Troubleshooting
What we’ll do now is create a fresh
router configuration to do some troubleshooting, so if you’re following along,
then start again from scratch.
First we’ll assign an IP address to
the router so we can connect to it.
R1(config)#interface
loopback 0
R1(config-if)#ip
address 10.0.0.1 255.255.255.0
Create a
user with privilege level 15
R1(config)#username
admin privilege 15 secret password
Enable aaa
and create authentication, and authorisation lists.
The exec
authorisation list will create an exec shell and place the user in in their
privilege level automatically. The
commands list will require authorisation for every level 15 command issued.
R1(config)#aaa
new-model
R1(config)#aaa
authentication login LOCALAUTH local
R1(config)#aaa
authorization exec EXECPROMPT local
R1(config)#aaa
authorization commands 15 PRIV15COMM local
Apply the
lists to the telnet port
R1(config)#line
vty 0 4
R1(config-line)#login
authentication LOCALAUTH
R1(config-line)#authorization
exec EXECPROMPT
R1(config-line)#authorization
commands 15 PRIV15COMM
R1(config-line)#exit
Issue the
debug commands so that we can see the output when we try to connect.
R1#debug aaa
authentication
R1#debug aaa
authorization
R1#telnet
10.0.0.1
Trying
10.0.0.1 ... Open
User Access
Verification
Username:
admin
*Nov 24
16:10:57.615: AAA/BIND(0000000D): Bind i/f
*Nov 24
16:10:57.623: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'LOCALAUTH'
Password:
R1#
*Nov 24
16:11:05.963: AAA/AUTHOR (0xD): Pick method list 'EXECPROMPT'
*Nov 24
16:11:05.971: AAA/AUTHOR/EXEC(0000000D): processing AV cmd=
*Nov 24
16:11:05.975: AAA/AUTHOR/EXEC(0000000D): processing AV priv-lvl=15
*Nov 24
16:11:05.975: AAA/AUTHOR/EXEC(0000000D): Authorization successful
Above we can
see that it picks the list ‘LOCALAUTH’ to authenticate the users which is the
list we specified earlier. We can also
see it picking the ‘EXECPROMPT’ list.
R1#conf t
Enter
configuration commands, one per line. End with CNTL/Z.
R1(config)#
*Nov 24
16:11:36.291: AAA/AUTHOR: auth_need : user= 'admin' ruser= 'R1'rem_addr=
'10.0.0.1' priv= 15 list= 'PRIV15COMM' AUTHOR-TYPE= 'command'
*Nov 24
16:11:36.295: AAA: parse name=tty2 idb type=-1 tty=-1
*Nov 24
16:11:36.295: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2
channel=0
*Nov 24
16:11:36.295: AAA/MEMORY: create_user (0x68733894) user='admin' ruser='R1'
ds0=0 port='tty2' rem_addr='10.0.0.1' authen_type=ASCII service=NONE priv=15
initial_task_id='0', vrf= (id=0)
*Nov 24
16:11:36.299: tty2 AAA/AUTHOR/CMD (3587652350): Port='tty2' list='PRIV15COMM'
service=CMD
*Nov 24
16:11:36.299: AAA/AUTHOR/CMD: tty2 (3587652350) user='admin'
*Nov 24
16:11:36.299: tty2 AAA/AUTHOR/CMD (3587652350): send AV service=shell
*Nov 24
16:11:36.299: tty2 AAA/AUTHOR/CMD (3587652350): send AV cmd=configure
*Nov 24
16:11:36.299: tty2 AAA/AUTHOR/CMD (3587652350): send AV cmd-arg=terminal
*Nov 24
16:11:36.303: tty2 AAA/AUTHOR/CMD (3587652350): send AV cmd-arg=<cr>
*Nov 24
16:11:36.303: tty2 AAA/AUTHOR/CMD(3587652350): found list "PRIV15COMM"
*Nov 24
16:11:36.303: tty2 AAA/AUTHOR/CMD (3587652350): Method=LOCAL
*Nov 24
16:11:36.303: AAA/AUTHOR (3587652350): Post authorization status = PASS_ADD
*Nov 24
16:11:36.303: AAA/MEMORY: free_user (0x68733894) user='admin' ruser='R1'
port='tty2' rem_addr='10.0.0.1' authen_type=ASCII service=NONE priv=15 vrf=
(id=0)
When we
issue the ‘conf t’ command, the debug log shows a reference to the "PRIV15COMM"
list.
