From: de Witt, Duane (duane.dewitt@siemens.com)
Date: Wed Jan 18 2006 - 15:43:07 GMT-3
I reckon the answer to the question is disable NTP and reload the router so that the clock isn't set?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: 18 January 2006 08:25 PM
To: 'Ed Lui'; ccielab@groupstudy.com; 'Peter McCreesh'
Cc: 'Schulz, Dave'; 'James Ventre'; nobody@groupstudy.com; 'Brian Dennis'; 'Chan Hong'; sh.law@pccw.com; ivan.cl.tam@pccw.com
Subject: RE: How to disable the "Last configuration change at xxx " in configuration?
While reading the Cisco Cookbook, I became interested in the same topic. Unfortunately, the example doesn't directly answer the original question; however, it does provide an example of how to see when and who made the last changes.
3.1.1 Problem
You want to assign individual (or group) user IDs and passwords to network staff.
3.1.2 Solution
Use the following set of configuration commands to enable locally administered user IDs:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
The username command also allows you to create usernames without passwords by specifying the nopassword keyword:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
However, we strongly recommend against doing this because it can severely weaken the router's security.
3.1.3 Discussion
Enabling locally administered usernames overrides the default VTY password-based authentication system. When you enable the aaa new-model command, as shown in this recipe, the router immediately begins to prompt for usernames and passwords. Assigning unique usernames to individuals or groups provides accountability, as we will show later. The following example shows the login prompt for a router using local authentication:
Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: ijbrown
Password: <password>
Router1>
The router prompts for the username as well as the password. Compare this to how the router behaves by default:
Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.
User Access Verification
Password: <password>
Router2>
Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators. Keeping usernames synchronized across an entire network can become quite daunting. Fortunately, Cisco also supports a centralized authentication system, which we discuss in Chapter 4.
When you configure locally administered usernames, the router prompts for usernames on all lines, including the console and AUX ports, as well as the VTY ports used for Telnet sessions. To avoid locking yourself out of the router, you should always configure a username command before entering the AAA commands. It is also a good idea to use another session terminal to test the new authentication system before logging out of your original session. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedures for your router type.
Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what. For instance, the output of the show users command includes active usernames:
Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     ijbrown    idle                 00:36:21   freebsd.oreilly.com
  67 vty 1     kdooley    idle                 00:00:24   server1.oreilly.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.oreilly.com

  Interface    User               Mode         Idle     Peer Address
Router1>
More importantly, log messages will capture the username of the individual who invoked certain high-profile commands such as configuration changes, the clearing of counters, and reloads. For example:
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Note that these log messages now include the username associated with each action. So, instead of just knowing that somebody changed the configuration or reloaded the router, you can see exactly who did it.
In addition, the router captures the username of the last person to modify its configuration or save the configuration to NVRAM. To see this information, use the show running-config command:
Router1#show running-config
Building configuration...
Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2
The username command also has an autocommand keyword, which you can use to assign an EXEC-level command to a particular username. This is useful when you want to provide limited access to a particular command while restricting access to everything else on the router. For example, you might want to set up a special username that anybody could use to run a single router command and then terminate the session:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#
In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. When you log in to the router with this username, the router will not prompt for a password. It just automatically executes the command and then terminates the session:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Username: run
Interface          IP-Address      OK? Method Status                Protocol
BRI0/0             unassigned      YES NVRAM  administratively down down
Ethernet0/0        172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1           unassigned      YES unset  administratively down down
BRI0/0:2           unassigned      YES unset  administratively down down
FastEthernet1/0    172.22.1.4      YES NVRAM  up                    up
Loopback0          192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
Freebsd%
Note that the router issued the command and then terminated the session without providing an opportunity to issue another command.
The noescape keyword prevents the user from issuing an escape sequence to access the router EXEC. We strongly recommend using this keyword whenever you use autocommands.
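As an added example (not from the Cookbook or from anyone in this thread), here is a small Python parser for the attributed log messages and the "Last configuration change" / "NVRAM config last updated" banner lines shown above. A defender can run it over collected syslog to confirm that configuration changes, counter clears and reloads all map to known administrator accounts; the sample lines are constructed after the excerpt's own, and the admin set is an assumption.

```python
import re

# Constructed sample, modelled on the log and show running-config lines in the
# Cookbook excerpt (names, addresses and times are illustrative, not real data).
SAMPLE = """\
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Jun 27 14:05:00: %SYS-5-CONFIG_I: Configured from console by console
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
"""

# Syslog shape: "<mon> <day> <hh:mm:ss>: %FAC-SEV-MNEMONIC: <text> by <user>[ on <line>[ (<ip>)]]"
# Without AAA usernames the actor is just "console", which the regex also accepts.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): %(?P<msg>[A-Z]+-\d-[A-Z_]+): "
    r"(?P<text>.*?) by (?P<user>\S+?)(?: on (?P<line>\S+))?(?: \((?P<ip>[\d.]+)\))?\.?$"
)
# Running-config banner: "! Last configuration change at <time> by <user>"
BANNER_RE = re.compile(
    r"^! (?P<what>Last configuration change|NVRAM config last updated) at (?P<when>.+?) by (?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict describing one attributed action, or None if the line is not one."""
    m = LOG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = rec.pop("msg")
        return rec
    m = BANNER_RE.match(line)
    if m:
        return {"kind": m["what"], "when": m["when"], "user": m["user"],
                "line": None, "ip": None}
    return None


def parse(text):
    """Parse every attributed action in a block of syslog / show run text."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def unexpected_actors(records, known_admins):
    """Actions attributed to a user outside the admin set, e.g. a nopassword account
    like 'weak' above, or the bare 'console' actor seen when AAA usernames are off."""
    return [r for r in records if r["user"] not in known_admins]


if __name__ == "__main__":
    for r in unexpected_actors(parse(SAMPLE), {"ijbrown", "kdooley"}):
        print(f"{r['kind']}: by {r['user']} on {r['line']} from {r['ip']}")
```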
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ed Lui
Sent: Wednesday, January 18, 2006 10:55 AM
To: ccielab@groupstudy.com; Peter McCreesh
Cc: Schulz, Dave; James Ventre; nobody@groupstudy.com; Brian Dennis; Chan Hong; sh.law@pccw.com; ivan.cl.tam@pccw.com
Subject: Re: How to disable the "Last configuration change at xxx " in configuration?
Hi,
To my understanding, the key point is when the time is configured on the router. The line will be generated by the router. I tested it on my router with clock set, not even ntp master. For the stratum thing, I guess you should get the same result if you can make the router think the time is synced and valid.
Regards,
Edward Lui
On 1/18/06, Peter McCreesh <petermccreesh@gmail.com> wrote:
> Might be the fact that when your router is stratum 1, it will not have another upstream ref clock other than itself. i.e. can't get better than stratum 1 time source. A router with stratum 3 indicates that this is not the "most accurate" time source as its upstream NTP source would be a stratum 2 (if it had one) and then a stratum 1 serving that.
>
> I'd have to test though to make sure...
>
> Regards,
>
> Pete
>
> On 1/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> > Sounds like could we could be looking at some anomalies with the IOS. Everyone is seeing something different. Hopefully, we won't have a question on the lab exam that states something like... Don't let the router state "Last configuration change at 13:41:15 EST Mon...........blah, blah, blah". ;-)
> >
> > Dave Schulz,
> >
> > Email: dschulz@dpsciences.com
> >
> > ________________________________
> >
> > From: James Ventre [mailto:messageboard@ventrefamily.com]
> > Sent: Wednesday, January 18, 2006 7:13 AM
> > To: Schulz, Dave
> > Cc: Ed Lui; nobody@groupstudy.com; Brian Dennis; Chan Hong; ccielab@groupstudy.com; sh.law@pccw.com; ivan.cl.tam@pccw.com
> > Subject: Re: How to disable the "Last configuration change at xxx " in configuration?
> >
> > I'm not using the "ntp master" command at all (and never have on this device) .... and I get it:
> >
> > ar1#sh run | inc ntp
> > ntp authentication-key 1 md5 [snip]
> > ntp authenticate
> > ntp trusted-key 1
> > ntp clock-period 14459944
> > ntp update-calendar
> > ntp server 10.7.0.1 key 1
> > ntp server 10.8.0.1 key 1
> > ar1#sh run
> > Building configuration...
> >
> > Current configuration : 37912 bytes
> > !
> > ! Last configuration change at 13:41:15 EST Mon Jan 9 2006 by Yousef
> > ! NVRAM config last updated at 08:27:22 EST Tue Jan 10 2006 by Yousef
> > !
> >
> > James
> >
> > Schulz, Dave wrote:
> >
> > Interestingly, enough....I tried this in the lab....when you use the ntp master 3, you don't get the message, but when you use the ntp master 1 ....then you get the message as Brian states. Going back to ntp master 3 or taking the ntp master off does not make the message go away. So, I am assuming that this will only go away after a reboot without the ntp master 1, but I can't test it at the moment.
> >
> > Dave
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > To: Brian Dennis
> > Cc: Chan Hong; ccielab@groupstudy.com; sh.law@pccw.com; ivan.cl.tam@pccw.com
> > Sent: 1/18/2006 2:31 AM
> > Subject: Re: How to disable the "Last configuration change at xxx " in configuration?
> >
> > Really open up my @y@s.
> >
> > Thanks,
> >
> > On 1/17/06, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > Here is how it is enabled:
> >
> > Router#sho run
> > Building configuration...
> >
> > Current configuration : 809 bytes
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname Router
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > !
> > no aaa new-model
> > !
> > resource policy
> > !
> > ip subnet-zero
> > !
> > !
> > ip cef
> > no ip dhcp use vrf connected
> >
> > Router#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Router(config)#ntp master 1
> > Router(config)#^Z
> > Apr 6 05:48:06.474: %SYS-5-CONFIG_I: Configured from console by console
> >
> > Router#sho ntp assoc
> >
> >      address         ref clock     st  when  poll reach  delay  offset    disp
> > *~127.127.7.1       .LOCL.         0     0    64   177     0.0    0.00   125.0
> >  * master (synced), # master (unsynced), + selected, - candidate, ~ configured
> > Router#sho run
> > Building configuration...
> >
> > Current configuration : 870 bytes
> > !
> > ! Last configuration change at 05:48:06 UTC Tue Apr 6 1993
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname Router
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > !
> > no aaa new-model
> > !
> > resource policy
> > !
> > ip subnet-zero
> > !
> > !
> >
> > Router#
> >
> > HTH,
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chan Hong
> > Sent: Tuesday, January 17, 2006 6:57 PM
> > To: ccielab@groupstudy.com
> > Cc: sh.law@pccw.com; ivan.cl.tam@pccw.com
> > Subject: How to disable the "Last configuration change at xxx " in configuration?
> >
> > Dear all,
> >
> > How do I disable the "Last configuration change at xxx & NVRAM config last updated at xxx" lines in the configuration? The following is a sample.
> >
> > Building configuration...
> > Current configuration : 2203 bytes
> > !
> > ! Last configuration change at 10:54:09 HK Wed Jan 18 2006    <--
> > ! NVRAM config last updated at 10:54:10 HK Wed Jan 18 2006    <--
> > !
> > version 12.3
> > service timestamps debug datetime localtime
> > service timestamps log datetime localtime show-timezone
> > no service password-encryption
> > !
> >
This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:49 GMT-3