 20 virtual tty (vty) lines for Telnet, Secure Shell Server (SSH), and FTP services. Each Telnet, SSH, or FTP session requires one vty line. You can add security to your system by configuring the software to validate login requests. There are two modes of authentication for a vty line:
- Simple authentication - password-only authentication via the local configuration
- AAA authentication - username and password authentication via a set of authentication servers
You can also enable AAA authorization, which allows you to limit the services available to a user. Based on information retrieved from the user's profile, the user is either granted or denied access to the requested service.

Configuring Simple Authentication
To configure simple authentication:
- Specify a vty line or a range of vty lines on which you want to enable the password.
  host1(config)#line vty 8 13
  host1(config-line)#
- Specify the password for the vty lines.
  host1(config-line)#password 0 mypassword
- Enable login authentication on the lines.
  host1(config-line)#login
- Display your vty line configuration.
  host1#show line vty 8
   no access-class in
   data-character-bits 8
   exec-timeout never
   exec-banner enabled
   motd-banner enabled
   login-timeout 30 seconds

line
- Use to specify the vty line(s) on which you want to enable the password.
- You can set a single line or a range of lines. The range is 0-19.
- Example
  host1(config)#line vty 8 13
- Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system also removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 19. You cannot remove lines 0 through 4.

login
- Use to enable password checking at login.
- By default, password checking is enabled.
- Example
  host1(config-line)#login
- Use the no version to disable password checking and allow access without a password.

password
- Use to specify a password on a single line or a range of lines.
- If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.
- Specify a password in plain text (unencrypted) or cipher text (encrypted). In either case, the system stores the password as encrypted.
- Use the following keywords to specify the type of password you will enter:
  - 0 (zero) - unencrypted password
  - 5 - secret
  - 7 - encrypted password
Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters earlier in this chapter to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.
- Example 1 (unencrypted password)
  host1(config-line)#password 0 mypassword
- Example 2 (secret)
  host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6
- Example 3 (encrypted password)
  host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y
- Use the no version to remove the password. By default, no password is specified.

show line vty
- Use to display the configuration of a vty line.
- Field descriptions
  - access-class - access-class associated with the vty line
  - data-character-bits - number of bits per character
    - 7 - setting for the standard ASCII set
    - 8 - setting for the international character set
  - exec-timeout - time interval that the terminal waits for expected user input
    - never - indicates that there is no time limit
  - exec-banner - status of the exec banner: enabled or disabled. This banner is displayed by the CLI after user authentication (if any) and before the first prompt of a CLI session.
  - motd-banner - status of the MOTD banner: enabled or disabled. This banner is displayed by the CLI when a connection is initiated.
  - login-timeout - time interval during which the user must log in.
    - never - indicates that there is no time limit
- Example
  host1#show line vty 0
   no access-class in
   data-character-bits 8
   exec-timeout 3w 3d 7h 20m 0s
   exec-banner enabled
   motd-banner enabled
   login-timeout 30 seconds
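Reviewing the show line vty output across all 20 lines is the quickest way to spot a line that will hold an idle session forever or accepts connections from any source. The following Python script is an added example, not code from this guide or the ERX software: it parses output in the field layout shown above and flags exec-timeout never, login-timeout never, and lines with no access-class applied. The sample output is constructed for the example, and it assumes each line's block begins with a line vty N header, as the output on this page does.

```python
"""Parser and check for `show line vty` output in the field layout shown on
this page. SAMPLE_OUTPUT is constructed for this example, not captured from
a device."""

FIELDS = ("access-class", "data-character-bits", "exec-timeout",
          "exec-banner", "motd-banner", "login-timeout")
UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

SAMPLE_OUTPUT = """\
line vty 8
 no access-class in
 data-character-bits 8
 exec-timeout never
 exec-banner enabled
 motd-banner enabled
 login-timeout 30 seconds
line vty 0
 no access-class in
 data-character-bits 8
 exec-timeout 3w 3d 7h 20m 0s
 exec-banner enabled
 motd-banner enabled
 login-timeout 30 seconds
"""


def parse_show_line_vty(text):
    """Return {vty_number: {field: value}}.

    Works on whitespace-separated tokens, so the same parser handles output
    with one field per line or with all fields run together on one line.
    A field preceded by `no` (for example `no access-class in`) is stored
    as None.
    """
    result, current = {}, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "line" and tokens[i + 1:i + 2] == ["vty"]:
            current = result.setdefault(int(tokens[i + 2]), {})
            i += 3
        elif current is None:
            i += 1                      # text before the first line header
        elif tok == "no" and tokens[i + 1:i + 2] and tokens[i + 1] in FIELDS:
            current[tokens[i + 1]] = None
            i += 3 if tokens[i + 2:i + 3] == ["in"] else 2
        elif tok in FIELDS:
            # gather value tokens up to the next field name or line header
            j = i + 1
            while j < len(tokens) and tokens[j] not in FIELDS + ("line", "no"):
                j += 1
            current[tok] = " ".join(tokens[i + 1:j])
            i = j
        else:
            i += 1                      # unrecognised token, skip it
    return result


def timeout_seconds(value):
    """`never` -> None; `30 seconds` -> 30; `3w 3d 7h 20m 0s` -> total seconds."""
    if value is None or value == "never":
        return None
    parts = value.split()
    if len(parts) == 2 and parts[1] == "seconds":
        return int(parts[0])
    return sum(int(p[:-1]) * UNIT_SECONDS[p[-1]] for p in parts)


def audit_vty_lines(parsed):
    """Return (vty, finding) pairs for settings worth a second look."""
    findings = []
    for vty, fields in sorted(parsed.items()):
        if fields.get("exec-timeout") == "never":
            findings.append((vty, "exec-timeout never: idle sessions are never closed"))
        if fields.get("login-timeout") == "never":
            findings.append((vty, "login-timeout never: an unauthenticated connection "
                                  "can be held open indefinitely"))
        if "access-class" in fields and fields["access-class"] is None:
            findings.append((vty, "no access-class: no source restriction on who may connect"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_line_vty(SAMPLE_OUTPUT)
    for vty, fields in sorted(parsed.items()):
        print(vty, fields, "exec-timeout seconds:", timeout_seconds(fields["exec-timeout"]))
    for vty, finding in audit_vty_lines(parsed):
        print(f"vty {vty}: {finding}")
```

Because the parser works on tokens rather than line breaks, the same function accepts output pasted from a terminal or flattened into a single line by a log collector. The duration converter turns the 3w 3d 7h 20m 0s form into seconds so a threshold can be applied to it in the same way as to the 30 seconds form.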
Configuring AAA Authentication and AAA Authorization
Before you configure AAA authentication and AAA authorization, you need to configure a RADIUS and/or TACACS+ authentication server. Note that several of the steps in the configuration procedure are optional.
To configure AAA new model authentication and authorization for inbound sessions to vty lines on your system:
- Specify AAA new model authentication.
  host1(config)#aaa new-model
- Create an authentication list that specifies the type(s) of authentication methods allowed.
  host1(config)#aaa authentication login my_auth_list tacacs+ line enable
- (Optional) Specify the privilege level by defining a method list for enable authentication.
  host1(config)#aaa authentication enable default tacacs+ radius enable
- (Optional) Enable authorization, and create an authorization method list.
  host1(config)#aaa authorization commands 15 Boston if-authenticated tacacs+
- (Optional) Disable authorization for all Global Configuration commands.
  host1(config)#no aaa authorization config-commands
- Specify the range of vty lines.
  host1(config)#line vty 6 10
  host1(config-line)#
- (Optional) Apply an authorization list to a vty line or a range of vty lines.
  host1(config-line)#authorization commands 15 Boston
- Specify the password for the vty lines.
  host1(config-line)#password xyz
- Apply the authentication list to the vty lines you specified on your system.
  host1(config-line)#login authentication my_auth_list

aaa authentication enable default
- Use to allow privilege determination to be authenticated through the TACACS+ or RADIUS server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privileged command level.
- The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
- To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
- Requests sent to a TACACS+ or RADIUS server include the username that was entered for login authentication.
- If the authentication method list is empty, the local enable password is used.
- Example
  host1(config)#aaa authentication enable default tacacs+ radius
- Use the no version to empty the list.

aaa authentication login
- Use to set AAA authentication at login. This command creates a list that specifies the methods of authentication.
- Once you specify aaa new-model as the authentication method for vty lines, an authentication list called "default" is automatically assigned to the vty lines. To allow users to access the vty lines, you must create an authentication list and either:
  - Name the list "default."
  - Assign a different name to the authentication list, and assign the new list to the vty line using the login authentication command.
- The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
- The system traverses the list of authentication methods to determine whether a user is allowed to start a Telnet session. If a specific method is available but the user information is not valid (such as an incorrect password), the system does not continue to traverse the list and denies the user a session.
- If a specific method is unavailable, the system continues to traverse the list. For example, if tacacs+ is the first authentication type element on the list and the TACACS+ server is unreachable, the system attempts to authenticate with the next authentication type on the list, such as radius.
- The system implicitly denies access if it reaches the end of the authentication list without finding an available method.
- Example
  host1(config)#aaa authentication login my_auth_list tacacs+ radius line none
- Use the no version to remove the authentication list from your configuration.

aaa authorization
- Use to set the parameters that restrict access to a network.
- Use the keyword exec to determine whether the user is allowed to run User Exec mode commands. The commands you can execute from User Exec mode provide only user-level access.
- Use the keyword commands to run authorization for all commands at the specified privilege level (0-15). See Table 6-1 for a description of privilege levels.
- You can enter up to three authorization types to use in an authorization method list. Options include: if-authenticated, none, and tacacs+.
Note: For information about TACACS+, see the ERX Broadband Access Configuration Guide, Chapter 4, Configuring TACACS+.
- Authorization method lists define the way authorization is performed and the sequence in which the methods are performed. You can designate one or more security protocols in the method list to be used for authorization. If the initial method fails, the next method in the list is used. The process continues until either there is successful communication with a listed authorization method or all methods defined are exhausted.
- Example
  host1(config)#aaa authorization exec
- Use the no version to delete the method list.
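The traversal rules given above for aaa authentication login (skip an unavailable method, stop with a denial when an available method rejects the credentials, implicit denial at the end of the list, none as a method that always succeeds) are the same rules that govern the aaa authentication enable and aaa authorization method lists. The following Python model is an added example, not code from this guide or the ERX software: the TACACS+, RADIUS and line backends are constructed stand-ins that return a fixed result rather than real clients, and the method names are the ones used on this page.

```python
"""Model of how an AAA method list is traversed, following the rules given on
this page for `aaa authentication login`, `aaa authentication enable` and
`aaa authorization` lists. The server behaviours are constructed stand-ins;
no TACACS+ or RADIUS traffic is sent."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"            # method reachable, credentials valid
    REJECT = "reject"            # method reachable, credentials invalid
    UNAVAILABLE = "unavailable"  # method could not be consulted (server down)


def server(up, valid):
    """Constructed stand-in for a TACACS+/RADIUS server or the line password."""
    def consult():
        if not up:
            return Outcome.UNAVAILABLE
        return Outcome.ACCEPT if valid else Outcome.REJECT
    return consult


def evaluate_method_list(methods, backends):
    """Walk `methods` in order and return (granted, trace).

    Rules modelled from the page:
      * an unavailable method is skipped and the next one is tried;
      * an available method that rejects ends the walk with a denial;
      * `none` always grants;
      * reaching the end of the list is an implicit denial.
    `trace` records every method consulted and its outcome, which is what
    you want in a log to see which backend actually made the decision.
    """
    trace = []
    for method in methods:
        if method == "none":
            trace.append((method, Outcome.ACCEPT))
            return True, trace
        # a method with no configured backend is treated as unavailable
        consult = backends.get(method, server(up=False, valid=False))
        outcome = consult()
        trace.append((method, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trace
        if outcome is Outcome.REJECT:
            return False, trace     # valid method, invalid credentials: stop
    trace.append(("<end of list>", Outcome.REJECT))
    return False, trace


if __name__ == "__main__":
    # aaa authentication login my_auth_list tacacs+ radius line none
    my_auth_list = ["tacacs+", "radius", "line", "none"]

    # TACACS+ unreachable, RADIUS reachable but the password is wrong:
    # the walk stops at radius and never reaches `line` or `none`.
    backends = {"tacacs+": server(up=False, valid=True),
                "radius": server(up=True, valid=False),
                "line": server(up=True, valid=True)}
    print(evaluate_method_list(my_auth_list, backends))

    # Every backend unreachable: `none` as the final method grants access,
    # which is why a trailing `none` makes the list fail open.
    all_down = {m: server(up=False, valid=True) for m in ("tacacs+", "radius", "line")}
    print(evaluate_method_list(my_auth_list, all_down))

    # The same outage without `none`: implicit denial at the end of the list.
    print(evaluate_method_list(["tacacs+", "radius"], all_down))
```

The three scenarios in the main block correspond directly to the statements above: a rejection from a reachable server is final, a trailing none turns a total server outage into a grant, and a list without none denies by default once every method is exhausted. The returned trace is the element worth keeping when you audit a list: it shows whether the decision came from the intended server or from a fallback further down the list.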
aaa authorization config-commands
- Use to reestablish the default created when the aaa authorization commands command was issued.
- After the aaa authorization commands command has been issued, aaa authorization config-commands is enabled by default, which means that all configuration commands in Exec mode are authorized.
- Example
  host1(config)#aaa new-model
  host1(config)#aaa authorization commands 15 parks tacacs+ none
  host1(config)#no aaa authorization config-commands
- Use the no version to disable AAA configuration command authorization.

aaa new-model
- Use to specify AAA new model as the authentication method for the vty lines on your system.
- If you specify AAA new model and you do not create an authentication list, users will not be able to access the system through a vty line.
- Example
  host1(config)#aaa new-model
- Use the no version to restore simple authentication.

authorization
- Use to apply AAA authorization to a specific vty line or group of lines.
- Use the exec keyword to apply this authorization to CLI access in general.
- Use the commands keyword to apply this authorization to user commands of the privilege level you specify.
- You can specify the name of an authorization method list; if no method list is specified, the default is used.
- After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined list to the appropriate lines for authorization to take place.
- Example
  host1(config)#line vty 6
  host1(config-line)#authorization commands 15 sonny
- Use the no version to disable authorization.

line
- Use to specify the virtual terminal lines.
- You can set a single line or a range of lines. The range is 0-19.
- Example
  host1(config)#line vty 6 10
- Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system also removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 19. You cannot remove lines 0 through 4.

login authentication
- Use to apply an authentication list to the vty lines you specified on your system.
- Example
  host1(config-line)#login authentication my_auth_list
- Use the no version to specify that the system should use the default authentication list.

password
- Use to specify a password on a line or a range of lines if you specified the line option with the aaa authentication login command.
- If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.
- Use the following keywords to specify the type of password you will enter:
  - 0 (zero) - unencrypted password
  - 5 - secret
  - 7 - encrypted password