The solution of WorldSkills tasks of the Network module in the competence of CCA Part 1 - Basic Setup

Published on June 23, 2019

The solution of WorldSkills tasks of the Network module in the competence of CCA Part 1 - Basic Setup

The WorldSkills movement aims to provide participants with mainly practical skills that are in demand on the modern labor market. The competency “Network and System Administration” consists of three modules: Network, Windows, Linux. Tasks vary from championship to championship, the conditions of the meeting change, however, the structure of tasks for the most part remains unchanged.

The Network Island will be the first due to its simplicity with respect to the Linux and Windows islands.

The following tasks will be considered in the article:

  1. Name ALL devices according to topology
  2. Assign a wsrvuz19.ru domain name for ALL devices
  3. Create user wsrvuz19 on ALL devices with cisco password
    • The user password must be stored in the configuration as a result of the hash function.
    • The user must have the maximum privilege level.
  4. For ALL devices, implement the AAA model.

    • Authentication on the remote console must be done using the local database (except for RTR1 and RTR2)
    • After successful authentication, when logging in from the remote console, the user must immediately enter the mode with the maximum privilege level.
    • Configure the need for authentication on the local console.
    • Upon successful authentication on the local console, the user must enter the mode with the minimum privilege level.
    • On BR1, upon successful authentication on the local console, the user must enter the mode with the maximum privilege level
  5. On ALL devices, set the wsr password to enter privileged mode.
    • The password must be stored in the configuration NOT as a result of the hash function.
    • Set the mode in which all passwords in the configuration are stored in encrypted form.

The network topology at the physical level is presented in the following diagram:



If information is easier to perceive in video format, then the entire solution to these tasks can be found in the following video:



1. Set the names of ALL devices according to the topology


To set the device name (hostname), it is necessary to enter a command from the global configuration mode , where instead of SW1 it is necessary to write the equipment name given in the tasks. You can even check the settings visually - instead of the preset Switch, it became SW1 :hostname SW1



Switch(config)# hostname SW1
SW1(config)#

The main task after any settings is to save the configuration.

You can do this from the global configuration mode using the command do write:

SW1(config)# do write
Building configuration...
Compressed configuration from 2142 bytes to 1161 bytes[OK]

Or from privileged mode with the command write:

SW1# write
Building configuration...
Compressed configuration from 2142 bytes to 1161 bytes[OK]

2. Assign the wsrvuz19.ru domain name for ALL devices


You can set the default wsrvuz19.ru domain name from the global configuration mode using the command ip domain-name wsrvuz19.ru.

Verification is done with the do show hosts summary command from global configuration mode:

SW1(config)# ip domain-name wsrvuz19.ru
SW1(config)# do show hosts summary
Name lookup view: Global
Default domain is wsrvuz19.ru
...

3. Create a wsrvuz19 user on ALL devices with the cisco password


It is necessary to create such a user so that he has the maximum level of privileges, and the password is stored as a hash function. All these conditions are taken into account by the team username wsrvuz19 privilege 15 secret cisco.

Here:

username wsrvuz19- username;
privilege 15- level of privileges (0 - the minimum level, 15 - the maximum level);
secret cisco- password storage in the form of an MD5 hash function.

The show command running-configallows you to check the settings of the current configuration, where you can find the line with the user added and make sure that the password is stored in encrypted form:

SW1(config)# username wsrvuz19 privilege 15 secret cisco
SW1(config)# do show running-config
...
username wsrvuz19 privilege 15 secret 5 $1$EFRK$RNvRqTPt5wbB9sCjlBaf4.
...

4. For ALL devices, implement the AAA model


The AAA model is an authentication, authorization and event accounting system. To complete this task, the first step is to enable the AAA model and indicate that authentication will be performed using the local database:

SW1(config)# aaa new-model
SW1(config)# aaa authentication login default local

a. Authentication on the remote console must be done using the local database (except for RTR1 and RTR2)

The tasks define two types of consoles: local and remote. The remote console allows you to implement remote connections, for example, via the SSH or Telnet protocols.

To complete this task, you must enter the following commands:

SW1(config)# line vty 0 4
SW1(config-line)# login authentication default
SW1(config-line)# exit
SW1(config)#

The team proceeds line vty 0 4to configure the virtual terminal lines from 0 to 4.

The command login authentication defaultenables the default authentication mode on the virtual console, and the default mode was set in the last task by the command aaa authentication login default local.

Exiting the remote console configuration mode is performed using the command exit.

A reliable test will be a Telnet test connection from one device to another. It should be borne in mind that for this, basic switching and ip-addressing on the selected equipment must be configured.

SW3#telnet 2001:100::10
User Access Verification
Username: wsrvuz19
Password:
SW1>

b. After successful authentication, when logging in from the remote console, the user must immediately enter the mode with the maximum privilege level

To solve this problem, you need to go back to configuring the virtual terminal lines and set the privilege level with the command privilege level 15, where 15 is the maximum level again, and 0 is the minimum privilege level:

SW1(config)# line vty 0 4
SW1(config-line)# privilege level 15
SW1(config-line)# exit
SW1(config)#

The solution from the last subclause - remote Telnet connection will serve as a check:

SW3#telnet 2001:100::10
User Access Verification
Username: wsrvuz19
Password:
SW1#

After authentication, the user immediately enters privileged mode, bypassing the unprivileged mode, which means that the task is completed correctly.

cd. Configure the need on the local console and if authentication is successful, the user must enter the mode with the minimum privilege level

The structure of the teams in these tasks coincides with previously solved tasks 4.a and 4.b. The command line vty 0 4is replaced by console 0:

SW1(config)# line console 0
SW1(config-line)# login authentication default
SW1(config-line)# privilege level 0
SW1(config-line)# exit
SW1(config)#

As already mentioned, the minimum privilege level is determined by the number 0. Verification can be performed as follows:

SW1# exit
User Access Verification
Username: wsrvuz19
Password:
SW1>

After authentication, the user enters unprivileged mode, as stated in the tasks.

e. On BR1, upon successful authentication on the local console, the user must enter the mode with the maximum privilege level

Setting up the local console on BR1 will look like this:

BR1(config)# line console 0
BR1(config-line)# login authentication default
BR1(config-line)# privilege level 15
BR1(config-line)# exit
BR1(config)#

Verification is carried out in the same way as in the previous paragraph:

BR1# exit
User Access Verification
Username: wsrvuz19
Password:
BR1#

After authentication, transitions to privileged mode occur.

5. On ALL devices, set the wsr password to enter privileged mode


The tasks say that the password for privileged mode should be stored standardly in clear form, but the encryption mode of all passwords will not allow you to see the password in clear form. To set a password to enter privileged mode, you need to use the command enable password wsr. Using the keyword password, the type in which the password will be stored is determined. If the password must be encrypted when creating the user, then the key word was the word secret, and is used for open storage password.

You can check the settings by viewing the current configuration:

SW1(config)# enable password wsr
SW1(config)# do show running-config
...
enable password wsr
!
username wsrvuz19 privilege 15 secret 5 $1$5I66$TB48YmLoCk9be4jSAH85O0
...

It can be seen that the user password is stored in encrypted form, and the password for entering privileged mode is stored in the clear, as stated in the tasks.
In order for all passwords to be stored in encrypted form, you should use the command service password-encryption. Viewing the current configuration will now look like this:

SW1(config)# do show running-config
...
enable password 7 03134819
!
username wsrvuz19 privilege 15 secret 5 $1$5I66$TB48YmLoCk9be4jSAH85O0
...

Password is no longer available for viewing in clear text.