Configuring passwords on a Cisco router

Security Configuration Guide, Cisco IOS XE Gibraltar 16.11.x (Catalyst 3650 Switches)



Chapter: Controlling Switch Access with Passwords and Privilege Levels


    Restrictions for Controlling Switch Access with Passwords and Privileges

    The following are the restrictions for controlling switch access with passwords and privileges:

    • Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.

    Restrictions and Guidelines for Reversible Password Types

    • Password types 0 and 7 are deprecated. Where they are used for administrator login (console, Telnet, SSH, WebUI, and NETCONF), they must be migrated to password type 8 or type 9.
    • No action is required for type 0 and type 7 username and password pairs that are used only for local authentication of protocols such as CHAP and EAP (for example, by ISG and Dot1x).
    • Enable passwords of type 0 and type 7 must be migrated to password type 8 or type 9.
    • Type 6 encrypted passwords are supported for username and password pairs. Automatic conversion of type 0 and type 7 passwords to type 6 is also supported.

    Restrictions and Guidelines for Irreversible Password Types

    • Password type 5 is deprecated and must be migrated to the stronger password type 8 or type 9.
    • This applies both to username secret passwords of type 5 and to enable secret passwords of type 5: migrate them to type 8 or type 9.
    • Plain text passwords are converted to non-reversible encrypted password type 9.
    • Secret password type 4 is not supported.

    Information About Passwords and Privilege Levels

    Default Password and Privilege Level Configuration

    A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

    The default password and privilege level configuration is as follows.

    Enable password and privilege level

    No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.

    Enable secret password and privilege level

    No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.

    Additional Password Security

    To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

    We recommend that you use the enable secret command because it uses an improved encryption algorithm.

    If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

    If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

    Password Recovery

    By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

    The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.

    If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

    To re-enable password recovery, use the service password-recovery global configuration command.

    Terminal Line Telnet Configuration

    When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure a password for Telnet access to the switch. If you did not configure this password during the setup program, you can configure it later by setting a Telnet password for a terminal line.

    Username and Password Pairs

    You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

    Privilege Levels

    Cisco devices use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

    Privilege Levels on Lines

    Users can override the privilege level you set with the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password of a higher privilege level, they can use that password to enable the higher level. You might specify a high privilege level for your console line to restrict its use.

    For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

    Command Privilege Levels

    When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
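The subset rule above has a side effect that is easy to miss: raising show ip traffic to level 15 also raises show itself to level 15, so a level-1 user loses every show command until show is set individually. The following added example (not Cisco's code) models that rule, together with the clear line / configure example from the "Privilege Levels on Lines" section, so you can predict the effective level table before committing it to a device. Two points are assumptions made for this example only: where two explicitly set commands imply different levels for a shared prefix, the model keeps the lower level, and commands it has not been told about are treated as level 1 (on a real device many commands default to level 15).

```python
"""Model the chapter's command-privilege rule: setting a command to a level
also sets every command whose syntax is a subset (prefix) of it, unless that
prefix was set individually. Added example, not Cisco's code. Where two
explicit commands imply different levels for a shared prefix, this model
keeps the lower one; that is an assumption made for the example."""
from typing import Dict

# Commands the model has not been told about are treated as level 1 here
# (assumption); on a real device many commands default to level 15.
DEFAULT_LEVEL = 1


def resolve_privilege_levels(explicit: Dict[str, int]) -> Dict[str, int]:
    """Return the effective level of every explicitly set command and of
    every prefix of it, e.g. {'show ip traffic': 15} also yields
    'show' -> 15 and 'show ip' -> 15."""
    effective: Dict[str, int] = {}
    for cmd, level in explicit.items():
        tokens = cmd.split()
        for n in range(1, len(tokens) + 1):
            prefix = " ".join(tokens[:n])
            if prefix in explicit:
                effective[prefix] = explicit[prefix]  # set individually: wins
            else:
                effective[prefix] = min(effective.get(prefix, level), level)
    return effective


def can_run(effective: Dict[str, int], user_level: int, cmd: str) -> bool:
    """A user may run cmd only if their level reaches the effective level of
    cmd and of every prefix they type on the way to it."""
    tokens = cmd.split()
    return all(
        user_level >= effective.get(" ".join(tokens[:n]), DEFAULT_LEVEL)
        for n in range(1, len(tokens) + 1)
    )


if __name__ == "__main__":
    # The chapter's own example: show ip traffic raised to level 15 ...
    eff = resolve_privilege_levels({"show ip traffic": 15})
    print(eff)  # 'show' and 'show ip' are now level 15 as well
    # ... which quietly locks level-1 users out of every show command.
    print("level 1 can run 'show version':", can_run(eff, 1, "show version"))
    # Setting 'show' individually back to level 1 keeps the rest reachable,
    # while 'show ip' stays at 15 because it was never set individually.
    eff = resolve_privilege_levels({"show ip traffic": 15, "show": 1})
    print("level 1 can run 'show version':", can_run(eff, 1, "show version"))
    print("level 1 can run 'show ip route':", can_run(eff, 1, "show ip route"))
    # The line-privilege example: level 2 for clear line, level 3 for configure.
    eff = resolve_privilege_levels({"clear line": 2, "configure terminal": 3})
    print("level 2 can run 'configure terminal':",
          can_run(eff, 2, "configure terminal"))
```

Run it as a script to print the three scenarios; the useful habit is to feed it the full set of privilege exec level lines you intend to configure and check that the prefixes it raises are the ones you meant to raise.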

    AES Password Encryption and Master Encryption Keys

    You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords.

    After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure the device to convert all existing weakly encrypted passwords to type-6 encrypted passwords.

    Type 0 and type 7 passwords can be autoconverted to type 6 if the AES password encryption feature and master encryption key are configured.

    Type 6 usernames and passwords are backward compatible down to Cisco IOS XE Gibraltar 16.10.x. If you downgrade to any release earlier than Cisco IOS XE Gibraltar 16.10.1, type 6 usernames and passwords are rejected. To avoid an administrator password being rejected during a downgrade after autoconversion, manually migrate the passwords used for administrator logins (management access) to irreversible password types.

    How to Control Switch Access with Passwords and Privilege Levels

    Setting or Changing a Static Enable Password

    The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:

    SUMMARY STEPS

    1. enable
    2. configure terminal
    3. enable password password (the second word is the password string to set)
    4. end
    5. show running-config
    6. copy running-config startup-config
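Step 5 of this procedure is where you check what the device actually stored, and the Restrictions and Guidelines sections above tell you what to look for: type 0 and type 7 credentials used for console, VTY, username or enable login must move to type 8 or 9, type 5 is deprecated, type 4 is unsupported, and an enable secret silently overrides an enable password. The following added example (not Cisco's code) is a small audit that reads a saved show running-config, classifies each stored credential by the type digit IOS prints in front of it, and applies those rules. The sample configuration is constructed for the example, every credential value in it is a placeholder, and the script never decodes anything.

```python
"""Audit a Cisco IOS running-config for the password types this chapter
deprecates. Added example, not Cisco's code. It only reads the type digit
that IOS stores in front of each credential; it never decodes anything."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, as 'show running-config' might print it after the
# "enable password" procedure above was followed on a device that also has
# service password-encryption. Every credential value is a placeholder.
SAMPLE_CONFIG = """\
!
service password-encryption
enable password 7 PLACEHOLDER7HEX
enable secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
username admin privilege 15 password 7 PLACEHOLDER7HEX
username netops secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
username backup secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
line con 0
 password PLACEHOLDER-CON
 login
line vty 0 4
 password 0 PLACEHOLDER-VTY
 login
!
"""

# Global-mode credentials: 'enable password|secret [type] value' and
# 'username NAME [privilege N] password|secret [type] value'.
_CRED_RE = re.compile(
    r"^(?P<where>enable|username \S+)(?: privilege \d+)?\s+"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)\s*$"
)
_LINE_RE = re.compile(r"^line (?P<line>.+?)\s*$")
# Line-mode ' password [type] value' (indented under 'line ...').
_LINE_PW_RE = re.compile(r"^\s+password\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)\s*$")


@dataclass
class Finding:
    where: str    # 'enable', 'username admin', 'line vty 0 4', ...
    keyword: str  # 'password' or 'secret'
    ptype: str    # type digit as stored; '0' when IOS printed none
    action: str   # what the chapter's guidelines require


def classify(ptype: str) -> str:
    """Map a stored password type to the guideline that applies to it."""
    if ptype in ("0", "7"):
        return "deprecated reversible type; migrate to type 8 or 9"
    if ptype == "5":
        return "deprecated type 5; migrate to type 8 or 9"
    if ptype == "4":
        return "type 4 is not supported"
    if ptype == "6":
        return "ok (type 6 AES; needs the master key on this device)"
    if ptype in ("8", "9"):
        return "ok"
    return f"unknown type {ptype}; review manually"


def audit(config_text: str) -> List[Finding]:
    """Collect every credential in the config with the action it needs."""
    findings: List[Finding] = []
    current_line = None  # name of the 'line ...' block we are inside, if any
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            current_line = None  # an unindented command ends line mode
            m = _LINE_RE.match(raw)
            if m:
                current_line = f"line {m['line']}"
                continue
            m = _CRED_RE.match(raw)
            if m:
                ptype = m["type"] or "0"
                findings.append(Finding(m["where"], m["kw"], ptype, classify(ptype)))
        elif current_line:
            m = _LINE_PW_RE.match(raw)
            if m:
                ptype = m["type"] or "0"
                findings.append(Finding(current_line, "password", ptype, classify(ptype)))
    return findings


def needs_migration(findings: List[Finding]) -> List[Finding]:
    """Credentials the chapter says must change (types 0, 7, 5 and 4)."""
    return [f for f in findings if not f.action.startswith("ok")]


def enable_status(findings: List[Finding]) -> str:
    """Apply the chapter's rule that enable secret overrides enable password."""
    kinds = {f.keyword for f in findings if f.where == "enable"}
    if {"password", "secret"} <= kinds:
        return "enable secret takes precedence; the enable password is dead config and should be removed"
    if "secret" in kinds:
        return "enable secret configured"
    if "password" in kinds:
        return "only enable password configured; replace it with enable secret"
    return "no enable password or secret configured"


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    print(enable_status(results))
    for f in needs_migration(results):
        print(f"{f.where:16} {f.keyword:8} type {f.ptype}: {f.action}")
```

On the sample it reports the enable password, the admin username password and both line passwords as deprecated reversible types, the netops secret as deprecated type 5, and notes that the enable secret already takes precedence over the enable password. Note that service password-encryption only turns type 0 into type 7, which the chapter still treats as deprecated; the audit therefore flags type 7 exactly like type 0.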
