Cisco Router 860, 880 Series User Manual
17-3 Book Title OL-xxxxx-xx Chapter 17 Administering the Wireless Device

Preventing Unauthorized Access to Your Access Point

You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.

To prevent unauthorized access to the wireless device, you should configure one of these security features:

- Username and password pairs, which are locally stored on the wireless device. These pairs authenticate each user before the user can access the wireless device. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 17-7. The default username is Cisco, and the default password is Cisco. Usernames and passwords are case-sensitive.

  Note: Characters TAB, ?, $, +, and [ are invalid characters for passwords.

- Username and password pairs stored centrally in a database on a security server. For more information, see the “Controlling Access Point Access with RADIUS” section on page 17-9.

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.

Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.4.

This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:

- Default Password and Privilege Level Configuration, page 17-4
- Setting or Changing a Static Enable Password, page 17-4
- Protecting Enable and Enable Secret Passwords with Encryption, page 17-5
- Configuring Username and Password Pairs, page 17-7
- Configuring Multiple Privilege Levels, page 17-7
Default Password and Privilege Level Configuration

Table 17-1 shows the default password and privilege level configuration.

Table 17-1 Default Password and Privilege Levels

Feature: Username and password
Default Setting: The default username is Cisco, and the default password is Cisco.

Feature: Enable password and privilege level
Default Setting: The default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.

Feature: Enable secret password and privilege level
Default Setting: The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.

Feature: Line password
Default Setting: The default password is Cisco. The password is encrypted in the configuration file.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.

Note: The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the privileged EXEC mode.

To set or change a static enable password, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  enable password password
        Defines a new password or changes an existing password for access to privileged EXEC mode. The default password is Cisco.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:
        1. Enter abc.
        2. Enter Ctrl-V.
        3. Enter ?123.
        When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.
        Note: Characters TAB, ?, $, +, and [ are invalid characters for passwords.

Step 3  end
        Returns to privileged EXEC mode.

Step 4  show running-config
        Verifies your entries.

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        The enable password is not encrypted and can be read in the wireless device configuration file.

This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):

AP(config)# enable password l1u2c3k4y5

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret command in global configuration mode. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption algorithm.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

To configure encryption for enable and enable secret passwords, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  enable password [level level] {password | encryption-type encrypted-password}
        or
        enable secret [level level] {password | encryption-type encrypted-password}
        Defines a new password or changes an existing password for access to privileged EXEC mode.
        or
        Defines a secret password, which is saved using a nonreversible encryption method.
        (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
        (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another access point wireless device configuration.
        Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.

Step 3  service password-encryption
        (Optional) Encrypts the password when the password is defined or when the configuration is written.
        Encryption prevents the password from being readable in the configuration file.

Step 4  end
        Returns to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

If both the enable and enable secret passwords are defined, users must enter the enable secret password.

Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level command in global configuration mode to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 17-7.

If you enable password encryption, it applies to all passwords, including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption command in global configuration mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

AP(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
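The following Python script is an added illustration of the checks this section recommends; it is not code from the Cisco manual or from Cisco. It audits a running-config excerpt for enable password without enable secret, missing service password-encryption, cleartext (type 0) passwords and the factory default Cisco/Cisco pair; the sample configurations and the type-7 placeholder string are constructed for the example.

```python
"""Audit enable/username password settings in an IOS running-config excerpt.

Added example, not from the Cisco manual or Cisco tooling. It flags what the manual
warns about: enable password without enable secret, missing service
password-encryption, cleartext (type 0) passwords, and the default Cisco/Cisco pair.
"""
import re

# Regexes for the two command forms documented on this page.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))? (?:([057]) )?(\S.*)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password(?: ([07]))? (\S.*)$")

# Constructed excerpts, as "show running-config" would print them (not captured
# from a real device; the type-7 string is a placeholder, not a real hash).
WEAK_CONFIG = """\
no service password-encryption
enable password l1u2c3k4y5
username Cisco password 0 Cisco
line vty 0 4
 login local
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username netadmin privilege 15 password 7 PLACEHOLDER_TYPE7_STRING
line vty 0 4
 login local
"""

def parse_enables(config):
    """Yield (kind, level, type, value) for each enable password/secret line."""
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            kind, level, enc_type, value = m.groups()
            yield kind, int(level) if level else 15, enc_type, value  # default level 15

def parse_usernames(config):
    """Yield (name, type, value) for each username ... password line."""
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            name, _priv, enc_type, value = m.groups()
            yield name, enc_type, value

def audit_passwords(config):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append("NO_PASSWORD_ENCRYPTION")  # passwords readable in the config file
    enables = list(parse_enables(config))
    secret_levels = {lvl for kind, lvl, _t, _v in enables if kind == "secret"}
    for kind, lvl, enc_type, value in enables:
        if kind == "password":
            # enable secret takes precedence, so a same-level enable password is dead weight
            tag = "SHADOWED" if lvl in secret_levels else "NOT_SECRET"
            findings.append(f"ENABLE_PASSWORD_{tag}_L{lvl}")
            if enc_type in (None, "0") and value == "Cisco":
                findings.append("DEFAULT_ENABLE_PASSWORD")
    if not secret_levels:
        findings.append("NO_ENABLE_SECRET")
    for name, enc_type, value in parse_usernames(config):
        if enc_type in (None, "0"):
            findings.append(f"CLEARTEXT_USER_PASSWORD:{name}")
            if name == "Cisco" and value == "Cisco":  # factory default, case-sensitive
                findings.append("DEFAULT_USERNAME_PASSWORD")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_passwords(cfg))
```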
Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the wireless device. These pairs are assigned to lines or interfaces, and they authenticate each user before that user can access the wireless device. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

To establish a username-based authentication system that requests a login username and a password, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  username name [privilege level] {password encryption-type password}
        Enters the username, privilege level, and password for each user.
        For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
        (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
        For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
        For password, specify the password the user must enter to gain access to the wireless device. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 3  login local
        Enables local password checking at login time. Authentication is based on the username specified in Step 2.

Step 4  end
        Returns to privileged EXEC mode.

Step 5  show running-config
        Verifies your entries.

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable username authentication for a specific user, use the no username name command in global configuration mode. To disable password checking and allow connections without a password, use the no login command in line configuration mode.

Note: You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device. If you enter no username for the only username, you can be locked out of the wireless device.

Configuring Multiple Privilege Levels

By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

This section includes this configuration information:

- Setting the Privilege Level for a Command, page 17-8
- Logging Into and Exiting a Privilege Level, page 17-9

Setting the Privilege Level for a Command

To set the privilege level for a command mode, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  privilege mode level level command
        Sets the privilege level for a command.
        For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
        For command, specify the command to which you want to restrict access.

Step 3  enable password level level password
        Specifies the enable password for the privilege level.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
        Note: Characters TAB, ?, $, +, and [ are invalid characters for passwords.

Step 4  end
        Returns to privileged EXEC mode.

Step 5  show running-config
        or
        show privilege
        Verifies your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration.

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

To return to the default privilege for a given command, use the no privilege mode level level command command in global configuration mode.
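The subset rule above is easy to misjudge when planning levels, so here is an added Python model of it; this is not code from the Cisco manual or from IOS. Two points are this example's own assumptions rather than statements from the manual: a prefix shared by several levelled commands takes the lowest of their levels, and commands with no privilege statement default to level 1 in exec mode; confirm the result on the device with show privilege and show running-config as Step 5 describes.

```python
"""Model the privilege-level subset rule described above.

Added example, not from the Cisco manual. It reproduces the documented rule that
setting "show ip route" to level 15 also raises "show" and "show ip" to 15 unless
they are set individually, and shows the side effect on "show version". Two
assumptions of this model, not statements from the manual: a prefix shared by
several levelled commands takes the lowest of their levels, and commands with no
privilege statement default to level 1 in exec mode.
"""

def prefixes(command):
    """'show ip route' -> ['show', 'show ip', 'show ip route']"""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]

def build_levels(statements, mode):
    """Expand 'privilege <mode> level <n> <command>' statements into a level table.

    statements: iterable of (mode, level, command) tuples.
    Returns {command: level} including the implicitly levelled prefixes.
    """
    explicit = {cmd: lvl for m, lvl, cmd in statements if m == mode}
    levels = dict(explicit)
    for cmd, lvl in explicit.items():
        for p in prefixes(cmd)[:-1]:  # every proper prefix (subset) of cmd
            if p in explicit:
                continue              # set individually: leave it alone
            # Assumption: a shared prefix takes the lowest level among the commands
            # that extend it, so each of those commands stays reachable.
            levels[p] = min(levels.get(p, lvl), lvl)
    return levels

def required_level(levels, command, default_level=1):
    """Lowest user level that can reach `command`: every prefix must be allowed."""
    return max(levels.get(p, default_level) for p in prefixes(command))

def can_run(levels, user_level, command, default_level=1):
    return user_level >= required_level(levels, command, default_level)

# Constructed policy using the manual's own examples: clear line at level 2,
# configure at level 14, show ip route at level 15.
POLICY = [
    ("exec", 2, "clear line"),
    ("exec", 14, "configure"),
    ("exec", 15, "show ip route"),
]

if __name__ == "__main__":
    table = build_levels(POLICY, "exec")
    for cmd in ("show ip route", "show version", "clear counters", "configure"):
        print(f"{cmd!r}: level {required_level(table, cmd)}")
    # "show version" now needs level 15 too; restoring it for level-1 users means
    # setting "show" individually, as the manual's "unless" clause allows.
    fixed = build_levels(POLICY + [("exec", 1, "show")], "exec")
    print("after 'privilege exec level 1 show':", required_level(fixed, "show version"))
```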
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:

AP(config)# privilege exec level 14 configure
AP(config)# enable password level 14 SecretPswd14

Logging Into and Exiting a Privilege Level

To log in to a specified privilege level or to exit to a specified privilege level, follow these steps beginning in privileged EXEC mode:

Step 1  enable level
        Logs in to a specified privilege level. For level, the range is 0 to 15.

Step 2  disable level
        Exits to a specified privilege level. For level, the range is 0 to 15.

Controlling Access Point Access with RADIUS

This section describes how to control administrator access to the wireless device using Remote Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the wireless device to support RADIUS, see the “Configuring Radius and TACACS+ Servers” chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.

RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through Authentication, Authorization, and Accounting (AAA) and can be enabled only through AAA commands.

Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference.

These sections describe RADIUS configuration:

- Default RADIUS Configuration, page 17-9
- Configuring RADIUS Login Authentication, page 17-10 (required)
- Defining AAA Server Groups, page 17-11 (optional)
- Configuring RADIUS Authorization for User Privileged Access and Network Services, page 17-13 (optional)
- Displaying the RADIUS Configuration, page 17-14

Default RADIUS Configuration

RADIUS and AAA are disabled by default.

To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the wireless device through the command line interface (CLI).
Configuring RADIUS Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

To configure login authentication, follow these steps beginning in privileged EXEC mode. This procedure is required.

Step 1  configure terminal
        Enters global configuration mode.

Step 2  aaa new-model
        Enables AAA.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Creates a login authentication method list.
        To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
        For list-name, specify a character string to name the list you are creating.
        For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods:
        - local: Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.
        - radius: Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host” section of the “Configuring Radius and TACACS+ Servers” chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.

Step 4  line [console | tty | vty] line-number [ending-line-number]
        Enters line configuration mode, and configures the lines to which you want to apply the authentication list.

Step 5  login authentication {default | list-name}
        Applies the authentication list to a line or set of lines.
        If you specify default, use the default list created with the aaa authentication login command.
        For list-name, specify the list created with the aaa authentication login command.

Step 6  end
        Returns to privileged EXEC mode.

Step 7  show running-config
        Verifies your entries.

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable AAA, use the no aaa new-model command in global command mode. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] command in global command mode. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} command in line configuration mode.

Defining AAA Server Groups

You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a failover backup to the first one.

You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.

To define the AAA server group and associate a particular RADIUS server with it, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  aaa new-model
        Enables AAA.
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specifies the IP address or hostname of the remote RADIUS server host.
        (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
        (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
        (Optional) For timeout seconds, specify the time interval that the wireless device waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
        (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
        (Optional) For key string, specify the authentication and encryption key used between the wireless device and the RADIUS daemon running on the RADIUS server.
        Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
        To configure the wireless device to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The wireless device software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.

Step 4  aaa group server radius group-name
        Defines the AAA server-group with a group name. This command puts the wireless device in a server group configuration mode.

Step 5  server ip-address
        Associates a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.

Step 6  end
        Returns to privileged EXEC mode.

Step 7  show running-config
        Verifies your entries.

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Step 9  Enables RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section of the “Configuring Radius and TACACS+ Servers” chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.
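As an added example covering both the login method list (error versus failure) and the failover host entries of a server group from the preceding sections, the following Python simulation walks a radius local method list against two host entries for one server; it is not code from the Cisco manual or from IOS, and the addresses, ports, credentials and reply table are all constructed.

```python
"""Simulate the AAA login method list and RADIUS server-group failover described above.

Added example, not from the Cisco manual or Cisco IOS. It models two rules on this
page: a later method in "aaa authentication login default radius local" runs only
when the previous one returns an error (no server responded), never when it fails
(a server denied the user); and a second host entry for the same RADIUS server is a
failover for the first. Timeouts are counted as attempts, not waited on, and server
replies come from a constructed table of callables.
"""

# Constructed host entries, in the order of two radius-server host commands for the
# same server on different UDP ports: (ip, auth_port, timeout_seconds, retransmit).
RADIUS_HOSTS = [
    ("192.0.2.10", 1812, 5, 3),
    ("192.0.2.10", 1645, 5, 3),  # failover entry for the same server
]
# Constructed local username database (username ... password pairs).
LOCAL_USERS = {"netadmin": "example-local-pw"}

def radius_method(user, password, hosts, replies):
    """Try each host in order. Returns ('ACCEPT'|'FAIL'|'ERROR', trace).

    replies maps (ip, port) to a callable(user, password) -> bool; a host with no
    entry never answers.
    """
    trace = []
    for ip, port, timeout, retransmit in hosts:
        reply = replies.get((ip, port))
        for attempt in range(1 + retransmit):  # one request plus its retransmits
            trace.append(f"radius {ip}:{port} attempt {attempt + 1} (timeout {timeout}s)")
            if reply is not None:
                return ("ACCEPT" if reply(user, password) else "FAIL"), trace
        trace.append(f"radius {ip}:{port} not responding, next host")
    return "ERROR", trace  # no host answered: the method list may move on

def local_method(user, password, users):
    """Local username database; an unknown user is treated as a denial here."""
    ok = users.get(user) == password
    return ("ACCEPT" if ok else "FAIL"), [f"local user {user} checked"]

def authenticate(user, password, methods, replies, hosts=RADIUS_HOSTS, users=LOCAL_USERS):
    """Walk the method list the way the manual describes. Returns (result, trace)."""
    trace = []
    for method in methods:
        if method == "radius":
            result, steps = radius_method(user, password, hosts, replies)
        elif method == "local":
            result, steps = local_method(user, password, users)
        else:
            raise ValueError(f"unsupported method {method!r}")
        trace.extend(steps)
        if result == "ERROR":
            trace.append(f"{method}: error, trying next method")
            continue
        trace.append(f"{method}: {result}")  # ACCEPT and FAIL both end the process
        return result, trace
    return "ERROR", trace + ["all methods exhausted"]

if __name__ == "__main__":
    methods = ["radius", "local"]
    scenarios = {
        "primary down, failover entry answers": {("192.0.2.10", 1645): lambda u, p: u == "netadmin"},
        "no RADIUS host answers, local used": {},
        "RADIUS denies, local never consulted": {("192.0.2.10", 1812): lambda u, p: False},
    }
    for name, replies in scenarios.items():
        result, trace = authenticate("netadmin", "example-local-pw", methods, replies)
        print(f"{name}: {result}")
        for step in trace:
            print("   ", step)
```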