Configure Protections For Passwords and Terminal Lines
Topology
Addressing Table
Device Interface IP Address Subnet Mask
Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Explore Password Protection Options
Part 3: Configure and Verify Terminal Line Protection Options
Background / Scenario
Securing your network devices starts at the most basic level -- physical security. Physical security establishes
restricted physical access to the devices. Most of the time you will connect to devices from a remote location.
This makes securing remote access extremely important. In this lab, you will explore several different
methods of protecting both local and remote access to your devices.
Note: This lab is an exercise in configuring options available for passwords and remote access protection and
does not necessarily reflect network troubleshooting best practices.
© 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 10 www.netacad.com
Lab -Configure Protections for Passwords and Terminal Lines
Note: The routers used with CCNP hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4
(universalk9 image). The switches used in the labs are Cisco Catalyst 3650s with Cisco IOS XE Release
16.9.4 (universalk9 image) and Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image).
Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS
version, the commands available and the output produced might vary from what is shown in the labs. Refer to
the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the switches have been erased and have no startup configurations. If you are unsure,
contact your instructor.
Required Resources
• 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 3650 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
• 2 PCs (Operating system of choice with terminal emulation program installed)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology
Switch D1
hostname D1
no ip domain lookup
banner motd # D1, Password and Terminal Protection #
line con 0
exec-timeout 0 0
logging synchronous
exit
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
interface g1/0/23
spanning-tree portfast
switchport mode access
no shutdown
exit
interface g1/0/11
spanning-tree portfast
switchport mode access
no shutdown
exit
interface range g1/0/5-6
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
interface range g1/0/1-4, g1/0/7-10, g1/0/12-22, g1/0/24, g1/1/1-4
shutdown
exit
end
Switch A1
hostname A1
no ip domain lookup
banner motd # A1, Password and Terminal Protection #
line con 0
exec-timeout 0 0
logging synchronous
exit
interface vlan 1
ip address 192.168.1.3 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
interface range f0/1-2
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
interface range f0/3-24, g0/1-2
shutdown
exit
interface f0/23
switchport mode access
spanning-tree portfast
no shutdown
exit
end
b. Set the clock on each device to UTC time.
c. Save the running configuration to startup-config.
d. Verify that PC 2 receives an IP address via DHCP.
e. Verify that D1, A1, PC 1 and PC 2 can ping R1 interface G0/0/1.
d. Test the login requirement by returning to privileged EXEC mode, logging out of the router, and then
reconnecting on the console. You should be prompted for a password and denied access if the password you
supply is incorrect.
R1(config-line)# end
R1# logout
Type 7 is reversible obfuscation rather than encryption, yet it is the most protection the local device can give
a line password (the password configured directly on a console or vty line). To provide any more security,
you must use a local login database, covered next, or use Authentication, Authorization and Accounting
(AAA), which is covered in another lab.
Username: admin
Password: <enter correct password, cisco123>
R1>
Do not let the apparent complexity of a type 5 string mislead you. Type 5 is a salted MD5 hash (the md5-crypt
scheme); it cannot be reversed, but it is cheap to compute, so an offline dictionary or brute-force attack tests
candidates at very high speed, and a type 5 string is therefore not considered secure. Search the internet for
“Cisco Type 5 Password Cracker” and you will find many sites that run exactly that attack. Try one with a weak
password and you will see the type 5 string quickly turned back into plaintext.
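The two claims above, that a type 7 string can be reversed and that a type 5 string only has to be guessed, as a worked example. This is added code, not part of the Cisco lab: type7_decode and type7_encode use the fixed XOR key that IOS applies under service password-encryption, and md5crypt follows the FreeBSD md5-crypt algorithm that IOS type 5 uses. The salt r1s4 and the three-word list are constructed for the demonstration; 094F471A1A0A is the type 7 form of the word cisco.

```python
"""Why type 7 and type 5 do not protect a leaked config.  Added example; not
part of the Cisco lab.  type7_decode/encode use the fixed key IOS applies
under 'service password-encryption'; md5crypt follows the FreeBSD md5-crypt
algorithm that IOS type 5 uses."""
import hashlib

# Fixed 53-byte XOR key for type 7.  The two leading decimal digits of a type 7
# string are the starting offset into this key; the rest is hex ciphertext.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the plaintext of a type 7 string: XOR each byte with the key."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, offset=9):
    """Produce a type 7 string (offset 0-15); shows the scheme is symmetric."""
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{data.hex().upper()}"


ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5-crypt's little-endian base-64 digit encoding."""
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5crypt(password, salt, magic=b"$1$"):
    """md5-crypt ($1$salt$digest): 1000 unkeyed MD5 rounds, no memory cost."""
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                       # mix in alt, 16 bytes per 16 chars
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                              # bit-by-bit quirk of the scheme
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed stretching; no tunable cost
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + enc


def crack_type5(hash_str, wordlist):
    """Dictionary attack on a type 5 string; returns the password or None."""
    _, _, salt, _ = hash_str.split("$")   # "$1$salt$digest"
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == hash_str:
            return word
    return None


if __name__ == "__main__":
    # Salt and wordlist are constructed; 094F471A1A0A is type 7 for 'cisco'.
    print("type 7 094F471A1A0A ->", type7_decode("094F471A1A0A"))
    target = md5crypt(b"cisco123", b"r1s4")
    print("type 5", target, "->",
          crack_type5(target, ["admin", "cisco", "cisco123"]))
```

The contrast is the point: the type 7 routine needs no guessing at all, and the type 5 routine is only a thousand MD5 calls per candidate, which is why a wordlist of common device passwords finishes in seconds. Type 9 (scrypt) raises the cost of each candidate by orders of magnitude, which is what the next step configures.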
b. Reconfigure the admin account you configured earlier to use a type 9 password. Use the same password
string, cisco123.
R1(config)# username admin algorithm-type scrypt secret cisco123
c. To see the results of these entries, issue the command show run | include secret 9. As you can see, the
output strings are much longer than type 7 or type 5.
R1# show run | include secret 9
enable secret 9 $9$o.TVpUa5sYEeTU$WAA3GDD6u7GAK19Wcnh5hH325RLlG2H5EHA2ALY.GqU
username admin secret 9 $9$r5fycGQrMSV.7k$W49OJ3RnrybJjPLLpgKpqwaSja52GiKMYEQCdhwyxsg
R1(config)#
*Feb 11 16:27:28.354: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named
R1.CCNP.EIGHT has been generated or imported by crypto-engine
*Feb 11 16:27:28.355: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Feb 11 16:27:28.543: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named
R1.CCNP.EIGHT.server has been generated or imported by crypto-engine
d. The console output shows that SSH 1.99 has been enabled, which means that the device accepts
connections from both SSH version 1 and SSH version 2 clients. SSH version 1 has known protocol
weaknesses (its CRC-32 integrity check, for one) and should be avoided. To restrict the device to SSH
version 2 only, issue the command ip ssh version 2.
R1(config)# ip ssh version 2
e. You should also limit how long the authentication process is allowed to take and how many
authentication attempts a user is given, using the ip ssh time-out and ip ssh authentication-retries
commands. The time-out value governs how long the device waits for the authentication phase (username
and password) to complete; the default is 120 seconds. Shortening it limits how long an unauthenticated
connection can hold a vty line, which helps preserve availability. Set it to 60 seconds or less. The
authentication retry value, which defaults to 3, dictates how many attempts a user gets to enter the correct
password before being disconnected. Setting it to 2 is a common practice.
R1(config)# ip ssh time-out 30
R1(config)# ip ssh authentication-retries 2
f. Now configure the vty lines to accept only incoming SSH connections with the transport input ssh
command. This removes Telnet (and every other inbound protocol) from the vty lines.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
g. Lastly, configure the vty lines to query the local user database using the command login local.
R1(config-line)# login local
Test your SSH configuration by attempting to SSH from PC 1 and PC 2 to R1. Both attempts should be
successful. Issue the show ssh command to view both established SSH sessions to R1.
R1# show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha2-256 Session started admin
0 2.0 OUT aes256-ctr hmac-sha2-256 Session started admin
1 2.0 IN aes256-ctr hmac-sha2-256 Session started admin
1 2.0 OUT aes256-ctr hmac-sha2-256 Session started admin
a. Change the default inactivity timer to a shorter period using the exec-timeout minutes [seconds]
command. Different organizations have different requirements for this value. For our purposes, set the
exec-timeout on the vty lines to 3 minutes.
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 3 0
b. On certain devices (the router only in our case) you can give the connected user a warning that they are
about to be disconnected using the logout-warning [seconds] command. Configure a logout warning for
1 minute.
R1(config-line)# logout-warning 60
c. On certain devices (the router only in our case), you have the option to use an absolute timeout, which
disconnects the user no matter if they are active or not. For our purposes, configure this value to be 15
minutes using the absolute-timeout [minutes] command.
R1(config-line)# absolute-timeout 15
d. Test these tweaks to your SSH configuration by attempting to SSH from PC 2 to one of the devices and
delay your password response to see what happens. Try again and put in the wrong password until it
disconnects you. Log in one more time and let the terminal line remain inactive until you get
disconnected.
Reflection Questions
1. What additional security can be configured on a Cisco device when implementing SSH?
Type your answers here.
2. How can you implement type 9 passwords using scrypt and avoid using the console and vty line passwords
with type 7 encryption?
Type your answers here.
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
End of document