User Security Configuration Guide, Cisco IOS Release 15MT

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• Cisco IOS Login Enhancements-Login Block
• Configuring Security with Passwords, Privileges, and Logins
• No Service Password-Recovery
• IP Traffic Export
• Role-Based CLI Access
• AutoSecure
• Configuring Kerberos
• Lawful Intercept Architecture
• Image Verification
• IP Source Tracker
• Cisco IOS Resilient Configuration

Book Title

User Security Configuration Guide, Cisco IOS Release 15MT

Configuring Security with Passwords, Privileges, and Logins

• PDF - Complete Book (3.02 MB)PDF - This Chapter (1.35 MB) View with Adobe Reader on a variety of devices

Results

Chapter: Configuring Security with Passwords, Privileges, and Logins

• Configuring Security with Passwords, Privileges, and Logins
• Finding Feature Information
• Restrictions for Configuring Security with Passwords, Privileges, and Logins
• Information About Configuring Security with Passwords, Privileges, and Logins
  • Benefits of Creating a Security Scheme
  • Cisco IOS CLI Modes
    • User EXEC Mode
    • Privileged EXEC Mode
    • Global Configuration Mode
    • Interface Configuration Mode
    • Subinterface Configuration Mode
    • Local CLI Sessions
    • Remote CLI Sessions
    • Terminal Lines Used for Local and Remote CLI Sessions
    • Protection of Access to User EXEC Mode
    • Protection of Access to Privileged EXEC Mode
    • Password Complexity Restrictions
    • Protection of Stored Credentials
    • Blocking Repeat Failed Login Attempts
    • Networking Device Is Configured to Allow Remote CLI Sessions
    • Networking Device Is Not Configured to Allow Remote CLI Sessions
    • Networking Device Is Configured to Allow Local CLI Sessions
    • Networking Device Is Not Configured to Allow Local CLI Sessions
    • A Misconfigured Privileged EXEC Mode Password Has Not Been Saved
    • Protecting Access to User EXEC Mode
      • Configuring a Password for Remote CLI Sessions
        • Troubleshooting Tips
        • Troubleshooting Tips
        • Configuring the Enable Password
          • Troubleshooting Tips
          • Troubleshooting Tips
          • Configuring the Networking Device for the First-Line Technical Support Staff
          • Verifying the Configuration for the First-Line Technical Support Staff
            • Troubleshooting Tips
            • Example: Configuring a Device to Allow Users to Clear Remote Sessions
            • Example: Configuring a Device to Allow Users to View the Running Configuration
            • Example: Configuring a Device to Allow Users to Shut Down and Enable Interfaces
            • Example: Configuring an Encrypted Preshared Key

            Configuring Security with Passwords, Privileges, and Logins

            Cisco IOS software-based networking devices provide several features that can be used to implement basic security for command-line sessions using only the operating system running on the device. These features include the following:

            • Different levels of authorization for CLI sessions to control access to commands that can modify the status of the networking device versus commands that are used to monitor the device
            • Assigning passwords to CLI sessions
            • Requiring users to log in to a networking device with a username
            • Changing the privilege levels of commands to create new authorization levels for CLI sessions

            This module is a guide to implementing a baseline level of security for your networking devices. It focuses on the least complex options available for implementing a baseline level of security. If you have networking devices installed in your network with no security options configured, or you are about to install a networking device and you need help understanding how to implement a baseline of security, this document will help you.

            Finding Feature Information

            Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

            Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

            Restrictions for Configuring Security with Passwords, Privileges, and Logins

            Your networking device must not be configured to use any local or remote authentication, authorization, and accounting (AAA) security features. This document describes only the non-AAA security features that can be configured locally on the networking device.

            For information on how to configure AAA security features that can be run locally on a networking device, or for information on how to configure remote AAA security using TACACS+ or RADIUS servers, see the Securing User Services Configuration Guide Library .

            Note

            Starting from Cisco IOS Release 15.9 (3) M2, type-6 (strong reversible encryption) is supported for username password CLI, apart from the previously supported password types: type-0 (plain-text password type) and type-7 (weak reversible encryption). With respect to irreversible encryptions, convoluted type-9 (strong irreversible encryption with magic $14$) is supported for username secret and enable secret CLIs, apart from previously supported password types: type-0 (plain-text password type), type-5 (weak irreversible encryption with magic $1$), type-8 (strong irreversible encryption with magic $8$) and type-9 (strong irreversible encryption with magic $9$).

