RouterNotes.com » Radius http://routernotes.com Networking and Mac OS X lessons learned in a Campus LAN environment Mon, 15 Sep 2008 18:01:29 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Authentication in Cisco IOS http://routernotes.com/2008/02/11/authentication-in-cisco-ios/ http://routernotes.com/2008/02/11/authentication-in-cisco-ios/#comments Mon, 11 Feb 2008 14:13:57 +0000 siteadmin http://routernotes.com/2008/02/11/authentication-in-cisco-ios/
  • Configuring SSH on Cisco routers/switches (How-to) With all of the security problems out there today, it...
  • Showing the configuration at the interface level One of the pains about Cisco is that once you...
  • Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...
    • Related posts brought to you by Yet Another Related Posts Plugin.]]>     Adding username and password authentication to Cisco routers and switches doesn’t take more than a few minutes, does not require a software upgrade in most cases, and will increase router and switch security.
    Authentication can be passed to a central server so that users and passwords can be created and modified in one spot without having to change the configuring on every router and switch in the company. Additionally, this type of authentication is needed to configure Secure Shell access to routers and switches, which encrypts administration traffic. Cisco supports username and password authentication on almost every device so a software upgrade is probably not needed before configuration. But Secure Shell requires a software upgrade in many cases.
    A nice example for configuring RADIUS authentication on routers and switches or passing authentication back to the company’s Active Directory can be found at TechRepublic..
    In many cases, administrators just configure a telnet password for their network devices, which is the least secure way to permit access. Here is an example of the way those routers are configured.

    RouterA#configure terminal
    RouterA(config)# line vty 0 4
    A router’s telnet interface is called a vty, short for Virtual Teletype Terminal.
    RouterA(config)# password letmein
    RouterA(config)# end
    This will allow access to router via telnet by just the password letmein. Below is an example of configuring a router for username and password authentication from a local database stored on the router itself. If you have more than one router or switch, each router will need to be configured. Either way is more secure than just a password by itself. A more complex password increases security, so use passwords that are difficult to guess and create usernames that are not as simple to guess like admin or cisco..

    RouterA#configure terminal
    RouterA(config)# username Jane password Doe
    RouterA(config)# username Bob password Smith
    RouterA(config)# aaa new-model
    RouterA(config)# aaa authentication login default local
    RouterA(config)# end

    The configuration creates the usernames Jane and Bob with the passwords Doe and Smith respectively. AAA stands for authentication, authorization and accounting. The line ‘aaa authentication login default local’ specifies that local authentication should be used for login by default. The passwords will show up in the configuration just as you typed them and be readable by everyone that has access to the router configuration file unless the service password-encryption command is used. For example:

    RouterA#configure terminal
    RouterA(config)# service password-encryption
    RouterA(config)# end

    Now your passwords will be encrypted in the configuration. There are tools available that can decrypt these passwords, so configurations should still be stored in a secure place.

    Here is a look at configuring TACACS+ authentication, a centralized authentication protocol that passes authentication of to a server. In this example, the switch or router will first look to TACACS+ for authentication and then if that fails, it will look in the local user database. This will give you access if your network device loses network connectivity to the TACACS+ server. This example assumes there is a working TACACS+ server already running on your network. If not, notes on configuring a TACACS+ server on linux can be found here.

    RouterA#configure terminal
    RouterA(config)# aaa new-model
    RouterA(config)# aaa authentication login default group tacacs+ local
    RouterA(config)# tacacs-server host 10.1.1.1
    RouterA(config)# tacacs-server host 10.1.1.2
    RouterA(config)# tacacs-server key SecretPassword
    RouterA(config)# end

    If the switch or router has access to the authentication server, then the next time that you log in, the device should prompt you for a username rather than just a password. Complete details on configuring aaa access can be found on Cisco’s website.

    Related posts:

    1. Configuring SSH on Cisco routers/switches (How-to) With all of the security problems out there today, it...
    2. Showing the configuration at the interface level One of the pains about Cisco is that once you...
    3. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...

    Related posts brought to you by Yet Another Related Posts Plugin.

    ]]>     http://routernotes.com/2008/02/11/authentication-in-cisco-ios/feed/ 0