Vty Line Authentication and Authorization

The system supports 20 virtual tty (vty) lines for Telnet, Secure Shell Server (SSH) and FTP services. Each Telnet, SSH, or FTP session requires one vty line. You can add security to your system by configuring the software to validate login requests. There are two modes of authentication for a vty line:

• Simple authentication - password-only authentication via the local configuration
• AAA authentication - username and password authentication via a set of authentication servers

You can enable AAA authorization, which allows you to limit the services available to a user. Based on information retrieved from a user's profile, the user is either granted or denied access to the requested server.

Configuring Simple Authentication

To configure simple authentication:

1. Specify a vty line or a range of vty lines on which you want to enable the password.

host1(config)#line vty 8 13

host1(config-line)#

2. Specify the password for the vty lines.

host1(config-line)#password 0 mypassword

3. Enable login authentication on the lines.

host1(config-line)#login

4. Display your vty line configuration.

host1#show line vty 8

no access-class in

data-character-bits 8

exec-timeout never

exec-banner enabled

motd-banner enabled

login-timeout 30 seconds 

    line

• Use to specify the vty line(s) on which you want to enable the password.
• You can set a single line or a range of lines. The range is 0-19.
• Example

host1(config)#line vty 8 13

• Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 19. You cannot remove lines 0 through 4.

    login

• Use to enable password checking at login.
• The default setting is to enable a password.
• Example

host1(config-line)#login

• Use the no version to disable password checking and allow access without a password.

    password

• Use to specify a password on a single line or a range of lines.
• If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.
• Specify a password in plain text (unencrypted) or cipher text (encrypted). In either case, the system stores the password as encrypted.
• Use the following keywords to specify the type of password you will enter:

• 0 (zero) - unencrypted password
• 5 - secret
• 7 - encrypted password

Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters earlier in this chapter to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.

• Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

• Example 2 (secret)

host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6 

• Example 3 (encrypted password)

host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

• Use the no version to remove the password. By default, no password is specified.

    show line vty

• Use to display the configuration of a vty line.
• Field descriptions

• access-class - access-class associated with the vty line
• data-character-bits - number of bits per character

• 7 - setting for the standard ASCII set
• 8 - setting for the international character set

• exec-timeout - time interval that the terminal waits for expected user input

• Never - indicates that there is no time limit

• exec-banner - status for the exec banner: enabled or disabled. This banner is displayed by the CLI after user authentication (if any) and before the first prompt of a CLI session.
• motd-banner - status for the MOTD banner: enabled or disabled. This banner is displayed by the CLI when a connection is initiated.
• login-timeout - time interval during which the user must log in.

• Never - indicates that there is no time limit

• Example

host1#show line vty 0

no access-class in

data-character-bits 8

exec-timeout 3w 3d 7h 20m 0s

exec-banner enabled

motd-banner enabled

login-timeout 30 seconds 

Configuring AAA Authentication and AAA Authorization

Before you configure AAA authentication and AAA authorization, you need to configure a RADIUS and/or TACACS+ authentication server. Note that several of the steps in the configuration procedure are optional.

To configure AAA new model authentication and authorization for inbound sessions to vty lines on your system:

1. Specify AAA new model authentication.

host1(config)#aaa new-model

2. Create an authentication list that specifies the type(s) of authentication methods allowed.

host1(config)#aaa authentication login my_auth_list tacacs+ 
line enable

3. (Optional) Specify the privilege level by defining a method list for authentication.

host1(config)aaa authentication enable default tacacs+ 
radius enable

4. (Optional) Enable authorization, and create an authorization method list.

host1(config)aaa authorization commands 15 boston 
if-authenticated tacacs+

5. (Optional) Disable authorization for all Global Configuration commands.

host1(config)#no aaa authorization config-commands

6. Specify the range of vty lines.

host1(config)#line vty 6 10

host1(config-line)#

7. (Optional) Apply an authorization list to a vty line or a range of vty lines.

host1(config-line)#authorization commands 15 boston 

8. Specify the password for the vty lines.

host1(config-line)#password xyz

9. Apply the authentication list to the vty lines you specified on your system.

host1(config-line)#login authentication my_auth_list

    aaa authentication enable default

• Use to allow privilege determination to be authenticated through the TACACS+ or RADIUS server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privilege command level.
• The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
• To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
• Requests sent to a TACACS+ or RADIUS server include the username that is entered for login authentication.
• If the authentication method list is empty, the local enable password is used.
• Example

host1(config)#aaa authentication enable default tacacs+ 
radius

• Use the no version to empty the list.