            Information About Configuring Security with Passwords, Privileges, and Logins

            Benefits of Creating a Security Scheme

            The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on your networking devices prevents unauthorized users from making configuration changes that can disrupt the stability of your network or compromise your network security.

            The features described in this document can be combined in many different ways to create a unique security scheme for each of your networking devices.

            You can enable nonadministrative users to run a subset of the administrative commands available on the networking device by lowering the entitlement level for the commands to the nonadministrative privilege level. This can be useful for the following scenarios:

            Cisco IOS CLI Modes

            To aid in the configuration of Cisco devices, the Cisco IOS CLI is divided into different command modes. Each command mode has its own set of commands available for the configuration, maintenance, and monitoring of device and network operations. The commands available to you at any given time depending on the mode you are in. Entering a question mark ( ? ) at the system prompt (device prompt) allows you to obtain a list of commands available for each command mode.

            The use of specific commands allows you to navigate from one command mode to another. The standard order in which a user would access the modes is as follows: user EXEC mode; privileged EXEC mode; global configuration mode; specific configuration modes; configuration submodes; and configuration subsubmodes.

            The default configuration of a Cisco IOS software-based networking device allows you to configure passwords to protect access only to user EXEC mode (for local and remote CLI sessions) and privileged EXEC mode. This document describes how you can provide additional levels of security by protecting access to other modes, and commands, using a combination of usernames, passwords and the privilege command.

            Most EXEC mode commands are one-time commands, such as show or more commands, which show the current configuration status, and clear commands, which clear counters or interfaces. EXEC mode commands are not saved across reboots of the device.

            From privileged EXEC mode, you can enter global configuration mode. In this mode, you can enter commands that configure general system characteristics. You also can use global configuration mode to enter specific configuration modes. Configuration modes, including global configuration mode, allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across device reboots.

            From global configuration mode you can enter a variety of protocol-specific or feature-specific configuration modes. The CLI hierarchy requires that you enter these specific configuration modes only through global configuration mode. For example, interface configuration mode is a commonly used configuration mode.

            From configuration modes, you can enter configuration submodes. Configuration submodes are used for the configuration of specific features within the scope of a given configuration mode. For example, the subinterface configuration mode is a submode of the interface configuration mode.

            ROM monitor mode is a separate mode used when the device cannot boot properly. If your system (router, switch, or access server) does not find a valid system image to load when it is booting, the system will enter ROM monitor mode. ROM monitor (ROMMON) mode can also be accessed by interrupting the boot sequence during startup.

            The following sections contain detailed information on these command modes.

            User EXEC Mode

            When you start a session on a device, you generally begin in user EXEC mode, which is one of two access levels of the EXEC mode. For security purposes, only a limited subset of EXEC commands are available in user EXEC mode. This level of access is reserved for tasks that do not change the configuration of the device, such as determining the device status.

            If your device is configured to require users to log in the login process will require a username and a password. If you enter incorrect password three times, the connection attempt is refused.

            User EXEC mode is set by default to privilege level 1. Privileged EXEC mode is set by default to privilege level 15. For more information see the Privileged EXEC Mode. When you are logged in to a networking device in user EXEC mode your session is running at privilege level 1. When you are logged in to a networking device in privileged EXEC mode your session is running at privilege level 15. You can move commands to any privilege level between 1 and 15 using the privilege command. See the Cisco IOS Privilege Levels for more information on privilege levels and the privilege command.

            In general, the user EXEC commands allow you to connect to remote devices, change terminal line settings on a temporary basis, perform basic tests, and list system information.

            To list the available user EXEC commands, enter a question mark ( ? ). The list of commands will vary depending on the software feature set and platform you are using.

            The user EXEC mode prompt consists of the hostname of the device followed by an angle bracket (>), for example, Device>.

            The default hostname is generally Device, unless it has been changed during initial configuration using the setup EXEC command. You can also change the hostname using the hostname global configuration command.

            Examples in Cisco IOS documentation assume the use of the default name of “Device.” Different devices (for example, access servers) may use a different default name. If the device (router, access server, or switch) has been named with the hostname command, that name appears as the prompt instead of the default name.

            You can enter commands in uppercase, lowercase, or mixed case. Only passwords are case-sensitive. However, Cisco IOS documentation convention is to always present commands in lowercase.

