Remote Management Access to IOS Devices
The examples analyzed in the previous section assumed local access to the console port of the IOS device. This section looks at remote management connections that rely on protocols such as Telnet, SSH, and HTTPS.
Remote Access Using Telnet
IOS uses the concept of Virtual Terminal (VTY) lines to receive connections related to protocols such as Telnet and SSH. The settings entered on a VTY line apply to session requests arriving on any of the router interfaces. The typical VTY-level settings follow:
- Timeout value: Defines the inactivity timeout for the terminal lines. The parameters of the exec-timeout command are respectively MINUTES and SECONDS.
- Password: The combination of the password and login commands requires a generic user initiating a Telnet session to the router to inform this password.
Example 3-22 shows the basic parameters concerning VTY configuration and the authentication sequence for a Telnet session. Privileged mode access requires an enable secret to be configured at the global level.
Example 3-22. VTY Lines for Telnet Access
line vty 0 4 exec-timeout 5 0 password cisco login ! enable secret 5 $1$k6BB$cldMRpv4a6hQ.EmbS0EPJ/ ! ! Authentication Experience for a Generic User when using Telnet User Access Verification Password:**** R1>enable Password:***** R1# !! Following authentication, the generic user obtains information about the session R1# show tcp brief TCB Local Address Foreign Address (state) 838F2330 192.168.1.201.23 192.168.1.15.3547 ESTAB
Remote Access Using SSH
The previous section demonstrated the creation of a Telnet session for generic users. (Only the password is presented; no user information is entered.) SSH, on the opposite range of the spectrum from Telnet, requires nongeneric users, meaning that the username is always requested by the device (acting as an SSH server).
Example 3-23 shows a typical sequence of tasks to enable SSH on an IOS device. The preliminary activities of setting and verifying the clock, and verifying the existence of an RSA key-pair, are still recommended and employ exactly the same commands as those analyzed for ASA in Example 3-16. A few points that deserve special attention for IOS follow:
- The aaa new-model must be enabled, so that authentication methods for each type of access can be specified. The example shows that users of the VTY lines (Telnet or SSH) are authenticated through the method-list called TERMINAL-LINES, which points to the local database.
- Specifying a hostname (distinct from the default name Router) and creating an ip domain-name). These two elements are grouped to generate a name for the RSA key-pair. It is interesting to clearly associate this key-pair to SSH usage as illustrated in the example (ip ssh keypair-name command).
Example 3-23. Enabling SSH on IOS
! Creating a username in the local database R1(config)# username user1password ##### ! ! Enabling aaa new-model (allowing an authentication method for each type of access) R1(config)# aaa new-model ! ! The authentication method for the VTY lines uses the local database R1(config)# aaa authentication login TERMINAL-LINES local R1(config)# line vty 0 4 R1(config-line)# login authentication TERMINAL-LINES ! ! Changing the default host name and creating a domain name Router(config)# hostname R1 R1(config)# ip domain-name mylab.net ! ! Generating the RSA key pair R1(config)# crypto key generate rsa The name for the keys will be: R1.mylab.net Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus : 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] %SSH-5-ENABLED: SSH 1.99 has been enabled ! ! Determining the key pair to be used for SSH R1(config)# ip ssh rsa keypair-name R1.mylab.net ! ! Displaying the SSH sessions R1# show ssh Connection Version Mode Encryption Hmac State Username 0 2.0 IN aes256-cbc hmac-sha1 Session started user1 0 2.0 OUT aes256-cbc hmac-sha1 Session started user1 %No SSHv1 server connections running. ! R1# show tcp brief TCB Local Address Foreign Address (state) 83FC0F0C 192.168.1.201.22 192.168.1.15.3756 ESTAB
Remote Access Using HTTP and HTTPS
IOS enables remote access using HTTP and HTTPS; the latter, of course, being preferable. Example 3-24 shows how to enable the HTTP Server and unveils what goes on behind the scenes when the ip http secure-server command is issued.
Example 3-25 registers how to control the web connections to the routers both from the user database and source addresses perspectives. (Chapter 14 examines the usage of more sophisticated user databases in a great level of detail.)
Example 3-24. Enabling HTTP and HTTPS on IOS
! Enabling the HTTP server R1(config)# ip http server ! ! Enabling the HTTPS Server R1(config)# ip http secure-server % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] CRYPTO_PKI: Generating self signed cert TP-self-signed-681151852 CRYPTO_PKI: Creating trustpoint TP-self-signed-681151852 CRYPTO_PKI:Insert Selfsigned Certificate: [output suppressed] CRYPTO_PKI: Self signed cert TP-self-signed-681151852 created %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate ! ! Saving the self-signed certificate R1# write memory Building configuration... PKI: Removing old cert file nvram:IOS-Self-Sig#6.cer crypto_ca_certificate: saved cert to nvram:IOS-Self-Sig#6.cer [OK][OK] ! ! Information about the self-signed certificate R1# show crypto pki certificates Router Self-Signed Certificate Status: Available Certificate Serial Number (hex): 02 Certificate Usage: General Purpose Issuer: cn=IOS-Self-Signed-Certificate-681151852 Subject: Name: IOS-Self-Signed-Certificate-681151852 cn=IOS-Self-Signed-Certificate-681151852 Validity Date: start date: 00:04:19 UTC Sep 14 2009 end date: 00:00:00 UTC Jan 1 2020 Associated Trustpoints: TP-self-signed-681151852 Storage: nvram:IOS-Self-Sig#6.cer ! R1# show running-config | include crypto|key crypto pki trustpoint TP-self-signed-681151852 rsakeypair TP-self-signed-681151852 crypto pki certificate chain TP-self-signed-681151852 hidekeys
Example 3-25. Controlling HTTP and HTTPS access
! Using the local database for web authentication ip http authentication local ! ! Defining allowed source addresses for web access access-list 1 permit 192.168.1.0 0.0.0.255 ip http access-class 1