    aaa authentication login

• Use to set AAA authentication at login. This command creates a list that specifies the methods of authentication.
• Once you specify aaa new-model as the authentication method for vty lines, an authentication list called "default" is automatically assigned to the vty lines. To allow users to access the vty lines, you must create an authentication list and either:

• Name the list "default."
• Assign a different name to the authentication list, and assign the new list to the vty line using the login authentication command.

• The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
• The system traverses the list of authentication methods to determine whether a user is allowed to start a Telnet session. If a specific method is available but the user information is not valid (such as an incorrect password), the system does not continue to traverse the list and denies the user a session.
• If a specific method is unavailable, the system continues to traverse the list. For example, if tacacs+ is the first authentication type element on the list and the TACACS+ server is unreachable, the system attempts to authenticate with the next authentication type on the list, such as radius.
• The system assumes an implicit denial of service if it reaches the end of the authentication list without finding an available method.
• Example

host1(config)#aaa authentication login my_auth_list tacacs+ 
radius line none

• Use the no version to remove the authentication list from your configuration.

    aaa authorization

• Use to set the parameters that restrict access to a network.
• Use the keyword exec to determine if the user is allowed to run User Exec mode commands. The commands you can execute from User Exec mode provide only user-level access.
• Use the keyword commands to run authorization for all commands at the specified privilege level (0- 15). See Table 6-1 for a description of privilege levels.
• You can enter up to three authorization types to use in an authorization method list. Options include: if-authenticated, none, and tacacs+.

Note: For information about TACACS+, see the ERX Broadband Access Configuration Guide, Chapter 4, Configuring TACACS+.

• Authorization method lists define the way authorization is performed and the sequence in which the methods are performed. You can designate one or more security protocols in the method list to be used for authorization. If the initial method fails, the next method in the list is used. The process continues until either there is successful communication with a listed authorization method or all methods defined are exhausted.
• Example

host1(config)#aaa authorization exec

• Use the no version to delete method list.

    aaa authorization config-commands

• Use to reestablish the default created when the aaa authorization commands command was issued.
• After the aaa authorization commands command has been issued, aaa authorization config-commands is enabled by default, which means that all configuration commands in Exec mode are authorized.
• Example

host1(config)#aaa new-model

host1(config)#aaa authorization command 15 parks tacacs+ 
none

host1(config)#no aaa authorization config-commands

• Use the no version to disable AAA configuration command authorization.

    aaa new-model

• Use to specify AAA new model as the authentication method for the vty lines on your system.
• If you specify AAA new model and you do not create an authentication list, users will not be able to access the system through a vty line.
• Example

host1(config)#aaa new-model

• Use the no version to restore simple authentication.

    authorization

• Use to apply AAA authorization to a specific vty line or group of lines.
• Use the exec keyword to apply this authorization to CLI access in general.
• Use the commands keyword to apply this authorization to user commands of the privilege level you specify.
• You can specify the name of an authorization method list; if no method list is specified, the default is used.
• After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined list to the appropriate lines for authorization to take place.
• Example

host1(config)#line vty 6 

host1(line-config)#authorization commands 15 sonny

• Use the no version to disable authorization.

    line

• Use to specify the virtual terminal lines.
• You can set a single line or a range of lines. The range is 0-19.
• Example

host1(config)#line vty 6 10

• Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 19. You cannot remove lines 0 through 4.

    login authentication

• Use to apply an authentication list to the vty lines you specified on your system.
• Example

host1(config-line)#login authentication my_auth_list

• Use the no version to specify that the system should use the default authentication list.

    password

• Use to specify a password on a line or a range of lines if you specified the line option with the aaa authentication login command.
• If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.
• Use the following keywords to specify the type of password you will enter:

• 0 (zero) - unencrypted password
• 5 - secret
• 7 - encrypted password

Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters earlier in this chapter to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.

• Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

• Example 2 (secret)

host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6 

• Example 3 (encrypted password)

host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

• Use the no version to remove the password. By default, no password is specified.