Cisco Device Security Flashcards
What mode is this in?
hostname#
Privileged Exec Mode
What mode is this in?
hostname>
User Exec Mode
What mode is this in?
hostname(config)#
Global Configuration Mode
What three different levels are there for basic line level security?
- Console (line con 0)
- Virtual Terminal (VTY) lines, which carry Telnet and SSH sessions
- Privileged Exec Mode (not a line, but its enable secret is normally set alongside the two line passwords)
What line number is the console at always?
0
What is a basic Telnet configuration?
- Switch(config)#int vlan 1 (you can use a different management VLAN here if you want; on a router the address goes on a routed interface instead of an SVI)
- Switch(config-if)#ip address {ip-address} {subnet-mask}
- Switch(config-if)#no shutdown
- Switch(config-if)#exit
- Switch(config)#ip default-gateway {default-gateway-address}
- Switch(config)#line vty 0 15
- Switch(config-line)#password {password}
- Switch(config-line)#login
- Caveat: Telnet sends the password and the whole session in cleartext, so anyone on the path can capture the credentials. Treat this as the bare minimum and prefer the SSH configuration further down.
What is the default inactivity timeout for administrators on Cisco Devices?
10 minutes
How would you configure a timeout to not be enforced?
- R1(config-line)#exec-timeout 0 0 (no exec-timeout is equivalent)
- Caveat: with the timeout disabled, an abandoned console or VTY session stays logged in indefinitely. Keep a timeout on every line and reserve exec-timeout 0 0 for isolated lab gear.
How would you configure a timeout of 15 minutes and 30 seconds?
exec-timeout 15 30
What configuration can you use to control which source addresses can open Telnet and SSH sessions?
- R1(config)#access-list 1 permit host 10.0.0.10
- R1(config)#line vty 0 15
- R1(config-line)#login
- R1(config-line)#password {password}
- R1(config-line)#access-class 1 in
- Only the sources the ACL permits can reach the VTY lines; every other source hits the ACL's implicit deny. access-class binds the ACL to the lines rather than to an interface, so it covers management traffic arriving on any interface.
What command can you use to ensure that all passwords are encrypted and not stored in plain text?
service password-encryption
- Caveat: this applies Cisco Type 7 encoding, which is reversible with a fixed, publicly known key. It only stops someone reading passwords off a printed or shoulder-surfed config. Wherever a command offers secret (a salted hash) instead of password, use secret.
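Why service password-encryption is not real protection, shown as an added example that is not part of the original flashcards and not Cisco code: a Type 7 encoder and decoder in Python. The only thing it relies on is the fixed translation key IOS uses for Type 7, which is public and identical on every device; the sample string 0822455D0A16 is the well-known Type 7 encoding of the word cisco, and the config lines at the bottom are constructed for the demonstration.

```python
import re
from typing import Optional

# The fixed key IOS XORs against for Type 7. It is the same on every device,
# which is why anyone holding the config can recover the plaintext.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a Type 7 string such as 0822455D0A16."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("Type 7 = two decimal digits + an even number of hex digits")
    seed = int(encoded[:2])            # starting index into XLAT, stored in the clear
    body = bytes.fromhex(encoded[2:])  # one byte per plaintext character
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce a Type 7 string the way 'service password-encryption' does.

    IOS picks the seed from 0..15 and writes it as the first two characters,
    so it adds no secrecy: the decoder reads it straight back.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    return "%02d" % seed + "".join(
        "%02X" % (ch ^ XLAT[(seed + i) % len(XLAT)]) for i, ch in enumerate(data)
    )


def reveal(config_line: str) -> Optional[str]:
    """Decode the password in a running-config line like 'username bob password 7 ...'.

    Returns None for lines with no Type 7 string, e.g. 'secret 5' / 'secret 9'
    hashes, which this trick cannot reverse.
    """
    m = re.search(r"\bpassword 7 ([0-9A-Fa-f]{4,})", config_line)
    return type7_decode(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed lines of the kind 'show running-config' prints once
    # 'service password-encryption' is on (the secret 9 value is a placeholder).
    for line in [
        "username admin password 7 0822455D0A16",
        "enable secret 9 $9$constructed-placeholder",
    ]:
        print(line, "->", reveal(line))
```

Running it prints the admin password in the clear and None for the hashed enable secret, which is the whole point: Type 7 hides a password from a glance at the screen, a hash does not give it back at all.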
How would you configure a Telnet session to use individual usernames and passwords instead of a generic global one?
- R1(config)#username {username} secret {password} (this creates the local user and hashed password that login local checks below)
- R1(config)#line console 0
- R1(config-line)#login local
- R1(config)#line vty 0 15
- R1(config-line)#login local
How many privilege levels of admin access are there on Cisco devices?
16 (0-15)
By default, what 3 levels of privilege are used?
Zero
User
Privileged
What does zero-level access provide?
5 commands only (logout, enable, disable, help and exit)
What does User Level 1 access provide?
Very limited read only access to the device
What does privilege level 15 provide?
Complete control over the device
What level of access would this command have?
R1(config)#username {username} secret {secret}
Level 1 Access
How do you enable SSH?
- R1(config)#ip domain-name {domain-name} (set a hostname and a domain name first: the RSA key pair is named after them, and IOS refuses to generate a key until a domain name exists)
- R1(config)#crypto key generate rsa modulus 2048 (without the modulus keyword IOS prompts for the size; SSH version 2 needs at least 768 bits, and 2048 or larger is the sensible choice today)
How do you configure SSH after enabling it?
- R1(config)#line vty 0 15
- R1(config-line)#transport input ssh (accepts SSH only; Telnet is refused on these lines)
- R1(config-line)#login local
- R1(config)#ip ssh version 2
What is the command to log in via SSH from a command prompt (Windows CMD, macOS or Linux shell)?
ssh -l {username} {ip-address}
What does AAA stand for?
Authentication, Authorization and Accounting
What is Cisco’s AAA Server called?
ISE (Identity Services Engine)
Which AAA protocol is commonly used for end-user services such as VPN?
RADIUS
What are the protocols used for AAA?
RADIUS and TACACS+
Which AAA protocol is commonly used for administrator access on Cisco devices, because it has more granular authorization capabilities?
TACACS+ (it separates authorization from authentication, so individual commands can be authorized per user, and it encrypts the whole packet body, whereas RADIUS encrypts only the password field)
How would you configure RADIUS on older IOS versions?
- R1(config)#username {username} secret {password}
- This creates a local user as a fallback in case connectivity to the AAA servers is lost; create it before aaa new-model so you cannot lock yourself out
- R1(config)#aaa new-model
- This turns AAA on for the device (from this point the lines use AAA method lists rather than login / login local)
- R1(config)#radius-server host {ip-address} key {key}
- R1(config)#radius-server host {ip-address} key {key}
- The second entry is a redundant server; one entry per server is enough, and one server is enough to start
- The key must match the shared secret configured on the AAA server, otherwise the two cannot talk to each other
- R1(config)#aaa group server radius {group-name}
- This command, and the server entries under it, are optional
- R1(config-sg-radius)#server {ip-address}
- R1(config-sg-radius)#server {ip-address}
- Again, redundant servers; these are the servers being put into the group you just created
- R1(config)#aaa authentication login default group radius local
- Uses all RADIUS servers configured on this device
- OR
- R1(config)#aaa authentication login default group {group-name} local
- Uses only the servers in the specified group
- Caveat: local is consulted only when none of the RADIUS servers respond. A user the RADIUS server rejects is not retried against the local database, which is the behaviour you want.
How would you configure TACACS+ on older IOS versions?
- R1(config)#username {username} secret {password}
- Creating our fallback user in case the AAA servers are not reachable
- R1(config)#aaa new-model
- R1(config)#tacacs-server host {ip-address} key {key}
- You can add another one here for redundancy as well
- R1(config)#aaa group server tacacs+ {group-name}
- R1(config-sg-tacacs+)#server {ip-address}
- R1(config)#aaa authentication login default group {group-name} local
What are some services you should disable on Cisco devices?
The HTTP server, CDP, and any other service that management does not need. Every unneeded listener is extra attack surface, and CDP in particular advertises the platform, IOS version and addressing to whatever is plugged into the adjacent port.
How would you configure RADIUS on newer IOS versions?
- R1(config)#username {username} secret {password}
- Local fallback user, created before aaa new-model
- R1(config)#aaa new-model
- R1(config)#radius server {server-name}
- This replaces the older radius-server host command; each server gets its own named block
- R1(config-radius-server)#address ipv4 {ip-address}
- R1(config-radius-server)#key {key}
- Again, this should match the key configured on the AAA server
- You can also configure a redundant server with a second radius server block under its own name and address
- R1(config)#aaa group server radius {group-name}
- Configuring the RADIUS group to group those servers together
- R1(config-sg-radius)#server name {server-name}
- R1(config)#aaa authentication login default group {group-name} local
How would you configure TACACS+ on newer IOS versions?
- R1(config)#username {username} secret {password}
- Local fallback user, created before aaa new-model
- R1(config)#aaa new-model
- R1(config)#tacacs server {server-name}
- This replaces the older tacacs-server host command; each server gets its own named block
- R1(config-server-tacacs)#address ipv4 {ip-address}
- R1(config-server-tacacs)#key {key}
- You can configure redundancy here as well with the same commands under a second tacacs server block
- R1(config)#aaa group server tacacs+ {group-name}
- R1(config-sg-tacacs+)#server name {server-name}
- Don’t forget to include the other server here if you’ve added it for redundancy
- R1(config)#aaa authentication login default group {group-name} local
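The line, SSH, ACL, timeout and AAA cards above each fix one weakness; as an added example that is not part of the flashcards and not a Cisco tool, here is a small Python audit that reads a saved running-config and flags all of them at once: plaintext or Type 7 passwords, a missing enable secret, VTY lines that still accept Telnet, no access-class, a disabled exec-timeout, lines with neither login local nor AAA, no ip ssh version 2, and an AAA login method list without a local fallback. Both configs are constructed samples: the weak one is a device set up only with the basic Telnet card, the hardened one is the same device after the later cards, with placeholder hash values and a made-up group name TACACS-GRP. It assumes the config was saved as text (for example, the output of show running-config) with IOS's usual one-space indentation under each line section.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a device set up only with the basic Telnet card.
WEAK_CONFIG = """\
hostname R1
enable password cisco123
username admin password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 login
"""

# Constructed sample: the same device after the SSH, ACL, timeout and AAA cards.
# Hash values are placeholders and TACACS-GRP is a made-up group name.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default group TACACS-GRP local
enable secret 9 $9$placeholder
username admin secret 9 $9$placeholder
ip domain-name example.test
ip ssh version 2
access-list 1 permit host 10.0.0.10
line con 0
 exec-timeout 5 0
line vty 0 15
 exec-timeout 5 0
 access-class 1 in
 transport input ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split running-config text into global commands and per-'line' blocks.
    IOS indents the commands under 'line con 0' / 'line vty 0 4' by one space."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (where, finding) pairs for weak settings; an empty list means clean."""
    g, blocks = parse_config(text)
    out: List[Tuple[str, str]] = []
    aaa = "aaa new-model" in g
    if not any(c.startswith("enable secret") for c in g):
        out.append(("global", "no 'enable secret' protecting privileged EXEC"))
    if "ip ssh version 2" not in g:
        out.append(("global", "SSH not pinned to version 2"))
    for c in g:
        if re.search(r"\bpassword 7 ", c):
            out.append(("global", "type 7 (reversible) password: " + c))
        elif re.search(r"\bpassword (0 )?\S", c):
            out.append(("global", "plaintext password: " + c))
    if aaa:
        lists = [c for c in g if c.startswith("aaa authentication login default")]
        if not lists or lists[0].split()[-1] != "local":
            out.append(("global", "AAA login list has no 'local' fallback for unreachable servers"))
    for name, cmds in blocks.items():
        where = "line " + name
        for c in cmds:
            if c.startswith("password 7 "):
                out.append((where, "type 7 (reversible) line password"))
            elif c.startswith("password "):
                out.append((where, "plaintext line password"))
            if c == "exec-timeout 0 0":
                out.append((where, "idle timeout disabled"))
        if not aaa and "login local" not in cmds:
            out.append((where, "no per-user authentication ('login local') and AAA is off"))
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or {"telnet", "all"} & set(transport.split()):
                out.append((where, "Telnet still accepted: " + (transport or "default transport")))
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                out.append((where, "no inbound access-class restricting source addresses"))
    return out


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for where, what in findings:
            print(f"  [{where}] {what}")
```

Point it at a real config by reading the file into a string and calling audit on it. The login check deliberately changes meaning once aaa new-model is present: IOS then drops the per-line login command from the running config and authenticates every line through the default method list, so the thing to verify is that the list ends in local, not that each line says login local.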
What does NTP stand for?
Network Time Protocol
How do you configure a device to be an NTP client?
- R1(config)#clock timezone {timezone-name} {hours-offset-from-UTC} (negative for zones west of UTC)
- Example: clock timezone PST -8
- R1(config)#ntp server {ip-address-of-NTP-server}
- Accurate time is a security control, not a convenience: log timestamps cannot be correlated across devices and certificate validity periods cannot be checked without it. A plain ntp server entry trusts whatever answers at that address; IOS also supports authenticated NTP with a shared key for networks where a spoofed time source is a concern.
What commands would you use to verify NTP?
- R1#show clock
- R1#show ntp status (reports whether the clock is synchronized, and to which stratum and reference)