Cisco CCNA 200-301 – Cisco Device Security Part 3

5. Usernames and Privilege Levels.

You’ll learn about user names and privilege levels. Start off by recapping what we covered earlier in this section about line level passwords. So with line level security, all administrators login with the same password. You see in our configure, I’ve got line console zero password, flatbox one, and then I say login that whenever anybody accesses over the console, they have to enter that password and in line VTi 15 for the telnet access password, flatbox one, and log in there as well. So right now, whenever any administrator wants to configure the device, they all log in with the same password, which is flatbox one. More granular security can be provided by configuring individual usernames and passwords for all of your different administrators.

So rather than having them all log in with the same password, they’re going to get their own username and password and then we can give them different levels of access when we do that. So the config for this is we say username. We’ve got admin one, secret is flatbox one and username admin two, secret flatbox two. Obviously in a real world environment, you’re not going to give them all a password to flatbox one, flatbox two, you’re going to have something a bit more different than that. Then at the line, we’ve got line console zero, login local.

So when we just say login, it means use the password that is configured at the line level. When we say login local, it means use the local usernames. If we had a password configured on the console now, because we said login local, that password in the console would be ignored. Login local means use the local usernames and then we also do it for our telnet lines as well. So we’ve got line BTY 15. We’re also seeing login local there as well. So now whenever an administrator goes to log in, they need to enter their username and password. Notice here as well that I’ve got username admin one, secret flackbox one. Because we said secret, the password is going to be encrypted. When you do a show run, you can also use username admin one password, flatbox one, but that’s the old version of the command that is not encrypted. So unless you’re on a really old router, use the command username admin one and then secret rather than password.

Okay, when you have configured this, if we go to telnet onto that device, we will get a prompt. But rather than just asking for a password now, now it’s going to, first off, ask us for the username and then we have to enter the valid password as well. When we do enter a valid username and password, we’re going to get to the user prompt by default. Okay? Next thing to talk about is privilege levels, and there’s 16 privileged levels available on your routers and switches going from level zero up to level 15. You can assign a username a particular privilege level. The default level is one. So if you go back a slide with our usernames here, because we haven’t specified a privilege level, both admin one and admin two are getting level one by default. You can also configure different passwords for direct access to the different privilege levels. You’ll see what that means when we do the example later on. Each available command in iOS can be assigned a privilege level and an administrator must be logged in with that privilege level or higher to run the command.

So you can specify, say we take a particular command, we can give it privilege level five. For any administrator to be able to run that command, they need to be logged in with a privilege level of five or higher. By default, only three of the 16 privilege levels are used. The levels that are used are zero, user and privileged. And all commands are at one of those three levels by default. Zero level access allows only five commands log out, enable, disable, help and exit. So zero level. Basically you can get into it or you can get out of it, but you can’t really run any commands that are very limited. User level one provides very limited read only access to the router and when you enter user exact mode, you’re at privilege level one by default. So you saw before in all the earlier lectures, when we log into the router, we get in the user prompt by default and there is a limited set of commands.

That’s because you’re at level one when you do that privileged. Level 15 provides complete control over router. You can run all commands when you’re logged in with privilege level 15. And when you enter privileged exec mode with the enable command, you’re at level 15 by default. So again, you saw when we log in, we get in at the user level and we’ve got level one commands we can run there. Then when we enter the enable command, we get elevated up to level 15 and we can run all commands. So for our configuration here, I’ve said username admin one, secret flackbox one and then username admin two, privilege 15, secret flackbox two, because we didn’t specify a privilege level for admin one. When they log in they’re going to be at level one, admin two, we’ve specified privilege 15.

So when they log in they’re going to be immediately at privilege level 15. And then at line console zero and line vqi 00:15, we’ve got the login local command again. So the effect of this is going to be if the username admin one logs in, like you see here, they log in, they enter their username and their password and then they’ll see the user prompt r one and the great urban symbol. If you do a show privilege, they can see their current privilege level is one. But if admin two logs in, the one that we’d configured privilege level 15 for, as soon as they enter a username and password. Notice that the prompt shows r one hash. They immediately get in at the enable prompt because they had privileged level 15. So they don’t have to go to the user prompt and then enter the enable command. We’re already logged in with level 15 because we set that at the username level. And if they do a show privilege, we’ll see our current privilege level is 15.

Okay, let’s take this on a stage. And the easiest way to explain this is by giving you an example that we’ll work through. So here I’ve configured username admin one, secret flatbox one, no privilege level specified. So they get privilege level one, username admin two, privilege 15, secret flatbox two, and username admin three, privilege five, secret flatbox three. So when admin one logs in, we’re at privilege level one. Admin two is at level 15 and admin three is at level five. Now, if I tell it to the device as admin one and enter my password, let’s go back. Admin one was privileged level one. If they do a show IP interface brief, that is a level one command. So that command will be accepted and the command will run. But then if that user tries to do a show run, which is a level 15 command, we’re going to see it’s invalid input. So the error message doesn’t say, you’re not allowed to run that command. You’re not at high enough privilege level. It just gives an error message like it’s an invalid command. If admin three logs in, they come in at level five.

