Boosting authentication increases security by forcing hackers to guess both the username and password rather than just a password. Authentication can also be passed to a central server so that users and passwords can be created and modified in one spot without having to change the configuration on every router and switch in the company. Additionally, this type of authentication is needed to configure Secure Shell access to routers and switches, which encrypts administration traffic. Cisco supports username and password authentication on almost every device, so a software upgrade is probably not needed before configuration. Secure Shell, however, requires a software upgrade in many cases.
This article includes configuration examples for local and TACACS+ server authentication. A nice example for configuring RADIUS authentication on routers and switches, or passing authentication back to the company's Active Directory, can be found at TechRepublic.
In many cases, administrators just configure a telnet password for their network devices, which is the least secure way to permit access. Here is an example of the way those routers are configured.
RouterA#configure terminal
RouterA(config)# line vty 0 4
RouterA(config-line)# password letmein
RouterA(config-line)# end
A router's telnet interface is called a vty, short for Virtual Teletype Terminal.
This allows access to the router via telnet with just the password letmein. Below is an example of configuring a router for username and password authentication from a local database stored on the router itself. If you have more than one router or switch, each one will need to be configured. Either way is more secure than just a password by itself. A more complex password increases security, so use passwords that are difficult to guess and create usernames that are not as simple to guess as admin or cisco.
RouterA#configure terminal
RouterA(config)# username Jane password Doe
RouterA(config)# username Bob password Smith
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default local
RouterA(config)# end
The configuration creates the usernames Jane and Bob with the passwords Doe and Smith respectively. AAA stands for authentication, authorization and accounting. The line 'aaa authentication login default local' specifies that local authentication should be used for login by default. The passwords will show up in the configuration just as you typed them and be readable by everyone that has access to the router configuration file unless the service password-encryption command is used. For example:
RouterA#configure terminal
RouterA(config)# service password-encryption
RouterA(config)# end
Now your passwords will be encrypted in the configuration. There are hacker tools available that can decrypt these passwords, so configurations should still be stored in a secure place.
Here is a look at configuring TACACS+ authentication. In this example, the switch or router will first look to TACACS+ for authentication and then if that fails, it will look in the local user database. This will give you access if your network device loses network connectivity to the TACACS+ server. This example assumes there is a working TACACS+ server already running on your network. If not, notes on configuring a TACACS+ server on Linux can be found here.
RouterA#configure terminal
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default group tacacs+ local
RouterA(config)# tacacs-server host 10.1.1.1
RouterA(config)# tacacs-server host 10.1.1.2
RouterA(config)# tacacs-server key SecretPassword
RouterA(config)# end
If the switch or router has access to the authentication server, then the next time that you log in, the device should prompt you for a username rather than just a password. Complete details on configuring aaa access can be found on Cisco's website.
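An added example (not from the original article): a small Python check that reads an IOS-style configuration and flags the weaker settings discussed above, namely password-only vty login, username passwords stored in clear text or in the reversible service password-encryption form, and a TACACS+ method list with no local fallback. The finding names and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configs (not from a real device). WEAK mirrors the
# article's password-only vty; NO_FALLBACK omits "local" from the method list.
WEAK = """\
line vty 0 4
 password letmein
"""
NO_FALLBACK = """\
aaa new-model
aaa authentication login default group tacacs+
username Jane password 7 00112233AABB
username Bob password Smith
tacacs-server host 10.1.1.1
"""
ARTICLE_TACACS = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
"""

def audit(config: str) -> list[str]:
    """Return finding names for weak login settings in an IOS-style config."""
    lines = config.splitlines()
    findings = []
    has_aaa = any(l.strip() == "aaa new-model" for l in lines)
    in_vty = False
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level command ends the previous section.
            in_vty = line.startswith("line vty")
        elif in_vty and line.startswith("password ") and not has_aaa:
            # Without AAA, the line password is the only credential asked for.
            findings.append("vty-password-only")
        m = re.match(r"username (\S+) (?:.* )?password (?:([07]) )?\S+", line)
        if m:
            # Type 7 is what service password-encryption produces (reversible).
            kind = "reversible" if m.group(2) == "7" else "cleartext"
            findings.append(f"user-password-{kind}:{m.group(1)}")
        m = re.match(r"aaa authentication login default (.+)", line)
        if m:
            methods = m.group(1).split()
            # A server group with no local method means no login if it is down.
            if "group" in methods and not any(x.startswith("local") for x in methods):
                findings.append("no-local-fallback")
    return findings
```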
Published by Jinx



