Sunday, March 19, 2006


Configuring Authentication and Authorization. (Question #44)

Configure a router with AAA to do the following -

  1. User with username "user1" should have password "foo1".
  2. User with username "admin" should have password "foo2".
  3. User "user1" should be able to issue the "show version" command but not the "show running" command.
  4. User "admin" should be able to issue both the "show version" command and the "show running" command.
  5. When users attempt to log into the router, they should be prompted with the prompt "Enter username now : ".
  6. The password should be prompted as "Enter password now : ".
  7. User "user1" should be able to telnet to 10.10.10.10 but not to 10.10.10.1.
  8. User "admin" should be able to telnet to both 10.10.10.10 and 10.10.10.1.


Using the reload command for fun and profit.

If I ever teach a class on Cisco IOS, here is one trick I want to use in class. I will log into the console of a router and claim that the router has been upgraded to a version of IOS that responds to voice commands. I will then proceed to speak in a slow and measured voice and say, "reload". Nothing will happen and I will tell the class that this is new functionality in IOS and perhaps not quite ready for prime time yet. Then I will get closer to the mic on my laptop, through which I would be connected to the network, and say again, "router, reload now!" for emphasis. The students would see on the screen that the router actually responds to my command, and indeed reloads. In particular, they would see the following -

***
*** --- SHUTDOWN NOW ---
***

Configuration register is 0x2102

A reload is imminent.
Router1#
13w1d: %SYS-5-RELOAD: Reload requested by console.
System Bootstrap, Version 12.2(14r)SZ1, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2003 by cisco Systems, Inc.

I will probably let them believe for a while that it responded to my voice and then introduce them to the reload in command. Of course, I would have issued a reload in command in advance on the router and would have to time myself properly to make the trick work. The reload in command is very useful for scheduling a reload in advance, usually as a recovery mechanism, and cancelling it with reload cancel if the scheduled reload turns out to be unnecessary.

One common usage I have seen is when people are playing with setting up their AAA configuration. What happens sometimes is that people mess up the AAA configuration and lock themselves out of the system. What one can do to avoid getting locked out like that is to issue a reload in command to reload in, say, an hour and then start playing with the AAA configuration, being careful not to save anything to NVRAM. The startup-config is still the old working AAA config that will certainly let you back in. That way, if you happen to lock yourself out of the router as you are experimenting with new config, the scheduled reload guarantees that you get back in within the hour. If you manage to change the AAA config to your satisfaction without locking yourself out accidentally, do remember to cancel the scheduled reload using the reload cancel command.
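Putting the two posts together, here is an added example (not from the original posts) of one local-AAA answer to Question #44, wrapped in the reload in safety net described above. It assumes the users log in over the vty lines against the local user database, that "show running-config" keeps its default privilege level of 15 and "show version" its default of 1, and that the per-user access-class option of the username command (which overrides the line's outbound access-class for that session) is available on the IOS in use; the hostname Router1 is taken from the console output above.

```cisco
! Added example, not the original post's configuration.
!
! Step 0: safety net. If the AAA changes below lock us out, the router
! reloads from the untouched startup-config in 60 minutes.
Router1# reload in 60
Router1# configure terminal
!
! Requirements 1-4: local users. "show version" is a level-1 command and
! "show running-config" is level 15 by default, so privilege levels alone
! give user1 the first but not the second, and admin both.
Router1(config)# username user1 privilege 1 secret foo1
Router1(config)# username admin privilege 15 secret foo2
!
! Requirements 7-8 (assumption: per-user "access-class" on the username
! command is supported on this IOS). A standard ACL ends in an implicit
! deny, so user1 can open a telnet session to 10.10.10.10 only.
Router1(config)# access-list 10 permit host 10.10.10.10
Router1(config)# access-list 11 permit host 10.10.10.10
Router1(config)# access-list 11 permit host 10.10.10.1
Router1(config)# username user1 access-class 10
Router1(config)# username admin access-class 11
!
! Turn on AAA, authenticate logins against the local database, and let
! exec authorization apply each user's privilege level at login.
Router1(config)# aaa new-model
Router1(config)# aaa authentication login default local
Router1(config)# aaa authorization exec default local
!
! Requirements 5-6: custom prompts (the quotes keep the trailing space).
Router1(config)# aaa authentication username-prompt "Enter username now : "
Router1(config)# aaa authentication password-prompt "Enter password now : "
Router1(config)# end
!
! Verify from a second session BEFORE saving: log in as user1, confirm
! "show running-config" is rejected and "telnet 10.10.10.1" is denied by
! the access list, then log in as admin and confirm both work.
! Only then cancel the safety net and save.
Router1# reload cancel
Router1# copy running-config startup-config
```

If the verification step fails and the original session is already locked out, simply do nothing: the pending reload restores the working startup-config.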
