This chapter describes the commands used to manage router security as it relates to modifying the configuration and monitoring the activity of the router.
To log into a remote router to make configuration changes, use the login command.
LOGIn [ipaddress | ethernetaddress | connectionid | REmote]
| Keyword or Argument | Description |
|---|---|
| ipaddress | IP address of a device on the same IP network or of a remote router connected across the ISDN line. The IP address must be entered in four-part dotted decimal format. |
| ethernetaddress | |
| connectionid | User profile connection identification used for remote login. |
| REmote | Log into a router connected to the ISDN line. Use this keyword while in profile mode. |

Default: None
Command mode: System or profile mode
If access to the router has been restricted with the set local access command, you are required to enter the router system password before making any configuration changes.
You can log into only a Cisco 700 series router that is directly connected to your terminal or a remote Cisco 700 series router that has an active ISDN or Ethernet connection to your router. After 5 minutes of no activity, the remote router logs you out. Use the logout command to log out of the remote router manually.
Used without an argument or keyword, this command logs you into the router directly connected to your terminal through the console port.
The following example shows how to log into a remote router, from a profile, across the ISDN connection by using the remote router IP address:
Host> login 150.150.50.25 remote
Related commands: logout, set local access, set remote access
To end any remote session initiated with the login command, use the logout command.
LOGOut

Default: None
Command mode: System or profile mode
The following example ends a remote session initiated with the login command:
Host> logout
Related commands: login, set local access, set remote access
| Keyword or Argument | Description |
|---|---|
| number | Remote router telephone number entered with the set callidreceive command. |
| ALl | Delete all remote router telephone numbers entered with the set callidreceive command. |

Default: None
Command mode: System mode
The following example deletes a caller ID receive number entered with the set callidreceive command:
Host> reset callidreceive 5559020
Related commands: set callerid, set callidreceive
To enable ISDN caller ID authentication, use the set callerid command.
SEt CALLErid ON | OFf
| Keyword | Description |
|---|---|
| ON | |
| OFf | Disable ISDN caller ID authentication. |

Default: Off (disabled)
Command mode: System level
The calling device is authenticated by its telephone number using caller ID (a service offered by the ISDN service provider).
The following example enables caller ID checking for all ISDN connections:
Host> set callerid on
To change the callback delay, use the set clicallback command.
SEt CLICallback OFf | ON [# of digit to match] [DElay seconds]
| Keyword or Argument | Description |
|---|---|
| ON | Enables caller ID callback. |
| OFf | Disables caller ID callback. |
| # of digit to match | Minimum number of digits (from right to left) to be matched. |
| seconds | Time between the rejection of incoming messages and the callback. Valid range is 3 to 30 seconds. |

Default: 10-second delay for all switch types.
Command mode: Profile mode
In software Release 4.0(1), the callback delay was a fixed value of 3 seconds. In software Release 4.1(2) and higher, the value can be set from 3 to 30 seconds by using the set clicallback delay command.
Because clicallback rejects calls when a match is found and cliauthentication accepts calls when a match is found, clicallback has precedence over cliauthentication. For cliauthentication to be active, clicallback must be turned off.
The following example sets the callback delay to 7 seconds:
Host> set clicallback on delay 7
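As an added illustration (not part of the Cisco documentation), the following Python model shows how the caller ID settings described above interact: set callerid on accepts only calls from numbers entered with set callidreceive, set clicallback on rejects a call whose rightmost digits match and calls back after the configured delay, and clicallback has precedence over caller ID authentication. The data structure, function names and the treatment of an unmatched call while clicallback is on are assumptions of this model; the 3 to 30 second delay range comes from the chapter.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CallerIdConfig:
    """Caller ID settings modelled on set callerid, set callidreceive and set clicallback."""
    callerid_on: bool = False                # set callerid on|off (default off)
    accept_numbers: List[str] = field(default_factory=list)  # set callidreceive <number>
    clicallback_on: bool = False             # set clicallback on|off
    digits_to_match: Optional[int] = None    # "# of digit to match", counted from the right
    callback_delay: int = 10                 # delay in seconds (default 10)


def set_clicallback_delay(cfg: CallerIdConfig, seconds: int) -> None:
    """Apply 'set clicallback ... delay <seconds>', enforcing the documented 3 to 30 second range."""
    if not 3 <= seconds <= 30:
        raise ValueError("callback delay must be between 3 and 30 seconds")
    cfg.callback_delay = seconds


def suffix_match(configured: str, incoming: str, digits: Optional[int]) -> bool:
    """True when the rightmost `digits` digits agree; None requires the whole number to match."""
    if digits is None:
        return configured == incoming
    if len(configured) < digits or len(incoming) < digits:
        return False
    return configured[-digits:] == incoming[-digits:]


def screen_call(cfg: CallerIdConfig, incoming: str) -> str:
    """Decide what happens to an incoming call carrying caller ID `incoming`.

    Returns 'callback:<seconds>', 'accept' or 'reject'. 'accept' only means the call
    passes caller ID screening; PPP authentication (not modelled here) still follows.
    """
    # clicallback has precedence: a match rejects the call and schedules a callback.
    if cfg.clicallback_on:
        if any(suffix_match(n, incoming, cfg.digits_to_match) for n in cfg.accept_numbers):
            return f"callback:{cfg.callback_delay}"
        # While clicallback is on, caller ID authentication is inactive; assumption of this
        # model: the call is not screened further by caller ID.
        return "accept"
    # Caller ID authentication: accept only numbers entered with set callidreceive.
    if cfg.callerid_on:
        return "accept" if any(suffix_match(n, incoming, None) for n in cfg.accept_numbers) else "reject"
    return "accept"
```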
To enter the ISDN telephone number from which the router accepts calls when caller ID checking is enabled, use the set callidreceive command.
SEt CALLIdreceive number
| Argument | Description |
|---|---|
| number | ISDN phone number of a remote router from which the router accepts calls when caller ID checking is enabled with the set callerid command. |

Default: No caller ID receive number is configured.
Command mode: System level
To delete a telephone number set with this command, use the reset callidreceive command.
The following example enters the telephone number for a remote router authenticated when caller ID checking is enabled:
Host> set callidreceive 4085559020
Related commands: reset callidreceive, set callerid
To restrict the commands allowed at the local port, use the set localaccess command.
SEt LOcalaccess ON | PArtial | PROtected
| Keyword | Description |
|---|---|
| ON | Set commands to be performed without restriction. |
| PArtial | Set commands to be performed with partial restriction. |
| PROtected | Set commands to be performed with system password only. |

Default: On (enabled for all commands)
Command mode: System mode
To use dual tone multifrequency (DTMF) commands from the telephone keypad, the set local access command must be set to on, and a system password must be set with the set password command. Table 4-1 describes the set local access command settings.
| Command | On | Partial | Protected |
|---|---|---|---|
| call | See Note 1 | | P (Note 2) |
| cd | | | P |
| demand | | P | P |
| disconnect | | | P |
| establish | | | P |
| help | | | P |
| log | | | P |
| login and logout | | | |
| ping | | | P |
| reboot | | P | P |
| release | | | P |
| reset commands | | P | P |
| set commands | | P | P |
| show commands | | | P |
| software load | | P | P |
| test commands | | | P |
| timeout | | P | P |
| unlearn | | | P |
| unset commands | | P | P |
| upload | | P | P |
| version | | | P |

Note 1: An empty cell indicates that the command can be performed remotely without restrictions.
Note 2: P indicates that the system password must be entered before using the command.
The following example configures local configuration access to protected:
Host> set localaccess protected
Related commands: set password
To set the inactivity timer for remote logins, use the set logout command.
SEt LOGout minutes
| Argument | Description |
|---|---|
| minutes | Number of minutes of inactivity on a remote login Telnet session before the remote user is logged out. To disable the auto logout feature, use a logout value of 0. |

Default: 5 minutes
Command mode: System mode
The following example disables the remote inactivity timer session:
Host> set logout 0
To set a password, use the set password command.
SEt PAssword SYstem [ENcrypted] [<password>]
| Keyword or Argument | Description |
|---|---|
| SYstem | Configure the system password that authenticates users requesting a local or remote configuration session. |
| ENcrypted | Used by the computer when loading a saved configuration text file (UPL output) into the router. |
| password | Password used for authentication. If the password is absent from the command statement, you are prompted for the entry. |

Default: No passwords
Command mode: System mode
The system password can consist of 1 to 30 characters. The command should be preceded with the set remote access or set local access command. If a password is not included in the command line, you are prompted to enter the password. When configuring a system password, you are also prompted for a username to associate with the password. This username can consist of 1 to 7 characters.
The encrypted parameter is used by the computer when loading a saved configuration into the router. If UPL is run, the system password is displayed. For example:
set password system encrypted 053b2b3c09641f
When this command is loaded back into the original router (or another router), the router knows the password is already encrypted by examining the encrypted parameter.
The password can also be included in a configuration file, which generates a set password command containing either an unencrypted or an encrypted password for PPP authentication.
The following example configures a host password for profile 2503:
Step 1 Enter the set password command:
Host:2503> set password system
Step 2 Enter your host password (your password is not echoed on the screen):
Enter new Password: <new password>
Step 3 Reenter your host password for confirmation:
Re-Type new Password: <new password>
Step 4 Enter the username you want associated with the host password:
Enter User Name: johndoe
Related commands: login, logout, set local access, set remote access
To restrict remote configuration access to the router, use the set remote access command.
SEt REmoteaccess OFf | PRotected | PArtial
| Keyword | Description |
|---|---|
| OFf | No remote login sessions are allowed. |
| PRotected | Set commands to be performed with system password only. |
| PArtial | Set commands to be performed with partial restrictions. |

Default: Off
Command mode: System mode
Table 4-2 describes the set remote access command settings.
| Commands | Partial | Protected | Off |
|---|---|---|---|
| call | See Note 1 | P (Note 2) | X (Note 3) |
| demand | P | P | X |
| disconnect | | P | X |
| help | | P | X |
| log commands | | P | X |
| login | | | X |
| logout | | | X |
| reboot | | P | X |
| reset commands | P | P | X |
| set commands | P | P | X |
| show commands | | P | X |
| software load | P | P | X |
| test commands | | P | X |
| timeout | P | P | X |
| unset commands | P | P | X |
| upload | | P | X |
| version | | P | X |
| cd | | | P |
| establish | | | P |
| ping | | | P |
| release | | | P |
| unlearn | | | P |
The following example configures the router for protected remote access:
Host> set remote access protected
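The set password, set logout, set localaccess and set remote access settings above are the ones a reviewer checks first in a saved configuration text file (UPL output). The following Python audit is an added example, not Cisco's tooling: it flags a clear-text system password (no encrypted keyword), partial remote access and on local access (which, per Tables 4-1 and 4-2, let some or all commands run without the system password), a disabled inactivity timer, and remote access without any system password. The sample configuration is constructed, and the script assumes keywords are spelled out in full rather than in their abbreviated forms.

```python
import re
from typing import List

# Constructed sample of a saved configuration text file (UPL output); not a real router dump.
SAMPLE_CONFIG = """\
set password system encrypted 053b2b3c09641f
set remoteaccess partial
set localaccess on
set logout 0
set callerid off
"""

# Both spellings used in this chapter ("set remote access" / "set remoteaccess") are accepted.
# Assumption: the saved file spells keywords out in full rather than abbreviated (SEt, REmote...).
_RE_PASSWORD = re.compile(r"^set\s+password\s+system(?:\s+(encrypted))?(?:\s+(\S+))?$", re.I)
_RE_REMOTE = re.compile(r"^set\s+remote\s*access\s+(\w+)$", re.I)
_RE_LOCAL = re.compile(r"^set\s+local\s*access\s+(\w+)$", re.I)
_RE_LOGOUT = re.compile(r"^set\s+logout\s+(\d+)$", re.I)


def audit_config(text: str) -> List[str]:
    """Return findings for the access-control settings described in this chapter."""
    findings: List[str] = []
    remote = "off"          # documented default for set remote access
    have_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _RE_PASSWORD.match(line)):
            have_password = True
            if m.group(2) and not m.group(1):
                findings.append("system password stored in clear text (no 'encrypted' keyword)")
        elif (m := _RE_REMOTE.match(line)):
            remote = m.group(1).lower()
            if remote == "partial":
                findings.append("remote access 'partial': Table 4-2 lets several commands run without the system password")
        elif (m := _RE_LOCAL.match(line)):
            if m.group(1).lower() == "on":
                findings.append("local access 'on': Table 4-1 lets all console commands run without the system password")
        elif (m := _RE_LOGOUT.match(line)):
            if int(m.group(1)) == 0:
                findings.append("remote inactivity timer disabled (set logout 0)")
    # The login entry above notes the system password is what gates restricted access.
    if remote != "off" and not have_password:
        findings.append("remote access is enabled but no system password is configured")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```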
To display the security configurations, use the show security command.
SHow SEcurity [ALl]
| Keyword | Description |
|---|---|
| ALl | In profile mode, display all security configurations as if the command were issued in system mode. Ignored in system mode. |

Command mode: System or profile mode
The following example shows output from the show security command in system mode:
Host> show security
System Parameters
Security
Access Status
System Password NE
Remote Configuration PROTECTED
Local Configuration
Logout Timeout 5
Caller ID Security OFF
Caller Id Numbers
PPP Security
PPP Authentication IN CHAP PAP
CHAP REFUSE NONE
CHAP ALLOW MULTIHOST OFF
Profile Parameters
PPP Security
PPP Authentication OUT NONE
Token Authentication Support
TAS Client 0.0.0.0
Use Local CHAP Secret ON
Client User Name NONE
Client PAP Password NONE
Client CHAP Secret NONE
Host PAP Password NONE
Host CHAP Secret NONE
Callback Request OFF
Callback Reply OFF
The following example shows output from the show security command in profile mode:
Host:temp> show security
PPP Security
PPP Authentication OUT NONE
PPP Authentication ACCEPT EITHER
Token Authentication Support
TAS Client 0.0.0.0
Use Local CHAP Secret ON
Client User Name odc7
Client PAP Password NONE
Client CHAP Secret NONE
Host PAP Password NONE
Host CHAP Secret NONE
Callback Request OFF
Callback Reply OFF
Table 4-3 lists the significant fields shown in the display.
| Field | Description |
|---|---|
| System Parameters | |
| Access Status | Indicates remote access is enabled. Can be on or off. |
| System Password | Indicates a system password has been entered with the set password system command. Can be none or exists. |
| Remote Configuration | Remote access restriction as configured with the set remote access command. |
| Local Configuration | Local configuration restriction as configured with the set local access command. |
| Caller ID Security | Indicates caller ID is enabled. Can be on or off. |
| Caller ID Number | Phone numbers entered with the set callidreceive command. |
| PPP Authentication In | PPP authentication method for incoming calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication in command. |
| Profile Parameters | Security configurations that apply to the profile. If you are using the show security command in system mode, these configurations make up the profile template for security parameters. |
| PPP Authentication Out | PPP authentication method used for outgoing calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication out command. |
| PAP Client Password | PAP client password entered with the set ppp password command. Can be none or exists. |
| CHAP Client Secret | CHAP client password entered with the set ppp secret command. Can be none or exists. |
| Callback ID Security | Indicates callback authentication is enabled. Can be on or off. |
| CHAP Refuse | Indicates rejection of CHAP challenges. |
| CHAP Allow Multihost | Indicates whether CHAP challenges with multiple hostnames are allowed. Can be on or off. |
| Callback | Indicates callback is enabled. Can be on or off. |
| Callback Numbers | Numbers entered with the set clicallback command. |
| Number of Host Passwords | Number of host passwords that have been entered with the set password command. |
| PAP Host Password | PAP host password entered with the set ppp password command. Can be none or exists. |
| CHAP Host Secret | CHAP host password entered with the set ppp secret command. Can be none or exists. |
| Callback Request | Request a callback from the remote unit. Can be on or off. |
| Callback Reply | Perform a callback if requested to do so by the remote router. Can be on or off. |
Related commands: set clicallback, set local access, set password, set ppp authentication, set ppp password, set ppp secret, set remote access
Posted: Thu Jul 8 12:48:57 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.