Router Security by Sudeb
Securing administrative access using local database AAA & RADIUS –
The basic form of router access security is to set a password on the console, VTY & aux lines. At most two passwords are needed to access the router – one for user exec mode & one for privileged exec mode.
User exec mode allows access only to a basic level of monitoring commands, e.g. ping, trace, ip route, copy run start, etc.
Privileged exec mode allows access to & configuration of the whole router.
Setting console password -
R1(config)#line con 0
Logging in to the console through a console cable from the physical location.
R1(config-line)#password sudeb
Setting the password for user exec console access.
R1(config-line)#login
Without this command the login prompt won't be shown.
R1(config-line)#exit
Setting telnet or vty password -
R1(config)#line vty 0 4
Logging in through vty or telnet access; 0 4 means 5 sessions can connect.
R1(config-line)#password sudeb
Setting the password for user exec access via telnet.
R1(config-line)#login
Enable password for accessing privileged mode -
R1(config)#enable password cisco
Setting the privileged mode password. This is a clear-text password.
R1(config)#enable secret sudeb@cisco
Setting the privileged mode encrypted password; this will override the enable password.
R1(config)#service password-encryption
This will encrypt all the clear-text passwords & show them as encrypted (the type 7 encoding it applies is reversible, so it only hides passwords from casual viewing of the config).
R1(config)#login on-success log
R1(config)#login on-failure log
These will generate syslog messages for successful & failed logins.
Additional control over the login process can be achieved using authentication, authorization, and accounting (AAA). For basic authentication, AAA can be configured to access the local database for user logins. However, this approach is not very scalable because it must be configured on every router. To take full advantage of AAA and achieve maximum scalability, AAA is used in conjunction with an external TACACS+ or RADIUS server database. When a user attempts to log in, the router references the external server database to verify that the user is logging in with a valid username and password.
AAA configured with the local database in the router -
R1(config)#aaa new-model
Enable AAA by executing the aaa new-model command.
R1(config)#aaa authentication login LOCAL-AUTH local
AAA login authentication list named LOCAL-AUTH, login method local only.
R1(config)#line vty 0 4
Apply the AAA authentication list on the vty lines.
R1(config-line)#login authentication LOCAL-AUTH
R1(config)#username sudeb privilege 15 password cisco
Creating a username & password.
R1(config)#username sam privilege 1 password sam
Now accessing the vty will require a username & password, followed by the enable password.
Enable SSH on Cisco devices –
ip domain name SUDEB
crypto key generate rsa
768 (the modulus size entered at the prompt; 768 bits is the minimum IOS accepts for SSH version 2, and a larger modulus is recommended)
ip ssh version 2
line vty 0 4
transport input ssh
This allows ssh only; transport input ssh telnet will allow both.
Now access – ssh -l username ip-address
Configure AAA using a RADIUS server –
R1(config)#aaa new-model
R1(config)#aaa authentication login default group radius local
1st method RADIUS, 2nd method local database.
The default login method is the RADIUS server. If the RADIUS server is unreachable the console would be unavailable, so the router looks for the 2nd method & you log in with the locally created uid & pass. It's very important to create a local database, otherwise the console can't be accessed.
R1(config)#username sudeb password cisco ** local database
R1(config)#radius-server host 172.16.18.250 auth-port 1812 acct-port 1813 key sudebradius
** Authentication port by default – 1645 & accounting port 1646.
Now configure the RADIUS server software on a Windows system. Download the latest version of the RADIUS server from --
http://www.suggestsoft.com/soft/itconsult2000/winradius
http://winradius.soft32.com
http://www.brothersoft.com/winradius-20914.html
Configure AAA using a TACACS+ server (ACS) –
aaa new-model
username sudeb privilege 15 secret 4
aaa authentication login SUDEB group tacacs+ local
SUDEB = authentication list name.
aaa authorization exec sudeb group tacacs+ local none
Different levels of authorization (an exec authorization list with a custom name such as sudeb only takes effect once it is also applied under the lines with authorization exec sudeb).
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.10.10.1
tacacs-server key 7 15070803557878
line vty 0 4
login authentication SUDEB
Authentication list created earlier.
transport input telnet ssh
ip tacacs source-interface Loopback0
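As an added example (not from the original post or any Cisco tool), the following Python script audits a saved running-config text for the weak settings covered above: enable password without enable secret, clear-text passwords without service password-encryption, a server-only login list with no local fallback, telnet left in transport input, and missing login logging. The sample config is constructed for illustration.

```python
import re

# Constructed sample (not from a real device) mixing weak and hardened settings.
SAMPLE_CONFIG = """\
enable password cisco
aaa new-model
aaa authentication login default group radius
username sudeb privilege 15 password cisco
line con 0
 password sudeb
line vty 0 4
 transport input ssh telnet
 login authentication default
"""

def _blocks(config):
    """Group a config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(config):
    """Return findings for the weak settings discussed above (checks only, no changes)."""
    blocks, findings = _blocks(config), []
    top = [cmd for cmd, _ in blocks]
    if any(t.startswith("enable password ") for t in top) and not any(
            t.startswith("enable secret ") for t in top):
        findings.append("enable password set without enable secret")
    clear_pw = any(t.startswith("username ") and " password " in t for t in top) or any(
        s.startswith("password ") for _, subs in blocks for s in subs)
    if clear_pw and "service password-encryption" not in top:
        findings.append("clear-text passwords without service password-encryption")
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: vty access relies on line password only")
    for t in top:  # a server-only login list locks you out when the server is unreachable
        m = re.match(r"aaa authentication login (\S+) (.+)", t)
        if m and "local" not in m.group(2).split():
            findings.append(f"login list {m.group(1)} has no local fallback")
    for cmd, subs in blocks:  # 'transport input ssh telnet' still accepts clear-text telnet
        if cmd.startswith("line vty"):
            findings += [f"{cmd}: telnet allowed ({s})" for s in subs
                         if s.startswith("transport input") and "telnet" in s.split()]
    for opt in ("on-success", "on-failure"):
        if f"login {opt} log" not in top:
            findings.append(f"login {opt} log not configured")
    return findings
```

Run audit_config on the text of show running-config saved to a file; an empty list means none of the checks above fired.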
CISCO ACS