
CCIE Security Practice Labs

Section 8.0: Advanced Security

8.1: Password Protection

  1. Configure service password-encryption on all the routers so that the enable password, and the other clear-text passwords in the configuration (line and username passwords), are stored as type 7 strings; otherwise they appear in clear text in the configuration. Note that type 7 is reversible obfuscation, not a strong hash: it only stops someone reading a password over your shoulder from a show run. Use enable secret (type 5, MD5) for the enable password wherever possible.
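    To see why service password-encryption is only obfuscation, here is a decoder and encoder for type 7 strings, added as an example (it is not code from the lab page). The key is the fixed, publicly known XOR key IOS uses for type 7; the sample configuration is constructed from the type 7 lines that appear in the lab configs on this page, plus a placeholder enable secret to show that type 5 hashes are not touched.

```python
"""Decode and encode Cisco IOS type 7 strings.

Added example, not part of the original lab page. It demonstrates why
"service password-encryption" is only obfuscation: type 7 is a fixed-key
XOR that anyone holding the configuration file can reverse instantly.
"""
import re

# The fixed XOR key IOS uses for type 7. It is identical on every device and
# has been public for decades, so it provides no secrecy at all.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines carrying a type 7 string always have the literal "7" keyword;
# type 5/8/9 hashes (e.g. "enable secret 5 $1$...") are not matched.
_TYPE7_RE = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})(?=\s|$)")


def decode_type7(encoded):
    """Reverse a type 7 string.

    Format: two decimal digits giving the starting offset into the key,
    followed by one hex byte per plaintext character, each XORed with the
    key byte at (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed >= len(_XLAT):
        raise ValueError("offset %d exceeds key length" % seed)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain, seed=0):
    """Produce a type 7 string the way IOS does. IOS picks a random offset
    between 0 and 15; the offset is part of the output, so any value
    within the key length decodes correctly."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("offset must be between 0 and %d" % (len(_XLAT) - 1))
    raw = plain.encode("ascii")
    enc = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(raw))
    return "%02d%s" % (seed, enc.hex().upper())


def find_type7(config):
    """Return (encoded, decoded) pairs for every type 7 string in a config."""
    found = []
    for line in config.splitlines():
        m = _TYPE7_RE.search(line)
        if m:
            found.append((m.group(1), decode_type7(m.group(1))))
    return found


# Constructed sample: the type 7 lines from the lab configs on this page plus
# a placeholder enable secret (type 5) to show that it is left alone.
SAMPLE_CONFIG = """\
enable secret 5 $1$salt$PLACEHOLDERPLACEHOLDERPL
username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
username testconfig autocommand show run
!
line vty 0 4
 privilege level 15
 password 7 110A1016141D
 login local
!
access-list 3 permit 133.133.133.133
line vty 0 4
 access-class 3 in
 password 7 13061E010803
 login
!
"""

if __name__ == "__main__":
    for enc, dec in find_type7(SAMPLE_CONFIG):
        print("%-24s -> %s" % (enc, dec))
    # Round trip: same plaintext and offset give the string seen in the config.
    print(encode_type7("cisco", 11))  # 110A1016141D
```

    Running it against the sample shows every vty and username password in clear text within milliseconds, which is exactly why the enable password in 8.2 goes into enable secret rather than relying on this setting.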

8.2: EXEC Authentication

  1. Configure enable secret on R2.

  2. Configure authentication for shell EXEC without using the AAA engine, using the enable use-tacacs command. Note that this is not TACACS+ but the original TACACS protocol (without the +). CiscoSecure ACS is a TACACS+ server only; it does not speak TACACS.

  3. Configure fallback so that enable authentication succeeds if the TACACS server is down or cannot be reached, using enable last-resort succeed. Be aware that this leaves privileged access unauthenticated for as long as the server is unavailable; outside a lab, enable last-resort password, which falls back to the locally configured enable password, is the safer choice.
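    The three steps above combined into one configuration for R2, as an added example that is not the lab page's own configuration. The TACACS server address 10.50.13.100 and the secret are assumptions. The second fragment shows the production-minded alternative to the open fallback the lab asks for.

```cisco
! Added example, not from the lab page. Server address and secret are
! assumptions. enable use-tacacs is the legacy (pre-AAA) command; it queries
! the servers listed with tacacs-server host using the original,
! unencrypted TACACS protocol, not TACACS+.
!
! Lab configuration, steps 1 to 3 of section 8.2, on R2
enable secret LabEnableSecret
tacacs-server host 10.50.13.100
enable use-tacacs
enable last-resort succeed
!
! Safer fallback for production: when no TACACS server answers, require the
! locally configured enable password instead of succeeding unconditionally.
enable last-resort password
```

    Only one enable last-resort form can be active at a time; the second line replaces the first if both are entered.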

8.3: Access Control

  1. In this case, you can configure autocommand for a user to Telnet to the router. autocommand executes the required command and then closes the session, so the user cannot keep an interactive Telnet session:

    username testconfig privilege 15 password 7 15060E1F1029242A2E3A32
    username testconfig autocommand show run
    !
    line vty 0 4
     privilege level 15
     password 7 110A1016141D
     login local
    !
    end

    Test by Telnetting from R1 to 10.50.13.2.

    r1#telnet 10.50.13.2
    Trying 10.50.13.2 ... Open
    
    User Access Verification
    
    Username: testconfig
    Password: testconfig
    Building configuration...
    
    Current configuration : 7022 bytes
    !
    ! Last configuration change at 23:46:49 AEDT Sun Jan 19 2003
    ! NVRAM config last updated at 00:15:25 AEDT Mon Jan 20 2003
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname r3
    !
    snipped
    !
    end
    
    [Connection to 10.50.13.2 closed by foreign host]
    r1#

    As you can see, as soon as the show run command output finished, the session was closed. Keep in mind that autocommand only limits what the user can do after a successful login; the user still needs valid credentials, and show run discloses the whole configuration, including every type 7 string, to that user.

  2. Configure R5 Telnet access to permit host 133.133.133.133 only:

    access-list 3 permit 133.133.133.133
    !
    line vty 0 4
     access-class 3 in
     password 7 13061E010803
     login
    !
    end

    The standard access list ends with an implicit deny, so every other source address is refused at the vty. If the platform has more than five vty lines (for example line vty 5 15), apply the same access-class to those lines as well; otherwise a connection that lands on an unprotected vty bypasses the restriction.