            Privileged EXEC Mode

            In order to have access to all commands, you must enter privileged EXEC mode, which is the second level of access for the EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. In privileged EXEC mode, you can enter any EXEC command, because privileged EXEC mode is a superset of the user EXEC mode commands.

            Because many privileged EXEC mode commands set operating parameters, privileged EXEC level access should be password protected to prevent unauthorized use. The privileged EXEC command set includes those commands contained in user EXEC mode. Privileged EXEC mode also provides access to configuration modes through the configure command, and includes advanced testing commands, such as debug .

            Privileged EXEC mode is set by default to privilege level 15. User EXEC mode is set by default to privilege level 1. For more information see the User EXEC Mode. By default the EXEC commands at privilege level 15 are a superset of those available at privilege level 1. You can move commands to any privilege level between 1 and 15 using the privilege command. See the Cisco IOS Privilege Levels for more information on privilege levels and the privilege command.

            The privileged EXEC mode prompt consists of the hostname of the device followed by a pound sign (#), for example, Device#.

            To access privileged EXEC mode, use the enable command. If a privileged EXEC mode password has been configured the system will prompt you for a password after you issue the enable command. Use the exit command to leave privileged EXEC mode.

            Privileged EXEC mode is sometimes referred to as “enable mode,” because the enable command is used to enter the mode.

            If a password has been configured on the system, you will be prompted to enter it before being allowed access to privileged EXEC mode. The password is not displayed on the screen and is case-sensitive. If an enable password has not been set, privileged EXEC mode can be accessed only by a local CLI session (terminal connected to the console port).

            If you attempt to access privileged EXEC mode on a device over a remote connection, such as aTelnet connection, and you have not configured a password for privileged EXEC mode, you will see the % No password set error message. For more information on remote connections see the Remote CLI Sessions. The system administrator uses the enable secret or enable password global configuration command to set the password that restricts access to privileged EXEC mode. For information on configuring a password for privileged EXEC mode, see the Protecting Access to Privileged EXEC Mode.

            To return to user EXEC mode, use the disable command:

            Note that the password will not be displayed as you type, but is shown here for illustrational purposes. To list the commands available in privileged EXEC mode, issue question mark ( ?) at the prompt. From privileged EXEC mode you can access global configuration mode, which is described in the following section.

            Because the privileged EXEC command set contains all of the commands available in user EXEC mode, some commands can be entered in either mode. In Cisco IOS documentation, commands that can be entered in either user EXEC mode or privileged EXEC mode are referred to as EXEC mode commands. If user or privileged is not specified in the documentation, assume that you can enter the referenced commands in either mode.

            Global Configuration Mode

            The term “global” is used to indicate characteristics or features that affect the system as a whole. Global configuration mode is used to configure your system globally, or to enter specific configuration modes to configure specific elements such as interfaces or protocols. Use the configure terminal privileged EXEC command to enter global configuration mode.

            To access global configuration mode, use the configure terminal command in privileged EXEC mode:

            Note that the system prompt changes to indicate that you are now in global configuration mode. The prompt for global configuration mode consists of the hostname of the device followed by (config) and the pound sign ( # ). To list the commands available in privileged EXEC mode, issue ? at the prompt.

            Commands entered in global configuration mode update the running configuration file as soon as they are entered. In other words, changes to the configuration take effect each time you press the Enter or Return key at the end of a valid command. However, these changes are not saved into the startup configuration file until you issue the copy running-config startup-config EXEC mode command.

            The system dialog prompts you to end your configuration session (exit configuration mode) by pressing the Control (Ctrl) and “z” keys simultaneously; when you press these keys, ^Z is printed to the screen. You can actually end your configuration session by entering the Ctrl-Z key combination, using the end command, and using the Ctrl-C key combination. The end command is the recommended way to indicate to the system that you are done with the current configuration session.

            If you use Ctrl-Z at the end of a command line in which a valid command has been typed, that command will be added to the running configuration file. In other words, using Ctrl-Z is equivalent to hitting the Enter (Carriage Return) key before exiting. For this reason, it is safer to end your configuration session using the end command. Alternatively, you can use the Ctrl-C key combination to end your configuration session without sending a Carriage Return signal.

            You can also use the exit command to return from global configuration mode to EXEC mode, but this only works in global configuration mode. Pressing Ctrl-Z or entering the end command will always take you back to EXEC mode regardless of which configuration mode or configuration submode you are in.

