Securing VTY configuration


trevorh13

Instructor
Sep 18, 2000
I am a CCNA and am involved with the delivery of CCNA training courses. I want to hook a couple of 2501's up to dial in lines via the AUX port so students on distance study courses can practise doing basic configs. What I am wondering is this:-

Is there a way of preventing students from having access to a particular configuration mode? E.g. permit them access to global config but deny them the ability to access VTY configuration. E.g. it prompts for a password when the command "line vty 0 4" is entered?

Any help would be greatly appreciated.


Many thanks.

Trev

 
If your students have global privileges, then that's what they'll have. They can then change pretty much what they want. If you want to restrict them on commands, then you need to set up a TACACS+ v3.0 server and have them authenticate through the server. Then you can assign them a privilege level (lower than 15) and then assign commands to that privilege level.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Do you know any good reference sites, preferably with examples of how to set up and configure a TACACS server? I've looked, but haven't found any with useful information on initial configs.

Thanks,
Burke
 
Yep.. TACACS+ or Radius will let you set up command authorization. In other words, each command is checked to see if you have the *rights* to use it. You could also set it with privilege levels tied to users but it would be ugly.

aaa new-model
! Logins try the TACACS+ server first and fall back to the enable password
! only if the server cannot be reached
aaa authentication login default tacacs+ enable
! A method list with no authentication, for lines that must not lock you out
aaa authentication login old_way none

! commands are authorized here: every command typed at these levels is sent
! to the TACACS+ server, which answers permit or deny
aaa authorization commands 1 tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
! notice BOTH levels of commands are authorized. Just an experiment on my part
! accounting records go to the same server (start and stop of each session)
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting system start-stop tacacs+

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
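As an added example that is not part of any post in this thread, here is the local privilege-level approach MikeS mentions as the "ugly" alternative, written up for the original question: it needs no TACACS+ or RADIUS server at all. IOS has no per-command password prompt, so the closest you can get to "prompt for a password on line vty 0 4" is to log students in at a lower privilege level, move only the commands they are allowed to use down to that level, and leave line (and every other unlisted command) at its default level 15, which a trainer reaches with "enable 15". The level number 7, the usernames, passwords and the exact list of permitted commands are assumptions chosen for the example, not anything from the thread.

```cisco
! Added example: local privilege levels instead of TACACS+ command authorization.
! Assumed: students run at level 7, the trainer at level 15 (not from the thread).

! Students land at level 7 on login, the trainer at level 15.
! Use "password" instead of "secret" on IOS trains that lack "username ... secret".
username student privilege 7 secret StudentPass1
username trainer privilege 15 secret TrainerPass1
enable secret TrainerEnable1

! Let level-7 users enter global configuration mode...
privilege exec level 7 configure terminal
! ...but only the configuration commands listed here are moved down to level 7.
! Anything not listed ("line vty 0 4", "username", "enable secret", "aaa ...",
! "privilege ...") stays at its default level 15 and is rejected as an
! invalid command for a level-7 user.
privilege configure level 7 hostname
privilege configure level 7 interface
privilege configure level 7 ip route
privilege interface level 7 description
privilege interface level 7 ip address
privilege interface level 7 shutdown

! EXEC commands the students need to check their work.
! Caveat: on many IOS versions "show running-config" at a level below 15 only
! shows the commands that level is allowed to use, so expect a sparse listing.
privilege exec level 7 show running-config
privilege exec level 7 show ip interface brief
privilege exec level 7 show ip route

! The dial-in AUX port the students arrive on: "login local" applies the
! privilege level carried on the username.
line aux 0
 login local
 modem inout
 transport input all
 exec-timeout 30 0

! A trainer in a student session types "enable 15" and the enable secret to
! reach level 15; "show privilege" displays the level currently in effect.
```

To verify the restriction, log in as the student, enter configure terminal, and confirm that "interface ethernet 0" is accepted while "line vty 0 4" is refused; then "enable 15" with the enable secret and confirm the same command is accepted. Keep the enable secret out of the students' hands, since it is the only thing standing between level 7 and full control of the router.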
 
Is Tacacs a cisco product then or is it simply some kind of Authentication Service? MikeS mentioned Radius - if I installed the IAS Service on a 2K server that provides RADIUS support, would this be sufficient or do I need a Cisco feature pack? I have never come across TACACS previously.

Many thanks for your assistance so far folks it is appreciated
 
TACACS is a Cisco product. You can purchase it by contacting your local Cisco Rep. I don't know about the Win2k that you mentioned.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Many thanks everybody for your help and assistance. Looks like another piece of software for me to learn - sometimes it seems never ending but guess that's the fun of the IT world!
 
Sorry but TACACS is not a *cisco product* per se. It's offered for free without support. There are other free TACACS+ servers available. We have several listed on our download page at packetattack.com

TACACS+ Freeware for First-Time Users

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 