Secure Remote Access (19.3.2)–Cisco Build a Small Cisco Network


There are multiple ways to access a device to perform configuration tasks. One of these ways is to use a PC attached to the console port on the device. This type of connection is frequently used for initial device configuration.

To set a password for console connection access, you use global configuration mode. These commands prevent unauthorized users from accessing user mode from the console port:



  Switch(config)# line console 0
  Switch(config-line)# password password
  Switch(config-line)# login

When the device is connected to the network, it can be accessed over the network connection using SSH or Telnet. SSH is the preferred method because it is more secure. When the device is accessed through the network, it is considered a vty connection. The password must be assigned to the vty port. The following configuration is used to enable SSH access to the switch:



  Switch(config)# line vty 0 15
  Switch(config-line)# password password
  Switch(config-line)# transport input ssh
  Switch(config-line)# login

Example 19-7 shows a sample configuration.


Example 19-7 Secure Remote Access with Passwords

S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)#

By default, many Cisco switches support up to 16 vty lines that are numbered 0 to 15. The number of vty lines supported on a Cisco router varies with the type of router and the IOS version. However, the most common number of vty lines configured on a router is 5. These lines are numbered 0 to 4 by default, though additional lines can be configured. A password needs to be set for all available vty lines. The same password can be set for all connections.

To verify that the passwords are set correctly, use the show running-config command. These passwords are stored in the running-configuration in plaintext. It is possible to set encryption on all passwords stored within the router so that they are not easily read by unauthorized individuals. The global configuration command service password-encryption ensures that all passwords are encrypted.

With remote access secured on the switch, you can now configure SSH.

Configure SSH (19.3.3)

Before configuring SSH, you must minimally configure the switch with a unique host name and the correct network connectivity settings.

Step 1. Verify SSH support. Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized. It is recommended that production switches should be capable of running an IOS that supports cryptographic features.

Step 2. Configure the IP domain. Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command. In Example 19-8, the domain-name value is cisco.com.


Example 19-8 Configuring S1 with SSHv2

S1# show ip ssh
SSH Disabled – version 1.99
%Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
S1# configure terminal
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
How many bits in the modulus [512]: 1024
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)# exit
S1#

Step 3. Generate RSA key pairs. Not all versions of the IOS default to SSH version 2, and SSH version 1 has known security flaws. To configure SSH version 2, issue the ip ssh version 2 global configuration mode command. Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, you, as administrator, are prompted to enter a modulus length. The configuration in Example 19-8 uses a modulus size of 1,024 bits. A longer modulus length is more secure but takes more time to generate and to use.

Note

To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Step 4. Configure user authentication. The SSH server can authenticate users locally or use an authentication server. To use the local authentication method, create a username and password pair with the username username secret password global configuration mode command. In Example 19-8, the user admin is assigned the password ccna.

Step 5. Configure the vty lines. Enable the SSH protocol on the vty lines using the transport input ssh line configuration mode command. The Catalyst 2960 has vty lines ranging from 0 to 15. This configuration prevents non-SSH (such as Telnet) connections and limits the switch to accept only SSH connections. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.

Step 6. Enable SSH version 2. By default, SSH supports both versions 1 and 2. When both versions are supported, the show ip ssh output reports version 1.99. Version 1 has known vulnerabilities. For this reason, it is recommended to enable only version 2. Enable SSH version 2 using the ip ssh version 2 global configuration command.

Example 19-8 shows a sample SSH configuration.
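The section recommends verifying the result with show running-config. The following Python script is an added example, not part of the book or of Cisco IOS: it parses a running-config and audits it for the settings covered in 19.3.2 and 19.3.3 (every console and vty line requires authentication, all 16 vty lines are covered, vty lines accept only SSH and use login local, ip ssh version 2 is set, service password-encryption is on, and a local username uses secret). Both config texts are constructed samples; the hash and type 7 values in them are placeholders, not real credentials.

```python
"""Audit a Cisco IOS running-config for the remote-access hardening steps.

Added example (not from the book). The two configs below are constructed:
one roughly follows Example 19-8 but leaves gaps, the other closes them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: 'service password-encryption' missing, vty 5-15 still
# password-based and not restricted to SSH.
SAMPLE_CONFIG = """\
hostname S1
!
ip domain-name cisco.com
username admin secret 5 $1$PLCH$placeholderhash
!
ip ssh version 2
!
line con 0
 password cisco
 login
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 password cisco
 login
!
end
"""

# Constructed hardened sample; 'password 7 ...' value is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
hostname S1
ip domain-name cisco.com
username admin secret 5 $1$PLCH$placeholderhash
ip ssh version 2
line con 0
 password 7 0123456789ABCDEF
 login
line vty 0 15
 transport input ssh
 login local
end
"""


@dataclass
class LineBlock:
    name: str                                   # e.g. "line vty 0 4"
    commands: List[str] = field(default_factory=list)


def parse_config(config: str) -> Tuple[Set[str], List[LineBlock]]:
    """Split a running-config into global commands and 'line ...' blocks."""
    global_cmds: Set[str] = set()
    blocks: List[LineBlock] = []
    current: Optional[LineBlock] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                            # blank lines and comments
        if raw.startswith(" "):                 # indented = sub-command
            if current is not None:
                current.commands.append(raw.strip())
            continue
        current = None                          # any top-level line ends a block
        if raw.startswith("line "):
            current = LineBlock(raw.strip())
            blocks.append(current)
        else:
            global_cmds.add(raw.strip())
    return global_cmds, blocks


def vty_lines_covered(blocks: List[LineBlock]) -> Set[int]:
    """Return the set of vty line numbers that have a configuration block."""
    covered: Set[int] = set()
    for blk in blocks:
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", blk.name)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            covered.update(range(first, last + 1))
    return covered


def audit_config(config: str, vty_count: int = 16) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    global_cmds, blocks = parse_config(config)
    findings: List[str] = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("ip ssh version 2 not set; SSHv1 may be accepted")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not set; line passwords are plaintext")
    if not any(c.startswith("username ") and " secret " in c for c in global_cmds):
        findings.append("no local username with a hashed 'secret' password")
    missing = set(range(vty_count)) - vty_lines_covered(blocks)
    if missing:
        findings.append(f"vty lines without configuration: {sorted(missing)}")
    for blk in blocks:
        cmds = set(blk.commands)
        has_password = any(c.startswith("password ") for c in cmds)
        login_local = "login local" in cmds
        if not login_local and not ("login" in cmds and has_password):
            findings.append(f"{blk.name}: no authentication configured")
        if blk.name.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input ")]
            if transports != ["transport input ssh"]:
                findings.append(f"{blk.name}: transport input not restricted to ssh")
            if not login_local:
                findings.append(f"{blk.name}: SSH access should use login local")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "OK")
```

Feed it the text of show running-config captured from a switch; the sample config yields three findings and the hardened one none. Note that service password-encryption only obscures line passwords with the reversible type 7 encoding, which is why the audit also insists on a username with secret (a one-way hash) and login local on the vty lines.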

Syntax Checker—Configure SSH (19.3.4)

Use this Syntax Checker to configure SSH on switch S1.

Refer to the online course to complete this activity.
