CCNP ROUTE 2.0: Telnet, VTY, AAA

Telnet to VTY Line

By default the VTY lines are configured with the command "login", which demands a line password but does not set one:

line vty 0 4
login

If you attempt to telnet to the device in this state you get the error "Password required, but none set". You must set a password on the VTY line with the command "password XXXXXX" under the line configuration.

line vty 0 4
password XXXXXX
login

If you then telnet to the device you can log in with that password and are placed in User EXEC mode. To reach Privileged EXEC mode (and from there Global Config mode with "configure terminal") you must enter the enable secret or enable password.

enable secret – stored as a salted hash in the running config (type 5 MD5 on classic IOS; type 8 PBKDF2 or type 9 scrypt on newer releases) and takes precedence over the enable password if both are configured
enable password – stored in cleartext in the running config (type 0) unless "service password-encryption" is enabled, in which case it is only obfuscated

Sharing one VTY password and one enable password amongst a team is a bad idea: there is no accountability, since every login is the same anonymous session, and revoking one person's access means changing the password on every device. Telnet also carries the password and every subsequent keystroke in cleartext, so prefer SSH for the transport. For the credentials themselves, use an AAA database instead.

Local AAA database (self-contained deployment)

Configure the VTY Line to use the local database

line vty 0 4
login local

Specify a local database by creating local user accounts

Create a username with either a cleartext password ("password") or a hashed one ("secret"). When you log in over Telnet with such an account you land in User EXEC mode.

username ADMIN password PASSWORD
username ADMIN secret SECRETPASSWORD

To land directly in Privileged EXEC mode when you telnet to the device, set privilege level 15 on the account. Because "privilege 15" bypasses the enable prompt, the account credential is then the only thing protecting full access to the device, so store it with "secret" rather than "password".

username ADMIN privilege 15 password PASSWORD

Obfuscates the cleartext passwords in the running configuration (username passwords, the enable password, line passwords and server keys) using the reversible "type 7" scheme. This is not a hash: anyone who can read the configuration can recover the original values instantly, so it only protects against a casual glance over your shoulder. Use "secret" wherever the platform offers it.

service password-encryption
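To show why this setting is no substitute for "secret", here is an added example (Python, not from the original post and not Cisco code) that implements the type 7 scheme: it decodes and re-encodes values and scans a constructed running-config excerpt for every "password 7" / "key 7" token. The key constant is the publicly known IOS table; the sample config lines and passwords are made up for the demonstration.

```python
import re

# Added example, not code from the article: the Cisco IOS "type 7" scheme that
# `service password-encryption` applies to cleartext passwords and keys.
#
# Stored form: two decimal digits (offset 0..15 into a fixed key string)
# followed by two hex digits per character.  Each plaintext byte is XORed
# with one byte of the key, so anyone holding the config recovers the
# password instantly.  The key string below is the well-known IOS constant.

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# matches `password 7 <hex>` and `key 7 <hex>` anywhere on a config line
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})")


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from the value stored after `password 7`."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected 2 seed digits followed by hex pairs")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 00..15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def encode_type7(plaintext: str, seed: int = 0) -> str:
    """Produce the value IOS would store for a given seed (IOS picks 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("latin-1")
    body = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_from_config(config: str) -> list:
    """Return (config line, plaintext) for every type 7 value in a config dump."""
    hits = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed running-config excerpt (not from a real device).  The first
# value is the classic textbook vector; the others are generated here so the
# sample stays internally consistent.
SAMPLE_CONFIG = "\n".join([
    "! constructed sample, not a real device",
    "service password-encryption",
    "username ADMIN privilege 15 password 7 0822455D0A16",
    f"tacacs-server host 10.0.0.5 key 7 {encode_type7('Sh4redS3cret', seed=3)}",
    "line vty 0 4",
    f" password 7 {encode_type7('vty-0nly', seed=11)}",
    " login",
])


if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG):
        print(f"{plain!r:20} <- {line}")
```

Run it against a saved "show running-config" and every type 7 value, including the TACACS+/RADIUS shared key, comes back in cleartext. Values stored with "secret" (type 5, 8 or 9) do not match the pattern and are not recoverable this way.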

Central Authentication using RADIUS/TACACS+

AAA lets you grant access to a device and track what an administrator does while managing it; the back-end can be either RADIUS or TACACS+. Each device (switch, router, firewall, etc.) is configured with a pre-shared key that it shares with the AAA server; the key authenticates the device to the server and protects (obfuscates) the sensitive parts of the exchange.

Authentication – identifies the user (username/password)
Authorization – determines what rights the user has, i.e. what they may do once logged into the device
Accounting – logs connection information: which user, at what time, on which device, from which client IP, and with TACACS+ optionally every command entered (command accounting)

A central AAA server has the following advantages over a local AAA database:

  • Central user database, so there is no need to touch the usernames/passwords on every device when an administrator starts or leaves
  • Accounting lets you report on what each user actually did

TACACS+

  • Originally Cisco-proprietary, now published as RFC 8907
  • TCP port 49
  • Obfuscates the entire packet body (the header stays in cleartext) with an MD5-based keystream derived from the shared secret; RFC 8907 calls this obfuscation rather than encryption, so run it only over a trusted or IPsec-protected path
  • Separates authentication, authorization and accounting, which is what makes per-command authorization and command accounting possible

RADIUS

  • Open standard (RFC 2865 for authentication, RFC 2866 for accounting)
  • UDP 1812 (authentication) and 1813 (accounting); legacy deployments still use 1645/1646
  • Obfuscates only the User-Password attribute (MD5 of the shared secret and the Request Authenticator); the username and every other attribute travel in cleartext
  • Combines authentication and authorization in a single exchange, so it offers no per-command authorization

Configure AAA Server

Enable AAA (for either RADIUS or TACACS+) globally on the device with the command

aaa new-model

Define the TACACS+ or RADIUS server (depending on which one you are using) together with the shared secret. The single-line forms below are the legacy syntax and still work on many releases; newer IOS and IOS-XE use the "tacacs server <name>" / "radius server <name>" blocks with "address ipv4" and "key" sub-commands.

tacacs-server host <IP ADDRESS OF SERVER> key <SHARED SECRET>
radius-server host <IP ADDRESS OF SERVER> key <SHARED SECRET>

Define a login authentication method list for EXEC access, using whichever of the following matches your server type

aaa authentication login default group radius local

aaa authentication login default group tacacs+ local

line vty 0 15
login authentication default

Instead of using the default method list you can define a named list with the same parameters and apply it to the line

aaa authentication login VTY group radius group tacacs+ local

line vty 0 15
login authentication VTY

A line with no "login authentication" statement uses the default method list. A named method list applied to a line overrides the default list for that line only.

NOTE – "local" listed after radius/tacacs+ is a fallback method, consulted only when the AAA server cannot be reached: a timeout or unreachable server is an ERROR and IOS moves on to the next method. It is NOT consulted when the server replies with a reject, which is a FAIL and ends the attempt. Make sure a local account actually exists before relying on the fallback, or you will lock yourself out when the server is down, and do not end the list with "none", which grants access to anyone whenever every server is unavailable.
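To make the ERROR-versus-FAIL behaviour concrete, the following added example (Python, illustrative only; not IOS code and not part of the original post) models how a login method list such as "group radius local" is walked. The server, account names and passwords are constructed; the "local" stand-in follows the IOS rule that a username missing from the local database is treated as ERROR (next method tried) while a wrong password for a known user is FAIL.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Added example: a model of how IOS evaluates an `aaa authentication login`
# method list.  This is illustrative Python, not IOS code and not from the
# original article.  Server state, users and passwords are constructed.


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (timeout, unreachable, user unknown)


Method = Callable[[str, str], Result]


def evaluate_method_list(methods: List[Tuple[str, Method]],
                         user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the list left to right the way IOS does.

    PASS  -> access granted, stop.
    FAIL  -> access denied, stop (later methods are NOT consulted).
    ERROR -> try the next method.  If the list is exhausted, deny.
    """
    trace = []
    for name, method in methods:
        result = method(user, password)
        trace.append(f"{name}:{result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace
    return False, trace


def radius_server(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for `group radius` (or `group tacacs+`)."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR          # no response from the server = ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def local_database(users: Dict[str, str]) -> Method:
    """Stand-in for `local`: unknown username is ERROR, wrong password is FAIL."""
    def method(user: str, password: str) -> Result:
        if user not in users:
            return Result.ERROR
        return Result.PASS if users[user] == password else Result.FAIL
    return method


def none_method(user: str, password: str) -> Result:
    """Stand-in for `none`: grants access unconditionally."""
    return Result.PASS


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    corp = {"alice": "Corr3ct-Horse"}            # accounts known to the RADIUS server
    local_users = {"break-glass": "L0cal-0nly"}  # `username break-glass secret ...`

    up = radius_server(True, corp)
    down = radius_server(False, corp)
    local = local_database(local_users)

    scenarios = {
        # `aaa authentication login default group radius local`
        "server up, good creds": ([("radius", up), ("local", local)], "alice", "Corr3ct-Horse"),
        "server up, bad creds": ([("radius", up), ("local", local)], "alice", "wrong"),
        "server down, break-glass": ([("radius", down), ("local", local)], "break-glass", "L0cal-0nly"),
        "server down, unknown user": ([("radius", down), ("local", local)], "mallory", "anything"),
        # `... group radius local none` -- the dangerous variant
        "server down, list ends in none": ([("radius", down), ("local", local), ("none", none_method)],
                                           "mallory", "anything"),
    }
    return {name: evaluate_method_list(m, u, p) for name, (m, u, p) in scenarios.items()}


if __name__ == "__main__":
    for name, (granted, trace) in run_scenarios().items():
        verdict = "GRANTED" if granted else "denied"
        print(f"{name:32s} {verdict:8s} {' -> '.join(trace)}")
```

The second scenario is the one that surprises people: a reject from the server is final, so "local" does not rescue a mistyped RADIUS password. The last scenario shows why "none" at the end of a list is an outage-triggered backdoor.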
