Change the username/password prompt with AAA

The TACACS+ protocol, introduced with the IOS AAA architecture, had great provisions for
customizing the whole login process (user-defined banners, prompts ...). Unfortunately, it never
really took off, and most AAA solutions deployed today rely on RADIUS servers, which cannot
control the login process itself (a RADIUS server can only check the username/password pair
for validity).

To change the login prompts when using RADIUS servers, use the aaa authentication
[banner|fail-message|password-prompt|username-prompt] text configuration command.

For example, to introduce meaningful prompts when using a one-time password solution, you
could use something similar to this configuration:
aaa authentication banner #
Access to this router is protected with one-time passwords.

Send an e-mail to admin@nowhere.net if you need access.

#
aaa authentication fail-message #
Login failed. Wait at least 30 seconds and retry
#
aaa authentication password-prompt "Enter your PIN + one-time password:"
aaa authentication username-prompt "Enter your username:"
Note: the texts specified with the password-prompt and username-prompt options are one-line
texts delimited with quotes; the parameters of the banner and fail-message options are
multi-line texts delimited with any character.

Authenticating HTTP requests with AAA

By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests.
You could also use local usernames as the authentication mechanism, or you could deploy a
full-blown AAA-based solution.

To enable AAA-based HTTP authentication, you have to define two AAA lists (authentication
login and authorization exec) and bind them to the HTTP server with the ip http
authentication aaa command. A working configuration example is included below (this one
uses AAA-based local username authentication, but of course you can replace that with a
RADIUS- or TACACS-based one).
aaa authentication login web local
aaa authorization exec web local
!
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
Warning: the router executes AAA authentication/authorization for every HTTP request sent by
the browser. It's thus very hard to integrate this solution with one-time passwords (unless you
can cache the credentials on the AAA server).

http://wansource.blogspot.com 
 

One-time passwords on Cisco routers

Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many
users forget to disable or change the default username after configuring their router with SDM,
they could end up with an exposed router.

Cisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time
password/secret option of the username command, allowing you to define a
username/password combination that can be used only once.

For example, the username cisco one-time secret cisco would define the default username that
can be used only for single access to the router. After the first login, the username disappears
from the running configuration and thus cannot be reused.

There are, however, two caveats associated with this feature:

• If you log into the router using any other username, the one-time username remains valid
(it's not removed on the first successful login to the box, which would make more sense
in the SDM context);
• The one-time username is removed only from the running configuration; if you don't save
the new configuration to the NVRAM, the username will reappear after the router reload.

Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why,
but you could guess), but here it is for the benefit of everyone else: if you want to enable AAA
on Cisco IOS but still retain local usernames (at least for the console access), this is how you do
it:

• Define local usernames with username xxx password yyy command (I would prefer the
secret option if your IOS supports it).
• Configure aaa new-model.
• Configure a named AAA authentication list with the aaa authentication login MyList
local.
• Attach the named AAA authentication list to the console line with the login
authentication MyList command.

If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail
or become unreachable, you could use the aaa authentication login MyList group
[radius|tacacs+|name] local command.


Local usernames with no password

There are two ways you can configure local usernames without a password:

• By using the username user command without the password option, you create a
username that has a blank password (the operator has to press ENTER at the Password:
prompt).
• With the username user nopassword command, you create a user where the operator will
not be prompted for the password at all.

Hopefully, you would use such usernames only with the autocommand option to give guest
users a short overview of the router's operation (for example, display the interface status).

Executing a command upon user login

Cisco IOS has long had the autocommand option, by which you could attach any command to a
username and have it execute after successful login. For example, the username x autocommand
show ip interface brief command would configure the router to display the interface status after
someone logs in as user x.

After the autocommand is executed, the user is logged out and the session is disconnected, unless
you configure the username user nohangup option, which causes the session to remain active,
giving the operator another login prompt.

Enhanced password security for local usernames

Cisco IOS has long had the ability to define local users that could be used to authenticate incoming
telnet sessions or dial-up connections (using PAP or CHAP). Until IOS release 12.3, the
passwords assigned to local usernames were encrypted using the weak (type 7) reversible
encryption. With cracking tools widely available on the Internet, there's obviously almost no
protection offered by this encryption type.

With IOS release 12.3, Cisco introduced enhanced password security and the new username
user secret password command, which uses strong (type 5) encryption, making local user
passwords secure. Of course, such usernames cannot be used in scenarios where you need access
to the cleartext password (for example, CHAP authentication).


What is the sl_def_acl access list

Recently, a lot of people were looking for information on the sl_def_acl access list. Here's the
whole story: if you've configured IOS login enhancements on your router, the router generates an
access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class
command) the first time it has to enter the quiet mode. This access list is then applied to the
VTY lines whenever the router enters the quiet mode and removed from them after the quiet period
is over. The access list itself is left in the running configuration.

For those of you interested in the details, the sl_def_acl access list contains these lines in IOS
release 12.4(9)T:
router#show access-list
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
The last line makes me wonder if the programmers of this particular feature should attend the
ICND course first :).

Cisco IOS web server with no enable password

IOS has (yet another) nice "underdocumented" feature: if you don't have an enable
password/secret configured on your router, you can access the IOS HTTP(S) server (assuming it's
enabled with the ip http server command) without any authentication whatsoever. Of course
you'd never do that in a production environment, but it's nice to know you can always configure
the router from a web browser if needed (see also the discussion on default passwords with Cisco
SDM).

Default username on Cisco routers

I get a lot of hits via Google from people searching for a default username on Cisco routers. It's
ages-old news, but there is no default username. Period. If you have to get access to a router
and cannot remember the password(s), the only thing left is the password recovery mechanism ...
although even that can be disabled with the no service password-recovery configuration
command.

There are, however, a few things you can do if you want to relax the access to your router in a
lab environment (never do it in a production network):

• If you configure no enable password, you can switch to enable mode without supplying
a password
• If you want to telnet to a router without supplying a password, configure no login on the
vty lines.
• If you want to be in privileged mode immediately after accessing the router, configure
privilege level on the console or vty lines.


VTY access-class accepts extended and named access lists

You could limit terminal access to a router with the access-class line configuration command
for a very long time (since, at least, IOS release 10.0). However, the access-class command only
accepted standard access lists, allowing you to restrict access solely based on source IP
addresses. In the meantime, this feature quietly got upgraded to support extended access lists. In
IOS release 12.4, the command even accepts (undocumented!) named access lists.

These new features give you the ability to implement interesting policies, for example:

• Telnet access is only allowed from the network management station.
• SSH access is allowed from anywhere within the internal network.

You can also use the extended access list logging functionality, making it possible to log every
connection attempt to the router.

For example, the configuration ...
ip access-list extended TerminalAccess
 permit tcp host 10.0.0.2 any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class TerminalAccess in
... would log any terminal access to the router with messages similar to the ones below.
%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1057) -> 0.0.0.0(23), 1 packet
%SEC-6-IPACCESSLOGP: list TerminalAccess permitted tcp 10.0.0.2(1058) -> 0.0.0.0(23), 1 packet
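As an added example (not code from the original posts), the following Python script models the first-match semantics of the IOS extended access lists shown here and in the sl_def_acl section above. It parses both lists as they appear on this page, evaluates the connections that produced the two log messages above (10.0.0.3 and 10.0.0.2 opening telnet), and reports entries that an earlier entry shadows, which is exactly why line 40 of sl_def_acl can never match. The parser only understands the "tcp <host A.B.C.D | any> any [eq port] [log]" form used on this page; the port-name table and the sequence numbers assigned to unnumbered entries are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: the two access lists exactly as they appear in this document.
# sl_def_acl keeps its sequence numbers; TerminalAccess has none, as typed in config.
SL_DEF_ACL = """
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
"""
TERMINAL_ACCESS = """
permit tcp host 10.0.0.2 any eq telnet log
permit tcp any any eq 22 log
deny tcp any any log
"""

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}   # IOS port keywords used on this page


@dataclass
class AclEntry:
    seq: int
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source match; 'any' is stored as 0.0.0.0/0
    dport: Optional[int]            # destination port; None means any port
    log: bool


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on this page:
    [seq] <permit|deny> tcp <host A.B.C.D | any> any [eq <port>] [log].
    Unnumbered entries get 10, 20, 30 ... (assumption: the default IOS numbering)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else (len(entries) + 1) * 10
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto != "tcp":
            raise ValueError(f"unsupported entry: {line}")
        i = 2
        if tok[i] == "host":
            src, i = ipaddress.ip_network(tok[i + 1]), i + 2
        elif tok[i] == "any":
            src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            raise ValueError(f"unsupported source: {line}")
        if tok[i] != "any":             # the destination is always 'any' on this page
            raise ValueError(f"unsupported destination: {line}")
        i += 1
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        log = i < len(tok) and tok[i] == "log"
        entries.append(AclEntry(seq, action, src, dport, log))
    return entries


def evaluate(entries, src_ip, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL.
    Returns (action, matching_seq); seq is None when the implicit deny applied."""
    addr = ipaddress.ip_address(src_ip)
    for e in entries:
        if addr in e.src and (e.dport is None or e.dport == dport):
            return e.action, e.seq
    return "deny", None


def shadowed(entries):
    """Sequence numbers of entries that can never match because an earlier
    entry already covers every packet they describe."""
    result = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if earlier.src.supernet_of(later.src) and earlier.dport in (None, later.dport):
                result.append(later.seq)
                break
    return result


if __name__ == "__main__":
    for name, text in (("sl_def_acl", SL_DEF_ACL), ("TerminalAccess", TERMINAL_ACCESS)):
        acl = parse_acl(text)
        print(name, "shadowed entries:", shadowed(acl) or "none")
        for src, port in (("10.0.0.2", 23), ("10.0.0.3", 23), ("172.16.1.1", 22)):
            print(f"  {src} -> port {port}: {evaluate(acl, src, port)}")
```

Run as-is, the script reports entry 40 of sl_def_acl as shadowed by entry 30 (same source, same port, opposite action), while TerminalAccess has no shadowed entries and yields "deny" for 10.0.0.3 and "permit" for 10.0.0.2 on port 23, matching the two log messages above.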

Cisco IOS Login Enhancements

In IOS release 12.3(4)T (integrated into 12.4), Cisco has finally introduced features (long
available in Unix and Windows) that slow down dictionary attacks on a router. On top of logging
of login failures, you can also slow down the login process by delaying the router response after
a login failure with the login delay seconds command.

On top of that, you can configure the router to enter quiet mode after several login failures
have been detected in a specified timeframe with the login block-for seconds attempts tries
within seconds configuration command.

The quiet mode is implemented by applying an access list to the VTY lines. You can specify the
access list yourself with the login quiet-mode access-class { acl-name-or-number } command,
otherwise the router generates an access list named sl_def_acl ...
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
and applies it with the access-class in command to the VTY lines.

Warning: If you save router configuration during the quiet period, the access-class command
will be saved to NVRAM.

The router also logs the entering and exiting of the quiet mode with log messages similar to the
ones below:
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 43 secs, [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 19:21:17 UTC Sat Dec 2 2006

Reload the router from an interim privilege level

While you wouldn't usually want a non-privileged user to reload a Cisco IOS-based router, you
might also not appreciate the need to give the network operator level-15 access (which includes
configuration privileges) just to reload the box. The solution is the privilege configuration
command. To lower the privilege level of the reload command, configure privilege exec level
desired-level reload.

For example, after configuring ...
privilege exec level 4 reload
enable secret level 4 mypassword
... an operator can reload the box with the following commands:
Rtr>enable 4
Password:
Rtr#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]y
14:11:13: %SYS-5-RELOAD: Reload requested by console.

Local username authentication

As I get a lot of hits from Google referring to local login, here's the whole story: Cisco IOS
has supported local username/password-based authentication (almost) forever (it's been there even
before the AAA architecture). To change from simple password-based authentication to a
username+password-based one, use the login local configuration command on console and/or VTY
lines. The local usernames and passwords are defined with the username configuration
command.

The Cisco IOS thus supports the following local (non-AAA) authentication settings:

• no login disables any authentication; anyone able to access the line (console or VTY
through telnet or SSH) is logged in automatically (do not use outside of lab environment).
• login enables simple password-based authentication. The password is specified per-line
(console or VTY) with the password command (do not specify different passwords on
different VTY lines or you'll create total confusion).
• login local enables local username+password authentication.

Note: the login tacacs configuration command specifies the old TACACS protocol and is almost
unusable these days.

Log terminal access to your router

In a previous post, I've shown how you can log the changes in an interactive user's privilege level.
With the Cisco IOS Login Enhancements (introduced in IOS release 12.3(4)T, integrated in
12.4), you can also log all login successes and failures, even when using the local user database (a
similar functionality was previously achievable only when using a central TACACS+ or RADIUS
server).

The configuration commands to enable terminal access logging are login on-success log and
login on-failure log. You can also specify that you want to send SNMP traps in these
circumstances (with the trap option) or that you only want to log every Nth attempt (with the
every n option).

After you've configured terminal access logging, the router will start to generate syslog messages
similar to the ones below (localport: 23 indicates the user was using telnet to access the router,
localport: 80 that she was using HTTP):
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 172.16.1.1] [localport: 23] at 19:10:27 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: a] [Source: 192.168.0.10] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 19:35:53 UTC Sat Dec 2 2006
If the user accesses the router through the console port, both the source and localport are set to
all zeroes:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 0.0.0.0] [localport: 0] at 19:10:48 UTC Sat Dec 2 2006
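An added example, not code from the original posts, that serves both the Login Enhancements section and this one: a Python script that parses %SEC_LOGIN messages in the format shown above, counts failures per source address, and models the login block-for counter to show when the router would enter and leave quiet mode. The sample log lines are constructed (timestamps chosen so that three failures fall inside one 30-second watch window), and the quiet-mode model is an assumption of the example rather than the IOS implementation: it counts failures device-wide, starts the watch window at the first failure, and ignores failures during the quiet period, since the quiet-mode access list blocks them before authentication.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample messages in the format the IOS Login Enhancements emit
# (not captured from a real router).
SAMPLE_LOG = """\
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:05 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:11 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 172.16.1.1] [localport: 23] at 19:20:14 UTC Sat Dec 2 2006
1d03h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.0.6] [localport: 23] [Reason: Login Authentication Failed] at 19:20:17 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 0.0.0.0] [localport: 0] at 19:30:48 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: a] [Source: 192.168.0.10] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 19:35:53 UTC Sat Dec 2 2006
"""

MSG_RE = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):")
FIELD_RE = re.compile(r"\[(?P<key>\w+): (?P<value>[^\]]*)\]")      # [key: value] pairs
TIME_RE = re.compile(r" at (?P<time>\d\d:\d\d:\d\d) \w+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})$")


def parse_login_event(line):
    """Return a dict for one %SEC_LOGIN message, or None for any other line."""
    m, t = MSG_RE.search(line), TIME_RE.search(line)
    if not (m and t):
        return None
    fields = {k: v for k, v in FIELD_RE.findall(line)}
    # The time-zone token (UTC) is dropped; naive datetimes suffice for ordering.
    when = datetime.strptime(f"{t['time']} {t['date']}", "%H:%M:%S %a %b %d %Y")
    return {
        "mnemonic": m["mnemonic"],
        "user": fields.get("user", ""),
        "source": fields.get("Source", ""),
        "localport": int(fields.get("localport", "0")),
        "reason": fields.get("Reason", ""),
        "time": when,
        # console sessions carry Source 0.0.0.0 and localport 0, as the post notes
        "console": fields.get("Source") == "0.0.0.0" and fields.get("localport") == "0",
    }


def failures_by_source(events):
    """Count LOGIN_FAILED events per source address."""
    return Counter(e["source"] for e in events if e["mnemonic"] == "LOGIN_FAILED")


def quiet_mode_periods(events, block_for=60, attempts=3, within=30):
    """Simplified model of 'login block-for <block_for> attempts <attempts> within <within>'
    (assumption of this example, not the IOS code). Returns (quiet_start, quiet_end) tuples."""
    periods = []
    window_start, count, quiet_until = None, 0, None
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["mnemonic"] != "LOGIN_FAILED":
            continue
        now = e["time"]
        if quiet_until is not None and now < quiet_until:
            continue                                  # blocked by the quiet-mode ACL
        if window_start is None or now - window_start > timedelta(seconds=within):
            window_start, count = now, 0              # (re)start the watch window
        count += 1
        if count >= attempts:
            quiet_until = now + timedelta(seconds=block_for)
            periods.append((now, quiet_until))
            window_start, count = None, 0
    return periods


def analyse(text):
    """Parse a syslog extract and return (events, failures per source, quiet periods)."""
    events = [ev for ev in (parse_login_event(l) for l in text.splitlines()) if ev]
    return events, failures_by_source(events), quiet_mode_periods(events)


if __name__ == "__main__":
    evs, per_src, quiet = analyse(SAMPLE_LOG)
    for src, n in per_src.most_common():
        print(f"{src}: {n} failed logins")
    for start, end in quiet:
        print(f"quiet mode from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

With the sample input, the three failures from 192.168.0.6 at 19:20:05, 19:20:11 and 19:20:17 trigger quiet mode at 19:20:17, which ends at 19:21:17, the same interval the QUIET_MODE_ON and QUIET_MODE_OFF messages above show; the later failure at 19:35:53 starts a fresh window. Pointing analyse() at the output of show logging gives the same per-source summary for a real router.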


Log user privilege level changes

The logging userinfo configuration command introduced in IOS release 12.3T (integrated into
12.4) starts logging of all changes in user privilege levels (as requested by enable or disable
commands).

Sample printout:
fw>enable
Password:
03:00:50: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
fw#disable
fw>
03:00:52: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console

CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the
ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA
command accounting only supports TACACS+ as the AAA transport protocol, making it
unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration
commands will log every command executed on the router.
event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As the EEM uses standard IOS logging mechanisms, you can use the show logging command to
examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router's console,
unless you disable console logging with no logging console command or use TCL-based syslog
filters (more about them in an upcoming post).

Use Cisco IOS FTP server to bypass Microsoft "security patch"

Microsoft decided a while ago to disable the ability to send a username and password encoded in
a URL to a web server. This "security patch" also prevents you from serving files from the Cisco IOS
web server without explicit user login (the IOS web server does not support anonymous access).
However, as the Microsoft patch does not affect FTP, you can use the FTP server embedded in most
Cisco IOS images and download files to your web browser with the
ftp://user:password@router/file URL.


To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed
by the ftp-server topdir directory command which specifies the top-level FTP directory (for
example, flash:). To authenticate FTP users, define local usernames with the username user
password password configuration command.

Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based
applications the router usually offers (for example, command execution). To do this, use the
following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):

1. List all the web applications your Cisco IOS supports with the show ip http server
session-module command. By default, all web applications should be active.
2. Create a subset of applications you want to activate with the ip http session-module-list
list-name module-list global configuration command, for example:
ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
3. Activate the desired applications with the ip http active-session-modules list-name
configuration command (you should also use the ip http secure-active-session-modules
command if you've enabled the HTTPS server).
4. Verify the results with the show ip http server session-module command. Only the
applications listed in your module list should be active; all others should be inactive.

Include a default username/password in web request

I've got a great question related to a previous post:

Is there any way to send the username and password with the URL request to the router so the
user is not prompted for the login?
You can specify the username and password as part of the standard URL syntax
http://username:password@host/rest-of-url, so to execute a show ip interface brief
command you could use this URL (after configuring multilevel web access on the router):
http://guest:guest@router/level/1/exec/show/ip/interface/brief