Section 8.0: Advanced Security
8.1: Password Protection
Configure service password-encryption on all the routers to encrypt the enable password; otherwise, they will appear in clear text in the configuration.
8.2: EXEC Authentication
Configure enable secret on R2.
Configure authentication for shell EXEC without using the AAA engine using the enable use-tacacs command. Note that this is not TACACS+ but TACACS server (without the +). CiscoSecure ACS is not a TACACS server but TACACS+ only.
Configure fallback to pass authentication in the event the TACACS server is down or not found using enable last-resort succeed.
8.3: Access Control
In this case, you can configure autocommand for a user to Telnet to the router. autocommand will execute the required command and exit the session. This way the user will not be able to keep its Telnet session:
Configure R5 Telnet access to permit host 220.127.116.11 only:
username testconfig privilege 15 password 7 15060E1F1029242A2E3A32 username testconfig autocommand show run ! line vty 0 4 privilege level 15 password 7 110A1016141D login local ! end
Test by Telnetting from R1 to 10.50.13.2.
r1#telnet 10.50.13.2 Trying 10.50.13.2 ... Open User Access Verification Username: testconfig Password: testconfig Building configuration... Current configuration : 7022 bytes ! ! Last configuration change at 23:46:49 AEDT Sun Jan 19 2003 ! NVRAM config last updated at 00:15:25 AEDT Mon Jan 20 2003 ! version 12.1 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname r3 ! snipped ! end [Connection to 10.50.13.2 closed by foreign host] r1#
As you can see, as soon as the show run command output finished, the session was closed.
access-list 3 permit 18.104.22.168 ! line vty 0 4 access-class 3 in password 7 13061E010803 login ! end