25 - Implementing Secure Access Control Flashcards
What command sets the password for privileged EXEC mode (full privileges) on a router? By default the password appears in the running config as an MD5 (type 5) hash.
enable secret <password>
What command chooses the algorithm used to hash a configured enable password?
enable algorithm-type {md5 | sha256 | scrypt} secret <password>
When viewed in the running config, a password hashed with SHA-256 shows the number _ before the hash value, while a password hashed with scrypt shows the number _. The scrypt algorithm is considered more resistant to brute-force attacks than SHA-256. The MD5 algorithm is now considered insecure and should be avoided; if it is used, the number _ appears before the hash value.
8, 9, 5
What command defines a line password that still shows up in the running config in clear text?
password <password>
What command encrypts line passwords with an encryption that isn't very strong? It uses a Vigenère-style cipher, also known as type 7 encryption.
service password-encryption
While this type of encryption hides passwords from a casual observer, it can be easily deciphered by anyone who obtains the router's running config. Cisco therefore recommends configuring username/secret combinations (the username ... secret command) instead of relying on it.
Vigenère cipher, also known as type 7 encryption
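The following Python script is an added example, not code from the original flashcards, that shows concretely why type 7 is only obfuscation. The 53-byte keystream is the fixed table IOS uses; the first two characters of a stored type 7 string are a decimal offset into it, and every following hex pair is one password byte XORed with the next table byte. The test vector 14141B180F0B decoding to "cisco" is widely published; the config lines in the main block are constructed.

```python
# Added example: decode and re-encode Cisco IOS "type 7" passwords.
# Not code from the original flashcards. XLAT is the fixed 53-byte keystream
# IOS uses for 'service password-encryption'; the first two characters of a
# stored type 7 string are the decimal offset into it.

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the cleartext from a 'password 7 <string>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of characters, minimum 4")
    seed = int(encoded[:2], 10)          # two decimal digits; IOS uses 0..15
    body = bytes.fromhex(encoded[2:])    # each hex pair is one obfuscated byte
    plain = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """Produce the string IOS would store for 'plain' at the given seed offset."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS only uses seed offsets 0..15")
    data = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


if __name__ == "__main__":
    # Constructed running-config lines as they look after 'service password-encryption'.
    # 14141B180F0B is the widely published test vector for the password "cisco".
    for line in ("username ops password 7 14141B180F0B",
                 "password 7 " + encode_type7("S3cret!", seed=9)):
        print(f"{line:45} -> {decode_type7(line.split()[-1])!r}")
```

Because the keystream is fixed and the seed is stored in the string itself, no secret is involved at all: anyone holding the running config recovers every type 7 value instantly, which is why these cards treat it as clear text for practical purposes.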
What command enables the ability for someone to log in to the console port, supplying the configured password as their only authentication credential?
login
What command prevents users from remaining connected to a console port after they leave a station? With this setting, when no user input is detected for 5 minutes the session is automatically disconnected.
exec-timeout 5 0
What command populates the local user database?
username <name> privilege <level> secret <password>
Using the username ... secret command produces a __ (type 5) hash of the password in the router's running config, which is more secure than type 7 encryption but can still be improved upon by using type 8 or type 9.
MD5
When viewing the running config, each stored password is preceded by a number identifying the algorithm used to store it. What are these?
- 5 for MD5 (type 5)
- 7 for Vigenère (type 7; reversible obfuscation, not a hash)
- 8 for type 8 (SHA-256)
- 9 for type 9 (scrypt)
What command ensures all newly configured passwords are at least a specific length?
security passwords min-length <length>
What command allows only inbound SSH connections instead of telnet?
Transport input ssh
What command disables logins after a specific number of failed login attempts within a specific time?
login block-for <seconds> attempts <tries> within <seconds>
What command references a named or numbered ACL identifying permitted hosts, so that authorised devices can still connect during the quiet period?
login quiet-mode access-class {acl-name | acl-number}
What command specifies the number of seconds a user must wait between unsuccessful login attempts?
login delay <seconds>
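The cards above describe what a hardened config looks like; the Python script below is an added example, not code from the original flashcards, that audits a saved running-config for the same points: credentials stored as type 0, 5 or 7 rather than 8 or 9, terminal lines with no idle timeout, no login, or Telnet still allowed, and the missing global login block-for and minimum-length settings. The config text and the hash values in it are constructed placeholders.

```python
# Added example: audit a saved Cisco IOS running-config for weak password
# storage types and missing line hardening. Not code from the original
# flashcards; SAMPLE_CONFIG is constructed and its hash values are placeholders.
import re

SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$notarealmd5hash
username admin privilege 15 secret 9 $9$placeholder$notarealscrypthash
username ops password 7 14141B180F0B
username guest password 0 letmein
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
"""

# Matches 'enable secret/password', 'username ... secret/password' and line
# 'password' statements. The type digit is optional: no digit means clear text.
CRED_RE = re.compile(
    r"^(?P<cmd>enable (?:secret|password)|username (?P<user>\S+).*?\b(?:secret|password)|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$"
)

WEAK_TYPES = {
    "0": "cleartext",
    "7": "type 7 (Vigenere keystream, trivially reversible)",
    "5": "type 5 (MD5, deprecated: migrate to type 8 or 9)",
}


def audit_credentials(config: str) -> list[str]:
    """Flag every stored credential that is not a type 8 or type 9 hash."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = CRED_RE.match(line)
        if m is None:
            continue
        ptype = m.group("type") or "0"
        if ptype in WEAK_TYPES:
            findings.append(f"{line}: {WEAK_TYPES[ptype]}")
    return findings


def _line_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group each 'line con/vty/aux' stanza with its indented sub-commands."""
    blocks: list[tuple[str, list[str]]] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any non-indented command ends the stanza
    return blocks


def audit_lines(config: str) -> list[str]:
    """Check each terminal line for idle timeout, required login and SSH-only transport."""
    findings = []
    for name, cmds in _line_blocks(config):
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None or all(int(x) == 0 for x in timeout.split()[1:]):
            findings.append(f"{name}: no idle timeout (exec-timeout missing or 0)")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: no login required")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            allowed = transport.split()[2:] if transport else []
            if "ssh" not in allowed or "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: transport input should be 'ssh' only")
    return findings


def audit_global(config: str) -> list[str]:
    """Global hardening commands covered by these cards."""
    findings = []
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+$", config, re.M):
        findings.append("no 'login block-for' brute-force protection")
    if not re.search(r"^security passwords min-length \d+$", config, re.M):
        findings.append("no 'security passwords min-length'")
    return findings


def audit(config: str) -> list[str]:
    return audit_credentials(config) + audit_lines(config) + audit_global(config)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the type 5 enable secret, the type 7 and clear-text usernames, the VTY lines' missing exec-timeout and Telnet transport, and the two missing global commands; the type 9 admin user and the hardened console line produce nothing.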
What are the 3 A’s of AAA?
Authentication – who are you?
Authorisation – what are you allowed to do?
Accounting – what did you do?
RADIUS and TACACS+ are __ protocols.
AAA
Both RADIUS and TACACS+ use the __ model.
client-server
What is the AAA process when using TACACS+ or RADIUS?
- A user or machine sends a request to a client. The client is also called a Network Access Server (NAS); typically it is a router, switch, firewall or AP.
- The client then communicates with a server by exchanging RADIUS or TACACS+ messages.
- If authentication is successful, the user is granted access to a protected resource such as a device CLI, network, and so on.
What are the features of RADIUS?
- Transport protocol = UDP, ports 1812 (authentication/authorisation) and 1813 (accounting)
- AAA support = combines authentication and authorisation, separates accounting
- Challenge/response = one-way (unidirectional), with a single challenge/response
- Security = encrypts only the password in the packet; the rest, including the username, is clear text
- Type = network access
What are the features of TACACS+?
- Cisco proprietary
- Transport protocol = TCP port 49
- AAA support = uses the AAA model and separates all three services
- Challenge/response = two-way (bidirectional), with multiple challenge/responses
- Security = encrypts the entire packet body; only the header is clear text
- Type = device administration
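What "encrypts only the password" versus "encrypts the entire packet body" means on the wire is easiest to see by building both packets. The Python below is an added example, not code from the original flashcards: the RADIUS side implements the User-Password hiding of RFC 2865 section 5.2 (MD5 of shared secret plus Request Authenticator, chained per 16-byte block), and the TACACS+ side implements the pseudo-pad of RFC 8907 section 4.5 over a PAP authentication START body. Shared secrets, session id, username and password are constructed for the example.

```python
# Added example: RADIUS hides only User-Password (RFC 2865 5.2), TACACS+
# obfuscates the whole body after the header (RFC 8907 4.5). Not code from
# the original flashcards; secrets and credentials below are constructed.
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------- RADIUS: only the User-Password attribute is hidden ----------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks, then c(n) = p(n) XOR MD5(secret + c(n-1)), c(0) = authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 byte passwords")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: what the server, or anyone with the secret, does."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain, prev = plain + _xor(block, hashlib.md5(secret + prev).digest()), block
    return plain.rstrip(b"\x00")  # strips padding; passwords ending in NUL are not representable


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) carrying User-Name (1) in clear and User-Password (2) hidden."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username), (2, radius_hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


# ---------- TACACS+: everything after the 12-byte header is obfuscated ----------

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1); concatenate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action LOGIN, priv_lvl 1, authen_type PAP (password in data), service LOGIN."""
    return (struct.pack("!BBBBBBBB", 1, 1, 2, 1, len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header: version 0xC0, type 1 (authentication), seq_no, flags 0, session_id, body length."""
    header = struct.pack("!BBBBII", 0xC0, 0x01, seq_no, 0x00, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, 0xC0, seq_no)


if __name__ == "__main__":
    user, pw = b"admin", b"SecretPass1"
    rpkt = radius_access_request(user, pw, b"SecretRAD")
    print("RADIUS : username visible:", user in rpkt, " password visible:", pw in rpkt)
    tpkt = tacacs_packet(tacacs_authen_start(user, b"tty0", b"10.0.0.5", pw), 0x12345678, b"SecretTAC")
    print("TACACS+: username visible:", user in tpkt, " password visible:", pw in tpkt)
```

Note that neither scheme is real encryption by modern standards: both reduce to an MD5-derived keystream under a static shared secret, so the practical protections are a strong, unique key per server and a management network or IPsec between NAS and server. The difference the cards point at is scope, not strength: a RADIUS capture exposes the username and every other attribute, while a TACACS+ capture exposes only the header.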
Which command enables AAA services?
aaa new-model
Which command configures a local username?
username admin secret adminpass
Which command specifies local AAA only?
aaa authentication login default local
Which command uses RADIUS first and local AAA as a fallback? (The fallback is used only when no RADIUS server responds, not when RADIUS rejects the user.)
aaa authentication login default group radius local
Until ___ command is enabled, all other AAA commands are hidden.
aaa new-model
How do you configure RADIUS for console and VTY access?
Configure the radius server:
Router(config)# radius server RADSRV
Router(config-radius-server)# address ipv4 10.255.255.101 auth-port 1812 acct-port 1813
Router(config-radius-server)# key SecretRAD
Associate the RADIUS server with a server group:
Router(config)# aaa group server radius RADSRVGROUP
Router(config-sg-radius)# server name RADSRV
Configure aaa authentication login to use a server group with a fallback to local:
Router(config)# aaa authentication login SRVAUTH group RADSRVGROUP local
Configure the named method list to the console:
Router(config)# line con 0
Router(config-line)# login authentication SRVAUTH
Configure the named method list to the vty 0 4 lines:
Router(config)# line vty 0 4
Router(config-line)# login authentication SRVAUTH
How do you configure TACACS+ for console and VTY access?
Configure the TACACS+ server:
Router(config)# tacacs server TACSRV
Router(config-server-tacacs)# address ipv4 10.255.255.102
Router(config-server-tacacs)# key SecretTAC
Associate the TACACS+ server with a server group:
Router(config)# aaa group server tacacs+ TACSRVGROUP
Router(config-sg-tacacs+)# server name TACSRV
Configure aaa authentication login to use the server group with a fallback to local. Because this is the default method list, it applies to the console and VTY lines without a per-line login authentication command:
Router(config)# aaa authentication login default group TACSRVGROUP local
Once AAA is enabled on a Cisco IOS device and the aaa authentication command is configured, you can optionally configure the dependent AAA functions aaa __ and aaa __.
aaa authorization, aaa accounting
How do you configure AAA authorisation?
Configure AAA authorisation using a named method list with a server group and a fallback to the local database:
Router(config)# aaa authorization exec MYTACAUTH group TACSRVGROUP local if-authenticated
Router(config)# aaa authorization commands 15 MYTACAUTH group TACSRVGROUP local
Router(config)# aaa authorization config-commands
Configure authorisation using a named method applied to the vty lines:
Router(config)# line vty 0 4
Router(config-line)# authorization exec MYTACAUTH
Router(config-line)# authorization commands 15 MYTACAUTH
After a user is authenticated, the device allows access to certain services or commands based on the user's privilege level. Authenticated users are placed at the __ level by default.
user EXEC (privilege level 1)
Authorisation is not applied to the console unless the ___ command is present in the configuration; by default it is not.
aaa authorization console
How do you configure AAA accounting?
Configure AAA accounting using a named method list with a server group:
Router(config)# aaa accounting exec MYTACACC start-stop group TACSRVGROUP
Router(config)# aaa accounting commands 15 MYTACACC start-stop group TACSRVGROUP
Configure accounting using a named method applied to the VTY lines:
Router(config)# line vty 0 4
Router(config-line)# accounting exec MYTACACC
Router(config-line)# accounting commands 15 MYTACACC
The function triggering the accounting can be one of the following keywords:
- system: major router events such as a reload
- exec: user authentication into an EXEC session is recorded
- commands <level>: information about any command run at the specified privilege level is recorded
You can specify which types of accounting records are sent to the accounting server using the following keywords:
- start-stop: events are recorded when they start and when they stop
- stop-only: events are recorded only when they stop
- none: no events are recorded