Device Access Control

Date: Mar 11, 2022

This sample chapter from CCNP and CCIE Enterprise Core ENCOR 350-401 Exam Cram reviews the configuration and verification of network device access control with usernames and passwords. It also covers authentication, authorization, and accounting (AAA), and looks at the configuration and verification of network device access control on Cisco IOS devices using TACACS+ and RADIUS.

This chapter is divided into two sections. The first section looks at the configuration and verification of network device access control with usernames and passwords. It also covers the configuration and verification of role-based access control (RBAC) using privilege levels. The second section covers authentication, authorization, and accounting (AAA). It looks at the configuration and verification of network device access control on Cisco IOS devices using TACACS+ and RADIUS.

Cisco IOS CLI Session Overview

Cisco IOS software provides several features that you can use to implement basic security for network devices’ command-line sessions. These features include:

You can establish IOS CLI sessions on Cisco IOS devices in two ways:

  1. Locally, through the console port (the con 0 line).

  2. Remotely, over the network (for example, with Telnet or SSH) through the vty lines.

With Cisco IOS networking devices, the word “lines” is used to refer to the software components that manage local and remote CLI sessions. You use the line console 0 global configuration command to enter line configuration mode to configure options such as a password for the console port. Remote CLI sessions use lines that are referred to as vty lines. You use the line vty line-number [ending-line-number] global configuration command to enter line configuration mode to configure options such as a password for remote CLI sessions. Once you are in the line configuration mode, you can set the protocol you will be connecting over (for example, SSH).

Example 6.1 shows the console, auxiliary, and vty lines in the running configuration that are available on R1.

EXAMPLE 6.1 Console, Auxiliary, and vty Lines in the Running Configuration

R1#
R1# show running-config | section line
line con 0
line aux 0
line vty 0 4
R1#

Before we look at how to protect access to Cisco IOS EXEC modes, let’s take a look at the five different types of passwords available in Cisco IOS:

Type 4 passwords were deprecated in IOS 15.3(3). The type 4 password hash was weaker than the type 5 (MD5) hash. Therefore, type 4 passwords should never be used. IOS 15.3(3) introduced support for type 8 and type 9 passwords, and these password types should always be used when supported.

Protection of Access to Cisco IOS EXEC Modes

This section looks at the steps you can take to secure both user and privileged EXEC modes.

The first step in creating secure network device access is to protect the user EXEC mode by configuring passwords for local and remote CLI sessions. You start by entering line configuration mode by selecting the line number for the console port (for example, line console 0). Once you are in that mode, you use the password command to assign a password to line console 0. You use the login command at line console 0 to enable password checking at login.

Next, let’s look at configuring a password for remote CLI sessions. After a password is configured for remote CLI sessions, the IOS device prompts for a password the next time you establish a remote CLI session with that device. Cisco IOS networking devices require that a password be configured for remote CLI sessions. If you attempt to start a remote CLI session with a device that does not have a password configured for remote CLI sessions, you get a message indicating that a password is required and that the password is not set. The remote CLI session will be terminated by the remote host.

To configure a password for remote CLI sessions, you start by entering the line configuration mode and selecting the vty line (for example, line vty 0 4). When you are in that mode, you use the password command as you do for the console line. You use the login command at the vty line to enable password checking at login.

Example 6.2 shows how to assign a password to the console, auxiliary, and vty lines and verify it in the running configuration.

EXAMPLE 6.2 Configuring and Verifying Line Passwords

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# line con 0
R1(config-line)# password Cisco123
R1(config-line)# login
R1(config-line)# line aux 0
R1(config-line)# password Cisco123
R1(config-line)# login
R1(config-line)# line vty 0 4
R1(config-line)# password Cisco123
R1(config-line)# login
R1(config-line)# end
R1#
R1# show running-config | section line
line con 0
 password Cisco123
 login
line aux 0
 password Cisco123
 login
line vty 0 4
 password Cisco123
 login
R1#

The previous section covers protection of access to both local and remote CLI sessions in user EXEC mode using line passwords. Now let’s look at how to protect access to privileged EXEC mode. To add an additional layer of security, particularly for passwords that cross a network or that are stored with the configuration on a TFTP server, you can use the enable secret global configuration command.

Cisco recommends the use of the enable secret command over the enable password command because it uses an improved encryption algorithm. When you configure the enable secret command, it takes precedence over the enable password command. The two commands cannot be in effect simultaneously.

Let’s look at the use of the enable password command to configure a password for privileged EXEC mode. The password you enter with the enable password command is stored as plaintext in the device’s running configuration. You can encrypt the password for the enable password command in the configuration file of the networking device by using the service password-encryption command. However, the type 7 encryption used by the service password-encryption command can be decrypted using tools available on the Internet, so it is not recommended for production deployments. The recommendation is to use the enable secret command because it stores a hash of the password rather than a reversible encoding, using type 5 (MD5) by default. On modern platforms, you can use type 8 or 9 passwords as well. You configure a password for privileged EXEC mode by using the command enable secret [level level] {unencrypted-password | encryption-type encrypted-password}. You can use the show privilege command to display the current privilege level.

Example 6.3 shows the configuration and verification of protection of privileged EXEC mode using the enable password command. Note in the verification that the password is stored in the running configuration in plaintext. This is because the default password, of type 0, was used. You can also set a type 7 password or set the EXEC level here. The command service password-encryption would make the password unreadable in the running configuration.

EXAMPLE 6.3 Protecting Privileged EXEC with enable password

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# enable password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password
R1(config)# enable password ExamCram123
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config)#
*Oct 28 23:00:00.922: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config)# do show run | include password
enable password ExamCram123
R1(config)#
R1(config)# service password-encryption
R1(config)# do show run | include password
enable password 7 106B11180834000A01557878
R1(config)# end
R1#

Example 6.4 shows the configuration and verification of protection of privileged EXEC mode using the enable secret command. This provides stronger encryption and is the recommended method to use. This example uses type 9 encryption. When using type 9, you need to type in the encrypted password or use the algorithm-type command to hash a plaintext enable secret. Note that the verification output shows the encrypted type 9 password.

EXAMPLE 6.4 Protecting Privileged EXEC with enable secret

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# enable ?
  algorithm-type  Algorithm to use for hashing the plaintext 'enable' secret
  password        Assign the privileged level password (MAX of 25 characters)
  secret          Assign the privileged level secret (MAX of 25 characters)
R1(config)# enable algorithm-type scrypt secret ?
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
R1(config)# enable algorithm-type scrypt secret ExamCram123
R1(config)# do sho run | include secret
enable secret 9 $9$QlfhhreZrBM56f$VX4YG.yR/jHO/3gLFfTPqAw.cdraNRDSKJoEOtCrC3Q
R1(config)# end
R1#

After you have protected access to user EXEC mode and privileged EXEC mode by configuring passwords for them, you can further increase the level of security on the device by creating usernames. You configure usernames to limit access to CLI sessions to a networking device to specific users. This is especially important if you are configuring a device to allow first-line technical support user access. These users typically would not need to run all commands available in privileged EXEC mode. For example, suppose you want technical support staff to be able to view the configuration on a device that will help them to troubleshoot network problems without being able to modify the configuration. In this case, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username, the running configuration will be displayed automatically.

There are three ways you can configure a username on a Cisco IOS device:

  1. username username password password, which stores a type 0 (plaintext) password.

  2. username username secret password, which stores a type 5 (MD5) hash.

  3. username username algorithm-type {md5 | sha256 | scrypt} secret password, which with sha256 or scrypt stores a type 8 or type 9 hash.

The last option provides the highest level of security since it allows for the highest level of password encryption (type 8 or type 9). If the final option is not supported on a network device, then the second option should be used since it provides MD5 encryption. The first option should be avoided because it configures a plaintext password.

When you enable password authentication on a line by using the password command, you also need to enable password checking. You do so by using the login command; without it, the line password is never checked. Once you have an alternate connection to the device, you can test the login. It is a good idea to keep an alternate connection open in case there is a problem logging in again on the line you changed. The login local command tells the line to use the username/password pairs stored locally on the router instead. When login local is configured, any password configured on the line is no longer used; the local user database is checked instead.

To enable username and password authentication on a line, you need to do the following configuration:

  1. Create the user account in global configuration mode with the username command (preferably the secret form).

  2. Enter line configuration mode for the console or vty lines.

  3. Tell the line to check the local user database with the login local command.

For remote CLI sessions, you can further protect the lines by using the transport input command. This command controls what protocols are allowed to access the vty lines. This can be configured with the command transport input {all | none |telnet | ssh}. The all option allows both Telnet and SSH access; none blocks Telnet and SSH; telnet allows only Telnet; and ssh allows only SSH access. Using telnet ssh allows both Telnet and SSH access. For the most secure access, the vty lines should be limited to SSH.

Example 6.5 shows the configuration and verification of usernames. The user user1 is configured with a type 0 password, admin1 is configured with a type 9 password, tier1admin is configured with a type 9 password (scrypt in this case), and tier2admin is configured with a type 8 password (sha256 in this case). The login local command is configured under the vty lines to tell it to use the router local user account database for authentication.

In this example, take note of the configured user accounts and the password types. user1 with the type 0 password is shown in running configuration in plaintext. Privilege level 15 gives access to all commands, such as the reload command, and allows a user to make configuration changes on the device.

EXAMPLE 6.5 Configuring Usernames and Passwords

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# username user1 password weakpassword
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config)# username admin1 privilege 15 secret admin1secret
R1(config)# username tier1admin algorithm-type scrypt secret tier1adminsecret
R1(config)# username tier2admin algorithm-type sha256 secret tier2adminsecret
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# end
R1#
R1# show running-config | include username
username user1 password 0 weakpassword
username admin1 privilege 15 secret 9 $9$iVS2wE3FxvTvDv$6k.NoCSCi2af4T8HpWeO1lBaTUnJzelT8S6xEETp7AI
username tier1admin secret 9 $9$bIFEJkC8eW9Xyf$vXBZD.8ZSiHTcjpNVfuMWwXvveegKfHCfNXgLZUYA9w
username tier2admin secret 8 $8$PLF4/9DTLkfoTf$820AEmeaZA2mNh1oNJjAYk6bYKSlLhUn9pULnifodyo
R1#

Example 6.6 shows how to establish a Telnet session from R2 to R1 by using username-based authentication with the tier1admin username and type 9 password created earlier. You can see here that you can successfully connect and authenticate by using the tier1admin account.

EXAMPLE 6.6 Verifying Username-Based Authentication for vty Lines

R2#
R2# telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: tier1admin
Password:
! Password entered is not displayed by the router
R1>
R1#
R1# show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*  578 VTY              -    -      -    -    -      2       0     0/0       -
   579 VTY              -    -      -    -    -      0       0     0/0       -
   580 VTY              -    -      -    -    -      0       0     0/0       -
   581 VTY              -    -      -    -    -      0       0     0/0       -
   582 VTY              -    -      -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
2-577
! the * in the output of the show line command indicates that the first vty (0) is in use
! vty 0 is mapped to vty 578 automatically
R1#

Secured Access with SSH

SSH is a far more secure option than Telnet. Although Telnet is the most popular protocol used to access Cisco IOS devices, it is an insecure protocol. Its session packets are carried in plaintext, making it easy for someone to sniff and capture session information as it traverses the network. SSH provides encryption for session traffic between a device and a terminal access application. This prevents others from being able to intercept and decode the traffic.

SSH is available in two versions:

Let us now take a look at the steps that are needed to set up a Cisco IOS device to run SSH:

  1. Configure a hostname for the device, using the hostname hostname command.

  2. Configure a domain name for the device, using the ip domain-name domain-name command.

  3. Generate an RSA crypto key. Generating a key pair on the IOS device automatically enables SSH. When you generate an RSA key, you are prompted to enter a modulus length. A longer modulus length takes longer to generate, but it is more secure. You generate an RSA key with the crypto key generate rsa command.

Those three steps are mandatory. After you have taken those steps, you may need to set SSH to Version 2 because it is at SSHv1 by default on some platforms. You do this with the ip ssh version 2 command. The other settings you can configure for the SSH service running on a device are the SSH timeout value and the authentication retries number. You do so with the command ip ssh timeout seconds authentication-retries number. Next, you set the transport input at the vty lines by using the transport input ssh command. Finally, also at the vty lines, you use the login local command to cause the local username and password on the router to be used for authentication.

For verification, you can use the show ip ssh command to view the version and configuration information for the SSH server. You can also use the show ssh command to show the status of the SSH server and its current sessions.

Example 6.7 demonstrates how to configure SSH, secure the vty lines to allow only SSH access, and verify connectivity from R2 to R1.

EXAMPLE 6.7 Configuring and Verifying vty Access with SSH

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# username admin2 secret Cisco123
R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for
your General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# end
R1#
R2# ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  -vrf  Specify vrf name
  WORD  IP address or hostname of a remote system
R2# ssh -l admin2 -v 2 100.1.1.1
Password:
! Password entered is not displayed by the router
R1>

Finally, you can set a timeout for EXEC sessions that are left idle, because an unattended, still-authenticated session is a security risk. In line configuration mode, you use the exec-timeout minutes seconds command to set the timeout. The default setting is 10 minutes. Either exec-timeout 0 0 or no exec-timeout disables the EXEC timeout. You should not use either command this way in a production environment.

The absolute-timeout minutes command in line configuration mode sets the interval after which the EXEC session is closed regardless of activity. The session is closed even if it is being used at the time of termination. You can use the logout-warning seconds command together with the absolute-timeout command to notify users of an impending logout. By default, the user is given 20 seconds’ notice before the session is terminated.

Example 6.8 shows how to configure EXEC and absolute timeouts and logout warning. For line con 0, a timeout value of 4 minutes is configured. For the vty lines, a value of 3 minutes and 30 seconds is configured. For the vty lines, an absolute timeout of 10 minutes is configured, with a 120-second logout warning.

EXAMPLE 6.8 Configuring EXEC and Absolute Timeouts

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# line con 0
R1(config-line)# exec-timeout 4 0
R1(config-line)# line vty 0 4
R1(config-line)# exec-timeout 3 30
!next we configure absolute timeout and logout warning
R1(config-line)# absolute-timeout 10
!logout warning is configured in seconds
R1(config-line)# logout-warning 120
R1(config-line)# end
R1#
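The checks described in this section (password and secret types, enable secret versus enable password, login versus login local, transport input on the vty lines, and disabled EXEC timeouts) can be run automatically against a saved running configuration. The following Python script is an added example, not code from the book or from Cisco. The configuration it inspects is constructed for the example (hashes are labelled placeholders), and the wording of the findings is ours; a real audit would run it over the output of show running-config collected from each device.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the book). It mixes weak settings with
# their hardened counterparts so that every check below fires at least once.
SAMPLE_CONFIG = """\
hostname R1
enable password 7 106B11180834000A01557878
enable secret 5 $1$CONSTRUCTED$placeholderhash
username user1 password 0 weakpassword
username admin1 privilege 15 secret 9 $9$CONSTRUCTED$placeholderhash
username tier2admin secret 8 $8$CONSTRUCTED$placeholderhash
line con 0
 password Cisco123
 login
 exec-timeout 0 0
line aux 0
 no exec-timeout
line vty 0 4
 password Cisco123
 login
 transport input telnet ssh
line vty 5 15
 exec-timeout 3 30
 login local
 transport input ssh
"""

# Password/secret types as IOS writes them into the configuration.
REVERSIBLE_TYPES = {"0", "7"}      # plaintext and the reversible type 7 encoding
LEGACY_HASH_TYPES = {"4", "5"}     # deprecated type 4 and MD5
PREFERRED_HASH_TYPES = {"8", "9"}  # PBKDF2-SHA256 and scrypt


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Group the indented statements under each 'line ...' stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def credential_type(statement: str) -> str:
    """Return the numeric type of a 'password'/'secret' statement ('0' when omitted)."""
    m = re.search(r"\b(password|secret)\s+(\d)\s", statement)
    return m.group(2) if m else "0"


def audit_global(config: str) -> List[str]:
    """Check enable and username credentials in global configuration."""
    findings: List[str] = []
    has_enable_secret = False
    for stmt in config.splitlines():
        if stmt.startswith("enable secret"):
            has_enable_secret = True
            t = credential_type(stmt)
            if t in LEGACY_HASH_TYPES:
                findings.append(f"enable secret uses type {t}; re-enter it with "
                                "algorithm-type scrypt (type 9) or sha256 (type 8)")
        elif stmt.startswith("enable password"):
            findings.append(f"enable password (type {credential_type(stmt)}) is "
                            "reversible; replace it with enable secret")
        elif stmt.startswith("username "):
            user, t = stmt.split()[1], credential_type(stmt)
            if " password " in stmt or t in REVERSIBLE_TYPES:
                findings.append(f"username {user}: reversible type {t} password; "
                                "reconfigure with 'secret'")
            elif t in LEGACY_HASH_TYPES:
                findings.append(f"username {user}: type {t} hash; prefer type 8/9")
    if not has_enable_secret:
        findings.append("no enable secret configured")
    return findings


def audit_lines(config: str) -> List[str]:
    """Check login method, EXEC timeout and transport on every console/aux/vty line."""
    findings: List[str] = []
    aaa_enabled = "aaa new-model" in config.splitlines()  # lines then use AAA method lists
    for name, stmts in parse_line_blocks(config).items():
        login_modes = [s for s in stmts if s.startswith("login")]
        has_password = any(s.startswith("password") for s in stmts)
        if not login_modes and not aaa_enabled:
            findings.append(f"{name}: no login statement; sessions are not authenticated")
        elif login_modes == ["login"]:
            if has_password:
                findings.append(f"{name}: line password only; use login local or an "
                                "AAA method list for per-user accounts")
            else:
                findings.append(f"{name}: login set but no line password; remote "
                                "sessions will be refused")
        if "exec-timeout 0 0" in stmts or "no exec-timeout" in stmts:
            findings.append(f"{name}: EXEC timeout disabled")
        if name.startswith("line vty"):
            transport = [s for s in stmts if s.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{name}: transport input should be restricted to ssh")
    return findings


def audit(config: str) -> List[str]:
    return audit_global(config) + audit_lines(config)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the script reports nine findings; the hardened vty 5 15 stanza (type 9 and 8 secrets, login local, transport input ssh, a non-zero exec-timeout) produces none, which is the shape of configuration this chapter recommends.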

Privilege Levels and Role-Based Access Control (RBAC)

Now that we have examined the various ways of securing user and privileged EXEC modes, let’s take a look at the use of privilege levels and RBAC. By default, Cisco IOS devices have three privilege levels:

  1. Level 0, which includes only the disable, enable, exit, help, and logout commands.

  2. Level 1, user EXEC mode, which is the level a user is placed in after logging in.

  3. Level 15, privileged EXEC mode, which is the level reached with the enable command and gives access to all commands.

The commands that you can run in user EXEC mode at privilege level 1 are a subset of the commands that you can run in privileged EXEC mode at privilege 15. You can configure additional privilege levels from 2 through 14 to provide customized access control. For example, you might want to allow a group of technical support staff to configure only a specific set of interface-level commands on interfaces while preventing device-wide configuration privileges. You could configure this in global configuration mode by using the command privilege mode level level [command string]. After you create that technical support user and assign this privilege, the user will be allowed to enter the interface and execute the commands specified in the command string. You can verify the configuration with the show privilege command.

Example 6.9 shows how to set up privileges to allow a network operation staff member to do basic manipulation of an interface. This example shows how to create the user user1noc with a type 9 password and privilege level 5 configured. In this particular case, a user with the user1noc username will be allowed to shut, unshut, and assign an IP address on the interface because these are the only commands this configuration allows in privilege level 5 in interface configuration mode. A user who tries to type a command that is not allowed (such as the description command) gets the message “Invalid input detected.”

EXAMPLE 6.9 Configuring and Verifying a Username and a Privilege Level

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# username user1noc privilege 5 algorithm-type scrypt secret Cisco123
R1(config)# privilege exec level 5 configure terminal
R1(config)# privilege configure level 5 interface
R1(config)# privilege interface level 5 shutdown
R1(config)# privilege interface level 5 no shutdown
R1(config)# privilege interface level 5 ip address
R1(config)# end
R1#
R2# telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: user1noc
Password:
R1# show privilege
Current privilege level is 5
R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# interface GigabitEthernet 0/0
!The options to configure on the interface are limited
R1(config-if)# ?
Interface configuration commands:
  default   Set a command to its defaults
  exit      Exit from interface configuration mode
  help      Description of the interactive help system
  ip        Interface Internet Protocol config commands
  no        Negate a command or set its defaults
  shutdown  Shutdown the selected interface
R1(config-if)# description test
               ^
% Invalid input detected at '^' marker.
R1(config-if)# end
R1#
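The rule behind Example 6.9 is that a privilege statement moves one command to a level, and a user may run exactly those commands whose level is at or below their own. The following Python model is an added example, not IOS code and not from the book; its command tree is a constructed subset of the real one, and the function names are ours. It reproduces why user1noc at level 5 can shut, unshut, and address an interface but gets "Invalid input detected" for description.

```python
from typing import Dict, List, Tuple

# Constructed model for this example (not IOS code). The command tree is a tiny subset of
# the real one; each (mode, command) pair starts at its IOS default level (1 or 15).
DEFAULT_LEVELS: Dict[Tuple[str, str], int] = {
    ("exec", "show"): 1,
    ("exec", "enable"): 1,
    ("exec", "configure terminal"): 15,
    ("exec", "reload"): 15,
    ("configure", "interface"): 15,
    ("configure", "hostname"): 15,
    ("interface", "shutdown"): 15,
    ("interface", "no shutdown"): 15,
    ("interface", "ip address"): 15,
    ("interface", "description"): 15,
}


class PrivilegeTable:
    def __init__(self) -> None:
        self.levels = dict(DEFAULT_LEVELS)

    def privilege(self, mode: str, level: int, command: str) -> None:
        """Model of 'privilege <mode> level <level> <command>': move one command to a level."""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels run from 0 to 15")
        if (mode, command) not in self.levels:
            raise KeyError(f"unknown command {command!r} in mode {mode!r}")
        self.levels[(mode, command)] = level

    def is_allowed(self, user_level: int, mode: str, command: str) -> bool:
        """A user may run a command when their level is at or above the command's level.
        Commands above the user's level are hidden, which the CLI reports as
        '% Invalid input detected'."""
        required = self.levels.get((mode, command))
        return required is not None and user_level >= required

    def visible_commands(self, user_level: int, mode: str) -> List[str]:
        """What '?' would list for this user in the given mode (subset model)."""
        return sorted(cmd for (m, cmd), lvl in self.levels.items()
                      if m == mode and user_level >= lvl)


def example_6_9_table() -> PrivilegeTable:
    """Apply the five privilege statements from Example 6.9."""
    t = PrivilegeTable()
    t.privilege("exec", 5, "configure terminal")
    t.privilege("configure", 5, "interface")
    t.privilege("interface", 5, "shutdown")
    t.privilege("interface", 5, "no shutdown")
    t.privilege("interface", 5, "ip address")
    return t


def check_user(table: PrivilegeTable, user_level: int) -> Dict[str, bool]:
    """Summarise what a user at a given level can do with the Example 6.9 table."""
    return {
        "enter config mode": table.is_allowed(user_level, "exec", "configure terminal"),
        "select interface": table.is_allowed(user_level, "configure", "interface"),
        "shutdown interface": table.is_allowed(user_level, "interface", "shutdown"),
        "set description": table.is_allowed(user_level, "interface", "description"),
        "change hostname": table.is_allowed(user_level, "configure", "hostname"),
        "reload": table.is_allowed(user_level, "exec", "reload"),
    }


if __name__ == "__main__":
    table = example_6_9_table()
    for level in (1, 5, 15):
        print(f"level {level:2}: {check_user(table, level)}")
    print("interface commands visible at level 5:", table.visible_commands(5, "interface"))
```

The model also shows the side effect that matters when you design custom levels: because access is cumulative, anything moved down to level 5 is automatically available to every level from 5 up to 15, so lowering a command's level widens, never narrows, who can run it.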

Authentication, Authorization, and Accounting (AAA) Overview

Using line and local authentication as well as privilege levels works fine for controlling access on a small number of devices. However, this solution does not scale well as the number of devices grows. It becomes cumbersome and introduces the risk of inconsistent access control configurations across devices. To help simplify configuration and maintain consistency as the number of Cisco IOS devices grows, you can use an authentication, authorization, and accounting (AAA) solution.

There are many AAA protocol implementations, but this chapter focuses on the two most popular of them: RADIUS and TACACS+.

With AAA, network devices use a centralized RADIUS or TACACS+ server to authenticate users, authorize the commands users can run on a device, and provide accounting information. As a fallback mechanism, it is recommended that you still use local authentication in case the AAA server becomes unavailable at some point.

Let’s briefly examine the AAA framework and how each part of it provides security functions:

  1. Authentication identifies the user, typically by validating a username and password before any access is granted.

  2. Authorization determines what an authenticated user is permitted to do, such as which EXEC commands may be run.

  3. Accounting records what the user did and when, such as session start and stop times and the commands that were entered.

Some of the high-level benefits of using a remote AAA server over local AAA services on each network device individually are highlighted next:

Next, let’s touch on the high points of TACACS+ and RADIUS before looking at their configuration.

TACACS+ Overview

TACACS+ implementation provides for separate and modular authentication, authorization, and accounting facilities. It allows for a single access control server (referred to as the TACACS+ daemon) to provide authentication, authorization, and accounting to the network access server (NAS) independently. Typically, a client of a TACACS+ server is referred to as a NAS. A NAS may be a router, a switch, or an access point.

The TACACS+ protocol uses TCP port 49 for communication between the TACACS+ client (network device) and the TACACS+ server. A network administrator typically uses a workstation using Telnet, SSH, or the console to connect to a Cisco IOS device that needs to be managed. In this process, the TACACS+ client communicates with the TACACS+ server using the TACACS+ protocol. The TACACS+ protocol ensures confidentiality because all protocol exchanges between a TACACS+ client and a TACACS+ server are encrypted.

RADIUS Overview

The Cisco implementation of RADIUS provides for a RADIUS client that runs on a Cisco IOS device to send an authentication request to a central RADIUS server that contains all user authentication and network service access information. RADIUS can be used with other AAA security protocols, such as local username lookup and TACACS+.

There are two implementations of RADIUS: Cisco’s implementation and the industry-standard implementation. Cisco’s implementation uses UDP port 1645 for authentication and authorization and UDP port 1646 for accounting. The industry-standard implementation uses UDP port 1812 for authentication and authorization and UDP port 1813 for accounting. The industry-standard implementation of the RADIUS protocol provides the distinction of working in a multi-vendor environment. Network devices from different vendors can connect to the same RADIUS server for AAA services. RADIUS can also be more convenient for AAA than TACACS+ since some organizations may already have it deployed.

As it relates to the privilege levels examined earlier in the chapter, TACACS+ and RADIUS can also be implemented when using AAA. For example, TACACS+ provides two ways to control the authorization of the network device commands on a per-user or per-group basis. One way is to assign privilege levels to commands and have the router verify with the TACACS+ server whether the user is authorized at the specified privilege level. Another way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the allowed commands.

Cisco’s TACACS+ and RADIUS implementations used to be deployed through Cisco Secure Access Control Server (ACS), where RADIUS was used for network access control and TACACS+ was used for network device access control. However, Cisco Identity Services Engine (ISE) is now the preferred AAA server implementation, supporting both the TACACS+ and RADIUS protocols.

AAA Configuration for Network Devices

In this section, you will see how both TACACS+ and RADIUS are configured from a Cisco IOS device. This section does not cover the configuration of a TACACS+ or RADIUS server because that is beyond the scope of this chapter.

There are two parts to configuring TACACS+ support: a TACACS+ server (for example, Cisco ISE) and a Cisco IOS device. At a high level, to configure a Cisco IOS device to support TACACS+, the following steps are involved:

  1. Create a local user that will serve as the fallback if the TACACS+ server is not available or if you accidentally lock yourself out after enabling the AAA command. As highlighted previously, this is done with the command username username privilege 15 algorithm-type {md5 | sha256 | scrypt} secret password.

  2. Enable the AAA function with the aaa new-model global configuration command.

  3. Add a TACACS+ server.

  4. Define the method lists for TACACS+ authentication by using the aaa authentication global configuration command.

  5. Use the line and interface commands to apply the defined method lists to various interfaces.

  6. If needed, use the aaa authorization global command to configure authorization for the device. Unlike with authentication, which can be configured per line or per interface, authorization is configured globally for an entire device.

  7. If needed, use the aaa accounting command to enable accounting for TACACS+ connections.

Example 6.10 shows how to configure an IOS device with TACACS+ for device access control based on these steps. This example demonstrates basic authentication, authorization, and accounting configuration. Once the command aaa new-model is configured, line authentication is no longer used on the vty lines because the default login method becomes AAA. The console port defaults to no authentication. If you were to disable this with the no aaa new-model command afterward, the login method would switch back to line authentication. However, you would not see login local under the vty lines; you would see just login (meaning only the line password is checked, not the local user database configured on the router).

EXAMPLE 6.10 Configuring TACACS+

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
!Authentication setup
!First we create a fallback user account
R1(config)# username fallback privilege 15 algorithm-type scrypt secret Cisco123
R1(config)# aaa new-model
R1(config)# tacacs server TACACSSERVER1
R1(config-server-tacacs)# address ipv4 100.1.1.2
R1(config-server-tacacs)# key Cisco123
R1(config-server-tacacs)# exit
R1(config)# aaa group server tacacs+ TACACSGROUP1
R1(config-sg-tacacs+)# server name TACACSSERVER1
R1(config-sg-tacacs+)# exit
R1(config)# aaa authentication login default group TACACSGROUP1 local
!the default method list automatically applies to all lines except the ones that have a named method list explicitly defined; in other words, it gets applied unless a more specific named method list is defined
!we can also define a named method list and apply it on the vty lines with the login authentication METHODLIST1 command; tacacs+ TACACSGROUP1 is then used as the primary authentication method and the local user database is set as the backup
R1(config)# aaa authentication login METHODLIST1 group TACACSGROUP1 local
R1(config)# line vty 0 4
R1(config-line)# login authentication METHODLIST1
R1(config-line)# exit
!Authorization setup
!Next, for authorization we create a method list TACACSAUTH1
!the if-authenticated option allows a user who is authenticated to be placed in EXEC mode
R1(config)# aaa authorization exec TACACSAUTH1 group TACACSGROUP1 local if-authenticated
R1(config)# aaa authorization commands 15 TACACSAUTH1 group TACACSGROUP1 local
!The config-commands command indicates that the server must return permission to use any router configuration command
R1(config)# aaa authorization config-commands
R1(config)# aaa authorization console
!The TACACSAUTH1 method list is applied to the vty lines for both EXEC and level 15 command access
R1(config)# line vty 0 4
R1(config-line)# authorization exec TACACSAUTH1
R1(config-line)# authorization commands 15 TACACSAUTH1
R1(config-line)# exit
R1(config)#
!Accounting setup
!Next, for accounting we create a method list TACACSACC1
!User EXEC sessions will be recorded as they start and stop, along with user information
R1(config)# aaa accounting exec TACACSACC1 start-stop group TACACSGROUP1
!commands that are entered while a user is in privilege level 15 (enable mode) will be recorded
R1(config)# aaa accounting commands 15 TACACSACC1 start-stop group TACACSGROUP1
!The TACACSACC1 method list is applied to the vty lines for EXEC and level 15 commands
R1(config)# line vty 0 4
R1(config-line)# accounting exec TACACSACC1
R1(config-line)# accounting commands 15 TACACSACC1
R1(config-line)# end
R1#

The AAA server also needs to be configured with the AAA client information (that is, the hostname, IP address, and key), the login credentials for the users, and the commands the users are authorized to execute on the device.

At a high level, to configure a Cisco IOS device to support RADIUS, the following steps are involved:

  1. Enable AAA with the aaa new-model global configuration command.

  2. Define the RADIUS server and specify the IP address and key.

  3. Add the RADIUS server to a server group.

  4. Define method lists for RADIUS authentication by using the aaa authentication login method-list global configuration command.

  5. Create a named method list and add the RADIUS server group as the primary method and the local database as the backup by using the aaa authentication login command.

  6. Use the line and interface commands to enable the defined method lists to be used. For example, Example 6.11 specifies the login authentication method-list command on the vty lines, and then the RADIUS server group will be used as the primary authentication method, and the local user database is set as the backup.

Example 6.11 shows the configuration of an IOS device with RADIUS for device access control based on these steps (which are nearly identical to the steps for TACACS+ configuration). This example demonstrates basic authentication configuration.

EXAMPLE 6.11 Configuring RADIUS

R1#
R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# aaa new-model
R1(config)# radius server RADIUSSERVER1
R1(config-radius-server)# address ipv4 100.1.1.2
R1(config-radius-server)# key Cisco123
R1(config-radius-server)# exit
R1(config)# aaa group server radius RADIUSGROUP1
R1(config-sg-radius)# server name RADIUSSERVER1
R1(config-sg-radius)# exit
R1(config)# aaa authentication login METHODLIST2 group RADIUSGROUP1 local
!The default method list automatically applies to all lines except the ones that have a named method list explicitly defined; in other words, it gets applied unless a more specific named method list is defined.
!We can also specify the login authentication METHODLIST2 command on the vty lines; then RADIUSGROUP1 will be used as the primary authentication method and the local user database is set as the backup
R1(config)# line vty 0 4
R1(config-line)# login authentication METHODLIST2
R1(config-line)# end
R1#
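Examples 6.10 and 6.11 build the AAA chain by hand: a line names a method list, the method list names a server group, and the group names a server. A name that is mistyped at any link is accepted by IOS but never matched, so the following added example (not code from the book or from Cisco) audits that chain over IOS-style running-config text. It assumes the usual running-config layout, in which indented lines belong to the preceding top-level command, and its regular expressions cover only the aaa, server, group and line commands the chapter uses. The sample configuration, the group name RADGRP-TYPO and the accounting commands 15 reference are constructed for illustration.

```python
"""Audit the AAA reference chain in a Cisco IOS running configuration.

Added example, not from the book or from Cisco: walks
line -> named method list -> server group -> server and reports
references to names that are never defined, plus login lists that
have no local fallback method.
"""
import re

SERVER_RE = re.compile(r"^(tacacs|radius) server (\S+)$")
GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
# aaa <authentication|authorization|accounting> <type> [level] <list-name> <methods...>
AAA_LIST_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")
# line mode: login authentication X | authorization exec X | accounting commands 15 X ...
LINE_REF_RE = re.compile(
    r"^(login authentication|authorization|accounting)"
    r"(?: (exec|commands|connection|arap|reverse-access))?(?: (\d+))? (\S+)$")
BUILTIN_GROUPS = {"tacacs+", "radius"}   # "group radius" means every configured RADIUS server

# Constructed sample in the shape of Examples 6.10/6.11. Two deliberate mistakes:
# the accounting list points at RADGRP-TYPO (never defined), and the vty line
# applies "accounting commands 15 TACACSACC1" although only the exec list exists.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACSSERVER1
 address ipv4 100.1.1.1
 key Cisco123
radius server RADIUSSERVER1
 address ipv4 100.1.1.2
 key Cisco123
aaa group server tacacs+ TACACSGROUP1
 server name TACACSSERVER1
aaa group server radius RADIUSGROUP1
 server name RADIUSSERVER1
aaa authentication login METHODLIST2 group RADIUSGROUP1 local
aaa authorization exec TACACSAUTH1 group TACACSGROUP1 local if-authenticated
aaa accounting exec TACACSACC1 start-stop group RADGRP-TYPO
line vty 0 4
 login authentication METHODLIST2
 authorization exec TACACSAUTH1
 accounting exec TACACSACC1
 accounting commands 15 TACACSACC1
"""


def _key(kind, subtype, level, name):
    """Method lists are scoped per AAA type and level, so the key carries all of them."""
    return " ".join(part for part in (kind, subtype, level, name) if part)


def parse_config(text):
    """Collect servers, groups, method lists and line references from config text."""
    cfg = {"servers": set(), "groups": {}, "method_lists": {}, "line_refs": []}
    current = None  # ("group", name) or ("line", header) while inside an indented block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command starts a new block
            current = None
            line = raw.strip()
            if m := SERVER_RE.match(line):
                cfg["servers"].add((m.group(1), m.group(2)))
            elif m := GROUP_RE.match(line):
                cfg["groups"][m.group(2)] = {"proto": m.group(1), "servers": []}
                current = ("group", m.group(2))
            elif m := AAA_LIST_RE.match(line):
                cfg["method_lists"][_key(*m.groups()[:4])] = m.group(5).split()
            elif line.startswith("line "):
                current = ("line", line)
            continue
        child = raw.strip()
        if current and current[0] == "group":
            if m := re.match(r"^server name (\S+)$", child):
                cfg["groups"][current[1]]["servers"].append(m.group(1))
        elif current and current[0] == "line":
            if m := LINE_REF_RE.match(child):
                kind, subtype, level, name = m.groups()
                if kind == "login authentication":
                    kind, subtype = "authentication", "login"
                cfg["line_refs"].append((current[1], _key(kind, subtype, level, name)))
    return cfg


def audit_aaa(text):
    """Return human-readable findings; an empty list means the chain is consistent."""
    cfg = parse_config(text)
    findings = []
    for gname, grp in cfg["groups"].items():
        proto = grp["proto"].rstrip("+")  # a tacacs+ group holds "tacacs server" entries
        for srv in grp["servers"]:
            if (proto, srv) not in cfg["servers"]:
                findings.append(f"group {gname} references undefined {proto} server {srv}")
    for key, methods in cfg["method_lists"].items():
        for i, tok in enumerate(methods[:-1]):
            if tok == "group" and methods[i + 1] not in BUILTIN_GROUPS | cfg["groups"].keys():
                findings.append(f"method list '{key}' references undefined server group {methods[i + 1]}")
        # A login list that names only servers locks every administrator out while those
        # servers are unreachable; the chapter's lists end with "local" for that reason.
        if key.startswith("authentication login ") and not {"local", "local-case", "enable", "line"} & set(methods):
            findings.append(f"method list '{key}' has no local fallback method")
    for header, key in cfg["line_refs"]:
        # "default" is implicit in IOS and need not appear as an explicit aaa command.
        if key.split()[-1] != "default" and key not in cfg["method_lists"]:
            findings.append(f"{header} applies undefined method list '{key}'")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; the second finding on the sample shows why the name alone is not enough: TACACSACC1 exists as an exec accounting list, but the line also asks for a commands 15 list of that name, which is a separate list that was never created.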

Review Questions

1. In implementing the TACACS+ protocol, which port is used for communication between a network device and a TACACS+ server?

A. UDP port 1645

B. TCP port 49

C. TCP port 389

D. UDP port 1813

2. In TACACS+ implementation, which of the following can serve as network access servers?

A. Routers

B. Switches

C. Access points

D. All of the above

3. Which of the following commands is used for configuring a vty line to use the method list name list1?

A. aaa authentication

B. aaa authorization

C. login authentication list1

D. aaa new-model

4. To add a TACACS+ server in IOS 15.x, what command follows tacacs server name if the IP address is 10.10.10.10?

A. aaa tacacs 10.10.10.10

B. server 10.10.10.10

C. address ipv4 10.10.10.10

D. aaa server 10.10.10.10

Answers to Review Questions

1. B is correct. The TACACS+ protocol uses TCP port 49 for communication between a TACACS+ client (network device) and a TACACS+ server.

2. D is correct. The clients of a TACACS+ server are referred to as network access servers (NAS). A NAS may be a router, a switch, or an access point.

3. C is correct. A method list enables login authentication. To apply a custom list to a line, you use login authentication custom-list-name in line configuration mode.

4. C is correct. To add a TACACS+ server in IOS 15.x, you need to specify the TACACS+ server name, specify the server IP address with the address ipv4 ip-address command (address ipv4 10.10.10.10 in this case), and then specify the key string.

Further Reading

What’s Next?

If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the CramQuiz questions on the book’s web page. The next chapter covers infrastructure security.