And right now there wasn’t really any point of doing this because all commands are at level 15, level one or level zero by default. So admin three has got level five, but they really haven’t got any more rights than admin one right now because we haven’t set any commands to run at level five. So admin three, they can do a show IP interface brief. That’s a level one command. They’re level five. So that will work just fine. But they try to do a show run that’s level 15. They’re only at level five. They’re going to get the error message. If admin two logs in, we’d set privilege level 15 for them. So as soon as they log in, they get the enable prompt we’re running at level 15 and they can run all commands, including show run, okay? So next thing we’ll do is we will actually make some use of having that privilege level five.

So we enter the command privilege exec level five, showrunning config. This means that we’re changing the show running config command from a privilege level of 15 to a privileged level of five. So now anybody logged in with level five is going to be able to run this command. We then log out and log back in as admin one. They try to do a show run, it’s going to fail because they are running at level one. But now when admin three enters the command, they can do a show run. They’re logged in at level five, so the command will work now, but if they try to do a configure terminal, a config t, that fails because config t is still a level 15 command. So what we’ve done is we’ve given them some additional commands that they can run now, which was showrun, but they’re still not a full level administrator, so they can’t make any changes. Last thing to show you here is about how we can also set the password for a privilege level directly at that level.

So here when we do enable secret secret one, if you don’t specify a privilege level when you set the enabled secret, it defaults to your setting the password for privilege level 15. Then we add an additional command enabled secret, level five, secret two. So now if somebody types in enable, and then they put in the password secret one, they’ve got level 15 access. But if somebody enters a command enable five to get in at level five and put in the level five password, they’ve got level five access.

So you can see here right now, I’m logged in as admin one, which is a level one administrator I do a showroom on which is level five, and they can’t run it because we’re currently at level one. But if that user knows the level five enable password, they can say enable five, meaning log in at level five, they put in the level five password, and now they can do a show run. But if they entered config t, they wouldn’t be able to make any changes.

6. SSH Secure Shell

In this lecture, you’ll learn about SSH secure shell. There’s a problem with telnet in that all traffic between your workstation and the router switch goes in plain text. So if anybody sniffing that traffic, they’ll see all of the commands that you’re sending to the device. And worse, they’ll be able to see what your username and password is, so they’ll be able to log in as you later on. So we don’t want to do that. We don’t want to use telnet. We want to use SSH instead. SSH works just like telnet. It gives you command line access to the router or switch. But unlike telnet, all of the traffic is encrypted. So even if somebody is sniffing your traffic, they’re not going to be able to read it. They won’t be able to read what commands you’re sending or be able to see your username and password. So best practice is to enable SSH and disable telnet. To enable SSH, it needs a way to encrypt the traffic. So it uses a digital certificate for this. And one of the attributes on that digital certificate is a domain name.

So you need to set the domain name first. The command for that is IP domain name. And in the example here, I’m using Flackbox. com, you can use your organization’s domain name if you want. It doesn’t really matter. You can use anything. So we’ve configured the domain name. Then we need to generate the certificate. The command for that is crypto key generate RSA. RSA stands for reverse, shamir and adelman. Those are the guys that invented this. So you do that. The router will then ask you how many bits you want to use for the certificate. The lowest value you can use on the router is 512. But for SSH, the lowest value that is allowed is seven, six eight. So use seven, six eight or higher for your SSH certificate. So that is our certificate generated.

Now we just need to make sure the SSH is enabled on the VTY lines. Those VTY Virtual Terminal lines are used to control both incoming telnet and SSH access as well.

And again, best practices enable SSH but disable telnet. By default, both are enabled. So with SSH, you cannot use a line level password. For telnet, you can either use a line level password or you can use individual usernames, but for SSH, it has to be individual usernames. So I configure here. I’ve configured username flatbox with a password flatbox one. I should have used secrets rather than password. There. It’s the newer way and it’s more secure. But if I’ve enabled service password encryption, it will still be encrypted in the show running output anyway.

Okay, so I’ve got my user there. Then I need to configure my lines. So I’ve got line VTY 15 and then transport input SSH. The default is transport input all which allows both telnet and SSH. We want to only allow SSH, so we just say Transport input SSH. Don’t mention telnet there. Then log in local to use the local usernames. And then I exit back out to global config and I say ipssh version two. That is optional, but that means that it will only accept SSH version two incoming, which is the latest version. It’s a bit more secure than the older versions.

Okay, so that’s how we configure it then, to actually use it. If we’re at a Linux client, we can say SSHL for the username, and then our username was flatbox and we’re SSH to the device at ten o ten. It will then prompt us for the password. It won’t ask us for the username because we already included that in the SSH command. So Linux has got support for SSH by default. Windows does not.

So on Windows typically we will use Potty. Even if you’re used to always using Potty in real world, you still need to know this command SSHL username and then the IP address. Because this is what you can get tested on in the CCNA exam. Okay, so that was how we can configure SSH. See it in the next lecture where I’ll show you. Doing it in the lab.

• Category: Uncategorized