Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Figure 4-9: Routers and their Authentication Server
[Network diagram: routers Central, South and East; Facility Network 14.1.0.0/16; LAN 1 14.2.6.0/24; LAN 2 14.2.9.0/24; Protected Enclave 14.2.10.0/24; Authentication Server 14.2.6.18]
Authorization will not be used in these examples since all the administrators in these
examples need configuration access and there is no dial-in access. For a more
complete example, including authorization and some discussion of dial-in security
concerns, see Section 4.6.3.
Central Router Configuration:
Central(config)# enable secret 3rRsd$y
Central(config)# username fredadmin password d$oyTld1
Central(config)# username bethadmin password hs0o3TaG
Central(config)# username johnadmin password an0!h3r(
Central(config)# service password-encryption
Central(config)# banner motd ^T
.
.
^T
Central(config)# radius-server host 14.2.6.18
Central(config)# radius-server key i*Ma5in@u9p#s5wD
Central(config)# aaa new-model
Central(config)# aaa authentication login default radius local
Central(config)# aaa accounting exec default start-stop radius
Central(config)# aaa accounting exec remoteacc wait-start radius
Central(config)# aaa accounting connection default start-stop radius
Central(config)# access-list 91 permit 14.2.9.0 0.0.0.255 log
Central(config)# access-list 91 deny any log
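
A consistency check for the AAA commands shown above, as an added example that is not part of the original guide: it confirms that the default login list ends in a local fallback backed by at least one local username, that the RADIUS method has a server host and key, and that every accounting list names a server method. The function names, the sample input and its placeholder secrets are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "Central(config)# "

def commands(text):
    """Strip router prompts and return the bare configuration commands."""
    return [PROMPT.sub("", ln.strip()) for ln in text.splitlines() if ln.strip()]

def audit_aaa(text):
    """Return findings for the AAA setup; an empty list means all checks passed."""
    cmds, findings = commands(text), []
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    if "aaa new-model" not in cmds:
        findings.append("aaa new-model missing")
    login = [c.split()[4:] for c in cmds
             if c.startswith("aaa authentication login default ")]
    methods = login[-1] if login else []
    if not methods:
        findings.append("no default login method list")
    if "radius" in methods and not (has("radius-server host ")
                                    and has("radius-server key ")):
        findings.append("radius method without radius-server host and key")
    if methods and methods[-1] != "local":
        findings.append("login list has no local fallback")
    if "local" in methods and not has("username "):
        findings.append("local method without any local username")
    for c in cmds:
        # Flag an accounting list whose trailing server method word is missing.
        if c.startswith("aaa accounting ") and c.split()[-1] not in ("radius", "tacacs+"):
            findings.append("accounting list without a server method: " + c)
    return findings

# Constructed sample in the style of the Central configuration (placeholder secrets).
SAMPLE = """\
Central(config)# username exampleadmin password EXAMPLE-PASSWORD
Central(config)# radius-server host 14.2.6.18
Central(config)# radius-server key EXAMPLE-KEY
Central(config)# aaa new-model
Central(config)# aaa authentication login default radius local
Central(config)# aaa accounting exec default start-stop radius
Central(config)# aaa accounting connection default start-stop
"""

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE):
        print("FINDING:", finding)
```

The constructed sample deliberately omits the method on its last accounting line, so the audit reports exactly that one finding.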