From: Tim (ccie2be@nyc.rr.com)
Date: Wed Jan 18 2006 - 15:24:33 GMT-3
While reading the Cisco Cookbook, I became interested in the same topic.
Unfortunately, the example doesn't directly answer the original question;
however, it does provide an example of how to see when, and by whom, the
last changes were made.
3.1.1 Problem
You want to assign individual (or group) user IDs and passwords to network
staff.
3.1.2 Solution
Use the following set of configuration commands to enable locally
administered user IDs:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
The username command also allows you to create usernames without passwords
by specifying the nopassword keyword:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
However, we strongly recommend against doing this because it can severely
weaken the router's security.
3.1.3 Discussion
Enabling locally administered usernames overrides the default VTY
password-based authentication system. When you enable the aaa new-model
command, as shown in this recipe, the router immediately begins to prompt
for usernames and passwords. Assigning unique usernames to individuals or
groups provides accountability, as we will show later. The following example
shows the login prompt for a router using local authentication:
Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: ijbrown
Password: <password>
Router1>
The router prompts for the username as well as the password. Compare this to
how the router behaves by default:
Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.
User Access Verification
Password: <password>
Router2>
Locally administered usernames work well in a small environment with a
limited number of administrators. However, this method does not scale well
to a large network with many administrators. Keeping usernames synchronized
across an entire network can become quite daunting. Fortunately, Cisco also
supports a centralized authentication system, which we discuss in Chapter 4.
When you configure locally administered usernames, the router prompts for
usernames on all lines, including the console and AUX ports, as well as the
VTY ports used for Telnet sessions. To avoid locking yourself out of the
router, you should always configure a username command before entering the
AAA commands. It is also a good idea to use another session terminal to test
the new authentication system before logging out of your original session.
If you do accidentally lock yourself out of the router, you will need to
follow the normal password-recovery procedures for your router type.
Enabling username support causes the router to associate certain functions
with usernames. This provides accountability for each username by showing
exactly who is doing what. For instance, the output of the show users
command includes active usernames:
Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     ijbrown    idle                 00:36:21   freebsd.oreilly.com
  67 vty 1     kdooley    idle                 00:00:24   server1.oreilly.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.oreilly.com

  Interface    User               Mode         Idle     Peer Address
Router1>
More importantly, log messages will capture the username of the individual
who invoked certain high-profile commands such as configuration changes, the
clearing of counters, and reloads. For example:
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Note that these log messages now include the username associated with each
action. So, instead of just knowing that somebody changed the configuration
or reloaded the router, you can see exactly who did it.
In addition, the router captures the username of the last person to modify
its configuration or save the configuration to NVRAM. To see this
information, use the show running-config command:
Router1#show running-config
Building configuration...
Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2
The username command also has an autocommand keyword, which you can use to
assign an EXEC-level command to a particular username. This is useful when
you want to provide limited access to a particular command while restricting
access to everything else on the router. For example, you might want to set
up a special username that anybody could use to run a single router command
and then terminate the session:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#
In this example, we defined the username run without a password and assigned
it an autocommand of show ip interface brief. When you log in to the router
with this username, the router will not prompt for a password. It just
automatically executes the command and then terminates the session:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: run
Interface           IP-Address      OK? Method Status                Protocol
BRI0/0              unassigned      YES NVRAM  administratively down down
Ethernet0/0         172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1            unassigned      YES unset  administratively down down
BRI0/0:2            unassigned      YES unset  administratively down down
FastEthernet1/0     172.22.1.4      YES NVRAM  up                    up
Loopback0           192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
Freebsd%
Note that the router issued the command and then terminated the session
without providing an opportunity to issue another command.
The noescape keyword prevents the user from issuing an escape sequence to
access the router EXEC. We strongly recommend using this keyword whenever
you use autocommands.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ed
Lui
Sent: Wednesday, January 18, 2006 10:55 AM
To: ccielab@groupstudy.com; Peter McCreesh
Cc: Schulz, Dave; James Ventre; nobody@groupstudy.com; Brian Dennis; Chan
Hong; sh.law@pccw.com; ivan.cl.tam@pccw.com
Subject: Re: How to disable the "Last configuration change at xxx " in
configuration?
Hi,
To my understanding, the key point is when the time is configured on
the router. The line will be generated by the router. I tested it on
my router with clock set, not even ntp master. For the stratum thing,
I guess you should get the same result if you can make the router
think the time is synced and valid.
Regards,
Edward Lui
On 1/18/06, Peter McCreesh <petermccreesh@gmail.com> wrote:
> Might be the fact that when your router is stratum 1, it will not have
> another upstream ref clock other than itself. i.e. can't get better than
> stratum 1 time source. A router with stratum 3 indicates that this is not
> the "most accurate" time source as its upstream NTP source would be a
> stratum 2 (if it had one) and then a stratum 1 serving that.
>
> I'd have to test though to make sure...
>
> Regards,
>
> Pete
>
>
> On 1/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> > Sounds like we could be looking at some anomalies with the IOS.
> > Everyone is seeing something different. Hopefully, we won't have a
> > question on the lab exam that states something like... Don't let the
> > router state "Last configuration change at 13:41:15 EST
> > Mon...........blah, blah, blah". ;-)
> >
> > Dave Schulz,
> >
> > Email: dschulz@dpsciences.com
> >
> > ________________________________
> >
> > From: James Ventre [mailto:messageboard@ventrefamily.com]
> > Sent: Wednesday, January 18, 2006 7:13 AM
> > To: Schulz, Dave
> > Cc: Ed Lui; nobody@groupstudy.com; Brian Dennis; Chan Hong;
> > ccielab@groupstudy.com; sh.law@pccw.com; ivan.cl.tam@pccw.com
> > Subject: Re: How to disable the "Last configuration change at xxx " in
> > configuration?
> >
> > I'm not using the "ntp master" command at all (and never have on this
> > device) .... and I get it:
> >
> > ar1#sh run | inc ntp
> > ntp authentication-key 1 md5 [snip]
> > ntp authenticate
> > ntp trusted-key 1
> > ntp clock-period 14459944
> > ntp update-calendar
> > ntp server 10.7.0.1 key 1
> > ntp server 10.8.0.1 key 1
> > ar1#sh run
> > Building configuration...
> >
> > Current configuration : 37912 bytes
> > !
> > ! Last configuration change at 13:41:15 EST Mon Jan 9 2006 by Yousef
> > ! NVRAM config last updated at 08:27:22 EST Tue Jan 10 2006 by Yousef
> > !
> >
> > James
> >
> > Schulz, Dave wrote:
> >
> > Interestingly enough....I tried this in the lab....when you use the ntp
> > master 3, you don't get the message, but when you use the ntp master 1
> > ....then you get the message as Brian states. Going back to ntp master 3 or
> > taking the ntp master off does not make the message go away. So, I am
> > assuming that this will only go away after a reboot without the ntp master
> > 1, but I can't test it at the moment.
> >
> > Dave
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > To: Brian Dennis
> > Cc: Chan Hong; ccielab@groupstudy.com; sh.law@pccw.com;
> > ivan.cl.tam@pccw.com
> > Sent: 1/18/2006 2:31 AM
> > Subject: Re: How to disable the "Last configuration change at xxx " in
> > configuration?
> >
> > Really open up my @y@s.
> >
> > Thanks,
> >
> > On 1/17/06, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > Here is how it is enabled:
> >
> > Router#sho run
> > Building configuration...
> >
> > Current configuration : 809 bytes
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname Router
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > !
> > no aaa new-model
> > !
> > resource policy
> > !
> > ip subnet-zero
> > !
> > !
> > ip cef
> > no ip dhcp use vrf connected
> >
> > Router#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Router(config)#ntp master 1
> > Router(config)#^Z
> > Apr 6 05:48:06.474: %SYS-5-CONFIG_I: Configured from console by console
> > Router#sho ntp assoc
> >
> >       address         ref clock     st  when  poll reach  delay  offset    disp
> > *~127.127.7.1      .LOCL.           0     0    64   177     0.0    0.00   125.0
> >  * master (synced), # master (unsynced), + selected, - candidate, ~ configured
> > Router#sho run
> > Building configuration...
> >
> > Current configuration : 870 bytes
> > !
> > ! Last configuration change at 05:48:06 UTC Tue Apr 6 1993
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname Router
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > !
> > no aaa new-model
> > !
> > resource policy
> > !
> > ip subnet-zero
> > !
> > !
> >
> > Router#
> >
> > HTH,
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Chan Hong
> > Sent: Tuesday, January 17, 2006 6:57 PM
> > To: ccielab@groupstudy.com
> > Cc: sh.law@pccw.com; ivan.cl.tam@pccw.com
> > Subject: How to disable the "Last configuration change at xxx " in
> > configuration?
> >
> > Dear all,
> >
> > How to disable the "Last configuration change at xxx & NVRAM config
> > last updated at xxx" in configuration? Following is the sample.
> >
> > Building configuration...
> > Current configuration : 2203 bytes
> > !
> > ! Last configuration change at 10:54:09 HK Wed Jan 18 2006  <--
> > ! NVRAM config last updated at 10:54:10 HK Wed Jan 18 2006  <--
> > !
> > version 12.3
> > service timestamps debug datetime localtime
> > service timestamps log datetime localtime show-timezone
> > no service password-encryption
> > !
> >
> _______________________________________________________________________
> >
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
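An added example, not part of this message or of the Cisco Cookbook recipe quoted at the top: a small Python audit script for the two accountability artifacts the recipe describes, the syslog lines that name the user behind CONFIG_I, CLEAR-5-COUNTERS and SYS-5-RELOAD, and the "Last configuration change" / "NVRAM config last updated" comment lines at the top of show running-config. The log lines and headers it runs over are constructed to match the formats quoted in this thread, not captured from a device. Two assumptions are mine rather than the recipe's: that a bare "by console" with no "on <line>" part (the form in Brian's "no aaa new-model" output) means the router had no username to log, and that the time-zone token can be ignored when comparing the two header timestamps, since both come from the same router clock.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample syslog lines in the formats quoted in this thread. The
# last one is what a router logs with "no aaa new-model": no username at all.
SAMPLE_LOG = """\
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Apr  6 05:48:06.474: %SYS-5-CONFIG_I: Configured from console by console
"""

# Constructed "show running-config" headers: one whose changes were saved,
# one edited after the last write to NVRAM.
SAVED_HEADER = """\
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2
"""
UNSAVED_HEADER = """\
! Last configuration change at 13:41:15 EST Mon Jan 9 2006 by Yousef
! NVRAM config last updated at 08:27:22 EST Mon Jan 2 2006 by Yousef
"""

# Message mnemonics the thread shows carrying a username.
AUDITED = {"SYS-5-CONFIG_I", "CLEAR-5-COUNTERS", "SYS-5-RELOAD"}

EVENT_RE = re.compile(
    r"%(?P<mnemonic>[A-Z]+-\d-[A-Z_]+): .*? by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<src>[\d.]+)\))?\.?$"
)
HEADER_RE = re.compile(
    r"^! (?P<what>Last configuration change|NVRAM config last updated) at "
    r"(?P<time>\d\d:\d\d:\d\d) \S+ \w{3} (?P<date>\w{3} \d{1,2} \d{4})"
    r"(?: by (?P<user>\S+))?$",
    re.MULTILINE,
)

Event = Dict[str, Optional[str]]


def parse_events(log_text: str) -> List[Event]:
    """Pull mnemonic, user, line and source address out of the audited messages."""
    events: List[Event] = []
    for raw in log_text.splitlines():
        m = EVENT_RE.search(raw)
        if m and m.group("mnemonic") in AUDITED:
            events.append(m.groupdict())
    return events


def actions_by_user(events: List[Event]) -> Dict[str, List[str]]:
    """Accountability view: which high-profile actions each username took."""
    summary: Dict[str, List[str]] = {}
    for e in events:
        summary.setdefault(e["user"] or "?", []).append(e["mnemonic"] or "?")
    return summary


def unattributed(events: List[Event]) -> List[Event]:
    """Events nobody can be held to. Assumption (from the "by console" line in
    Brian's output): no "on <line>" part means the router had no username to log."""
    return [e for e in events if e["line"] is None]


def parse_config_header(text: str) -> Dict[str, Dict[str, object]]:
    """Read the two comment lines at the top of "show running-config".
    The time-zone token is skipped (assumption: both lines share one clock)."""
    info: Dict[str, Dict[str, object]] = {}
    for m in HEADER_RE.finditer(text):
        key = "last_change" if m.group("what").startswith("Last") else "nvram_saved"
        when = datetime.strptime(f"{m.group('time')} {m.group('date')}", "%H:%M:%S %b %d %Y")
        info[key] = {"when": when, "user": m.group("user")}  # user is None without AAA
    return info


def has_unsaved_changes(text: str) -> bool:
    """True when the running config was changed after the last write to NVRAM."""
    info = parse_config_header(text)
    if "last_change" not in info:
        return False  # no header at all (clock never set): nothing to compare
    if "nvram_saved" not in info:
        return True  # changed, but never written to NVRAM
    return info["last_change"]["when"] > info["nvram_saved"]["when"]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, actions in actions_by_user(evts).items():
        print(f"{user:10s} {', '.join(actions)}")
    for e in unattributed(evts):
        print("no accountability:", e["mnemonic"], e["user"])
    print("unsaved changes (saved header):  ", has_unsaved_changes(SAVED_HEADER))
    print("unsaved changes (unsaved header):", has_unsaved_changes(UNSAVED_HEADER))
```

Feed it the output of "show logging" and "show running-config | include ^! " from a real router and it gives a per-user list of config changes, counter clears and reloads, flags the entries that carry no username at all, and tells you whether someone left edits that were never written to NVRAM.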
This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:49 GMT-3