Role-based access configuration
What we are
doing here is assigning commands to a custom privilege level, in this case
privilege level 10. If a user connects
at privilege level 10, they will now be able to issue the ‘configure terminal’
command. We are also issuing a new
enable password specifically for privilege level 10.
R1(config)#privilege
exec level 10 configure terminal
R1(config)#enable
secret level 10 0 newpassword
R1>show
privilege
Current
privilege level is 1
R1>enable
?
<0-15> Enable level
view Set into the existing view
<cr>
Log in as
privilege 10, enter configuration mode, and with the ‘?’ you can see what
commands are available to you. Because
we haven’t configured any custom commands apart from the configure terminal,
this is the default for level 10.
R1>enable
10
Password:
R1#conf t
R1(config)#?
Configure
commands:
beep Configure BEEP (Blocks Extensible Exchange
Protocol)
call Configure Call parameters
default Set a command to its defaults
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
netconf Configure NETCONF
no Negate a command or set its defaults
oer Optimized Exit Routing configuration submodes
sasl Configure SASL
wsma Configure Web Services Management Agents
Custom views
Begin the
view creating process, using the enable secret configured earlier.
R1#enable
view
Password:
Create a
view called ‘TESTVIEW’, assign it a secret, and assign the commands available
to that view. In this case we are allowing
all show commands, plus ping and traceroute, this might be a view you use for
first line troubleshooting to allow them to investigate incidents but not allowing
any configuration changes.
R1(config)#parser
view TESTVIEW
R1(config-view)#secret
testviewpassword
R1(config-view)#commands
exec include ping
R1(config-view)#commands
exec include all show
R1(config-view)#commands
exec include traceroute
R1#enable
view TESTVIEW
Password:
Switch to
the new view and by issuing the ‘?’ command we can see what is available to us.
R1#show
parser view
Current view
is 'TESTVIEW'
R1#?
Exec
commands:
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information
traceroute Trace route to destination
Lastly, we
can assign views to users, so when the use logs in they are automatically put
into this view, with the associated commands available to them.
R1(config)#username
TEST view TESTVIEW secret ciscoSSH and HTTPS
We’re going
to start with a fresh config again, so issue the ‘write erase’ command if you’ve
been applying the configuration so far.
In order to
allow connectivity by SSH we have to generate a public/private key pair.
As we can
see with these commands, first we need to define a custom hostname, and a
custom domain name.
Router(config)#crypto
key generate rsa
% Please
define a hostname other than Router.
Router(config)#hostname
TestRouter
TestRouter(config)#crypto
key generate rsa
% Please
define a domain-name first.
TestRouter(config)#ip
domain-name test.com
TestRouter(config)#crypto
key generate rsa
The name for
the keys will be: TestRouter.test.com
Choose the
size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus
greater than 512 may take
a few minutes.
How many
bits in the modulus [512]: 1024
% Generating
1024 bit RSA keys, keys will be non-exportable...[OK]
TestRouter(config)#username
test secret testpassword
TestRouter(config)#aaa
new-model
TestRouter(config)#aaa
authentication login TESTLIST local
TestRouter(config)#line
vty 0 4
TestRouter(config-line)#login
authentication TESTLIST
TestRouter(config)#int loopback 0
TestRouter(config-if)#ip address
*Nov 25 10:13:52.159:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
TestRouter(config-if)#ip address 10.0.0.1
255.255.255.0
We can now use our test account to
verify that we can SSH to the router.
TestRouter#ssh -l test 10.0.0.1
Password:
TestRouter>show ssh
Connection Version Encryption State Username
0 1.5 3DES Session started test
%No SSHv2 server connections
running.
TestRouter>
TestRouter(config)#ip http
secure-server
% Generating 1024 bit RSA keys, keys
will be non-exportable...[OK]
TestRouter(config)#
*Nov 25 11:19:45.691:
%PKI-4-NOAUTOSAVE: Configuration was modified.
