Router and Switch Device Security
Securing access to a router or switch CLI is one of the first steps in securing a routed/switched
network. Cisco includes several basic mechanisms suited for protecting devices in a lab, as
well as more robust security features suited for devices deployed in production environments.
Additionally, these same base authentication features can be used to authenticate dial PPP users.
The first section of this chapter examines each of these topics.
Simple Password Protection for the CLI
Figure 18-1 provides a visual reminder of some hopefully familiar details about how users
can reach a router's CLI user mode, and move into enable (privileged) mode using the enable
command.
Figure 18-1 Router User and Enable Modes
[Figure 18-1: Console, Aux, and Telnet access lead to User Mode (router>); the enable command prompts for a password and moves to Privileged Mode (router#), also called Enable Mode; the disable command returns to User Mode.]
Figure 18-1 shows three methods to reach user mode on a router. The figure also applies to Cisco
IOS-based switches, except that Cisco switches do not have auxiliary ports.
Cisco IOS can be configured to require simple password protection for each of the three methods
to access user mode. To do so, the login line subcommand is used to tell Cisco IOS to prompt the
user for a password, and the password command defines the password. The configuration mode
implies for which of the three access methods the password should be required. Example 18-1
shows a simple example.
648 Chapter 18: Security
These passwords are stored as clear text in the configuration, but they can be encrypted by
including the service password-encryption global command. Example 18-2 shows the results
of adding this command.
Note that when the service password-encryption command is added to the configuration, all
clear-text passwords in the running configuration are changed to an encrypted value. The
passwords in the startup configuration are not changed until the copy running-config startup-config
(or write memory for all you fellow old-timers out there) command has been used to save
the configuration. Also, after disabling password encryption (no service password-encryption),
passwords are not automatically decrypted; instead, Cisco IOS waits for a password to be
changed before listing the password in its unencrypted form.
Note that the encryption used by the service password-encryption command is weak. Publicly
available tools can crack the password. The encryption is useful to prevent the curious from logging
into a router or switch, but it provides no real protection against even a hacker with modest skill.
Example 18-1 Simple User Mode CLI Password Protection
! The login and password commands under line con 0 tell the router to supply a password
! prompt, and define the password required at the console port, respectively.
line con 0
login
password fred
!
line vty 0 15
login
password barney
Example 18-2 Using the service password-encryption Command
! The service password-encryption global command causes all existing clear-text
! passwords in the running config to be encrypted.
service password-encryption
! The "7" in the password commands means that the following value is the
! encrypted password per the service password-encryption command.
line con 0
password 7 05080F1C2243
login
line vty 0 4
password 7 00071A150754
login
Better Protection of Enable and Username Passwords
The password required by the enable command can be defined by either the enable password
pw command or the enable secret pw command. If both are configured, the enable exec command
only accepts the password defined in the enable secret command.
The password in the enable password command follows the same encryption rules as login passwords,
only being encrypted if the service password-encryption command is configured. However, the enable
secret password is not affected by service password-encryption. Instead, it is always stored as an
MD5-hashed value, instead of being encrypted, resulting in a much harder to crack password. Example
18-3 shows how Cisco IOS represents this subtle difference in how the password values are stored.
The username name password password command has a feature similar to the enable secret
command. The service password-encryption command encrypts the password listed in the
username name password password command; however, the username name secret password
command uses the same MD5 hash as the enable secret command to better protect the password.
And, as with enable secret, a 5 is listed in the command as stored in the configuration; for
example, username barney secret 5 $1$oMnb$EGf1zE5QPip4UW7TTqQTR.
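A defender's check for the storage forms described above: this added Python script (not from the book and not Cisco code) scans a running-config for enable, username, line, and aaa authentication login commands and flags type 0/7 passwords, usernames stored with username password rather than username secret, a missing enable secret, and login method lists that fall back to none. The config text, host addresses and credentials are constructed samples modelled on the chapter's examples.

```python
import re

# Constructed sample running-config, modelled on Examples 18-2 through 18-4
# in this chapter (not captured from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$GvDM$ux/PhTwSscDNOyNIyr5Be/
enable password 7 070C285F4D064B
username cisco password 0 cisco
username barney secret 5 $1$oMnb$EGf1zE5QPip4UW7TTqQTR.
aaa new-model
aaa authentication login default group radius none
aaa authentication enable default group radius local
line con 0
 password 7 05080F1C2243
line vty 0 4
 password 7 00071A150754
"""

# One pattern per password-bearing command covered in the text.
ENABLE_RE = re.compile(r"^enable (password|secret) (\d) \S+$")
USER_RE = re.compile(r"^username (\S+) (password|secret) (\d) \S+$")
LINE_PW_RE = re.compile(r"^\s+password (\d) \S+$")
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

def audit_config(text):
    """Return (severity, message) findings for one IOS running-config."""
    findings = []
    has_enable_secret = False
    for line in text.splitlines():
        if m := ENABLE_RE.match(line):
            if m.group(1) == "secret":
                has_enable_secret = True
            else:
                # Type 7 is reversible; only enable secret (type 5) is hashed.
                findings.append(("medium", f"enable password is type {m.group(2)}, not a type 5 secret"))
        elif m := USER_RE.match(line):
            if m.group(2) == "password":
                findings.append(("medium", f"username {m.group(1)} is type {m.group(3)}; use username secret"))
        elif m := LINE_PW_RE.match(line):
            findings.append(("low", f"line password is type {m.group(1)} (clear or reversible)"))
        elif m := LOGIN_RE.match(line):
            # A method list ending in 'none' admits everyone once all servers fail.
            if m.group(2).split()[-1] == "none":
                findings.append(("high", f"login list {m.group(1)} falls back to none"))
    if not has_enable_secret:
        findings.append(("high", "no enable secret configured"))
    return findings
```

Run audit_config on the text of show running-config; the sample above yields two medium, one high and two low findings.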
Example 18-3 Differences in Hashed/Encrypted Enable Passwords
! The enable password lists a 7 in the output to indicate an encrypted value
! per the service password-encryption command; the
! enable secret command lists a 5, indicating an MD5-hashed value.
service password-encryption
!
enable secret 5 $1$GvDM$ux/PhTwSscDNOyNIyr5Be/
enable password 7 070C285F4D064B
User Mode and Privileged Mode AAA Authentication
The term authentication, authorization, and accounting (AAA) refers to a variety of common
security features. This section focuses on the first "A" in AAA, authentication, and how it is
used to control access to a router or IOS switch's user mode and privileged mode.
The best authentication method to protect the CLI is to use a TACACS+ or RADIUS server. The
Cisco Secure Access Control Server (ACS) is a Cisco Systems software product that can be installed
on Unix, Linux, and several Windows platforms, holding the set of usernames and passwords used
for authentication. The routers and switches then need to obtain the username and password from
the user, send it as encrypted traffic to the server, and receive a reply, either accepting or rejecting
the user. Table 18-2 summarizes some of the key facts about RADIUS and TACACS+.
Table 18-2 Comparing RADIUS and TACACS+ for Authentication
Feature | RADIUS | TACACS+
Scope of encryption (packet payload or just the password) | Password only | Entire payload
Layer 4 protocol | UDP | TCP
Well-known port / IOS default port used for authentication | 1812 / 1645 (see note 1) | 49 / 49
Standard or Cisco-proprietary | RFC 2865 | Proprietary
1 RADIUS originally defined port 1645 as the well-known port, which was later changed to port 1812.
Using a Default Set of Authentication Methods
AAA authentication configuration includes commands by which a set of authentication methods
is defined. A single authentication method is exactly what it sounds like: a way to authenticate a
user. For example, one method is to ask a RADIUS server to authenticate a login user; another is
to let a router look at a set of locally defined username commands. A set of authentication methods
represents an ordered list of authentication methods, each of which is tried in order until one of
the methods returns an authentication response, either accepting or rejecting the user.
The simplest AAA configuration defines a default set of authentication methods used for all router
or switch logins, plus a second set of default authentication methods used by the enable command.
The defined default login authentication methods apply to all login access: console, Telnet, and
aux (routers only). The default authentication methods used by the enable command simply
dictate what Cisco IOS does when a user types the enable command. The overall configuration
uses the following general steps:
Step 1 Enable AAA authentication with the aaa new-model global command.
Step 2 If using RADIUS or TACACS+, define the IP address(es) and encryption
keys used by the server(s) by using the radius-server host, radius-server
key, tacacs-server host, and tacacs-server key commands.
Step 3 Define the default set of authentication methods used for all CLI access by
using the aaa authentication login default command.
Step 4 Define the default set of authentication methods used for enable-mode
access by using the aaa authentication enable default command.
Example 18-4 shows a sample router configuration using these commands. In this case, two
RADIUS servers are configured. One of the servers uses the Cisco IOS default port of 1645, and
the other uses the well-known port 1812. Per the following configuration, this router
attempts the following authentication:
■ When a login attempt is made, Cisco IOS attempts authentication using the first RADIUS
server; if there's no response, IOS tries the second RADIUS server; if there's no response, the
user is allowed in (authentication method none).
■ When any user issues the enable command, the router tries the RADIUS servers, in order; if
none of the RADIUS servers replies, the router will accept the single username/password
configured on the router of cisco/cisco.
Example 18-4 Differences in Hashed/Encrypted Enable Passwords
! The next command shows that the enable secret password is still configured,
! but it will not be used. The username command defines a user/password that
! will be used for enable authentication if the RADIUS servers are not reachable.
! Note that the 0 in the username command means the password is not encrypted.
R1# show running-config
! lines omitted for brevity
enable secret 5 $1$GvDM$ux/PhTwSscDNOyNIyr5Be/
username cisco password 0 cisco
! Next, AAA is enabled, and the default enable and login authentication is
! defined.
aaa new-model
aaa authentication enable default group radius local
aaa authentication login default group radius none
! Next, the two RADIUS servers are configured. The port numbers were omitted when
! the radius-server host 10.1.1.2 command was issued, and IOS filled in its
! default. Similarly, radius-server host 10.1.1.1 auth-port 1812 was issued,
! with IOS adding the accounting port number default into the command.
radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server key cisco
! Before adding AAA configuration, both the console and vtys had both the login
! and password commands as listed in Example 18-1. The act of enabling AAA
! deleted the login command, which now by default uses the settings on global
! command aaa authentication login default. The passwords remaining below would
! be used only if the aaa authentication login command listed a method of "line."
line con 0
password cisco
line vty 0 4
password cisco
Using Multiple Authentication Methods
AAA authentication allows referencing multiple servers and multiple authentication methods
so that a user can be authenticated even if one authentication method is not working. The aaa
authentication command supports up to four methods on a single command. Additionally, there
is no practical limit to the number of RADIUS or TACACS+ servers that can be referenced in a
RADIUS or TACACS+ server group. The logic used by Cisco IOS when using these methods is
as follows:
■ Use the first listed method first; if that method does not respond, move on to the next, and then
the next, and so on until a method responds. Use the first-responding method's decision
(allow or reject).
■ If a method refers to a set of more than one server, try the first server, with "first" being based
on the order of the commands in the configuration file. If no response, move on to the next
sequential server, and so on, until a server responds. Use the first-responding server's decision
(allow or reject).
■ If no response occurs for any method, reject the request.
For example, Example 18-4 listed RADIUS servers 10.1.1.1 and 10.1.1.2, in that order, so those
servers would be checked in that same order. If neither replies, then the next method would be
used: none for login sessions (meaning automatically allow the user in), and local (meaning
authenticate based on configured username commands).
Table 18-3 lists the authentication methods allowed for login and enable (privileged exec) mode,
along with a brief description.
Table 18-3 Authentication Methods for Login and Enable
Method | Meaning
group radius | Use the configured RADIUS servers
group tacacs+ | Use the configured TACACS+ servers
group name | Use a defined group of either RADIUS or TACACS+ servers
enable | Use the enable password, based on enable secret or enable password commands
line (see note 1) | Use the password defined by the password command in line configuration mode
local | Use username commands in the local configuration; treats the username as case insensitive, but the password as case sensitive
local-case | Use username commands in the local configuration; treats both the username and password as case sensitive
none | No authentication required; user is automatically authenticated
1 Cannot be used for enable authentication.
Groups of AAA Servers
By default, Cisco IOS automatically groups RADIUS and TACACS+ servers configured with
the radius-server host and tacacs-server host commands into groups, appropriately named radius and
tacacs+. The aaa authentication command includes the keywords group radius or group
tacacs+ to refer to these default groups. By default, all defined RADIUS servers end up in the
radius group, and all defined TACACS+ servers end up in the tacacs+ group.
In some cases, particularly with larger-scale dial implementations, a design may call for the
separation of different sets of RADIUS or TACACS+ servers. To do so, servers can be grouped by
name. Example 18-5 shows an example configuration with two servers in a RADIUS group named
fred, and shows how the aaa authentication command can refer to the group.
Example 18-5 Configuring a RADIUS Server Group
! The next three commands create RADIUS group fred. Note that the servers are
! configured inside AAA group config mode, using the server subcommand. Note that
! IOS added the auth-port and acct-port parameters automatically.
R1(config)# aaa group server radius fred
R1(config-group)# server 10.1.1.3 auth-port 1645 acct-port 1646
R1(config-group)# server 10.1.1.4 auth-port 1645 acct-port 1646
! To use group fred instead of the default group, the aaa authentication
! commands need to refer to group fred, as shown next.
aaa new-model
aaa authentication enable default group fred local
aaa authentication login default group fred none
Overriding the Defaults for Login Security
The console, vty, and aux (routers only) lines can override the use of the default login authentication
methods. To do so, in line configuration mode, the login authentication name command is used
to point to a named set of authentication methods. Example 18-6 shows named sets of authentication
methods called for-console, for-vty, and for-aux, with each applied to the corresponding login method.
Each of the named sets defines a different list of authentication methods. Example 18-6 shows
an example that implements the following requirements:
■ console—Try the RADIUS servers, and use the line password if no response
■ vty—Try the RADIUS servers, and use local usernames/passwords if no response
■ aux—Try the RADIUS servers, and do not authenticate if no response
Example 18-6 Overriding the Default Login Authentication Method
! The configuration shown here has been added to the configuration from earlier
! examples.
aaa authentication login for-console group radius line
aaa authentication login for-vty group radius local
aaa authentication login for-aux group radius
! The methods are enabled below with the login authentication commands. Note that
! the local passwords still remain on the console and vtys; for the console,
! that password would be used (based on the line keyword in the aaa
! authentication command above) if the RADIUS servers are all nonresponsive.
! However, the vty password command would not be used by this configuration.
line con 0
password 7 14141B180F0B
login authentication for-console
line aux 0
login authentication for-aux
line vty 0 4
password 7 104D000A0618
login authentication for-vty
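To make the method-list logic of Examples 18-4 and 18-6 concrete, here is an added Python model (not Cisco code and not from the book) of how IOS walks a login method list: servers in a group are tried in configuration order, the first method or server that answers decides, a list with no responder rejects, and a line with a login authentication command uses its named list instead of default. Server states, credentials and group contents are constructed; the local method is simplified to always respond, and the line method ignores the username.

```python
# Constructed sample data modelled on Examples 18-4 through 18-6 (hypothetical
# credentials; no real device or server involved).
GROUPS = {"radius": ["10.1.1.1", "10.1.1.2"], "fred": ["10.1.1.3", "10.1.1.4"]}
LOCAL_USERS = {"cisco": "cisco"}            # username ... password commands
LINE_PASSWORDS = {"con 0": "cisco", "vty 0 4": "cisco"}
METHOD_LISTS = {                             # aaa authentication login <name> ...
    "default": ["group radius", "none"],
    "for-console": ["group radius", "line"],
    "for-vty": ["group radius", "local"],
    "for-aux": ["group radius"],
}
LINE_LISTS = {"con 0": "for-console", "vty 0 4": "for-vty", "aux 0": "for-aux"}

def ask_servers(hosts, servers, user, pw):
    """Try servers in configuration order; the first one that answers decides."""
    for host in hosts:
        db = servers.get(host)            # None models an unreachable server
        if db is not None:
            return db.get(user) == pw     # accept or reject from this server
    return None                           # nobody answered

def run_method(method, servers, line, user, pw):
    """Evaluate one method; None means no response, so IOS moves on."""
    if method.startswith("group "):
        return ask_servers(GROUPS[method.split()[1]], servers, user, pw)
    if method == "local":      # username case-insensitive, password case-sensitive
        return LOCAL_USERS.get(user.lower()) == pw
    if method == "local-case":
        return LOCAL_USERS.get(user) == pw
    if method == "line":       # only the line's own password matters here
        return LINE_PASSWORDS.get(line) == pw
    if method == "none":
        return True
    raise ValueError(f"unsupported method {method}")

def authenticate(servers, line, user, pw):
    """Apply the line's named list if it has one, otherwise the default list."""
    for method in METHOD_LISTS[LINE_LISTS.get(line, "default")]:
        decision = run_method(method, servers, line, user, pw)
        if decision is not None:
            return decision
    return False                          # no method responded: reject
```

Note that once any RADIUS server answers, its reject is final and the local or line fallback is never consulted; only a total lack of response moves IOS to the next method.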