Authentication Configuration

Authentication is configured differently on Cisco routers and switches; however, the general parameters
are similar. In broad terms, the administrator must first instruct the device to use an authentication
protocol and then provide the IP address for communications to the security server.
Router Configuration
The following is extracted from the full configuration file of the router to highlight the commands
used for AAA configuration:
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+

tacacs-server host 10.1.98.36
tacacs-server host 10.1.5.36
tacacs-server key tjelkprp
The preceding output is an example of a typical router configuration. This output starts the
AAA service, establishes authentication services for both the login and enable processes, and
audits the start and end times of each access. The two TACACS+ servers noted here are defined,
and the preshared key is assigned.
In this example (which uses TACACS+), the aaa authentication command defines the authentication
protocol. The enable keyword at the end of the two authentication commands allows the local
enable secret password to be used if network connectivity between the security server and the
router is lost (if no enable secret is defined, the enable password is used instead, which is not
recommended from a security perspective). This fallback can itself be considered a security risk;
however, the risk is minor, because an attacker would have to physically access the router or
compromise the internal network sufficiently to change routes or block packets. The
tacacs-server host command defines the IP address of each TACACS+ server, and the
tacacs-server key command supplies the preshared key that provides basic security over the
communications link to the security server. Note that this configuration also includes an
aaa accounting command, which instructs the router to log the start and stop times of each
exec session to the TACACS+ server.
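The following script is an added example, not part of the book's text or a Cisco tool. It parses the AAA commands discussed above out of a running-config and reports the weak settings the discussion warns about: a login or enable method list that never consults TACACS+ or has no fallback for when the server is unreachable, an enable password configured without an enable secret, a missing tacacs-server key, and a missing exec accounting command. The two sample configs are constructed; the "good" one is the router configuration shown above plus an assumed enable secret line with a placeholder hash, and the requirement for two TACACS+ servers is an assumed policy, not a Cisco rule.

```python
"""Audit the AAA section of a Cisco IOS running-config (added example)."""
import re

# Constructed sample: the router configuration shown above, plus an
# "enable secret" line assumed to exist elsewhere in the full config
# (the hash is a placeholder, not a real secret).
GOOD_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
!
enable secret 5 <placeholder-hash>
tacacs-server host 10.1.98.36
tacacs-server host 10.1.5.36
tacacs-server key tjelkprp
"""

# Constructed weak sample: enable-only login, clear-text enable password,
# one TACACS+ server, no shared key, no enable method list, no accounting.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default enable
enable password cisco123
tacacs-server host 10.1.98.36
"""


def parse_aaa(config):
    """Collect the AAA-relevant settings from a running-config text."""
    info = {
        "new_model": False,
        "login": {},        # method-list name -> list of methods
        "enable": {},       # method-list name -> list of methods
        "accounting": [],   # raw 'aaa accounting ...' lines
        "tacacs_hosts": [],
        "tacacs_key": None,
        "enable_secret": False,
        "enable_password": False,
    }
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # IOS separator/comment lines
            continue
        if line == "aaa new-model":
            info["new_model"] = True
        elif m := re.match(r"^aaa authentication (login|enable) (\S+) (.+)$", line):
            # Newer IOS writes "group tacacs+"; drop the "group" token so
            # both spellings compare equal.
            methods = [t for t in m.group(3).split() if t != "group"]
            info[m.group(1)][m.group(2)] = methods
        elif line.startswith("aaa accounting "):
            info["accounting"].append(line)
        elif m := re.match(r"^tacacs-server host (\S+)", line):
            info["tacacs_hosts"].append(m.group(1))
        elif m := re.match(r"^tacacs-server key (.+)$", line):
            info["tacacs_key"] = m.group(1)
        elif line.startswith("enable secret "):
            info["enable_secret"] = True
        elif line.startswith("enable password "):
            info["enable_password"] = True
    return info


def audit_aaa(config):
    """Return a list of finding codes; an empty list means all checks passed."""
    info = parse_aaa(config)
    findings = []
    if not info["new_model"]:
        findings.append("no-aaa-new-model")
    for kind in ("login", "enable"):
        methods = info[kind].get("default")
        if methods is None:
            findings.append(f"no-default-{kind}-list")
            continue
        if "tacacs+" not in methods:        # security server never consulted
            findings.append(f"{kind}-not-using-tacacs")
        if methods[-1] not in ("enable", "local"):
            # Availability finding: lockout if the server becomes unreachable.
            findings.append(f"{kind}-no-fallback")
    if info["enable_password"] and not info["enable_secret"]:
        findings.append("enable-password-without-secret")
    if len(info["tacacs_hosts"]) < 2:       # assumed policy: two servers for redundancy
        findings.append("single-tacacs-server")
    if info["tacacs_key"] is None:          # link to the server is unauthenticated
        findings.append("no-tacacs-key")
    if not any(l.startswith("aaa accounting exec") for l in info["accounting"]):
        findings.append("no-exec-accounting")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_aaa(cfg) or "OK")
```

Run against a saved `show running-config`, the finding codes map directly onto the points made in the text: the method-list checks cover the enable fallback, the enable-secret check covers the warning about the enable password, and the key and accounting checks cover the last two commands in the example.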