Secure Access Control Flashcards

1
Q

Types of password protection

A

1) Enable secret password
2) Line password
3) Username password

2
Q

Password Hash Types

A

1) MD5 (default, weak, Type-5)
2) SHA-256 (Type-8)
3) Scrypt (strongest available, Type-9)
4) Vigenère cipher (line password default, very weak, Type-7)

3
Q

Command to configure enable secret password

A

Router(config)# enable algorithm-type scrypt secret BLAHBLAH
- default algorithm-type is md5
- global config mode
- verify with show run | i enable

4
Q

Line Password Only Configuration

A

Router(config)# line con 0
Router(config-line)# password BLAHBLAH
Router(config-line)# login
Router(config-line)# exec-timeout 5 0
Router(config)# service password-encryption

5
Q

Line Username/Password Configuration

A

Router(config)# username BLAHUSER password BLAHPASS
Router(config)# line con 0
Router(config-line)# login local

6
Q

ip http authentication local

A
  • command to use the local creds for HTTP/S access
7
Q

security password min-length BLAHLENGTH

A
  • (Global configuration) Ensure that all configured passwords are at least a specified length
8
Q

transport input ssh

A
  • (vty lines) Allows only inbound SSH connections instead of Telnet
9
Q

login block-for BLAHSECONDS attempts BLAHTRIES within BLAHSECONDS

A
  • (Global configuration) Disables logins after a specific number of failed login attempts within a specific time
10
Q

login quiet-mode access-class BLAHACL

A
  • (Global configuration) Named or numbered ACL identifies permitted hosts to ensure that authorized devices can always connect
11
Q

login delay BLAHSECONDS

A
  • (Global configuration) Specifies a number of seconds the user must wait between unsuccessful login attempts
12
Q

service password-encryption

A
  • enables Type-7 encryption of cleartext passwords
13
Q

AAA Framework

A

1) Authentication - Who are you?
2) Authorization - What are you allowed to do?
3) Accounting - What did you do?

14
Q

Authentication Methods

A

1) Something you know - credentials
2) Something you have - certificates
3) Something you are - biometrics

15
Q

Command to configure authentication

A

Router(config)# aaa authentication BLAHSERVICE { default | BLAHLIST } BLAHMETHOD1 [ BLAHMETHOD2 …]

  • service is either login, ppp, or dot1x
  • method can be local, enable, none or group for tacacs/radius servers
  • method2 is the fallback for method1, etc
  • none method means access is allowed without creds
16
Q

Network Access Server (NAS)

A
  • a client that users contact to gain access to a protected resource
  • typically a router, switch, firewall, or access-point
17
Q

RADIUS Traits

A

1) RFC 2865, RFC 2866
2) UDP 1812 & 1813
3) combines authentication and authorization, and separates accounting
4) one-way, unidirectional, with a single challenge response
5) only encrypts password
6) network access

18
Q

TACACS+ Traits

A

1) Cisco proprietary
2) TCP 49
3) uses AAA model and separates three services
4) two-way, bidirectional, with simple challenge responses
5) encrypts entire packet body
6) device administration

19
Q

Network Access AAA Flow

A
  • usually RADIUS
    1) Access-Request - NAS to RADIUS, contains Username, Password, NAS Info
    2) Access-Challenge (Optional) - RADIUS to NAS, contains reauthentication parameters
    3) Access-Request (if Access-Challenge), NAS to RADIUS, contains Username, Password
    4) Access-Accept / Access-Reject - RADIUS to NAS, contains Reply Attributes (User Service)
    5) Accounting Request - NAS to RADIUS, contains Accounting Information
    6) Accounting Response - RADIUS to NAS, contains Acknowledgement (Accounting Info Received)
20
Q

Device Access AAA Flow

A
  • Communication between the NAS and TACACS+ server starts with an established TCP connection
    1) START - NAS to TACACS+, initiate authentication request
    2) GET USER - TACACS+ to NAS, Username:
    3) CONTINUE - NAS to TACACS+, Username = BLAHUSER
    4) GET PASS - TACACS+ to NAS, Password:
    5) CONTINUE - NAS to TACACS+, Password = BLAHPASS
    6) ACCEPT/REJECT - TACACS+ to NAS, final status
21
Q

Command to enable AAA

A

aaa new-model
- immediately applies to all lines and interfaces except line con 0
- to avoid being locked out, define a local username first

22
Q

RADIUS Config Steps

A

1) Configure RADIUS Server
2) Add RADIUS server to a group
3) Configure authentication to use the server group
4) Apply the authentication to lines

23
Q

Commands to configure RADIUS server

A

Router(config)# radius server BLAHRADSRV
Router(config-radius-server)# address ipv4 10.255.255.101 auth-port 1812 acct-port 1813
Router(config-radius-server)# key BLAHSECRET

24
Q

Command to associate RADIUS server with a group

A

Router(config)# aaa group server radius BLAHRADGRP
Router(config-sg-radius)# server name BLAHRADSRV

25
Q

Command to apply authentication to a line

A

Router(config)# line vty 0 4
Router(config-line)# login authentication BLAHMETHLIST

  • default method list is automatically applied everywhere except con0
26
Q

Commands to configure TACACS+ server

A

Router(config)# tacacs server BLAHTACSRV
Router(config-server-tacacs)# address ipv4 10.255.255.102
Router(config-server-tacacs)# port 49
Router(config-server-tacacs)# key BLAHKEY

27
Q

Command to associate TACACS+ server with a group

A

Router(config)# aaa group server tacacs+ BLAHTACGRP
Router(config-sg-tacacs+)# server name BLAHTACSRV

28
Q

Commands to configure authorization

A

Router(config)# aaa authorization exec BLAHTACLIST group BLAHTACGRP local if-authenticated
Router(config)# aaa authorization commands 15 BLAHTACLIST group BLAHTACGRP local
Router(config)# aaa authorization config-commands

  • if-authenticated - if the user is authenticated, they will immediately be dropped into enable mode
29
Q

Commands to apply authorization to a line

A

Router(config)# line vty 0 4
Router(config-line)# authorization exec BLAHLIST
Router(config-line)# authorization commands 15 BLAHLIST

  • commands - the server must return permission for any command
  • config-commands - the server must return permission for config commands
  • exec - the server must return permission for the user to run a router EXEC session
30
Q

Command to apply authorization to console lines

A

aaa authorization console

31
Q

Command to create accounting method list

A

Router(config)# aaa accounting {system | exec | commands level} {default | list-name} {start-stop | stop-only | wait-start | none} method1 [method2…]

  • system - major router events such as reload are recorded
  • exec - user authentication into an EXEC is recorded, along with info about user addr, time, and duration of the session
  • commands level - info about any command running at a specific privilege level is recorded along with the user who issued the command
  • start-stop - events are recorded when they start and stop
  • stop-only - events are recorded only when they stop
  • none - no events are recorded
32
Q

Command to apply accounting to a line

A

Router(config-line)# accounting {commands level | connection | exec} {default | list-name}