            To exit global configuration command mode and return to privileged EXEC mode, use the end or exit command.

            From global configuration mode, you can enter a number of protocol-specific, platform-specific, and feature-specific configuration modes.

            Interface configuration mode, described in the following section, is an example of a configuration mode you can enter from global configuration mode.

            Interface Configuration Mode

            One example of a specific configuration mode you can enter from global configuration mode is interface configuration mode.

            Many features are enabled on a per-interface basis. Interface configuration commands modify the operation of an interface such as an Ethernet, FDDI, or serial port. Interface configuration commands always follow an interface global configuration command, which defines the interface type.

            For details on interface configuration commands that affect general interface parameters, such as bandwidth or clock rate, refer to the Cisco IOS Interface Configuration Guide .

            To access and list the interface configuration commands, use the interface type number command.

            To exit interface configuration mode and return to global configuration mode, enter the exit command.

            Configuration submodes are configuration modes entered from other configuration modes (besides global configuration mode). Configuration submodes are for the configuration of specific elements within the configuration mode. One example of a configuration submode is subinterface configuration mode, described in the following section.

            Subinterface Configuration Mode

            From interface configuration mode, you can enter subinterface configuration mode. Subinterface configuration mode is a submode of interface configuration mode. In subinterface configuration mode you can configure multiple virtual interfaces (called subinterfaces) on a single physical interface. Subinterfaces appear to be distinct physical interfaces to the various protocols.

            For detailed information on how to configure subinterfaces, refer to the appropriate documentation module for a specific protocol in the Cisco IOS software documentation set.

            To exit subinterface configuration mode and return to interface configuration mode, use the exit command. To end your configuration session and return to privileged EXEC mode, press Ctrl-Z or enter the end command.

            Cisco IOS CLI Sessions

            Local CLI Sessions

            Local CLI sessions require direct access to the console port of the networking device. Local CLI sessions start in user EXEC mode. See the Cisco IOS CLI Modes for more information on the different modes that are supported on your networking device. All of the tasks required to configure and manage a networking device can be done using a local CLI session. The most common method for establishing a local CLI session is to connect the serial port on a PC to the console port of the networking device and then to launch a terminal emulation application on the PC. The type of cable and connectors required and the settings for the terminal emulation application on the PC depend on the type of networking device that you are configuring. See the documentation for your networking device for more information on setting it up for a local CLI session.

            Remote CLI Sessions

            Remote CLI sessions are created between a host such as a PC and a networking device such as a router over a network using a remote terminal access application such as Telnet and SSH. Local CLI sessions start in user EXEC mode. See the Cisco IOS CLI Modes for more information on the different modes that are supported on your networking device. Most of the tasks required to configure and manage a networking device can be done using a remote CLI session. The exceptions are tasks that interact directly with the console port (such as recovering from a corrupted operating system (OS) by uploading a new OS image over the console port) and interacting with the networking device when it is in ROMMON mode.

            Telnet is the most common method for accessing a remote CLI session on a networking device.

            SSH is a more secure alternative to Telnet. SSH provides encryption for the session traffic between your local management device such as a PC and the networking device that you are managing. Encrypting the session traffic with SSH prevents hackers that might intercept the traffic from being able to decode it. See Secure Shell Version 2 Support feature module for more information on using SSH.

            Terminal Lines Used for Local and Remote CLI Sessions

            Cisco networking devices use the word “lines” to refer to the software components that manage local and remote CLI sessions. You use the line console 0 global configuration command to enter line configuration mode to configure options, such as a password, for the console port.

            Remote CLI sessions use lines that are referred to as vty lines. You use the line vty line-number [ ending-line-number ] global configuration command to enter line configuration mode to configure options, such as a password, for remote CLI sessions.

            Protection of Access to Cisco IOS EXEC Modes

            Protection of Access to User EXEC Mode

            The first step in creating a secure environment for your networking device is protecting access to user EXEC mode by configuring passwords for local and remote CLI sessions.

            You can protect access to user EXEC mode for local CLI sessions by configuring a password on the console port. See the Configuring a Password for Local CLI Sessions.

            You can protect access to user EXEC mode for remote CLI sessions by configuring a password on the vtys. See the Configuring a Password for Remote CLI Sessions for instructions on how to configure passwords for remote CLI sessions.

