Solution of WorldSkills tasks of the Network module in the competence of "SiSA". Part 1 - Basic Setup

The WorldSkills movement aims to give participants mainly practical skills that are in demand in the modern labor market. The Network and System Administration competency consists of three modules: Network, Windows, Linux. Tasks change from championship to championship, and so do the conditions of the competition, but the structure of the tasks for the most part remains the same.

The Network island is covered first because it is simpler than the Linux and Windows islands.

The following tasks will be considered in the article:

  1. Name ALL devices according to the topology
  2. Assign the domain name wsrvuz19.ru for ALL devices
  3. Create user wsrvuz19 on ALL devices with password cisco
    • The user password must be stored in the configuration as the result of a hash function.
    • The user must have the highest privilege level.
  4. For ALL devices, implement the AAA model.
    • Authentication on the remote console must be done using the local database (except for RTR1 and RTR2 devices)
    • After successful authentication, when logging in from a remote console, the user should immediately enter the mode with the maximum privilege level.
    • Set the need for authentication on the local console.
    • Upon successful authentication to the local console, the user should enter the least privileged mode.
    • On BR1, upon successful authentication on the local console, the user should enter the mode with the maximum privilege level
  5. On ALL devices, set the wsr password to enter privileged mode.
    • The password must be stored in the configuration NOT as the result of a hash function.
    • Set the mode in which all passwords in the configuration are stored in encrypted form.


The network topology at the physical layer is presented in the following diagram:

1. Name ALL devices according to the topology

To set the device name (hostname), enter the command hostname SW1 in global configuration mode, replacing SW1 with the name of the equipment given in the tasks.

You can verify the setting visually: the prompt changes from the default Switch to SW1:

Switch(config)# hostname SW1
SW1(config)#

The main task after making any settings is to save the configuration.

This can be done from the global configuration mode with the command do write:

SW1(config)# do write
Building configuration...
Compressed configuration from 2142 bytes to 1161 bytes[OK]

Or from privileged mode with the command write:

SW1# write
Building configuration...
Compressed configuration from 2142 bytes to 1161 bytes[OK]

2. Assign the domain name wsrvuz19.ru for ALL devices

You can set the default domain name wsrvuz19.ru from global configuration mode with the command ip domain-name wsrvuz19.ru.

The check is performed by the do show hosts summary command from the global configuration mode:

SW1(config)# ip domain-name wsrvuz19.ru
SW1(config)# do show hosts summary
Name lookup view: Global
Default domain is wsrvuz19.ru
...

3. Create user wsrvuz19 on ALL devices with password cisco

The user must be created with the maximum privilege level, and the password must be stored as a hash. The command username wsrvuz19 privilege 15 secret cisco meets all of these conditions.

Here:

username wsrvuz19 - the user name;
privilege 15 - the privilege level (0 is the minimum level, 15 is the maximum level);
secret cisco - stores the password as an MD5 hash.

The show running-config command lets you check the current configuration, where you can find the line with the added user and make sure that the password is stored as a hash:

SW1(config)# username wsrvuz19 privilege 15 secret cisco
SW1(config)# do show running-config
...
username wsrvuz19 privilege 15 secret 5 $1$EFRK$RNvRqTPt5wbB9sCjlBaf4.
...

4. For ALL devices, implement the AAA model

The AAA model is a system of authentication, authorization and accounting of events. To complete this task, the first step is to enable the AAA model and specify that authentication will be performed using a local database:

SW1(config)# aaa new-model
SW1(config)# aaa authentication login default local

a. Authentication on the remote console must be done using the local database (except for RTR1 and RTR2 devices)
The tasks define two kinds of consoles: local and remote. The remote console is used for remote connections, for example over the SSH or Telnet protocols.

To complete this task, enter the following commands:

SW1(config)# line vty 0 4
SW1(config-line)# login authentication default
SW1(config-line)# exit
SW1(config)#

The command line vty 0 4 enters configuration of virtual terminal lines 0 through 4.

The command login authentication default turns on the default authentication method on the virtual console; the default method was set in the previous step with the command aaa authentication login default local.

The command exit leaves the remote console configuration mode.

A reliable check is a test connection via the Telnet protocol from one device to another. Keep in mind that basic switching and IP addressing must already be configured on the selected equipment for this to work.

SW3#telnet 2001:100::10
User Access Verification
Username: wsrvuz19
Password:
SW1>

b. After successful authentication, when logging in from a remote console, the user should immediately enter the mode with the maximum privilege level
To solve this problem, you need to go back to setting up virtual terminal lines and set the privilege level with the command privilege level 15, where 15 is again the maximum privilege level and 0 is the minimum privilege level:

SW1(config)# line vty 0 4
SW1(config-line)# privilege level 15
SW1(config-line)# exit
SW1(config)#

The check is the same as in the previous subtask - a remote connection via Telnet:

SW3#telnet 2001:100::10
User Access Verification
Username: wsrvuz19
Password:
SW1#

After authentication, the user immediately enters the privileged mode, bypassing the unprivileged one, which means that the task was completed correctly.

c-d. Require authentication on the local console; upon successful authentication, the user should enter the least privileged mode
The command structure in these tasks is the same as in the previously solved tasks 4.a and 4.b. The command line vty 0 4 is replaced by line console 0:

SW1(config)# line console 0
SW1(config-line)# login authentication default
SW1(config-line)# privilege level 0
SW1(config-line)# exit
SW1(config)#

As already mentioned, the minimum privilege level is determined by the number 0. The check can be done as follows:

SW1# exit
User Access Verification
Username: wsrvuz19
Password:
SW1>

After authentication, the user enters non-privileged mode, as stated in the tasks.

e. On BR1, upon successful authentication on the local console, the user should enter the mode with the maximum privilege level
Setting up a local console on BR1 would look like this:

BR1(config)# line console 0
BR1(config-line)# login authentication default
BR1(config-line)# privilege level 15
BR1(config-line)# exit
BR1(config)#

The check is carried out in the same way as in the previous paragraph:

BR1# exit
User Access Verification
Username: wsrvuz19
Password:
BR1#

After authentication, the user enters privileged mode.

5. On ALL devices, set password wsr to enter privileged mode

The tasks say that the password for privileged mode should be stored in the standard way, in clear text, but the mode that encrypts all passwords will prevent the password from being viewed in clear text. To set a password for entering privileged mode, use the command enable password wsr. The keyword password determines the form in which the password is stored: when the user was created, the password had to be stored as a hash, so the keyword secret was used; for storage in clear text, the keyword password is used.

You can check the settings from the current configuration view:

SW1(config)# enable password wsr
SW1(config)# do show running-config
...
enable password wsr
!
username wsrvuz19 privilege 15 secret 5 $1$5I66$TB48YmLoCk9be4jSAH85O0
...

It can be seen that the user's password is stored as a hash, and the password to enter privileged mode is stored in clear text, as stated in the tasks.
For all passwords to be stored in encrypted form, use the command service password-encryption. The current configuration will now look like this:

SW1(config)# do show running-config
...
enable password 7 03134819
!
username wsrvuz19 privilege 15 secret 5 $1$5I66$TB48YmLoCk9be4jSAH85O0
...

The password is no longer viewable in the clear.
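
An added example, not part of the original article: a Python check that parses a saved running-config and verifies each of the five tasks above. The sample configuration is constructed from the commands in this article; the function names and the console_level parameter are assumptions of this example.

```python
import re

# Constructed sample: SW1's running-config assembled from this article's commands.
SAMPLE_CONFIG = """\
service password-encryption
hostname SW1
enable password 7 03134819
username wsrvuz19 privilege 15 secret 5 $1$5I66$TB48YmLoCk9be4jSAH85O0
aaa new-model
aaa authentication login default local
ip domain-name wsrvuz19.ru
line con 0
 privilege level 0
 login authentication default
line vty 0 4
 privilege level 15
 login authentication default
"""

def parse_config(config):
    """Return (global commands, {'con' | 'vty': [line subcommands]})."""
    global_cmds, lines, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith(" ") and cmd and current:
            lines.setdefault(current, []).append(cmd)  # inside a line block
        elif cmd and cmd != "!":
            global_cmds.append(cmd)
            m = re.match(r"line (con|vty)", cmd)
            current = m.group(1) if m else None
    return global_cmds, lines

def audit(config, console_level=0):
    """Check tasks 1-5; console_level is 0 on every device except BR1 (15)."""
    cmds, lines = parse_config(config)
    def has(pattern):
        return any(re.fullmatch(pattern, c) for c in cmds)
    def line_ok(name, level):
        sub = lines.get(name, [])
        return "login authentication default" in sub and f"privilege level {level}" in sub
    return {
        "1 hostname": has(r"hostname \S+"),
        "2 domain": has(r"ip domain[- ]name wsrvuz19\.ru"),
        "3 user hashed, level 15": has(r"username wsrvuz19 privilege 15 secret \d+ \S+"),
        "4 aaa local": has(r"aaa new-model") and has(r"aaa authentication login default local"),
        "4ab vty": line_ok("vty", 15),
        "4cd console": line_ok("con", console_level),
        "5 enable not hashed": has(r"enable password( 7)? \S+") and not has(r"enable secret .+"),
        "5 password-encryption": has(r"service password-encryption"),
    }
```

Pass console_level=15 when checking BR1. Type 7 is a reversible encoding, unlike the type 5 hash, so the task 5 checks confirm compliance with the task rather than protection of the enable password.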

Source: habr.com
