Authentication in Cisco IOS
Cisco Routers/Switches, How-to, IOS Fundamentals
February 11th, 2008, 8:13am
Adding username and password authentication to Cisco routers and switches takes only a few minutes, does not require a software upgrade in most cases, and improves router and switch security.
Authentication can be passed to a central server so that users and passwords are created and modified in one place, without changing the configuration on every router and switch in the company. Username and password authentication is also a prerequisite for Secure Shell (SSH) access, which encrypts administration traffic; telnet sends usernames, passwords and every command in clear text. Cisco supports username and password authentication on almost every device, so a software upgrade is probably not needed before configuring it. SSH, however, needs a crypto-capable (k9) IOS image, which in many cases does mean a software upgrade.
A nice example of configuring RADIUS authentication on routers and switches, or of passing authentication back to the company's Active Directory, can be found at TechRepublic.
In many cases, administrators configure only a telnet password for their network devices, which is the least secure way to permit access: everyone shares one password, there is no record of who logged in, and the password crosses the network in clear text. Here is an example of how such a router is configured.
RouterA#configure terminal
RouterA(config)# line vty 0 4
A router’s telnet interface is called a vty, short for virtual teletype terminal; vty 0 4 selects the first five virtual lines, so the commands that follow apply to all five and the prompt changes to line-configuration mode.
RouterA(config-line)# password letmein
RouterA(config-line)# login
RouterA(config-line)# end
The login command tells the line to prompt for its password; it is present on vty lines by default, but it is worth setting explicitly, because without it the password is never asked for.
This allows telnet access to the router with just the password letmein. Below is an example of configuring a router for username and password authentication from a local database stored on the router itself. If you have more than one router or switch, each one must be configured separately; a central server (TACACS+ is covered below) avoids that. Either way is more secure than a single shared password: each person has their own credentials, and one person's access can be revoked without changing a password everyone knows. Longer, more complex passwords increase security, so use passwords that are difficult to guess and avoid obvious usernames such as admin or cisco.
RouterA#configure terminal
RouterA(config)# username Jane password Doe
RouterA(config)# username Bob password Smith
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default local
RouterA(config)# end
The configuration creates the usernames Jane and Bob with the passwords Doe and Smith respectively. AAA stands for authentication, authorization and accounting. The line ‘aaa authentication login default local’ specifies that logins on every line, console and vty alike, are authenticated against the local user database by default; once aaa new-model is entered, the line password from the telnet example is no longer consulted. Create the local users before enabling AAA, as shown, and test a new login from a second session before closing the one you are working in, so that a mistake cannot lock you out. The passwords show up in the configuration exactly as typed and are readable by everyone who has access to the configuration file unless the service password-encryption command is used. For example:
RouterA#configure terminal
RouterA(config)# service password-encryption
RouterA(config)# end
Now the passwords are obscured in the configuration, where they appear as ‘password 7’ followed by a hex string. This is reversible obfuscation, not real encryption: the type 7 scheme is public, tools that reverse it instantly are widely available, and the same weakness applies to the TACACS+ key shown later, so configurations must still be stored and copied securely. A stronger choice for user accounts is ‘username Jane secret Doe’ (introduced around IOS 12.2(8)T), which stores a salted MD5 hash, shown as ‘secret 5’, that cannot be reversed the way type 7 can; use ‘enable secret’ rather than ‘enable password’ for the same reason.
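To show why service password-encryption is only obfuscation, here is an added example (Python, not code from the original post) that reverses type 7 values and pulls every ‘password 7’ or ‘key 7’ entry out of a saved running-config. The key string is the fixed one IOS has used for years; the sample config is constructed here, with its type 7 values produced by the encoder in the same block.

```python
import re

# Fixed key IOS uses for type 7 values; it has been public for many years.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 value, e.g. the string after 'password 7' in a config.

    Format: two decimal digits giving the starting offset into TYPE7_KEY,
    then one hex byte per plaintext character, each XORed with the key byte
    at (offset + position).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value is two seed digits plus hex byte pairs")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce a type 7 value as IOS would; IOS picks a seed in 0-15 at random."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0-15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def recover_type7_secrets(config: str) -> list:
    """Return (command, plaintext) for every 'password 7' or 'key 7' value in a config."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample: what 'show running-config' looks like after
# 'service password-encryption'. The enable password line carries the
# well-known encoding of "cisco"; the others are encoded by the function above.
SAMPLE_CONFIG = """\
service password-encryption
username Jane password 7 {jane}
enable password 7 094F471A1A0A
tacacs-server key 7 {key}
""".format(jane=type7_encode("Doe", 3), key=type7_encode("SecretPassword", 12))

if __name__ == "__main__":
    for cmd, secret in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{cmd:45s} -> {secret}")
```

Run it against a real saved config to see how little protection type 7 gives; anything that must not be recoverable from the file belongs under ‘secret’, not ‘password’.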
Here is a look at configuring TACACS+ authentication, a centralized authentication protocol that hands authentication off to a server. In this example the switch or router first asks the TACACS+ servers, in the order listed, and consults the local user database only when no server can be reached. Note the distinction: a server that answers and rejects the credentials does not fall through to the local database, so ‘local’ here is a safety net for a network or server outage, not a second chance at a password. This example assumes a working TACACS+ server is already running on your network. If not, notes on configuring a TACACS+ server on Linux can be found here.
RouterA#configure terminal
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default group tacacs+ local
RouterA(config)# tacacs-server host 10.1.1.1
RouterA(config)# tacacs-server host 10.1.1.2
RouterA(config)# tacacs-server key SecretPassword
RouterA(config)# end
If the switch or router can reach the authentication server, the next time you log in the device prompts for a username rather than just a password. The key given with tacacs-server key must match the one configured on the server or the exchange fails, so verify the new login from a second session before closing the one you configured it from. Complete details on configuring AAA access can be found on Cisco’s website.
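As an added example covering both the local-database configuration earlier and the TACACS+ one just shown (Python, not code from the original post), here is a small checker that reads a saved running-config and reports the weak login settings this post warns about: no AAA, a shared vty password, telnet still accepted, clear-text or type 7 user passwords, a TACACS+ method list with no local fallback, and a missing shared key. The two sample configs are constructed for the example; the ‘secret 5’ value in the hardened one is a placeholder, not a real hash.

```python
import re


def parse_running_config(text: str):
    """Split a running-config into top-level commands and the sub-commands of each 'line ...' block."""
    commands, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()[len("line "):]
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            commands.append(raw.strip())
    return commands, line_blocks


def lint_login_config(text: str) -> list:
    """Return one finding per weak login setting; an empty list means every check passed."""
    commands, line_blocks = parse_running_config(text)
    findings = []
    aaa_enabled = "aaa new-model" in commands

    if not aaa_enabled:
        findings.append("aaa new-model missing: logins rely on per-line passwords, not per-user accounts")

    # A later method is tried only when the earlier one cannot answer (server unreachable),
    # so 'group tacacs+' without 'local' means a lockout during a server outage.
    for cmd in commands:
        m = re.match(r"aaa authentication login default (.+)", cmd)
        if m:
            methods = m.group(1).split()
            if "tacacs+" in methods and "local" not in methods:
                findings.append("login method list has no 'local' fallback: unreachable TACACS+ servers lock you out")

    has_tacacs_host = any(c.startswith("tacacs-server host") for c in commands)
    has_tacacs_key = any(c.startswith("tacacs-server key") for c in commands)
    if has_tacacs_host and not has_tacacs_key:
        findings.append("tacacs-server key missing: TACACS+ packets are sent without the shared secret")

    # 'username X password ...' is type 0 (clear) or type 7 (reversible); 'username X secret' is hashed.
    for cmd in commands:
        m = re.match(r"username (\S+)(?: privilege \d+)? password (?:(\d) )?(\S+)", cmd)
        if m:
            user, ptype = m.group(1), m.group(2) or "0"
            if ptype == "0":
                findings.append(f"username {user}: clear-text (type 0) password; use 'username {user} secret ...'")
            elif ptype == "7":
                findings.append(f"username {user}: reversible type 7 password; use 'username {user} secret ...'")

    for name, sub in line_blocks.items():
        if not name.startswith("vty"):
            continue
        if not aaa_enabled and "login local" not in sub:
            findings.append(f"line {name}: shared line password only (no 'login local' and no AAA)")
        ssh_only = any(s.split()[2:] == ["ssh"] for s in sub if s.startswith("transport input"))
        if not ssh_only:
            findings.append(f"line {name}: telnet accepted; set 'transport input ssh'")
    return findings


# Constructed sample: the telnet-password setup plus clear-text and type 7 user accounts.
WEAK_CONFIG = """\
hostname RouterA
!
username Jane password 0 Doe
username Bob password 7 0507031B2C494707
!
line vty 0 4
 password letmein
 login
 transport input telnet ssh
!
"""

# Constructed sample of the corrected form; the type 5 value is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname RouterA
!
aaa new-model
aaa authentication login default group tacacs+ local
!
username jane privilege 15 secret 5 $1$salt$PLACEHOLDER.hash.value
!
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server key SecretPassword
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(lint_login_config(cfg))} finding(s)")
        for f in lint_login_config(cfg):
            print("  -", f)
```

Feed it the output of ‘show running-config’ saved to a file; the weak sample produces five findings and the hardened one none, which is the state to aim for before exposing the device to SSH from the network.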
Related posts:
- Configuring SSH on Cisco routers/switches (How-to)
- Showing the configuration at the interface level
- Working with VLANS on Cisco Switches
- Configure Port Mirrors on Cisco Switches
- Configure Port Channels in IOS