            Protection of Access to Privileged EXEC Mode

            The second step in creating a secure environment for your networking device is protecting access to privileged EXEC mode with a password. The method for protecting access to privileged EXEC mode is the same for local and remote CLI sessions.

            You can protect access to privileged EXEC mode by configuring a password for it. This is sometimes referred to as the enable password because the command to enter privileged EXEC mode is enable .

            Cisco IOS Password Encryption Levels

            Some of the passwords that you configure on your networking device are saved in the configuration in plain text. This means that if you store a copy of the configuration file on a disk, anybody with access to the disk can discover the passwords by reading the configuration file. The following password types are stored as plain text in the configuration by default:

            • Console passwords for local CLI sessions.
            • Virtual terminal line passwords for remote CLI sessions.
            • Username passwords using the default method for configuring the password.
            • Privileged EXEC mode passwords when they are configured with the enable password password command.
            • Authentication key chain passwords used by Routing Information Protocol version 2 (RIPv2) and Enhanced Interior Gateway Routing Protocol (EIGRP).
            • BGP passwords for authenticating BGP neighbors.
            • Open Shortest Path First (OSPF) authentication keys for authenticating OSPF neighbors.
            • Intermediate System-Intermediate System (IS-IS) passwords for authenticating ISIS neighbors.

            The following excerpt from a router configuration file shows examples of passwords and authentication keys that are stored as clear text:

             ! enable password O9Jb6D ! username username1 password 0 kV9sIj3 ! key chain trees key 1 key-string key1 ! interface Ethernet1/0.1 ip address 172.16.6.1 255.255.255.0 ip router isis ip rip authentication key-chain key2 ip authentication key-chain eigrp 1 key2 ip ospf authentication-key j7876 no snmp trap link-status isis password u7865k ! line vty 0 4 password V9jA5M !

            You can encrypt these clear text passwords in the configuration file by using the service password-encryption command. This should be considered as a minimal level of security because the encryption algorithm used by the service password-encryption command to encrypt passwords creates text strings that can be decrypted using tools that are publicly available. You should still protect access to any electronic or paper copies of your configuration files after you use the service password-encryption command.

            The service password-encryption command does not encrypt the passwords when they are sent to the remote device. Anybody with a network traffic analyzer who has access to you network can capture these passwords from the packets as they are transmitted between the devices. See the Configuring Password Encryption for Clear Text Passwords for more information on encrypting clear text passwords in configuration files.

            Many of the Cisco IOS features that use clear text passwords can also be configured to use the more secure message digest algorithm 5 (MD5). The MD5 algorithm creates a text string in the configuration file that is much more difficult to decrypt. The MD5 algorithm does not send the password to the remote device. This prevents people using a traffic analyzer to capture traffic on your network from being able to discover your passwords.

            You can determine the type of password encryption that has been used by the number that is stored with the password string in the configuration file of the networking device.

            Cisco IOS CLI Session Usernames

            After you have protected access to user EXEC mode and privileged EXEC mode by configuring passwords for them you can further increase the level of security on your networking device by configuring usernames to limit access to CLI sessions to your networking device to specific users.

            Usernames that are intended to be used for managing a networking device can be modified with additional options such as:

            See the Cisco IOS Security Command Reference for more information on how to configure the username command.

            Cisco IOS Privilege Levels

            The default configuration for Cisco IOS software-based networking devices uses privilege level 1 for user EXEC mode and privilege level 15 for privileged EXEC. The commands that can be run in user EXEC mode at privilege level 1 are a subset of the commands that can be run in privileged EXEC mode at privilege 15.

            The privilege command is used to move commands from one privilege level to another. For example, some ISPs allow their first level technical support staff to enable and disable interfaces to activate new customer connections or to restart a connection that has stopped transmitting traffic. See the Example: Configuring a Device to Allow Users to Shut Down and Enable Interfaces for an example of how to configure this option.

            The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session runs at the privilege level specified by the privilege command. For example, if you want your technical support staff to view the configuration on a networking device which will help them to troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user’s session will be logged out automatically after the user has viewed the last line of the configuration. See the Example: Configuring a Device to Allow Users to View the Running Configuration for an example of how to configure this option. To access the running configuration of a device using the show running-config command at a privilege level lower than level 15, see the Configuring a Device to Allow Users to View the Running Configuration task under the Protecting Access to Privileged EXEC Mode section.

