 | [Config] How to configure Cisco IOS for students Hello! I am working in one little faculty, and have some troubles in our practice testing environment. We have 20 3660s, with modules for FR, VoIP, ATM, etc. The problem is that, after the testing hours, some "smart" students (officially by mistake) configure the console interface. After the end of their practice I reconfigure the Ciscos with an RS-232 I/O card that has 32 RS-232 interfaces, and I just deliver the base config. My problem is that after changes to the console on the Cisco (password and so on) I can't deliver the base config. Until now I have done this job manually, but I wish to prevent the students from configuring the console interface. I need the students to be able to do anything on the router, configure everything, except the console. How to do this?
PS: Sorry for my bad English. |
|
 | I'm not sure if it can be done that specifically; try checking the documentation below:
»www.cisco.com/en/US/docs/ios/12_···ass.html
»www.cisco.com/en/US/docs/ios/12_···enh.html -- Teck |
|
 aryoba Premium, MVM join:2002-08-22 kudos:1 | reply to ciscofax If the problem is that you are unable to console in due to an unknown password, then you can simply do password recovery. Check out this forum's FAQ for details.
»Cisco Forum FAQ »Password Recovery Procedures - proper BREAK key sending
For the future, you may consider setting up some kind of AAA (Authentication, Authorization, and Accounting) system to restrict certain admins' ability to issue commands. With this AAA system, you can lock down the console port to only certain admins while other admins can only access routers via telnet or ssh. Using the AAA system, you can also see what other admins were doing in "messing up" the configurations.
LCPTeck already pointed you in the right direction. You can also check out this forum's FAQ for an introduction to AAA and some AAA sample configurations.
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
In addition, you may also want to set up a configuration backup system that can run either automatically or manually. Anytime configuration changes are in place, you can see which changes those are. This ability is helpful during troubleshooting or to reverse changes.
There are many free or cheap configuration backup systems out there. One of the good ones is Kiwi CatTools.
»www.kiwisyslog.com/kiwi-cattools-download/ |
|
 | As previously suggested by aryoba, enable AAA. Using different levels of authorization will help lock down the devices. This will determine the users who can enter specific CLI commands that you are allowing.
! AAA must be enabled before the aaa authorization commands are accepted
aaa new-model
username ciscofax privilege 15 secret password
username labUser1 privilege 5 secret labstuden1
username labUser2 privilege 10 secret labstuden1
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
In addition, you can use the IOS resilient commands to help with the default config/image, so you do not have to console in to do so. Good luck. |
|
 TomS_ Git-r-done Premium, MVM join:2002-07-19 Ireland kudos:1 1 edit | reply to ciscofax If they have changed the baud rate of the console in the config, you should be able to reset it back to default using the same method as the password reset.
If they have changed the baud rate through a config-register, there is typically a jumper on the mainboard which can be used to reset the UART to its default settings.
This is less than an ideal procedure if you have to do it on multiple devices, but it may be your only choice.
I wouldn't consider TACACS to be a suitable command authorisation method in a lab. A lab usually has frequent changing and clearing of configs, and it can be circumvented using ... the password reset method. Changes to routing config may cause the TACACS server to become unreachable, and this only slows you down, as before you can execute each command you have to wait for the TACACS request to time out.
I suppose your best bet might be to note who is using which piece of equipment so that if anything is damaged, missing, etc, you can pull up that user and ask them how it happened. |
|
 aryoba Premium, MVM join:2002-08-22 kudos:1 | said by TomS_: I wouldn't consider TACACS to be a suitable command authorisation method in a lab. A lab usually has frequent changing and clearing of configs, and it can be circumvented using ... the password reset method.
This is why you should lock down the console port to only certain admins while other admins can only access routers via telnet or ssh. |
|
 TomS_ Git-r-done Premium, MVM join:2002-07-19 Ireland kudos:1 1 edit | But that doesn't stop the other admins from changing the console port configuration.
It won't stop them from performing the password reset procedure either, if they have physical access to the device, which in an educational environment the students most likely will for the purpose of learning. |
|
 | reply to ciscofax Yes, it is a problem. Let me explain the situation. 3 different classes use the lab, about 200 students, and about 100 from other faculties. I tell the students NOT TO CHANGE the console port, but some students mistakenly change the config. The problem is that all the students come into the lab for 45 minutes, and I have just 15 minutes to reset the config. It is no problem if just one or 2 routers are involved, but what to do if they change about 5-10 routers? Using "software routers" is not an option, because the students must have a way to make peers and to see how things work in a real situation (how to make an ISP, VoIP provider, company situations), and we have the routers for other faculties to do the same. The problem is to find a way to do an automatic Cisco config reset. One of the ways I am trying is to make some bash (Linux shell) scripts to do this. I found a tool to bind the console interface to a TCP port, so after telnetting to this port I have the same thing as in minicom or HyperTerminal. Also, I must now configure my script so that it does the config reset, and after this I will just need to pull the main power cable and leave the script to reset the configs. This can be done, but I hope that there exists another, more "soft" way to solve this problem. If somebody has any other idea, please let me know. |
|
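An added example (not part of the original posts) of the change tracking aryoba describes, applied to picking out which routers need the reset ciscofax wants to automate: it compares the `line con 0` stanza of each saved running-config with the base config. The sample configs, router names and function names are constructed for illustration; collecting the running-configs is assumed to happen elsewhere.

```python
# Added example: constructed configs, not captured from the thread's routers.
def line_block(config, header="line con 0"):
    """Return the sub-commands under one top-level stanza of an IOS config."""
    block, inside = [], False
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or "!" separator
        if not raw[0].isspace():          # column 0 starts a new stanza
            inside = raw.strip() == header
        elif inside:
            block.append(raw.strip())
    return block

def console_drift(baseline, captured):
    """Console sub-commands added to or removed from the base config."""
    base, seen = line_block(baseline), line_block(captured)
    return {"added": [c for c in seen if c not in base],
            "removed": [c for c in base if c not in seen]}

def routers_to_reset(baseline, captures):
    """Names of routers whose console stanza no longer matches the base."""
    return sorted(name for name, cfg in captures.items()
                  if any(console_drift(baseline, cfg).values()))

# Constructed sample configs (hypothetical hostnames and values).
BASE = """hostname LAB-BASE
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
end
"""
# r1: only the vty lines were changed, so the console stanza still matches.
R1 = BASE.replace("LAB-BASE", "R1").replace(" login", " password lab\n login")
# r2: console password, login and speed were changed.
R2 = BASE.replace("LAB-BASE", "R2").replace(
    " logging synchronous", " password changed-by-student\n login\n speed 115200")
CAPTURES = {"r1": R1, "r2": R2}

if __name__ == "__main__":
    for name in routers_to_reset(BASE, CAPTURES):
        print(name, console_drift(BASE, CAPTURES[name]))
```

Because the comparison is scoped to one stanza, ordinary lab work on interfaces, routing or the vty lines does not flag a router; only console changes do.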
 aryoba Premium, MVM join:2002-08-22 kudos:1 | You need to start establishing procedures and a perimeter for accessing the routers. Everybody, including students and faculties, must understand these procedures and perimeter and their purpose. It is a good thing to understand anyway since in the real world, all engineers sooner or later will face this situation.
Yes, you can create some script to automate things. However, without procedures and a perimeter in place, your job will be more energy-wasted if not time-wasted.
First to consider is to separate the production network from the lab network to avoid some clueless student or faculty messing up production network routers.
If your networks don't have AAA and a TACACS server in place, then it is a good time to start one. You can use AAA not only to protect the network, but you can also track how far the students' understanding of and comfort with IOS and the CLI go.
If locking down the console port to only certain people is possible as mentioned previously, then you should do it. If you really don't trust anybody else to access the console port, as TomS_ brought up, then you may want to lock down the console port only to you so nobody else (including students and faculties) has console access. |
|