350-401 ENCOR – Cisco CCIE Enterprise – Security part 1
January 27, 2023

1. Section 05 Lines & Password

Let us start section number five. Section five covers security, and its weightage is 20%. The topics we will cover start with access control: lines and password protection, then AAA configuration, ACLs and CoPP, then REST API security, and wireless security with EAP, WebAuth and PSK. If you categorize these, you will find a category for device security, one for user security, then wireless authentication, and finally you should know at least the basics of endpoint security: next-generation firewall, MACsec and TrustSec. These belong with ISE. Then you have 802.1X, MAB and WebAuth. These are the things we should know to gain full control of the security section, which is 20%. So let us start with 5.1.a and 5.1.b. In 5.1.a we have to perform the lab task; we have to understand and perform the lab related to lines and password protection.

In the upcoming section we will learn more about authentication and AAA, and then we have a series of labs with ISE, the Identity Services Engine, which we are going to use as the authentication server. So, when we talk about basic security on Cisco routers: when any remote user tries to log into the device, how do we provide line security? On line vty, what is the transport input for that line? If you are using telnet, what type of security can we apply, and what privilege level can we assign to the client, that is, what type of access they have to the device? Each of these things we can configure. For example, on line console or line aux you can set a password, but if you check show run you will find that these passwords are visible. So we can encrypt the plaintext passwords that we give to the device.

The idea is that if someone can see show run, they should not be able to read the password. That is why we have the option of enable password and the option of enable secret. These are the passwords used when we log into the device: say you have done telnet or SSH and then you want privileged access. At that point you can use the plaintext enable password, or you can use the secret. The recommendation is to use enable secret, which stores an MD5 hash, as you can see in show run; the MD5 hash for enable secret cisco is what I am showing you here. This is very difficult to crack, so a normal plaintext password is not recommended. And suppose you have both an enable password and an enable secret configured.

Then the enable secret takes precedence over the plaintext password. If you want to encrypt everything on the device, meaning all the plaintext passwords in the configuration, you can run service password-encryption. It encrypts all of them, and you can see that initially this enable password was cisco and now it shows a type 7 string (the so-called MD7 format). Type 7 is very easy to crack, though. There are many online URLs where you paste the string and it gives you the password; the moment you put it in, you get the password cisco. That is why one recommendation is that your password should be a mix of alphanumeric and other types of characters, so that even if someone tries to attack it, or has the type 7 string and tries to resolve it, it is difficult for them to figure out the password. All right, in the next section we are going to perform the lab for this.

2. Lines & Password Lab

Let us perform the lab task. In the topology we have R1 and R2, and on R1 we will enable telnet, SSH and all sorts of password encryption. So let us go to R1. I can go to line vty 0 1, for example, and give password cisco. R2 has a point-to-point IP connection to R1. Let me ping R1 first and then try to telnet. Here you can see that the telnet port is open and the password is cisco, so I use cisco. Because I have not set the enable password, I am not able to get in; it says authentication to privilege 15 failed, because by default we use privilege level 15. But we have the option to set different privilege levels. So what we can do is configure enable password, again cisco. Now if you type enable and then cisco, you can see that we are inside R1, and we can go ahead and check show users.

Here you can see the user who has logged in. Now, once we are logged into R1, if you check show run you will find that we are using plaintext passwords: for vty 0 1 the password is cisco and we are using login. If we check show run | section enable, you can see that the password we have is cisco, in plaintext, correct? Now, to encrypt every password that is in plaintext, we can use service password-encryption. Let me check what options we have under service; here we can use password-encryption.

Then if you check the output, you will find that all the passwords that were initially in plaintext are now encrypted. Breaking this encryption is very easy, though. So what we want is not to use the plaintext enable password but the enable secret, say 123. Now if you telnet, the telnet password is still cisco, but if you check the enable password you will find that it is an MD5 hash. That is one thing we can do. What else can we do with line vty 0 1 or 0 4? We can configure no login.

That means login is not required; this is not a recommended way. What we can do instead is login local. You can see the options under login: login local means that you now define a username, say admin1, with a privilege, say 7, and a password. Again you have the option to use the unencrypted or the hidden password. For example I will give cisco as the password. Then I will change the privilege to 10 and add a second user with password cisco. So now I have admin1 and admin2, two admins with different privilege levels, correct? If I go out from here and telnet with username admin1 and password cisco, I can check the privilege level with show privilege.

Now if you try to get output, you do not have the show run option, and if you try to go to configure terminal, you do not have those options either. Again, if you telnet with admin2 and password cisco and check the privilege, you have privilege 10, and under show run certain things are disabled. Correct? So that is one level of security we are discussing at this point. Not only line vty: we can give a password to line console and to line aux as well. These are the passwords related to telnet and the enable password, and we have learned about privilege as well. Now, what about SSH? When we go to line vty 0 4 and check transport input, you have the option all, or you can use ssh, and that is the standard.

So we should not use telnet; rather we should use SSH to all devices. To enable SSH, you define the domain name and then create the crypto key: crypto key generate rsa modulus 1024. Once you have the domain name and the crypto key, you can set the SSH version as well; in this example I will give version 2. Then you go to line vty 0 4, where we have already done that configuration. Let me show you the SSH-related configuration: transport input and output are set to ssh. I can SSH with the local user admin1 (ssh -l admin1) and the password cisco. You can see that we log directly into the device, but if we check the privilege, it is still limited.

So now you can see that we are applying tighter security step by step. We started with the line vty plaintext password. Then we applied service password-encryption. Then we configured line vty with login local and a normal username. Then we gave the username a privilege level. Then we moved to SSH, and inside SSH we kept the privilege level. We should follow this practice, which is much more secure. Now what is happening in the industry is that all this authentication, authorization and accounting for all users is done from the ISE server or from the ACS server. At the moment the standard is ISE, the Identity Services Engine. In the upcoming section you will learn more about the use cases and how we use ISE for all these operations.
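As an added example, not part of the original lecture and not a Cisco tool, here is a small Python checker that applies the lab's recommendations to a saved running-config: it flags enable password, local users and lines still using type 0 or type 7 password strings instead of secret, no login, a transport input that permits telnet, and a missing service password-encryption, enable secret or ip ssh version 2. Both sample configurations are constructed for the example; the secret strings in the hardened one are placeholders, not real hashes.

```python
import re
from typing import Dict, List

# Constructed "before" configuration, modelled on the lab's first steps
# (plaintext enable password, line passwords, a type 7 string, telnet open).
WEAK_CONFIG = """\
hostname R1
enable password cisco
username admin1 privilege 7 password 0 cisco
username admin2 privilege 10 password 7 094F471A1A0A
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 no login
 transport input all
"""

# Constructed "after" configuration. The secret strings are PLACEHOLDERS,
# not real hashes; a device would show "$1$<salt>$<hash>" here.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
ip domain-name lab.example
enable secret 5 $1$salt$PLACEHOLDER_HASH
username admin1 privilege 7 secret 5 $1$salt$PLACEHOLDER_HASH
username admin2 privilege 10 secret 5 $1$salt$PLACEHOLDER_HASH
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""


def _line_blocks(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line ...' stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing to fix."""
    findings: List[str] = []
    top = [e.strip() for e in config.splitlines() if not e.startswith(" ")]

    if "service password-encryption" not in top:
        findings.append("global: 'service password-encryption' missing, type 0 passwords readable in show run")
    if any(e.startswith("enable password ") for e in top):
        findings.append("global: 'enable password' present, replace with 'enable secret'")
    if not any(e.startswith("enable secret ") for e in top):
        findings.append("global: no 'enable secret' configured")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH version not pinned, add 'ip ssh version 2'")

    # Local users still defined with 'password' (type 0 or 7) instead of 'secret'.
    for e in top:
        m = re.match(r"username (\S+) .*\bpassword (0 |7 )?\S+$", e)
        if m:
            kind = "type 7 (reversible)" if m.group(2) == "7 " else "type 0 (cleartext)"
            findings.append(f"user {m.group(1)}: {kind} password, use 'username {m.group(1)} ... secret'")

    for name, cmds in _line_blocks(config).items():
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' grants access without credentials")
        for c in cmds:
            m = re.match(r"password (0 |7 )?\S+$", c)
            if m:
                kind = "type 7 (reversible)" if m.group(1) == "7 " else "type 0 (cleartext)"
                findings.append(f"{name}: line password is {kind}, prefer 'login local' with secret-based users")
            if c.startswith("transport input") and {"all", "telnet"} & set(c.split()):
                findings.append(f"{name}: '{c}' permits telnet, use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Run it against a config captured with show run and every finding maps back to one step of the lab above; the hardened sample produces no findings, the weak one produces ten.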

3. AAA Concepts

In 5.1.b we have to learn and perform the lab related to AAA, which stands for authentication, authorization and accounting. Obviously you want to authenticate, then you are authorized to do certain tasks, and you are accountable for them; that is the use of AAA. One of the popular AAA servers we have is Cisco Identity Services Engine, and you will see and learn the lab related to that in the upcoming session. So let us try to understand the basics, the baseline, and on top of that we will perform the lab. ISE can be used for multiple purposes: network device administration, and network access, whether wired, wireless or VPN. Not only network devices: these identity services can be integrated with an external AD server, where you have the user credentials, so you can give authority to users as to what they can do at that particular time. Apart from that there are multiple features for, say, bring-your-own-device users, corporate users, guest users or WiFi users.

So there is all this profiling we can do; there are lots of things we can do with the ISE server and the AAA service. The basic ones are authentication, authorization and accounting, and then we have policies and rules for each of them. Authentication validates the user: it can authenticate with respect to username and password, or a certificate. It tells you: okay, you are a valid user. Then it gives you authorization: how much access do you get? Are you a privilege level 15 user, or a level 1 or level 2 user? What commands can you run? Which part of the network do you belong to, which ACL applies to you, what is your security group tag (SGT), what is your encryption? Each of these we can authorize. So for example we may have MAC-based authentication (MAB), user-based authentication like 802.1X, authentication for IP phones, authentication for wireless devices, authentication for any user, correct? Once authentication is done, the first phase is done. Then in the authorization phase you get the access: for example, to a certain device, or to certain IoT devices; how much authority you have over that device is decided by the authorization phase.

Finally we have accounting, which is for auditing or reporting purposes: after the device is authenticated and authorized, how much work has it done. Here you can see that it provides evidence of what you have done: auditing for network administration, the different commands for forensic analysis, and for network access, system identification such as MAC, IP, username and system state. So as the name suggests, authentication, authorization and accounting are the key fundamentals we have with the AAA server. In the upcoming session we are going to learn more and do the lab, and then we have a nice arrangement and setup to understand more concepts with respect to the ISE server.

4. Access & AAA

Let us learn about access and AAA. I am going to do authentication with respect to users, MAC addresses, or web authentication. In all these cases, once my devices are authenticated, ISE will apply the authorization. Now, what is the rule, the principle that ISE follows to do the authorization? We will see that in the upcoming slides. Here you can see wired, wireless and VPN. The wired and wireless endpoints use 802.1X, and VPN uses SSL or IPsec VPN. The 802.1X clients, wired or wireless, use EAP (Extensible Authentication Protocol) over LAN to communicate to ISE, and we will see that we have different protocols. So let me highlight and draw here, so you understand that we have three terms. One is the supplicant: your end device is the supplicant. Between the supplicant and the switch, suppose this is my switch where I do the authentication; this switch is known as the authenticator. Between the supplicant and the authenticator, the protocol used is EAP over LAN (EAPoL). And between the RADIUS server, or the ISE server, and the authenticator,

this is my authentication server, and in between I have the protocol called RADIUS. Okay, so we have two protocols here. Here you can see that Cisco supports third-party solutions via standard RADIUS, 802.1X, EAP, VPN protocols, et cetera. So between the endpoint and the authenticator I have EAPoL, and here we have the RADIUS protocol. We will see more on these things in the upcoming recordings and sections; this is just an overview of how things sit inside our network. Again, you can see all those terms: I have my supplicant here, then I have my authenticator, and then I have my RADIUS server, the ISE server. In between I am using the protocol RADIUS or TACACS+. So here I have the authentication server.

These are the terms I am going to use in the upcoming sections. Let us see what network access components we have. In this animation you will see that we have endpoints, network devices, the authentication server and the identity store. You may have an identity store where, for example, you store RSA tokens or some other cards, et cetera, something where you store the identities; that is why you have the identity store. Now the endpoint user, using either 802.1X or SSL, at layer 2 or layer 3, over Ethernet LAN, WLAN or the Internet, comes and authenticates. So these are my supplicants, this is my authenticator, this is my server, correct? So how does this process go? The endpoint tries to communicate with the authenticator; examples of authenticators are an Ethernet switch, a wireless access point, a VPN gateway, et cetera.

In between, you can see that I am using layer 3 protocols, RADIUS and SNMP. I have my ISE server here, and the ISE server stores its identities here in the form of a token server, Active Directory, OpenLDAP, et cetera. One thing I can highlight is that ISE uses either its internal database or an external database, say Active Directory or some identity store server. So you may have these two kinds of database: either internal, or external such as AD or other servers. Up to this point, I hope you understand how this phase of authentication happens.

In between you have EAP over LAN (EAPoL). Here you have the layer 3 protocol called RADIUS. And then you may have an internal database inside ISE, or you may have external databases. Next, I am going to log into ISE and show you some of the tabs. As for the components we have for ISE when we do the deployment: we have the Policy Service Node (PSN), which makes the policy decisions for the RADIUS and TACACS+ services. We have the Policy Administration Node (PAN), the single pane of glass for ISE administration and the replication hub for all database configuration changes. We have the MnT (Monitoring and Troubleshooting) node, just for reporting purposes. We have pxGrid, to connect to third-party devices and share contextual data with them. We will see all these things in the upcoming section, where we learn about the deployment of ISE and its key components. Now I am going to log into ISE and show you some of the tabs; on the top you can see what tabs are available.
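To make the three roles concrete, here is an added Python model of the exchange described above; it is not Cisco's or ISE's code. The supplicant's EAP-Response/Identity arrives over EAPoL at the switch, the switch (authenticator) wraps it in a RADIUS Access-Request to the server, the server answers from a constructed identity store with an Access-Accept carrying the authorization (a VLAN) or an Access-Reject, and on success the switch sends an Accounting-Request. Only the EAP identity phase is modelled (no EAP method), but the RADIUS packet layout and the Request and Response Authenticator calculations follow RFC 2865/2866, so the switch detects a reply computed with the wrong shared secret. The users, VLANs, MAC addresses and shared secret are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, List, Tuple

# RADIUS codes and attribute numbers are the real ones from RFC 2865/2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE = 1, 40
ATTR_EAP_MESSAGE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 81
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """RADIUS attributes are Type(1) Length(1) Value TLVs; Length includes the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def header(code: int, ident: int, attrs: Attrs) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs)))


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + encode_attrs(attrs) + secret).digest()


def accounting_request_authenticator(ident, attrs, secret) -> bytes:
    """RFC 2866: same formula, with 16 zero octets in place of the request authenticator."""
    return hashlib.md5(header(ACCT_REQUEST, ident, attrs) + b"\x00" * 16 + encode_attrs(attrs) + secret).digest()


def build_packet(code, ident, authenticator, attrs) -> bytes:
    return header(code, ident, attrs) + authenticator + encode_attrs(attrs)


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


class AuthServer:
    """Stand-in for ISE: the identity store is a constructed dict of user -> authorized VLAN."""

    def __init__(self, secret: bytes, identity_store: Dict[str, str]):
        self.secret, self.store = secret, identity_store
        self.accounting_log: List[Tuple[str, int]] = []

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(ATTR_USER_NAME, b"").decode()
        if code == ACCESS_REQUEST:
            if user in self.store:  # authentication: identity is known
                reply, reply_attrs = ACCESS_ACCEPT, [  # authorization: VLAN pushed to the switch
                    (ATTR_TUNNEL_PRIVATE_GROUP_ID, self.store[user].encode()),  # tag byte omitted
                    (ATTR_EAP_MESSAGE, bytes([EAP_SUCCESS, ident, 0, 4]))]
            else:
                reply, reply_attrs = ACCESS_REJECT, [(ATTR_EAP_MESSAGE, bytes([EAP_FAILURE, ident, 0, 4]))]
        elif code == ACCT_REQUEST:
            if req_auth != accounting_request_authenticator(ident, attrs, self.secret):
                raise ValueError("accounting request failed authenticator check")
            self.accounting_log.append((user, struct.unpack("!I", a[ATTR_ACCT_STATUS_TYPE])[0]))
            reply, reply_attrs = ACCT_RESPONSE, []
        else:
            raise ValueError(f"unsupported RADIUS code {code}")
        auth = response_authenticator(reply, ident, req_auth, reply_attrs, self.secret)
        return build_packet(reply, ident, auth, reply_attrs)


class Authenticator:
    """The switch: EAPoL towards the supplicant, RADIUS towards the server."""

    def __init__(self, server: AuthServer, secret: bytes):
        self.server, self.secret, self.ident = server, secret, 0
        self.port_state: Dict[str, str] = {}  # supplicant MAC -> authorized VLAN

    def _radius(self, code: int, attrs: Attrs):
        self.ident = (self.ident + 1) % 256
        req_auth = (accounting_request_authenticator(self.ident, attrs, self.secret)
                    if code == ACCT_REQUEST else os.urandom(16))
        reply = self.server.handle(build_packet(code, self.ident, req_auth, attrs))
        rcode, rident, rauth, rattrs = parse_packet(reply)
        if rident != self.ident or rauth != response_authenticator(rcode, rident, req_auth, rattrs, self.secret):
            raise ValueError("RADIUS reply failed authenticator check (wrong shared secret or forged reply)")
        return rcode, dict(rattrs)

    def eapol_login(self, mac: str, identity: str):
        """Relay the supplicant's EAP-Response/Identity (received over EAPoL) inside EAP-Message."""
        eap = bytes([EAP_RESPONSE, 1]) + struct.pack("!H", 5 + len(identity)) \
            + bytes([EAP_TYPE_IDENTITY]) + identity.encode()
        code, attrs = self._radius(ACCESS_REQUEST, [(ATTR_USER_NAME, identity.encode()), (ATTR_EAP_MESSAGE, eap)])
        if code != ACCESS_ACCEPT:
            self.port_state.pop(mac, None)  # port stays unauthorized
            return None
        vlan = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode()
        self.port_state[mac] = vlan  # port opened in the authorized VLAN
        self._radius(ACCT_REQUEST, [(ATTR_USER_NAME, identity.encode()),
                                    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))])  # Acct-Status-Type Start
        return vlan


def demo():
    secret = b"constructed-shared-secret"
    ise = AuthServer(secret, {"admin1": "10", "admin2": "20"})  # constructed identity store
    switch = Authenticator(ise, secret)
    ok = switch.eapol_login("00:11:22:33:44:55", "admin1")
    bad = switch.eapol_login("66:77:88:99:aa:bb", "guest")
    return ok, bad, ise.accounting_log


if __name__ == "__main__":
    print(demo())  # ('10', None, [('admin1', 1)])
```

The three phases show up as three distinct steps: the server's lookup of the identity is authentication, the VLAN attribute in the Access-Accept is the authorization the switch enforces on the port, and the Accounting-Request with Acct-Status-Type Start is the record MnT would report on. Swapping the shared secret on either side makes the authenticator check fail, which is why the secret configured under the network device in ISE must match the switch.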

You can go to Home and see Endpoints, Guests, et cetera. Then you have Context Visibility, Operations, Policy, Administration, Work Centers, et cetera. One by one I will show you a few of the tabs you can check on the dashboard. Okay, so let me log into my ISE and show you all these things in the ISE dashboard. Here I have my ISE; let me log into my server, and it will start loading. Once I log in, I will show you a few of the tabs on the top. If you are logging in for the first time it takes a while to load; it depends on your server capabilities. If you have good server hardware resources, it will log in immediately. Now here it shows the login message: successful. I am able to log in successfully.

On the top the tabs are small, but you can see that we have Home, then Endpoints. At the moment everything is blank; nothing is connected. Here we have Guests, Vulnerability, Threat. Then you can see Context Visibility: Endpoints, Users, Network Devices, Applications. Then Operations: under RADIUS we can check Live Logs and Live Sessions, and TACACS Live Logs. So all the log-related things are inside Operations. Then Policy: we can create policies, say for authentication, authorization, authorization profiles, et cetera. You can go inside Policy, then Authorization, and create an authorization profile. You have downloadable ACLs, all these things. Some of the profiles are created by default.

But you can create your own as well. Then inside Administration you can see some very important tabs. We have System: Deployment, Licensing, Certificates, Logging, Maintenance, Upgrade, et cetera. Identity Management is also very important: you create user accounts and groups, and you connect to Active Directory or third-party groups, meaning you create groups to connect to third-party databases as well. So there you have Identity Sources and Identity Source Sequences. Under Network Resources you add switches, firewalls and routers to ISE for authentication and authorization purposes. Then you have Network Device Groups, External RADIUS Servers, et cetera. You have Device Portal Management, where you do Blacklist, BYOD, Certificate Provisioning, Client Provisioning, all those things.

We have pxGrid, through which we can send contextual information to other third-party software. Then I am going to click the last tab, Work Centers. If I click there, you will see how many options we have. Inside Work Centers I have Network Access, Guest Access, and TrustSec, one of the very important features of ISE, from where you can use SXP as well as tag-based policies. Then the complete BYOD policy set, Profiler, Posture, Device Administration, PassiveID. So you can see how many options we have, and inside each option you will also find options to add, delete or enforce policy. So all these things we have inside ISE.