            These command privileges can also be implemented when you are using AAA with TACACS+ and RADIUS. For example, TACACS+ provides two ways to control the authorization of router commands on a per-user or per-group basis. The first way is to assign privilege levels to commands and have the router verify with the TACACS+ server whether the user is authorized at the specified privilege level. The second way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed. For more information about implementing AAA with TACACS+ and RADIUS, see the technical note How to Assign Privilege Levels with TACACS+ and RADIUS .

            Cisco IOS Password Configuration

            Cisco IOS software does not prompt you to repeat any passwords that you configure to verify that you have entered the passwords exactly as you intended. New passwords, and changes to existing passwords, go into effect immediately after you press the Enter key at the end of a password configuration command string. If you make a mistake when you enter a new password and have saved the configuration on the networking device to its startup configuration file and exited privileged EXEC mode before you realize that you made a mistake, you may find that you are no longer able to manage the device.

            The following are common situations that can happen:

            • You make a mistake when configuring a password for local CLI sessions on the console port.
              • If you have properly configured access to your networking device for remote CLI sessions, you can Telnet to it and reconfigure the password on the console port.
              • If you have properly configured access to your networking device for local CLI sessions, you can connect a terminal to it and reconfigure the password for the remote CLI sessions.
              • You will have to perform a lost password recovery procedure.
              • If you do not have access to another account name, you will have to perform a lost password recovery procedure.

              To protect yourself from having to perform a lost password recovery procedure open two CLI sessions to the networking device and keep one of them in privileged EXEC mode while you reset the passwords using the other session. You can use the same device (PC or terminal) to run the two CLI sessions or two different devices. You can use a local CLI session and a remote CLI session or two remote CLI sessions for this procedure. The CLI session that you use to configure the password can also be used to verify that the password was changed properly. The other CLI session that you keep in privileged EXEC mode can be used to change the password again if you made a mistake the first time you configured it.

              You should not save password changes that you have made in the running configuration to the startup configuration until you have verified that your password was changed successfully. If you discover that you made a mistake configuring a password, and you were not able to correct the problem using the local and remote CLI session technique, you can power cycle the networking device so that it returns to the previous passwords that are stored in the startup configuration.

              Product Security Baseline Password Encryption and Complexity Restrictions

              Product security baseline (PSB) mandates basic security functions and features for all Cisco platforms and products.

              There are 12 priority security requirements out of the 110 mandatory requirements in version 2.0 of the product security baseline that must be met to allow the shipping of any product.

              The following two sections discuss restrictions that are relevant in AAA technology:

              • Password complexity restrictions
              • Protection of stored credentials

              Password Complexity Restrictions

              The PSB states the following requirements for password complexity restrictions on Cisco products:

              • Whenever a user or an administrator wants to create or change a password, the following restrictions apply to the products:
                • The new password contains characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.
                • No character in the new password should be repeated more than three times consecutively.
                • The new password should not be the same as the associated username, and should not be the username reversed. The password obtained by capitalization of the username or username reversed also is not accepted.
                • The new password should not be “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters therein, or by substituting “1”, “|”, or “!” for i, and substituting “0” for “o”, and substituting “$” for “s”.

                The first restriction need not be applied to passwords that are expected to be used via a numerical pin pad; in this case, passwords consisting only of digits are permitted. However, such passwords must be used only for access to messaging services, and not for general computer networking services.

                For an administrator to enable the restrictions, no particular default setting is required. Restrictions should be enabled by default on products that permit nonadministrative end users to change their own passwords.

                AAA enforces these restrictions on creating passwords used in a AAA context which includes passwords created using the username command and passwords created to download authorization data.

                The complexity restrictions are enabled or disabled using the aaa password restriction command. The behavior should be backward-compatible in allowing passwords that were configured before the complexity restrictions were enabled. The CLI should be disabled by default. When the CLI is enabled on a running device, the passwords configured prior to enabling the command should not be subject to the complexity restrictions. The passwords configured following the command should be subject to complexity restrictions. When a device is rebooted using a startup configuration containing the password complexity command enabled, the passwords present in the startup configuration should be allowed without the complexity restrictions; any passwords that are configured after the device has booted should be subject to the complexity restrictions.

