Ethan Banks On productivity.

OECG – Chapter 21 “Security” – Passwords + AAA


This chapter is not all that long. It’s broken up into major sections of “Router and Switch Device Security” – securing access to the management interfaces of the devices themselves; “Layer 2 Security” – limit who can plug into an available switch port and what they can do once lit; and “Layer 3 Security” – controlling network traffic flowing to and through a router.

CLI Basic Password Protection

  • Real men (and women, although I don’t meet many in the networking biz for whatever reason) use the command line interface to manage their Cisco devices. It’s telling that although Cisco has made strides in the GUI arena, there’s nary a mention of GUI configuration options in this book. I’ve looked at some of the SNMP device managers and built-in web engines that offer GUI windows into the switch/router world. They’re okay, I guess, but for whatever reason I can’t get excited about them. I know and trust the CLI. And to that end, I want to secure the CLI from dastardly ne’er-do-wells who wouldst cause mine hurt.
  • There are 2 major “modes” on an IOS device: user mode (the “>” prompt with limited privileges, you can do some looking, but can’t set anything) and privileged mode ( the “#” prompt with full privileges, can you bring down the network if you’re feeling frisky).
  • User mode is accessible via telnet/ssh, the aux port (on a router that has one), or the console port (9600, 8, N, 1 with a rollover cable).
  • To enable password protection for user-mode, use the “login” command in the line paragraph.
  • Set the password with the “password” command in the line paragraph.
  • Use “service password-encryption” to perform a Cisco-7 type weak-encryption password hashing on the passwords you’ve set.
  • To set the password for privileged mode, use the “enable” or “enable secret” commands in global config mode. If you use “enable” with “service password-encryption”, you get a Cisco-7 weak-encryption password. If you use “enable secret”, this will trump “enable”, and it will be stored as an MD5-hashed strong encryption password that doesn’t care about the “service password-encryption”.

Authentication, Authorization and Accounting (AAA)

  • This refers to the use of an independent server that can be queried by either RADIUS (UDP/1812 or older UDP/1645, RFC 2865) or TACACS+ (TCP/49, Cisco proprietary). The router will ask the AAA server these sorts of questions:
    • Authentication – is the username and password valid?
    • Authorization – is the authenticated user allowed to do what they are trying to do?
    • Accounting – let’s keep a record of what has been happening.
  • To enable AAA (assuming you have a server like Cisco ACS already up), follow these steps:
    • “aaa new-model” enables AAA authentication.
    • Use “radius-server host” + “radius-server key” to establish the IP and key of the RADIUS server. Use “tacacs-server host” + “tacacs-server key” to establish (you’ll never guess) the IP and ket of the TACACS+ server.
    • Use “aaa authentication login default” to define a set of authentication methods to be used for all CLI access by default.
    • Use “aaa authentication enable default” to define a set of authentication methods to be used for enable-mode access by default.
  • Examples
    • “aaa authentication login default group radius none” = a user will login and an authentication attempt made against one or more radius servers. If no radius servers respond, then the user is allowed in.
    • “aaa authentication enable default group radius local” = a user keys in the almighty “enable” command. An authentication attempt will be made against one or more radius servers. If no radius servers respond, then the user will be authenticated against the local user database on the device.
  • Methods – there are several methods that can be defined to perform authentication, in addition to the “radius” and “none” we saw above. You can define up to 4 of the following in a single line:
    • group radius – use the radius servers
    • group tacacs+ – use the tacacs+ servers
    • group – use a group of defined radius or tacacs+ servers
    • enable – use the the enable password (either enable secret or enable password)
    • line – use the password defined in the “password” command of the line paragraph
    • local – use the username command. Username case-insensitive, password case-sensitive.
    • local-case – use the username command. Username & password case-sensitive.
    • none – No authentication required – user authenticates automatically.
  • You can group servers into “aaa group server radius “, and then reference that group name in aaa commands, allowing you to use different groups for different purposes. Say, one for authentication and authorization, but another for accounting.
  • For console, vty and console (ergo, the ones you can configure with a “line” paragraph) can be configured to authenticate in a different manner than the default.
    • In the line paragraph, include a line such as “login authentication my-special-login”.
    • Then in your aaa config, include a line such as “aaa authentication login my-special-login group radius local”.
  • PPP can use AAA for security. “aaa authentication ppp default” will get you there by way of a terse example. Very handy in a dial-up environment where maintaining a local username database on the router is a little bit silly.
By Ethan Banks
Ethan Banks On productivity.

You probably know Ethan Banks because he writes & podcasts about IT. For example, he co-authored "Computer Networks Problems & Solutions" with Russ White.

This site is Ethan on productivity--not tech so much.

Find out more on his about page.