UNCLASSIFIED  Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED  151

    Central(config)# line con 0
    Central(config-line)# transport input none
    Central(config-line)# exec-timeout 5 0
    Central(config-line)# login local
    Central(config-line)# exit
    Central(config)# line vty 0 4
    Central(config-line)# access-class 91 in
    Central(config-line)# exec-timeout 5 0
    Central(config-line)# login local
    Central(config-line)# transport input telnet
    Central(config-line)# accounting exec remoteacc
    Central(config-line)# exit
    Central(config)# line aux 0
    Central(config-line)# transport input none
    Central(config-line)# login local
    Central(config-line)# exec-timeout 0 1
    Central(config-line)# no exec
    Central(config-line)# end

The first thing to do when configuring access to a router is to set up local access. The enable secret command sets the password for the privileged exec level, and the username commands set up all the local accounts. With those in place, when AAA is turned on the default authorization will not lock out the console.

The message of the day should be used to provide the legal notice for controlling access to the device and allowing for monitoring. This message should be generic and, ideally, the same on all of your routers, firewalls, servers, workstations, etc.

Next, configure the security server and turn on the AAA mechanisms. Since the shared secret to the RADIUS server is stored in the clear, do not use the router's shared secret with any other device. Since communications to the security server are protected and the connection does not go outside the corporate boundary, it is acceptable to allow communications to the server outside the router. With the aaa authentication login command, make sure local is in the list, as described earlier. Also notice that the default accounting for exec is set to start-stop and that a named list was created for wait-start. By applying the named list to external connections and letting the default list apply automatically to the console, you will not be locked out of the router. Use connection accounting to track outbound connections generated by users logged onto the router; these should be minimal.

Create and apply an access-list to the vtys to limit remote access to internal networks only and, if possible, limit the remote hosts by actual host IP addresses instead of a network address. Issue the login local command on the console and vtys in case AAA services get turned off. This will continue to allow limited remote access based upon the local database and will be ignored while AAA mechanisms are still running. Also limit remote access to telnet only and limit the connection idle time to 5 minutes. The auxiliary port is disabled in this example.
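As an added example (not part of the guide), the Python checker below parses the con, vty and aux line stanzas of an IOS configuration and reports every deviation from the settings recommended above: login local on every line, an exec-timeout of at most 5 minutes, transport input none on the console and auxiliary ports, the auxiliary port disabled with no exec, a vty access-class whose ACL lists individual hosts rather than networks, a single inbound transport protocol, and a named exec accounting list on the vtys. Both configurations in it are constructed: the "good" one repeats the page's line commands, and the two host entries of access-list 91 and the entire "weak" configuration are assumptions, since the page shows only the access-class reference.

```python
"""Audit the con/vty/aux 'line' stanzas of a Cisco IOS config against the
recommendations on this page. Example code; both configurations are constructed."""
import re
# Constructed: the page's line commands plus a hypothetical standard ACL 91
# permitting two individual management hosts (the ACL itself is not on the page).
GOOD_CONFIG = """\
access-list 91 permit host 10.1.1.5
access-list 91 permit host 10.1.1.6
line con 0
 transport input none
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 91 in
 exec-timeout 5 0
 login local
 transport input telnet
 accounting exec remoteacc
line aux 0
 transport input none
 login local
 exec-timeout 0 1
 no exec
"""
# Constructed: a weak configuration that breaks most of the recommendations.
WEAK_CONFIG = """\
access-list 91 permit 10.0.0.0 0.255.255.255
line con 0
 login local
line vty 0 4
 access-class 91 in
 exec-timeout 0 0
 transport input all
line aux 0
 login local
"""

def parse_config(text):
    """Return ({'con 0': [commands], ...}, {'91': [ACL entries], ...})."""
    sections, acls, current = {}, {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())      # belongs to the open 'line' stanza
        elif raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith("access-list "):
            current = None
            number, *entry = raw.split()[1:]
            acls.setdefault(number, []).append(" ".join(entry))
        elif raw.strip():
            current = None      # any other top-level command ends the stanza
    return sections, acls

def exec_timeout_seconds(cmds):
    """Idle seconds before the EXEC closes; None if absent (IOS default 10 min), 0 if never."""
    for c in cmds:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return None

def is_host_entry(entry):
    """True for 'permit host A.B.C.D' or 'permit A.B.C.D'; 'any' and wildcard entries are not."""
    parts = entry.split()
    return parts[0] != "permit" or parts[1] == "host" or len(parts) == 2 and parts[1] != "any"

def audit(text):
    sections, acls = parse_config(text)
    findings = []
    for name, cmds in sections.items():
        kind = name.split()[0]          # con, vty or aux
        if "login local" not in cmds:
            findings.append(f"line {name}: missing 'login local' fallback")
        t = exec_timeout_seconds(cmds)
        if t is None or t == 0 or t > 5 * 60:   # page: 5 minute idle limit
            findings.append(f"line {name}: exec-timeout absent, disabled or over 5 minutes")
        if kind in ("con", "aux") and "transport input none" not in cmds:
            findings.append(f"line {name}: expected 'transport input none'")
        if kind == "aux" and "no exec" not in cmds:
            findings.append(f"line {name}: auxiliary port not disabled with 'no exec'")
        if kind != "vty":
            continue
        ac = next((c for c in cmds if c.startswith("access-class ")), None)
        if ac is None:
            findings.append(f"line {name}: no access-class restricting remote access")
        elif not acls.get(ac.split()[1]):
            findings.append(f"line {name}: access-class refers to an undefined ACL")
        elif not all(is_host_entry(e) for e in acls[ac.split()[1]]):
            findings.append(f"line {name}: access-class permits networks, not just hosts")
        ti = next((c for c in cmds if c.startswith("transport input ")), None)
        protos = set(ti.split()[2:]) if ti else set()
        if not protos or "all" in protos or len(protos) > 1:
            findings.append(f"line {name}: transport input should name a single protocol")
        if not any(c.startswith("accounting exec ") for c in cmds):
            findings.append(f"line {name}: no named exec accounting list applied")
    return findings
```

Feed it the text of show running-config; audit(GOOD_CONFIG) returns no findings, while the weak configuration produces ten. The transport check flags `all` or a list of several protocols rather than requiring telnet by name, so a site that has since moved its vtys to a single ssh transport passes it the same way.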