                Protection of Stored Credentials

                The PSB states the following requirement for password complexity restrictions on Cisco products:

                • If the product authenticates remote entities using protocols that do not require the product to possess recoverable copies of the remote entities’ credentials, then no recoverable copies of credentials which are used only in this way are to be stored.
                • In the specific case where the product authenticates remote entities using the traditional password interchange in which the remote entity discloses its credential to the product for direct comparison against a database, stored credentials must be protected by a method at least as strong as a SHA-1 digest. The use of SHA-256 or SHA-384 instead of SHA-1 is recommended.

                To be compliant with the PSB, AAA enforces the protection of stored credentials using SHA-256.

                Blocking Repeat Failed Login Attempts

                Before you begin

                If the user attempts to login multiple times within a set time period, the device blocks further login attempts for a preset time duration. For example, if three unsuccessful login attempts are made within, 20 seconds, the user is blocked for the next 300 seconds.

                Sample Configuration

                 Device(config)#aaa authentication rejected ? Fail attempts max value Device(config)#aaa authentication rejected 3 ? in Watch time period Device(config)#aaa authentication rejected 3 in 20 ? ban Ban time period Device(config)#aaa authentication rejected 3 in 20 ban 300

                Recovering from a Lost or Misconfigured Password for Local Sessions

                Three methods can be used to recover a lost or misconfigured password for local CLI sessions over console port. The method that you will use depends on the current configuration of your networking device.

                The following sections describes the three methods that can be used to recover a lost or misconfigured password:

                Networking Device Is Configured to Allow Remote CLI Sessions

                The fastest method to recover from a lost or misconfigured password for local CLI sessions is to establish a remote CLI session with the networking device and repeat the steps in the Configuring a Password for Local CLI Sessions. Your networking device must be configured to allow remote CLI sessions and you must know the remote CLI session password to perform this procedure.

                Networking Device Is Not Configured to Allow Remote CLI Sessions

                • If you cannot establish a remote session to your networking device, and you have not saved the misconfigured local CLI session password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous local CLI session password is restored.

                Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking device only during a period of time that has been allocated for network maintenance.

                Recovering from a Lost or Misconfigured Password for Remote Sessions

                Three methods that can be used to recover from a lost or misconfigured remote CLI session password. The method that you will use depends on the current configuration of your networking device.

                Networking Device Is Configured to Allow Local CLI Sessions

                The fastest method to recover from a lost or misconfigured password for remote CLI sessions is to establish a local CLI session with the networking device and repeat the steps in the Configuring a Password for Remote CLI Sessions. Your networking device must be configured to allow local CLI sessions and you must know the local CLI session password to perform this procedure.

                Networking Device Is Not Configured to Allow Local CLI Sessions

                • If you cannot establish a local CLI session to your networking device, and you have not saved the misconfigured remote CLI session password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous remote CLI session password is restored.

                Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking device only during a period of time that has been allocated for network maintenance.

                Recovering from Lost or Misconfigured Passwords for Privileged EXEC Mode

                Two methods can be used to recover from a lost or misconfigured privileged EXEC mode password. The method that you will use depends on the current configuration of your networking device.

                A Misconfigured Privileged EXEC Mode Password Has Not Been Saved

                • If you have not saved the misconfigured privileged EXEC mode password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous privileged EXEC mode password is restored.

                Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking only device during a period of time that has been allocated for network maintenance.

                How to Configure Security with Passwords, Privileges, and Logins

                Protecting Access to User EXEC Mode

                Configuring a Password for Remote CLI Sessions

                This task will assign a password for remote CLI sessions. After you have completed this task the networking device will prompt you for a password the next time that you start a remote CLI session with it.

                Cisco IOS software-based networking devices require that you have a password configured for remote CLI sessions. If you attempt to start a remote CLI session with a device that does not have a password configured for remote CLI sessions you will see a message that a password is required and the password is not set. The remote CLI session will be terminated by the remote host.

                Before you begin

                If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal or a PC running a terminal emulation application attached to the console port.

                Your terminal, or terminal emulation application, must be configured with the settings that are used by the console port on the networking device. The console ports on most Cisco networking devices require the following settings: 9600 baud, 8 data bits, 1 stop bit, no parity, and flow control is set to “none”. See the documentation for your networking device if these settings do not work for your terminal.

                If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal attached to the console port.

                SUMMARY STEPS

                1. enable
                2. configure terminal
                3. line vty line-number [ ending-line-number ]
                4. password password
                5. end
                6. telnet ip-address
                7. exit