This chapter describes the commands used to configure router security.
To log in to a remote router to make configuration changes, use the login command.
LOGIn ip address | ethernet address | REmote | connectionid
None
System or profile mode
You can only log in to a remote Cisco 700 series router that is directly connected to your terminal or has an active ISDN or Ethernet connection to your router. After five minutes of no activity, you are logged out of the remote router. Use the logout command to manually log out of the remote router.
Used without an argument or keyword, this command enables you to log in to a router directly connected to your terminal through the console port.
If access to the router has been restricted with the set local access command, you are required to enter the router system password before making any configuration changes.
The following example enables you to log in to a remote router across the ISDN connection using the remote router's IP address:
Host> login 150.150.50.25
logout
set local access
set remote access
To end any remote session initiated by the login command, use the logout command.
LOGOut
This command does not contain any keywords or arguments.
None
System or profile mode
The following example ends a remote session initiated with the login command:
Host> logout
login
To change the caller ID authentication, use the set cliauthentication command:
SEt CLIAuthentication OFf | ON [MInimummatch]
| Keyword | Description |
|---|---|
| on | Enables caller ID authentication. |
| off | Disables caller ID authentication. |
| minimummatch | Defines the minimum number of digits in the caller ID that must match, as read from right to left. The clivalidatenumber can be a subset of the caller ID number. If this parameter is not included, the numbers must match exactly. |
Off
Profile mode
The set cliauthentication command allows the router to use an incoming caller ID to direct an incoming ISDN call to the correct user profile. Within a profile, if cliauthentication is on and clivalidatenumber is specified, the router tries to match the caller ID number presented in the call setup against this clivalidatenumber. If the numbers match, incoming PPP authentication is disabled for this call and the matching profile is used for the connection. If no match is found in any of the profiles, the call is processed based on the configuration parameters.
If the minimummatch keyword is specified, the two numbers are considered a match if the digits are exactly the same or if clivalidatenumber is a subset of the caller ID number when the digits are compared from right to left. If the caller ID number has fewer digits than clivalidatenumber, it is never considered a match, as shown below:
| Caller ID | clivalidatenumber | Result |
|---|---|---|
| 5551234 | 5551234 | Match |
| 4085551234 | 5551234 | Match if minimummatch specified |
| 5551234 | 4085551234 | Never a match |
The following example turns on caller ID authentication and allows the call if clivalidatenumber is a subset of the caller ID:
Host:Profile> set cliauthentication on minimummatch
Host:Profile> set 1 clivalidatenumber 5261111
If the router receives an incoming call that carries the caller ID number 4085261111, the router tries to match 4085261111 against 5261111. Because 5261111 is a subset of 4085261111, this is considered a match, and the router uses this profile to connect the call. If the numbers do not match any of the other profiles, the call is processed as dictated by the configuration. (It is not possible to specify the number of digits to match.)
Because clicallback rejects calls when a match is found and cliauthentication accepts calls when a match is found, clicallback has precedence over cliauthentication. For cliauthentication to be active, clicallback must be turned off.
set clicallback
set clivalidatenumber
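The comparison rule described above (exact match by default, right-to-left subset match with minimummatch, and never a match when the caller ID is shorter than clivalidatenumber) is modelled below as an added Python example. It is not Cisco's code; the function names, the select_profile helper and the profile table are constructed for the illustration, and the helper goes slightly beyond the text by checking one caller ID against several profiles in turn.

```python
# Added example (not Cisco's code): models the caller ID comparison rule used by
# set cliauthentication together with set clivalidatenumber.

def caller_id_matches(caller_id: str, clivalidatenumber: str, minimummatch: bool = False) -> bool:
    """Return True if caller_id satisfies the profile's clivalidatenumber.

    Without minimummatch the two numbers must be identical. With minimummatch,
    clivalidatenumber must equal the rightmost digits of the caller ID. A caller ID
    with fewer digits than clivalidatenumber never matches.
    """
    # Assumption: strip any separators a switch might present; compare digits only.
    caller = "".join(ch for ch in caller_id if ch.isdigit())
    wanted = "".join(ch for ch in clivalidatenumber if ch.isdigit())
    if not caller or not wanted:
        return False
    if len(caller) < len(wanted):
        return False                    # "Never a match" row of the table
    if not minimummatch:
        return caller == wanted         # exact match required
    return caller.endswith(wanted)      # right-to-left subset match


def select_profile(caller_id: str, profiles: dict, minimummatch: bool = False):
    """Return the first profile name whose clivalidatenumber matches, else None.

    `profiles` maps profile name -> clivalidatenumber; a profile without a
    clivalidatenumber (empty string) cannot be selected by caller ID.
    """
    for name, number in profiles.items():
        if number and caller_id_matches(caller_id, number, minimummatch):
            return name
    return None


if __name__ == "__main__":
    # Rows of the table above, plus the 4085261111 / 5261111 worked example.
    cases = [
        ("5551234", "5551234", False, True),
        ("4085551234", "5551234", False, False),
        ("4085551234", "5551234", True, True),
        ("5551234", "4085551234", True, False),
        ("4085261111", "5261111", True, True),
    ]
    for cid, valid, mm, expected in cases:
        assert caller_id_matches(cid, valid, mm) == expected
    # Constructed profile table: only branch2 has a matching clivalidatenumber.
    profiles = {"branch1": "5551234", "branch2": "5261111", "leasedline": ""}
    print(select_profile("4085261111", profiles, minimummatch=True))
```

Note that without minimummatch the second table row (4085551234 against 5551234) is rejected, which is the behaviour to expect when a switch delivers the caller ID with an area code the profile does not list.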
To change the callback delay, use the set clicallback command:
SEt CLICallback OFf | ON [# of digit to match] [DElay seconds]
| Keyword or argument | Description |
|---|---|
| on | Enables caller ID callback. |
| off | Disables caller ID callback. |
| # of digit to match | The minimum number of digits (from right to left) to be matched. |
| seconds | The time between the rejection of incoming messages and the callback. The delay can be set to any value in the range of 3 to 30 seconds. |
Ten-second delay for all switch types.
Profile mode
In software Release 4.0(1), the callback delay was a fixed value of 3 seconds. In software Release 4.1(2) and higher, the value can be set from 3 to 30 seconds by using the set clicallback delay command.
Because clicallback rejects calls when a match is found and cliauthentication accepts calls when a match is found, clicallback has precedence over cliauthentication. For cliauthentication to be active, clicallback must be turned off.
The following example sets the callback delay to 7 seconds:
Host> set clicallback on delay 7
set caller id receive number
set clivalidatenumber
To turn the HTTP (Hypertext Transfer Protocol) server on or off, use the set clickstart command.
SEt CLICKstart ON | OFf
| Keyword | Description |
|---|---|
| on | Turns the HTTP server on, allowing access by ClickStart. |
| off | Turns the HTTP server off, blocking access by ClickStart. |
On
System mode
When the HTTP server is on, anyone can use ClickStart and a Web browser to change the configuration, with no restrictions. To block unauthorized access, the HTTP server can be turned off.
The following example turns the HTTP server off:
Host> set clickstart off
show security
To set the callback validation number, use the set clivalidatenumber command:
SEt [link] CLIValidatenumber [= number subaddress]
| Argument | Description |
|---|---|
| link | A logical 64/56 kbps data path assigned to users, numbered sequentially beginning with 1. The unit is limited to two links. |
| number | The ISDN telephone number used for validation. |
| subaddress | Subaddress of a device on a multipoint ISDN line. Can consist of 1 to 10 digits. |
None
Profile mode
Callback support for software Release 4.0(1) compared the caller ID number in the call setup message against the called number of every user-defined profile. If there was a match and clicallback was on, the router rejected the call and originated a callback using the called number.
In software Release 4.1(2), the caller ID number can be different from the called number. If clivalidatenumber is specified within a profile, the router tries to match the caller ID number with clivalidatenumber. If the numbers match, the router calls back to the remote device using the called number listed in the profile, or it uses the backup number if the first attempt failed.
If clivalidatenumber is not specified or the numbers do not match, the router tries to match the caller ID number with the called number. If the numbers match, the router calls back to the remote device using the called number listed in the profile, or it uses the backup number if the first attempt fails.
If cliauthentication is on, clicallback is off, and clivalidatenumber is specified, the router tries to match the caller ID number against clivalidatenumber in the profile. If the numbers match, incoming PPP authentication is disabled for this call, and the matching profile is used for the connection. If no match is found in any of the profiles, the call is processed based on the configuration parameters.
Because clicallback rejects calls when a match is found and cliauthentication accepts calls when a match is found, clicallback has precedence over cliauthentication. For cliauthentication to be active, clicallback must be turned off.
In the following example, the router tries to match the caller ID number in the call setup against 0191112345 (clivalidatenumber). If the numbers match, the router rejects the call and originates a callback using the number 013452341234 (called number). If the call back fails, the router tries the number 013453333111 (backup number). If the clivalidatenumber and caller ID numbers do not match, the router tries to match the number 013452341234 (called number) and proceeds normally.
host:profile> set clicallback ON
host:profile> set 1 clivalidatenumber 0191112345
host:profile> set 1 number 013452341234
host:profile> set 1 backupnumber 013453333111
Note that clivalidatenumber is used to match the caller ID number only. This number is not used to call back to the remote device.
set backupnumber
set caller id receive number
set clicallback
set number
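The precedence rules stated above (clicallback first, matching clivalidatenumber then the called number, callback to the called number with the backup number as the second attempt, and cliauthentication only when clicallback is off) are modelled in the added Python example below. This is not Cisco's code: the Profile class, dispose_call function and return values are constructed for the illustration, the numbers are taken from the example above, and the comparison is assumed to be a right-to-left match of the whole configured number (the "# of digit to match" option is not modelled).

```python
# Added example (not Cisco's code): models how an incoming call is handled by a
# profile's clicallback, cliauthentication and clivalidatenumber settings.
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    number: str                      # called number (set number)
    backupnumber: str = ""           # set backupnumber; empty if none
    clivalidatenumber: str = ""      # set clivalidatenumber; empty = not specified
    clicallback: bool = False        # set clicallback on/off
    cliauthentication: bool = False  # set cliauthentication on/off


def _number_matches(caller_id: str, configured: str) -> bool:
    # Assumption: right-to-left comparison of the whole configured number; an
    # unset number or a caller ID shorter than the configured number never matches.
    return bool(configured) and len(caller_id) >= len(configured) and caller_id.endswith(configured)


def dispose_call(caller_id: str, profile: Profile):
    """Decide what the router does with an incoming call that carries caller_id.

    Returns one of:
      ("callback", [numbers])           call rejected; the router dials the numbers in order
      ("accept_no_ppp_auth", name)      caller ID selected the profile; PPP authentication skipped
      ("normal", None)                  no caller ID decision; processed per configuration
    """
    if profile.clicallback:
        # clicallback has precedence: clivalidatenumber is tried first, then the called number.
        if (_number_matches(caller_id, profile.clivalidatenumber)
                or _number_matches(caller_id, profile.number)):
            dial_order = [n for n in (profile.number, profile.backupnumber) if n]
            return ("callback", dial_order)
        return ("normal", None)
    # cliauthentication is only effective while clicallback is off.
    if profile.cliauthentication and _number_matches(caller_id, profile.clivalidatenumber):
        return ("accept_no_ppp_auth", profile.name)
    return ("normal", None)


# Constructed profiles reusing the numbers from the example above.
CALLBACK_PROFILE = Profile(name="branch", number="013452341234", backupnumber="013453333111",
                           clivalidatenumber="0191112345", clicallback=True)
AUTH_PROFILE = Profile(name="remote1", number="5551234", clivalidatenumber="5261111",
                       cliauthentication=True)
BOTH_ON = Profile(name="both", number="5551234", clivalidatenumber="5261111",
                  clicallback=True, cliauthentication=True)

if __name__ == "__main__":
    print(dispose_call("0191112345", CALLBACK_PROFILE))    # callback: called number, then backup
    print(dispose_call("013452341234", CALLBACK_PROFILE))  # matched the called number instead
    print(dispose_call("5559999", CALLBACK_PROFILE))       # no match: processed normally
    print(dispose_call("4085261111", AUTH_PROFILE))        # PPP authentication skipped
    print(dispose_call("4085261111", BOTH_ON))             # clicallback wins over cliauthentication
```

The last case is the one worth checking on a real unit: with both features on, a caller that matches clivalidatenumber is called back rather than connected without PPP authentication, which is why the text says clicallback must be off for cliauthentication to take effect.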
To restrict the commands allowed at the local port, use the set local access command.
SEt LOcalaccess ON | PArtial | PROtected
| Keyword | Description |
|---|---|
| on | Sets commands to be performed without restriction. |
| partial | Sets commands to be performed with partial restrictions. |
| protected | Sets commands to be performed with system password only. |
On (enabled for all commands)
System mode
A system password must be configured with the set password command. Table 4-1 describes the set local access command settings.
| Commands | On | Partial | Protected |
|---|---|---|---|
| call | See Note1 | P2 | |
| demand | P | P | |
| disconnect | P | | |
| help | P | | |
| log commands | P | | |
| login | | | |
| logout | | | |
| reboot | P | | |
| reset commands | P | P | |
| set commands | P | P | |
| show commands | P | | |
| software load | P | P | |
| test commands | P | | |
| timeout | P | P | |
| unset commands | P | P | |
| upload | P | | |
| version | P | | |
| CD | P | | |
| establish | P | | |
| ping | P | | |
| release | P | | |
| unlearn | P | | |
The following example configures local configuration access to protected:
Host> set localaccess protected
set password
To set the inactivity timer for remote logins, use the set logout command.
SEt LOGout minutes
| Argument | Description |
|---|---|
| minutes | After the specified number of minutes of inactivity on a remote login Telnet session, the remote user is logged out. To disable the auto logout feature, use a logout value of 0. |
Five minutes
System mode
This command sets the inactivity timer for remote logins.
Enter the following command to disable the remote inactivity timer session:
Host> set logout 0
To set the password, use the set password command.
SEt PAssword SYstem [<ENcrypted>] [<password>]
| Keyword or argument | Description |
|---|---|
| system | Configures the system password that authenticates users requesting a local or remote configuration session. The system keyword can consist of 1 to 30 characters. The router can have one system password. The system keyword is used in system mode only. |
| encrypted | Specifies the password is encrypted on the router. |
| password | The password used for authentication. If password is absent from the command statement, you are prompted for the entry. |
No passwords are configured.
System mode
The set password system command should be preceded with the set remote access or set local access command. If a password is not included in the command line, you are prompted to enter the password. When configuring a system password, you are also prompted for a user name to associate with the password. This user name can consist of one to seven characters.
Previously, the password could not be contained in a configuration file and downloaded through TFTP because the set password command required an interactive response. Now the password can be included in the command line.
The password can be included in a configuration file, which can generate a set password command that includes unencrypted or encrypted passwords for PPP authentication.
Note that the system password protects remote access, but not local access. Before downloading a configuration, a remote user has to enter the system password (if one has been set), but a local user does not. For example, an unauthorized user at the local console can use the upload command to generate the PPP CHAP or PAP authentication commands and cut-and-paste the password from that output.
The following example configures a host password for profile 2503:
Step 1 Enter the set password command:
Step 2 At the prompt, enter your host password. Your password will not be echoed on the screen:
Step 3 At the prompt, reenter your host password again for confirmation:
Step 4 At the prompt, enter the user name you wish to associate with the host password:
set local access
set remote access
To set the PPP authentication for incoming and outgoing ISDN calls, use the set ppp authentication command.
SEt PPp AUthentication INcoming | OUtgoing [CHap] [PAp] [NOne]
Incoming: chap and pap; outgoing: none
System or profile mode
You can specify one, two, or all of the authentication options. They are negotiated in the following order: chap, pap, none. If the none keyword is not specified and authentication fails, the call is terminated.
This command has no effect on how the router responds to remote authentication requests. The router always responds to PAP or CHAP authentication requests. A client password must be configured with the set ppp password or set ppp secret command to make the authentication response succeed (unless a null password is used by the peer).
The authentication sequence is no longer required for leased line connections. For 64K or 128K leased line connections, previous versions of Cisco 700 IOS software required PAP/CHAP authentication when the connection is made.
set ppp authentication incoming works in system mode only. set ppp authentication outgoing works in system mode and profile mode. Whatever is set in system mode becomes the default setting for each profile. The outgoing authentication method applies to outgoing WAN calls, and provides users with the option of 2-way authentication. In other words, when acting as a remote router dialing into an access server, the router not only is authenticated by the access server but it can authenticate the access server with the protocol specified by set ppp authentication outgoing.
The following example sets the router to use incoming PAP authentication for incoming calls:
Host> set PPP authentication incoming pap
The following example sets the router to use outgoing PAP authentication for outgoing calls:
Host> set PPP authentication outgoing pap
To set up a leased line configuration, authentication should be disabled and a user-defined profile named leasedline (the name is not case sensitive) must be created or another user-defined profile must be renamed. If the leasedline profile is not present upon call connect, the router requires authentication to select the correct profile. If the call cannot be authenticated, the call is dropped.
The following example disables PPP authentication for outgoing calls:
Host:leasedline> set PPP authentication outgoing none
Within the leasedline profile, verify that PPP authentication is set to none (the default) using the show security command:
Host:leasedline>show security
The switch types that support this feature are PERM64 and PERM128.
set system name
Use the set ppp callback command to set the callback mode for point-to-point encapsulation. This command ensures a level of callback security.
SEt PPP CAllback REquest | REply ON | OFf | ALways
| Keyword | Description |
|---|---|
| request | Specifies if the router will request a callback when it places a call. |
| reply | Specifies if the router will agree to a callback when requested to do so by a remote router. |
| on | Enables callback. |
| off | Disables callback. |
| always | Forces callback at all times. |
Off (disabled)
Profile mode
When the calling unit's request is set to on, the calling unit initiates a callback request. If the callback request is acknowledged by the called unit, the call stays connected until one of the following occurs:
The following example sets the profile to reply always:
Host> set ppp callback reply always
set number
set ppp bacp
set security
set ringback
show security
To set a CHAP filter to authenticate the remote device for CHAP security purposes, use the set ppp chaprefuse command.
SEt PPp CHaprefuse ALl | NOne | [INcall] [REsponsefirst] [SAmehost] [DIrectionwrong]
| Keyword | Description |
|---|---|
| all | Refuse to authenticate CHAP. |
| none | Clear the current filter. |
| incall | Refuse to authenticate CHAP incoming calls. |
| responsefirst | Ignore the challenge if the remote device has not sent a valid response to a previous challenge sent by the Cisco 700 series router. |
| samehost | Ignore the challenge if the hostname field matches the hostname field of the Cisco 700 series router. |
| directionwrong | Ignore the challenge if the caller indicates that the call was originated by the Cisco 700 series router. |
NOne
System mode
To avoid a race condition when two Cisco 700 series routers authenticate each other with CHAP, set the responsefirst filter on only one of the routers.
The following example sets a filter for common security protection:
Host> set ppp chaprefuse responsefirst samehost directionwrong
set ppp authentication
set ppp password
To configure the passwords used during PAP and CHAP PPP authentication, use the set ppp password command.
SEt PPP PAssword | SEcret HOst | CLient [ENcrypted] [<password>]
| Keyword or argument | Description |
|---|---|
| password | Indicates the password is used for PAP authentication. |
| secret | Indicates the password is used for CHAP authentication. |
| host | Profile configurations used by the router to authenticate a remote router. The remote device client password must match the Cisco 700 series router host password. |
| client | Local configurations used by the remote device to authenticate the router. The Cisco 700 series router client password must match the remote device host password. |
| encrypted | Specifies the password is encrypted. |
| password | The password used for authentication. If the password is absent from the command statement, you are prompted for the entry. |
No passwords are configured.
System or profile mode
Profiles that do not have passwords configured explicitly use the password configured in system mode.
The following example configures the router with a PAP client password by prompting you for the password and verification of the password:
The following example deletes the CHAP client password by leaving the password field and verification field blank:
set password
set ppp authentication
To restrict remote configuration access to the router, use the set remote access command.
SEt REmoteaccess OFF | PRotected | PArtial
| Keyword | Description |
|---|---|
| off | No remote login sessions are allowed. |
| protected | Sets commands to be performed with system password only. |
| partial | Sets commands to be performed with partial restrictions. |
Off
System mode
Table 4-2 describes the set remote access command settings.
| Commands | Partial | Protected | Off |
|---|---|---|---|
| call | See Note1 | P2 | X3 |
| demand | P | P | X |
| disconnect | P | X | |
| help | P | X | |
| log commands | P | X | |
| login | X | | |
| logout | X | | |
| reboot | P | X | |
| reset commands | P | P | X |
| set commands | P | P | X |
| show commands | P | X | |
| software load | P | P | X |
| test commands | P | X | |
| timeout | P | P | X |
| unset commands | P | P | X |
| upload | P | X | |
| version | P | X | |
| CD | P | | |
| establish | P | | |
| ping | P | | |
| release | P | | |
| unlearn | P | | |
The following example configures the router for protected remote access:
Host> set remote access protected
set password
To display the router's security configurations, use the show security command.
SHow SEcurity [ALl]
| Keyword | Description |
|---|---|
| all | In profile mode, displays all security configurations. |
Use this command in system mode with the all keyword to display all security configurations. Use this command while in profile mode to display the security configurations for that profile.
Table 4-3 lists the significant fields shown in the display.
| Field | Description |
|---|---|
| System Parameters | Security configurations that apply to system mode. |
| Access Status | Indicates if remote access is enabled. Can be on or off. |
| System Password | Indicates if a system password has been entered with the set password system command. Can be none or exists. |
| Remote Configuration | Remote access restriction as configured with the set remote access command. |
| Local Configuration | Local configuration restriction as configured with the set local access command. |
| Caller ID Security | Indicates if caller ID is enabled. Can be on or off. |
| Caller ID Number | The phone numbers entered with the set caller id receive number command. |
| PPP Authentication In | The PPP authentication method used for incoming calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication in command. |
| Profile Parameters | Security configurations that apply to the profile. If you are using the show security command in system mode, these configurations make up the profile template for security parameters. |
| PPP Authentication Out | PPP authentication method used for outgoing calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication out command. |
| PAP Client Password | Indicates if a PAP client password has been entered with the set ppp password command. Can be none or exists. |
| CHAP Client Secret | Indicates if a CHAP client password has been entered with the set ppp secret command. Can be none or exists. |
| Callback ID Security | Indicates if callback authentication is enabled. Can be on or off. |
| Callback | Indicates if callback is enabled. Can be on or off. |
| Callback Numbers | Numbers entered with the set callback id receive number command. |
| Number of Host Passwords | Number of host passwords that have been entered with the set password command. |
| PAP Host Password | Indicates if a PAP host password has been entered with the set ppp password command. Can be none or exists. |
| CHAP Host Secret | Indicates if a CHAP host password has been entered with the set ppp secret command. Can be none or exists. |
| Callback Request | Indicates if the router will request a callback from the remote unit. Can be on or off. |
| Callback Reply | Indicates if the router will perform a callback if requested to do so by the remote router. Can be on or off. |
The following example shows output from the show security command in system mode:
Host> show security
System Parameters
Security
Access Status ON
System Password NONE
Remote Configuration PROTECTED
Local Configuration ON
Logout Timeout 5
Caller ID Security OFF
Caller Id Numbers
PPP Security
PPP Authentication IN CHAP PAP
Profile Parameters
PPP Security
PPP Authentication OUT NONE
Client
User Name NONE
PAP Password NONE
CHAP Secret NONE
Host
PAP Password NONE
CHAP Secret NONE
Callback
Request OFF
Reply OFF
In profile mode, the show security command displays the following:
temp> show security
Callback ID Security OFF
PPP Security
PPP Authentication OUT NONE
PPP Client Name joe
PAP Client Password EXISTS
CHAP Client Secret NONE
PAP Host Password NONE
CHAP Host Secret NONE
Callback Request OFF
Callback Reply OFF
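Because the show security display is the quickest way to review a unit's settings, the added Python example below parses that display and reports the conditions this chapter describes as weak: remote access on without a system password, unrestricted local configuration, a disabled remote logout timer, and incoming PPP authentication that allows none or only PAP. It is not Cisco's code; the field list, the section handling and the findings are constructed for the example, and the sample output is the system-mode display shown above.

```python
# Added example (not Cisco's code): parse a `show security` display and flag weak settings.

# Constructed sample: the system-mode output reproduced from the text above.
SAMPLE_SYSTEM_OUTPUT = """\
System Parameters
Security
Access Status ON
System Password NONE
Remote Configuration PROTECTED
Local Configuration ON
Logout Timeout 5
Caller ID Security OFF
Caller Id Numbers
PPP Security
PPP Authentication IN CHAP PAP
Profile Parameters
PPP Security
PPP Authentication OUT NONE
Client
User Name NONE
PAP Password NONE
CHAP Secret NONE
Host
PAP Password NONE
CHAP Secret NONE
Callback
Request OFF
Reply OFF
"""

# Lines that carry no value; the last three qualify field names that repeat beneath them.
SECTION_HEADERS = ("System Parameters", "Security", "PPP Security",
                   "Profile Parameters", "Client", "Host", "Callback")
QUALIFYING_SECTIONS = ("Client", "Host", "Callback")

# Field names as they appear in the system-mode and profile-mode displays.
KNOWN_FIELDS = (
    "Access Status", "System Password", "Remote Configuration", "Local Configuration",
    "Logout Timeout", "Caller ID Security", "Caller Id Numbers",
    "PPP Authentication IN", "PPP Authentication OUT", "User Name",
    "PAP Password", "CHAP Secret", "Request", "Reply",
    "Callback ID Security", "PPP Client Name", "PAP Client Password",
    "CHAP Client Secret", "PAP Host Password", "CHAP Host Secret",
    "Callback Request", "Callback Reply",
)


def parse_show_security(text: str) -> dict:
    """Return {field: value}; fields under Client/Host/Callback get a 'Section/' prefix."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse the display's column padding
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        for name in KNOWN_FIELDS:
            if line == name or line.startswith(name + " "):
                key = f"{section}/{name}" if section in QUALIFYING_SECTIONS else name
                fields[key] = line[len(name):].strip()
                break                         # prompt lines and unknown text are ignored
    return fields


def audit_security(fields: dict) -> list:
    """Return findings derived from the rules stated in the command descriptions."""
    def value(name):
        return fields.get(name, "").upper()

    findings = []
    if value("Access Status") == "ON" and value("System Password") == "NONE":
        findings.append("remote access is on but no system password is configured")
    if value("Local Configuration") == "ON":
        findings.append("local console commands are unrestricted (set localaccess on)")
    if value("Logout Timeout") == "0":
        findings.append("remote login inactivity timer is disabled (set logout 0)")
    incoming = value("PPP Authentication IN").split()
    if "NONE" in incoming:
        findings.append("incoming calls may connect without PPP authentication")
    elif incoming == ["PAP"]:
        findings.append("incoming calls use PAP only; PAP sends the password in the clear")
    return findings


if __name__ == "__main__":
    for finding in audit_security(parse_show_security(SAMPLE_SYSTEM_OUTPUT)):
        print("FINDING:", finding)
```

Run against the sample display the check reports two findings: the unit accepts remote logins while System Password is NONE, and Local Configuration is ON, so the local console has no restriction at all. The profile-mode display parses with the same function (the keys there are unqualified, such as PAP Client Password) and yields no system-level findings.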