Issue "write memory" to save new certificate
TestRouter(config)#ip http
authentication local
TestRouter#wr mem
Logging
Logging is incredibly important for troubleshooting
so we will run through some basic logging tasks.
First we can see that currently
there is no time associated with the current logging details, so let’s fix
that.
TestRouter(config)#int fa 0/0
TestRouter(config-if)#no shut
TestRouter(config-if)#
%LINK-3-UPDOWN: Interface
FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol
on Interface FastEthernet0/0, changed state to up
TestRouter(config)#service
timestamps log datetime
TestRouter(config)#int fa0/0
TestRouter(config-if)#shut
TestRouter(config-if)#
*Nov 25 11:24:39: %LINK-5-CHANGED:
Interface FastEthernet0/0, changed state to administratively down
*Nov 25 11:24:40:
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state
to down
We also can configure logging to a
syslog server, and logging to the buffer.
We ca configure custom logging levels to include as well, note that any
logging level we choose will also include any messages at a higher
importance. So if we set logging to debugging,
it will include all events, but if we set it to informational, then it will
include all higher, but will exclude debugging messages.
First point the logging to a
configured syslog server, and set the level to debugging.
TestRouter(config)#logging
192.168.0.1
TestRouter(config)#logging trap
debugging
We can also output logs to the
buffer, and configure the size of the buffer at the same time. Due to the size of the buffer we will only
include more important messages:
TestRouter(config)#logging buffered
8192 errorsSNMP
Simple Network Management Protocol
(SNMP) is the protocol which we use to manage network nodes; it is most often
used as a way of centralising information about all our network devices and providing
overview of issues that may have occurred in the network.
SNMP consists of 3 components:
·
SNMP
manager – Sometimes called a Network Management Server (NMS)
·
SNMP
agent – software which runs on the network device
·
Management
Information Base (MIB) – defined by a series of objects, which is defined by
the MIB. A collection of unique numbers
associated with each of the individual components of the device.
There are also 3 main varieties of
SNMP messages:
·
GET
– used to retrieve information from a device
·
SET
– used to set a variable in a device
·
Trap
– a message from a device to the manager about an event.
SNMP can pose a major security to
our network, particularly if we use SNMPv or v2c. If an attacker were able to get a rogue NMS
onto our network, not only could they gain information about all the devices in
our network, using SET messages they could potentially alter our device configuration. Versions 1 and 2c of SNMP both use the
concept of community strings to verify access to a device, essentially passwords;
however these weaknesses have been addressed in version 3.
SNMP version 3 introduces the
concept of security levels:
·
noAuthNoPriv
– no authentication of devices and no encryption of traffic.
·
authNoPriv
– authenticate devices using HMAC with MD5 or SHA, no encryption
·
authPriv
– authenticate as above, and provide encryption of traffic using CBC-DES
(DES-56)
This allows us to ensure integrity,
authentication and encryption in version 3.
Configuration is relatively simple:
Set the server location, contact,
community string and the host:
TestRouter(config)#snmp-server
location 10.0.0.25
TestRouter(config)#snmp-server
contact Test User
TestRouter(config)#snmp-server
community super-secret TEST
TestRouter(config)#snmp-server host
10.0.0.25 traps STRING
NTP
NTP version 3 also supports
authentication to ensure we are not getting an incorrect time from a rogue NTP
server.
TestRouter(config)#ntp
update-calendar
TestRouter(config)#ntp
authentication-key 1 md5 AUTHKEY
TestRouter(config)#ntp authenticate
TestRouter(config)#ntp trusted-key 1
TestRouter(config)#ntp server
10.0.0.27 key 1 source FastEthernet 0/0 prefer
Securing configuration files
To secure the boot image and
configuration files we just need to issue two commands. These commands ensure that the boot image and
configuration files cannot be deleted by a remote user:
The secure boot-image will fail in
GNS3 but the secure boot-config will work.
TestRouter(config)#secure boot-image
TestRouter(config)#secure
boot-config
TestRouter(config)#
*Nov 25 12:21:00:
%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive
[disk0:.runcfg-20141125-122059.ar]
Well that was a long couple of blog
posts, next up we’ll be looking at getting AAA running on IOS with an ACS
server.
No comments:
Post a Comment