User Security Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http:// go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1
Configuring Security with Passwords, Privileges, and Logins

Finding Feature Information
Restrictions for Configuring Security with Passwords, Privileges, and Logins
Information About Configuring Security with Passwords, Privileges, and Logins
Benefits of Creating a Security Scheme
Cisco IOS XE CLI Modes
User EXEC Mode
Privileged EXEC Mode
Global Configuration Mode
Interface Configuration Mode
Subinterface Configuration Mode
Cisco IOS XE CLI Sessions
Local CLI Sessions
Remote CLI Sessions
Terminal Lines are Used for Local and Remote CLI Sessions
Protect Access to Cisco IOS XE EXEC Modes
Protecting Access to User EXEC Mode
Protecting Access to Privileged EXEC mode
Cisco IOS XE Password Encryption Levels
Cisco IOS XE CLI Session Usernames
Cisco IOS XE Privilege Levels
Cisco IOS XE Password Configuration
How To Configure Security with Passwords Privileges and Logins
Protecting Access to User Exec Mode
Configuring and Verifying a Password for Remote CLI Sessions
Troubleshooting Tips
What to Do Next
Configuring and Verifying a Password for Local CLI Sessions
Troubleshooting Tips
What to Do Next
Protecting Access to Privileged EXEC Mode
Configuring and Verifying the Enable Password
Troubleshooting Tips
What to Do Next
Configuring Password Encryption for Clear Text Passwords
Configuring and Verifying the Enable Secret Password
Troubleshooting Tips
What to Do Next
Configuring a Device to Allow Users to View the Running Configuration
Configuring Security Options to Manage Access to CLI Sessions and Commands
Configuring the Networking Device for the First-Line Technical Support Staff
Verifying the Configuration for the First-Line Technical Support Staff
Troubleshooting Tips
What to Do Next
Configuring a Device to Require a Username for the First-Line Technical Support Staff
Recovering from a Lost or Misconfigured Password for Local Sessions
Networking Device Is Configured to Allow Remote CLI Sessions
Networking Device Is Not Configured to Allow Remote CLI Sessions
Recovering from a Lost or Misconfigured Password for Remote Sessions
Networking Device Is Configured to Allow Local CLI Sessions
Networking Device Is Not Configured to Allow Local CLI Sessions
Recovering from Lost or Misconfigured Passwords for Privileged EXEC Mode
A Misconfigured Privileged EXEC Mode Password Has Not Been Saved
Configuration Examples for Configuring Security with Passwords Privileges and Logins
Example: Configuring a Device to Allow Users to Clear Remote Sessions
Example: Configuring a Device to Allow Users to View the Running Configuration
Example: Configuring a Device to Allow Users to Shutdown and Enable Interfaces
Where to Go Next
Additional References
Feature Information for Configuring Security with Passwords Privileges and Logins

CHAPTER 2
Image Verification

Finding Feature Information
Restrictions for Image Verification
Information About Image Verification
Benefits of Image Verification
How Image Verification Works
How to Use Image Verification
Globally Verifying the Integrity of an Image
What to Do Next
Verifying the Integrity of an Image That Is About to Be Copied
Verifying the Integrity of an Image That Is About to Be Reloaded
Configuration Examples for Image Verification
Global Image Verification Example
Image Verification via the copy Command Example
Image Verification via the reload Command Example
Verify Command Sample Output Example
Additional References
Feature Information for Image Verification
