25 - Implementing Secure Access Control Flashcards
What command will give full privileges on a router. By default, the password appears in the running config as a MD5 hash.
Enable secret
What command changes the algorithm type used to hash a configured password?
Enable algorithm-type
When viewed in the running config, a password hashed with SHA256 will show the number _ preceding the has value, while a password hashed with SCRYPT will show the number _. The SCRYPT algorithm is considered more resistant to brute force attacks than SHA-256. The MD5 algorithm is now considered insecure and should be avoided. If used, the number _ will appear before the hash value.
8, 9, 5
What command defines line password but still shows up in the runnin config in clear text?
Password
What command encrypts a password but the encryption isn’t very strong? This uses a Vigenere cipher also know as type 7 encryption
Service password-encryption
While this type of encryption can protect passwords from a casual observer, it can be easily deciphered if someone were to get the routers running config. Therefore Cisco recommends configured username/password combinations.
Vigenere cipher also know as type 7 encryption
What command enables the ability for someone to log in to the console port, supplying the configured password as their only authentication credential?
login
What command prevents users from remaining connected to a console port when they leave a station? When no user input is detected for 5 minutes, the user is automatically disconnected.
Exec-timeout 5 0
What command populates the locally stored user database?
Username privilege secret password –
Using the username command caused a __ hash of the password in the routers running config, which is more secure than type 7 encryption but could be still improved upon by either using type 8 or type 9
MD5
When viewing the running config, all passwords are hashed according to their individual encryption algorithms. What are these?
- 5 for MD5
- 9 for type 9 (SCRYPT)
- 8 for type 8 (SHA256)
- 7 for Vigenere
What command ensures all configured passwords are at least a specific length?
Security password min-length
What command allows only inbound SSH connections instead of telnet?
Transport input ssh
What command disables logins after a specific number of failed login attempts with a specific time?
Login block-for attempts within
What command allows named or numbered ACLs to identify permitted hosts to ensure that authorised devices can always connect?
Login quiet-mode access-class
What command specifies a number of seconds the user must wait between unsuccessful login attempts?
Login delay
What are the 3 A’s of AAA?
Authentication – who are you?
Authorisation – what are you allowed to do?
Accounting – what did you do?
RADIUS and TACACS+ are __ protocols.
AAA
Both RADIUS and TACACS+ protocols use the __model.
client-server
What is the AAA process when using TACACS+ or RADIUS?
- A user or machine sends request to a client. The client is also called a Network Access Server (NAS). Typically, this is a router, switch, firewall or AP.
- The client then communicates with a server by exchanging RADIUS or TACACS+ messages.
- If authentication is successful, the user is granted access to a protected resource such as a device CLI, network, and so on.
What are the features of RADIUS?
- Transport protocol = UDP ports 1812/1813
- AAA support - Combines authentication and authorisations and separates accounting
- Challenge response - One-way, unidirectional, with a single challenge response
- Security - Encrypts only password in packet
- Type – network access
What are the features of TACACS+?
- Cisco proprietary
- Transport protocol = TCP port 49
- AAA support – uses AAA model and separates 3 services
- Challenge response – Two way, bidirectional, with multiple challenge responses
- Security - Encrypts entire packet body
- Type – device administration
Which command enables AAA services?
aaa new model
Which command configures a local username?
username admin secret adminpass
