password to be created.
Step 11. Enter global configuration mode and type the enable secret command to change the enable secret password. For example:
R1(config)# enable secret cisco
Step 12. Issue the no shutdown command on every interface to be used. Then issue the show ip
interface brief command in privileged EXEC mode to confirm that the interface configuration
is correct. Every interface to be used should display “up up.”
Step 13. From global configuration mode type config-register configuration_register_setting. The configuration register setting is either the value recorded in step 2 or 0x2102. For example:
R1(config)# config-register 0x2102
Step 14. Save the configuration changes using the copy running-config startup-config command.
Password recovery is now complete. Enter the show version command to confirm that the router
is using the configured configuration register setting on the next reboot.
If someone gained physical access to a router, they could potentially gain control of that device through the password recovery procedure. This procedure, if performed correctly, leaves the router configuration intact. If the attacker makes no major changes, this type of attack is difficult to detect. An attacker can use this attack method to discover the router configuration and other pertinent information about the network, such as traffic flows and access control restrictions.
An administrator can mitigate this potential security breach by using the no service password-recovery global configuration command. The no service password-recovery command is a hidden Cisco IOS command and has no arguments or keywords. If a router is configured with the no service password-recovery command, all access to ROMmon mode is disabled.

When the no service password-recovery command is entered, a warning message is displayed
and must be acknowledged before the feature is enabled.
The show running-config command displays a no service password-recovery statement. Additionally, when the router is booted, the initial boot sequence displays a message stating “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED.”
46 CCNA Security Course Booklet, Version 1.0




To recover a device after the no service password-recovery command is entered, issue the break sequence within five seconds after the image decompresses during the boot. You are prompted to confirm the break action. After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the no service password-recovery command enabled.
One note of caution: if the router flash memory does not contain a valid Cisco IOS image because of corruption or deletion, the ROMmon xmodem command cannot be used to load a new flash image. To repair the router, an administrator must obtain a new Cisco IOS image on a flash SIMM or on a PCMCIA card. Refer to Cisco.com for more information regarding backup flash images.


2.3.2 Secure Management and Reporting
Network administrators need to securely manage all devices and hosts in the network. In a small
network, managing and monitoring network devices is a straightforward operation. However, in a
large enterprise with hundreds of devices, monitoring, managing, and processing log messages can
prove to be challenging.
Several factors should be considered when implementing secure management. This includes configuration change management. When a network is under attack, it is important to know the state of critical network devices and when the last known modifications occurred. Configuration change management also includes issues such as ensuring that the right people have access when new management methodologies are adopted, and how to handle tools and devices that are no longer used. Creating a plan for change management should be part of a comprehensive security policy; however, at a minimum, record changes using authentication systems on devices and archive configurations using FTP or TFTP.
Is there a change management policy or plan in place? These issues should be established and
dealt with in a change management policy.
Automated logging and reporting of information from identified devices to management hosts are also important considerations. These logs and reports can include content flow, configuration changes, and new software installs, to name a few. To identify the priorities of reporting and monitoring, it is important to get input from management and from the network and security teams. The security policy should also play a large role in answering the questions of what information to log and report.
From a reporting standpoint, most networking devices can send syslog data that can be invaluable when troubleshooting network problems or security threats. Data from any device can be sent to a syslog analysis host for viewing. This data can be viewed in real time, on demand, and in scheduled reports. There are various logging levels to ensure that the correct amount of data is sent, based on the device sending the data. It is also possible to flag device log data within the analysis software to permit granular viewing and reporting. For example, during an attack, the log data that is provided by Layer 2 switches might not be as interesting as the data that is provided by the intrusion prevention system (IPS).
Many applications and protocols are also available, such as SNMP, which is used in network management systems to monitor and make configuration changes to devices remotely.
Chapter 2: Securing Network Devices 47




When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
• Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
• In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels.
For example, a network has two network segments that are separated by a Cisco IOS router that acts as a firewall and a virtual private network (VPN) termination device. One side of the firewall connects to all management hosts and to Cisco IOS routers that act as terminal servers. The terminal servers offer OOB direct connections to any device requiring management on the production network. Most devices should be connected to this management segment and be configured using OOB management.
The other side of the firewall connects to the production network itself. The connection to the production network is only provided for selective Internet access by the management hosts, limited in-band management traffic, and encrypted management traffic from predetermined hosts. In-band management occurs only when a management application does not use OOB, or when the Cisco device being managed does not physically have enough interfaces to support the normal connection to the management network. If a device must contact a management host by sending data across the production network, that traffic should be sent securely using a private encrypted tunnel or VPN tunnel. The tunnel should be preconfigured to permit only the traffic that is required for management and reporting of these devices. The tunnel should also be locked down so that only appropriate hosts can initiate and terminate tunnels. The Cisco IOS firewall is configured to allow syslog information into the management segment. In addition, Telnet, SSH, and SNMP are allowed on the condition that these services are first initiated by the management network.
Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. The management module on the firewall has been built with several technologies designed to mitigate such risks. The primary threat is a hacker attempting to gain access to the management network itself. This can possibly be accomplished through a compromised managed host that a management device must access. To mitigate the threat of a compromised device, strong access control should be implemented at the firewall and at every other device. Additionally, management devices should be set up in a fashion that prevents direct communication with other hosts on the same management subnet, using separate LAN segments or VLANs.
As a general rule, for security purposes, OOB management is appropriate for large enterprise networks. However, it is not always desirable. Often the decision depends on the type of management applications that are running and the protocols that are being monitored, for example, a management tool with the goal of determining the reachability of all devices on a network. Consider a situation in which two core switches are being managed and monitored using an OOB network. If a critical link between these two core switches fails on the production network, the application monitoring those devices may never determine that the link has failed and alert the administrator. This is because the OOB network makes all devices appear to be attached to a single OOB management network. The OOB management network remains unaffected by the downed link. With management applications such as these, it is preferable to run the management application in-band in a secure fashion.
In-band management is also recommended in smaller networks as a means of achieving a more cost-effective security deployment. In such architectures, management traffic flows in-band in all cases and is made as secure as possible using secure variants to insecure management protocols, such as using SSH instead of Telnet. Another option is to create secure tunnels, using protocols
such as IPsec, for management traffic. If management access is not necessary at all times, perhaps temporary holes can be placed in a firewall while management functions are performed. This technique should be used cautiously, and all holes should be closed immediately when management functions are completed.
Finally, if using remote management tools with in-band management, be wary of the underlying security vulnerabilities of the management tool itself. For example, SNMP managers are often used to ease troubleshooting and configuration tasks on a network. However, SNMP should be treated with the utmost care because the underlying protocol has its own set of security vulnerabilities.


2.3.3 Using Syslog for Network Security
Implementing a router logging facility is an important part of any network security policy. Cisco
routers can log information regarding configuration changes, ACL violations, interface status, and
many other types of events. Cisco routers can send log messages to several different facilities. You
should configure the router to send log messages to one or more of the following items.

• Console - Console logging is on by default. Messages log to the console and can be viewed when modifying or testing the router using terminal emulation software while connected to the console port of the router.
• Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
• Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted.
• SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
• Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.
Cisco router log messages fall into one of eight levels. The lower the level number, the higher the
severity level.
Cisco router log messages contain three main parts:
• Timestamp
• Log message name and severity level
• Message text
Syslog is the standard for logging system events. Syslog implementations contain two types of systems.
• Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
• Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

The syslog protocol allows log messages to be sent from a syslog client to the syslog server. While the ability to send logs to a central syslog server is part of a good security solution, it can also potentially be part of a security problem. The biggest issue is the enormity of the task of sifting through the resulting information, correlating the events from several different network devices and application servers, and taking different types of actions based on a vulnerability assessment of the incident.
The Cisco Security Monitoring, Analysis, and Response System (MARS) is a Cisco security appliance that can receive and analyze syslog messages from various networking devices and hosts from Cisco and other vendors. Cisco Security MARS extends the portfolio of security management products for the Cisco Self-Defending Network initiative. Cisco Security MARS is the first purpose-built appliance for real-time security threat mitigation.
Cisco Security MARS monitors many types of logging and reporting traffic that is available from the security and network products in the enterprise network. Cisco Security MARS combines all of this log data into a series of sessions which it then compares to a database of rules. If the rules indicate that there might be a problem, an incident is triggered. By using this method, a network administrator can have the Cisco Security MARS appliance process most of the logging data from network devices and focus human efforts on the potential problems.
Use the following steps to configure system logging.
Step 1. Set the destination logging host using the logging host command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.
Step 3. Set the source interface using the logging source-interface command. This specifies
that syslog packets contain the IPv4 or IPv6 address of a particular interface, regardless of which
interface the packet uses to exit the router.
Step 4. Enable logging with the logging on command. You can turn logging on and off for these
destinations individually using the logging buffered, logging monitor, and logging global
configuration commands. However, if the logging on command is disabled, no messages are sent
to these destinations. Only the console receives messages.
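As an added example that is not part of the booklet, the following Python script splits IOS log lines into the three parts described above (timestamp, message name with severity, message text) and applies the trap-level filter from Step 2: the severity number carried in the message name is compared with the configured trap level, so only messages at the selected level and below (lower number, higher severity) are kept for forwarding. The log lines, addresses and times are constructed samples, and the PRI calculation assumes the IOS default syslog facility local7 (code 23).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS severity levels: the lower the number, the higher the severity.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# An IOS log line: optional sequence number, optional timestamp, then the
# %FACILITY-SEVERITY-MNEMONIC message name and the message text.
LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<timestamp>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)


@dataclass
class LogMessage:
    timestamp: Optional[str]   # None when the router sends no timestamps
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def name(self) -> str:
        # The "log message name and severity level" part, as IOS prints it.
        return f"%{self.facility}-{self.severity}-{self.mnemonic}"


def parse_line(line: str) -> Optional[LogMessage]:
    """Split one IOS log line into its parts; None for lines that are not log messages."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogMessage(
        timestamp=m.group("timestamp"),
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
    )


def parse_log(lines: List[str]) -> List[LogMessage]:
    return [msg for msg in (parse_line(line) for line in lines) if msg is not None]


def at_or_above(messages: List[LogMessage], trap_level: int) -> List[LogMessage]:
    """What a host configured with 'logging trap <trap_level>' receives:
    messages at the selected level and below, i.e. severity number <= trap_level."""
    if trap_level not in SEVERITY_NAMES:
        raise ValueError(f"trap level must be 0-7, got {trap_level}")
    return [m for m in messages if m.severity <= trap_level]


def syslog_pri(msg: LogMessage, facility_code: int = 23) -> int:
    """Syslog PRI value used on the wire: facility code * 8 + severity (23 = local7)."""
    return facility_code * 8 + msg.severity


# Constructed sample lines in IOS format (addresses, times and interfaces are made up).
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "*Mar  1 00:12:40.101: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:41.221: %SEC-6-IPACCESSLOGP: list MGMT denied tcp 203.0.113.9(43122) -> 10.0.0.1(22), 1 packet",
    "*Mar  1 00:12:45.000: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5).",
    "000123: *Mar  1 00:13:00.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    messages = parse_log(SAMPLE_LOG)
    for level in (4, 5, 7):
        kept = at_or_above(messages, level)
        print(f"logging trap {level} ({SEVERITY_NAMES[level]}): {len(kept)} of {len(messages)} forwarded")
        for m in kept:
            print(f"  <{syslog_pri(m)}> {m.timestamp} {m.name}: {m.text}")
```

Lines that do not match the IOS format are dropped rather than guessed at, which is what you want when the same collector also receives free-form messages from other hosts.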
To enable syslog logging on your router using Cisco Router and Security Device Manager (SDM),
follow these steps.
Step 1. Choose Configure > Additional Tasks > Router Properties > Logging.
Step 2. From the Logging pane, click Edit.
Step 3. In the Logging window, select Enable Logging Level and choose the logging level from
the Logging Level list box. Messages will be logged for the level selected and below.
Step 4. Click Add, and enter an IP address of a logging host in the IP Address/Hostname field.
Step 5. Click OK to return to the Logging dialog box.
Step 6. Click OK to accept the changes and return to the Logging pane.
Cisco SDM can be used to monitor logging by choosing Monitor > Logging.
From the Syslog tab, you can perform the following functions:
• See the logging hosts to which the router logs messages.
• Choose the minimum severity level to view.
• Monitor the router syslog messages, update the screen to show the most current log entries, and erase all syslog messages from the router log buffer.

2.3.4 Using SNMP for Network Security
Another common monitoring tool is SNMP. SNMP was developed to manage nodes, such as
servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is
an Application Layer protocol that facilitates the exchange of management information between
network devices. SNMP is part of the TCP/IP protocol suite. SNMP enables network administra-
tors to manage network performance, find and solve network problems, and plan for network
growth. There are different versions of SNMP.
SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs). In any configuration, at least one manager node runs SNMP management software. Network devices that need to be managed, such as switches, routers, servers, and workstations, are equipped with an SNMP agent software module. The agent is responsible for providing access to a local MIB of objects that reflects the resources and activity at its node. MIBs store data about the device operation and are meant to be available to authenticated remote users.
The SNMP manager can get information from the agent, and change, or set, information in the agent. Sets can change configuration variables in the agent device. Sets can also initiate actions in devices. A reply to a set indicates the new setting in the device. For example, a set can cause a router to reboot, send a configuration file, or receive a configuration file. SNMP traps enable an agent to notify the management station of significant events by sending an unsolicited SNMP message. The get and set actions are the vulnerabilities that open SNMP to attack.
SNMP agents accept commands and requests from SNMP management systems only if those systems have a correct community string. An SNMP community string is a text string that can authenticate messages between a management station and an SNMP agent and allow access to the information in MIBs. Community strings are essentially used for password-only authentication of messages between the NMS and the agent.
There are two types of community strings.
• Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings.
• Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.
If the manager sends one of the correct read-only community strings, it can get information but not set information in an agent. If the manager uses one of the correct read-write community strings, it can get or set information in the agent. In effect, having set access to a router is equivalent to having the enable password of the router.
By default, most SNMP systems use “public” as a community string. If you configure your router SNMP agent to use this commonly known community string, anyone with an SNMP system is able to read the router MIB. Because router MIB variables can point to things such as routing tables and other security-critical parts of the router configuration, it is extremely important that you create your own custom SNMP community strings. However, even if the community string is changed, the strings are sent in plaintext. This is a huge vulnerability of the SNMPv1 and SNMPv2 architecture.
If using in-band management, to reduce security risks, SNMP management should be configured to only pull information from devices rather than being allowed to push “set” changes to the devices. To ensure management information is pulled, each device should be configured with a read-only SNMP community string.
Keeping SNMP traffic on a management segment allows the traffic to traverse an isolated segment
when management information is pulled from devices and when configuration changes are pushed
to a device. Therefore, if using an OOB network, it is acceptable to configure an SNMP read-write
community string; however, be aware of the increased security risk of a plaintext string that allows
modification of device configurations.
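Added example, not from the booklet: a small Python audit over a running-config that flags the community-string problems the passages above warn about, namely the well-known string public, a read-write string on a device managed in-band, a read-write string even on the OOB segment (noted at lower severity), and a string with no access list restricting which management stations may use it. It parses the IOS form snmp-server community <string> [view <name>] [ro | rw] [<acl>]; the sample configuration, hostnames, strings and ACL number are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Strings that ship as defaults in many SNMP systems; "public" is the one the booklet names.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [ro | rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(?P<string>\S+)"
    r"(?:\s+view\s+(?P<view>\S+))?"
    r"(?:\s+(?P<mode>ro|rw))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    severity: str    # "high" or "medium"
    reason: str


def audit_snmp_communities(running_config: str, in_band: bool) -> List[Finding]:
    """Flag community strings that contradict the in-band / OOB guidance.

    in_band=True: SNMP crosses the production network, so only read-only strings
    are acceptable. in_band=False: an OOB management segment, where a read-write
    string is tolerated but still reported because it travels in plaintext.
    """
    findings: List[Finding] = []
    for raw in running_config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        string = m.group("string")
        mode = (m.group("mode") or "ro").lower()   # IOS treats an omitted keyword as RO
        if string.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(Finding(line, "high", f"well-known community string '{string}'"))
        if mode == "rw":
            if in_band:
                findings.append(Finding(line, "high",
                    "read-write community on an in-band managed device; set access equals the enable password"))
            else:
                findings.append(Finding(line, "medium",
                    "read-write community is sent in plaintext by SNMPv1/v2c; acceptable only on the OOB segment"))
        if m.group("acl") is None:
            findings.append(Finding(line, "medium",
                "no access list limits which management stations may use this community"))
    return findings


# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname R1
!
snmp-server community public RO
snmp-server community N3tM0n-r0 RO 10
snmp-server community N3tM0n-rw RW 10
snmp-server location Lab rack 2 (constructed sample)
!
access-list 10 permit 10.0.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG, in_band=True):
        print(f"[{f.severity}] {f.line}: {f.reason}")
```

Run against a saved copy of show running-config; the in_band flag is the one judgement the script cannot make from the configuration alone, so it is an input.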
The current version of SNMPv3 addresses the vulnerabilities of earlier versions by including three
important services: authentication, privacy, and access control.
SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 uses a
combination of authenticating and encrypting packets over the network to provide secure access to
devices. SNMPv3 provides three security features.

• Message integrity - Ensures that a packet has not been tampered with in transit.
• Authentication - Determines that the message is from a valid source.
• Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.

While it is recommended that SNMPv3 be used where possible because of the added security features, configuring SNMPv3 is beyond the scope of this course.
When enabling SNMP, it is important to consider the security model and the security level. The security model is an authentication strategy that is set up for a user and the group in which the user resides. Currently, Cisco IOS software supports three security models: SNMPv1, SNMPv2c, and SNMPv3. A security level is the permitted level of security within a security model. The security level is a type of security algorithm that is performed on each SNMP packet.
There are three security levels.

• noAuth - Authenticates a packet by a string match of the username or community string.
• auth - Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or Secure Hash Algorithms (SHA) method. The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
• priv - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms.

The combination of the model and level determines which security mechanism is employed when
handling an SNMP packet. Only SNMPv3 supports the auth and priv security levels. However,
Cisco SDM does not support configuration of SNMPv3.
To enable SNMPv1 and SNMPv2 using Cisco SDM, follow these steps:
Step 1. Choose Configure > Additional Tasks > Router Properties > SNMP. Click the Edit button.
Step 2. From the SNMP Properties window, select Enable SNMP to enable SNMP support.
Set community strings and enter trap manager information from the same SNMP Properties window used to enable support.
Step 3. In the SNMP Properties window, click Add to create new community strings, click Edit to
edit an existing community string, or click Delete to delete a community string.
An example CLI command that SDM would generate based on a read-only community string of cisco123 is snmp-server community cisco123 ro.

• ro - Assigns a read-only community string.
• rw - Assigns a read-write community string.



The administrator can also configure devices to which a router sends traps. These devices are referred to as trap receivers. Cisco SDM can be used to add, edit, or delete a trap receiver.
Step 1. From the SNMP pane in Cisco SDM, click Edit. The SNMP Properties window displays.
Step 2. To add a new trap receiver, click Add in the Trap Receiver section of the SNMP Properties window. The Add a Trap Receiver window displays.
Step 3. Enter the IP address or host name of the trap receiver and the password that is used to connect to the trap receiver. Typically, this is the IP address of the SNMP management station that monitors your domain. Check with the site administrator to determine the address if unsure.
Step 4. Click OK to finish adding the trap receiver.
Step 5. To edit an existing trap receiver, choose a trap receiver from the trap receiver list and click Edit. To delete an existing trap receiver, choose a trap receiver from the trap receiver list and click Delete.
Step 6. When the trap receiver list is complete, click OK to return to the SNMP pane.
The SNMP Properties window also contains the SNMP Server Device Location field and the SNMP Server Administrator Contact field. Both of these fields are text fields that can be used to enter descriptive information about the SNMP server location and the contact information for a person managing the SNMP server. These fields are not required and do not affect the operation of the router.


2.3.5 Using NTP
Many things involved in the security of a network, such as security logs, depend on an accurate date and time stamp. When dealing with an attack, seconds matter, because it is important to identify the order in which a specified attack occurred. To ensure that log messages are synchronized with one another, clocks on hosts and network devices must be maintained and synchronized.
Typically, the date and time settings of the router can be set using one of two methods:

• Manually editing the date and time
• Configuring the Network Time Protocol (NTP)



Although the manual method works in a small network environment, as a network grows, it becomes difficult to ensure that all infrastructure devices are operating with synchronized time. Even in a smaller network environment, the manual method is not ideal. If a router reboots, where would it get an accurate date and timestamp?
A better solution is to configure NTP on the network. NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings. When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
NTP uses UDP port 123 and is documented in RFC 1305.
When determining whether to use a private clock synchronization versus a public clock, it is necessary to weigh the risks and benefits of both.
If a private master clock is implemented, it could be synchronized to Coordinated Universal Time (UTC) via satellite or radio. The administrator does need to ensure that the time source is valid and from a secure site; otherwise, it can introduce vulnerabilities. For example, an attacker can launch a DoS attack by sending bogus NTP data across the Internet to the network in an attempt to change the clocks on network devices, possibly causing digital certificates to become invalid. An attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of syslog events on multiple devices.
Pulling the clock time from the Internet means that unsecured packets are allowed through the firewall. Many NTP servers on the Internet do not require any authentication of peers; therefore, the network administrator must trust that the clock itself is reliable, valid, and secure.
The communications (known as associations) between machines that run NTP are usually statically configured. Each device is given the IP address of NTP masters. Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association. In an NTP configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using the ntp master global configuration command.
NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use the ntp server ntp-server-address command.
In a LAN environment, NTP can be configured to use IP broadcast messages instead by using the ntp broadcast client command. This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. The accuracy of timekeeping is marginally reduced because the information flow is one-way only.
The time that a machine keeps is a critical resource; therefore, the security features of NTP should be used to avoid the accidental or malicious setting of incorrect times. There are two security mechanisms available:
• ACL-based restriction scheme
• Encrypted authentication mechanism offered by NTP version 3 or later



NTP version 3 (NTPv3) and later support a cryptographic authentication mechanism between NTP
peers. This authentication mechanism, in addition to ACLs that specify which network devices are
allowed to synchronize with other network devices, can be used to help mitigate such an attack.
To secure NTP traffic, it is strongly recommended that NTP version 3 or later is implemented. Use
the following commands on both the NTP master and the NTP client.
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number
The authentication is for the benefit of a client to ensure that it is getting the time from an authenticated server. Clients configured without authentication still get the time from the server. The difference is that these clients do not authenticate the server as a secure source.
Use the show ntp associations detail command to confirm that the server is an authenticated source.
Note: The key value can also be set as an argument in the ntp server ntp-server-address command.
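The three ntp commands above enable the NTPv3 symmetric-key scheme (RFC 1305, carried forward in RFC 5905): the sender appends a 32-bit key ID and an MD5 digest computed over the key followed by the NTP packet, and a receiver with ntp authenticate accepts the packet only when the key ID is one of its trusted keys and the digest matches. The following Python, added here and not part of the booklet, reproduces that check on a constructed NTP packet. The key number, key value and timestamps are made up, the packet carries no extension fields, and the trusted-key dictionary stands in for the ntp authentication-key and ntp trusted-key configuration.

```python
import hashlib
import hmac
import struct
from typing import Dict

NTP_HEADER_LEN = 48          # fixed NTP header, no extension fields
AUTHENTICATOR_LEN = 4 + 16   # key ID followed by an MD5 digest


def build_ntp_header(transmit_ts: int, version: int = 3, mode: int = 3) -> bytes:
    """Build a minimal NTP header (mode 3 = client). All field values are constructed."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    stratum, poll, precision = 0, 6, -20
    root_delay, root_dispersion, ref_id = 0, 0, 0
    header = struct.pack("!BBBb3I", li_vn_mode, stratum, poll, precision,
                         root_delay, root_dispersion, ref_id)
    # reference, originate, receive and transmit timestamps in 64-bit NTP format
    header += struct.pack("!4Q", 0, 0, 0, transmit_ts)
    assert len(header) == NTP_HEADER_LEN
    return header


def append_authenticator(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: key ID plus MD5(key || packet), as the symmetric-key scheme specifies."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_authenticator(packet: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Receiver side with 'ntp authenticate': accept only if an authenticator is
    present, its key ID is trusted, and the digest recomputed with that key matches."""
    if len(packet) < NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False                      # no authenticator at all
    body, trailer = packet[:-AUTHENTICATOR_LEN], packet[-AUTHENTICATOR_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                      # key ID not listed under 'ntp trusted-key'
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, trailer[4:])


# Constructed key set standing in for 'ntp authentication-key 1 md5 ...' and 'ntp trusted-key 1'.
TRUSTED_KEYS = {1: b"S3cretNtpKey"}

if __name__ == "__main__":
    packet = build_ntp_header(transmit_ts=(3_800_000_000 << 32) | 0x12345678)
    signed = append_authenticator(packet, 1, TRUSTED_KEYS[1])
    print("valid authenticator accepted:", verify_authenticator(signed, TRUSTED_KEYS))
    print("unauthenticated packet accepted:", verify_authenticator(packet, TRUSTED_KEYS))
    forged = append_authenticator(packet, 1, b"wrong-key")
    print("wrong key accepted:", verify_authenticator(forged, TRUSTED_KEYS))
```

Note that the digest is a plain MD5 over key and packet, not an HMAC; that is what the NTPv3 scheme defines, which is one reason the key value and the trusted-key list both matter.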
Cisco SDM allows a network administrator to view the configured NTP server information, add
new information, and edit or delete existing information.
There are seven steps to add an NTP server using Cisco SDM.
Step 1. Choose Configure > Additional Tasks > Router Properties > NTP/SNTP. The NTP
pane appears, displaying the information for all configured NTP servers.
Step 2. To add a new NTP server, click Add. The Add NTP Server Details window appears.
Step 3. Add an NTP server by name if the router is configured to use a Domain Name System
(DNS) server or by IP address. To add an NTP server by IP address, enter the IP address in the
field next to the NTP Server IP Address option. If the organization does not have an NTP server,
the administrator might want to use a publicly available server, such as one from the server list that
can be found at http://support.ntp.org/bin/view/Servers/WebHome.
Step 4. (Optional) From the NTP Source Interface drop-down list, choose the interface that the
router uses to communicate with the NTP server. The NTP Source Interface is an optional field. If
this field is left blank, NTP messages are sent from the interface closest to the NTP server per the
routing table.
Step 5. Select Prefer if this NTP server has been designated as a preferred NTP server. Preferred
NTP servers are contacted before nonpreferred NTP servers. There can be more than one preferred
NTP server.
Step 6. If the NTP server uses authentication, select Authentication Key and enter the key number and key value.
Step 7. Click OK to finish adding the server.



2.4 Using Automated Security Features
2.4.1 Performing a Security Audit
Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. However, some of these services can make the device vulnerable to attack if security is not enabled. Administrators can also enable services on Cisco routers that can expose the device to significant risk. Both of these scenarios must be taken into account when securing the network.
For example, Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default in Cisco routers. It is used primarily to obtain protocol addresses of neighboring Cisco devices and to discover the platforms of those devices. Unfortunately, an attacker on the network can use CDP to discover devices on the local network. In addition, attackers do not need to have CDP-enabled devices. Readily available software, such as Cisco CDP Monitor, can be downloaded to gain the information. The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However, because of the security implications, the use of CDP should be deterministic. While it is an extremely helpful tool, it should not be everywhere in the network. Edge devices are an example of a device that should have this feature disabled.
Attackers choose services and protocols that make the network more vulnerable to malicious exploitation.
Depending on the security needs of an organization, many of these services should be disabled or, at a minimum, restricted in their capabilities. These features range from Cisco proprietary protocols, such as Cisco Discovery Protocol (CDP), to globally available protocols such as ICMP and other scanning tools.
Chapter 2: Securing Network Devices 55




Some of the default settings in Cisco IOS software are there for historical reasons; they made sense when they were chosen but would probably be different if new defaults were chosen today. Other defaults make sense for most systems but can create security exposures if they are used in devices that form part of a network perimeter defense. Still other defaults are actually required by standards but are not always desirable from a security point of view.
Many practices help ensure a device is secure.
- Disable unnecessary services and interfaces.
- Disable and restrict commonly configured management services, such as SNMP.
- Disable probes and scans, such as ICMP.
- Ensure terminal access security.
- Disable gratuitous and proxy Address Resolution Protocol (ARP).
- Disable IP-directed broadcasts.
To secure network devices, administrators must first determine the vulnerabilities that exist with the current configuration. The best way to accomplish this is through the use of a security audit tool. A security audit tool performs checks on the security level of a configuration by comparing that configuration to recommended settings and tracking discrepancies. After vulnerabilities are identified, network administrators must modify the configuration to reduce or eliminate those vulnerabilities to secure the device and the network.
Three security audit tools available include:
- Security Audit Wizard - a security audit feature provided through Cisco SDM. The Security Audit Wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
- Cisco AutoSecure - a security audit feature available through the Cisco IOS CLI. The auto secure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
- One-Step Lockdown - a security audit feature provided through Cisco SDM. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.
Both Security Audit Wizard and One-Step Lockdown are based on the Cisco IOS AutoSecure feature.
Security Audit Wizard
The Security Audit wizard tests the router configuration to determine if any potential security problems exist in the configuration, and then presents a screen that lets the administrator determine which of those security problems to fix. At this point, the Security Audit wizard makes the necessary changes to the router configuration to fix those problems.
The Security Audit wizard compares a router configuration against recommended settings and performs the following:
- Shuts down unneeded servers.
- Disables unneeded services.
- Applies the firewall to the outside interfaces.
- Disables or hardens SNMP.
- Shuts down unused interfaces.
- Checks password strength.
- Enforces the use of ACLs.
56 CCNA Security Course Booklet, Version 1.0
When a security audit is initiated, the Security Audit wizard must know which router interfaces connect to the inside network and which connect to the outside of the network. The Security Audit wizard then tests the router configuration to determine possible security problems that may exist. A window shows all configuration options tested and whether the current router configuration passes those tests.
When the audit is complete, Security Audit identifies possible vulnerabilities in the configuration and provides a way to correct those problems. It also gives the administrator the option to fix problems automatically, in which case it determines the necessary configuration commands. A description of specific problems and a list of the Cisco IOS commands used to correct those problems is provided.
Before any configuration changes are made, a summary page displays a list of all the configuration changes that Security Audit will make. The administrator must click Finish to send those configurations to the router.


2.4.2 Locking Down a Router Using AutoSecure
Cisco AutoSecure
Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI and executes a script. AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router.
AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router.
The management plane is the logical path of all traffic related to the management of a routing platform. It is used to control all other functions of routing and to manage a device through its connection to the network. There are several management plane services and functions:
- Secure BOOTP, CDP, FTP, TFTP, PAD, UDP and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
- Legal notification using a banner
- Secure password and login functions
- Secure NTP
- Secure SSH access
- TCP intercept services
The forwarding plane is responsible for packet forwarding (or packet switching), which is the act of receiving packets on the router interfaces and sending them out on other interfaces.
There are three forwarding plane services and functions:
- Enables Cisco Express Forwarding (CEF)
- Enables traffic filtering with ACLs
- Implements Cisco IOS firewall inspection for common protocols
AutoSecure is often used in the field to provide a baseline security policy on a new router. Features can then be altered to support the security policy of the organization.
Use the auto secure command to enable the Cisco AutoSecure feature setup. This setup can be interactive or non-interactive.
auto secure [no-interact]
In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode, but it can also be configured using the auto secure full command.
The non-interactive mode is similar to the SDM Security Audit one-step lockdown feature because it automatically executes the Cisco AutoSecure command with the recommended Cisco default settings. This mode is enabled using the auto secure no-interact privileged EXEC command.
The auto secure command can also be entered with keywords to configure specific components, such as the management plane and forwarding plane.
When the auto secure command is initiated, a wizard is displayed to step the administrator through the configuration of the device. User input is required. When the wizard is complete, a running configuration displays all configuration settings and changes.


2.4.3 Locking Down a Router Using SDM
Cisco One-Step Lockdown
One-step lockdown tests a router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems.
Cisco One-Step Lockdown Disables:
- Finger service
- PAD service
- TCP small servers service
- UDP small servers service
- IP BOOTP server service
- IP identification service
- Cisco Discovery Protocol
- IP source route
- IP GARPs
- SNMP
- IP redirects
- IP proxy ARP
- IP directed broadcast
- MOP service
- IP unreachables
- IP mask reply
- IP unreachables on null interface
Cisco One-Step Lockdown Enables:
- Password encryption service
- TCP keepalives for inbound and outbound Telnet sessions
- Sequence numbers and timestamps on debugs
- IP Cisco Express Forwarding
- NetFlow switching
- Unicast Reverse Path Forwarding (RPF) on outside interfaces
- Firewall on all outside interfaces
- SSH for access to the router
- AAA
Cisco One-Step Lockdown Sets:
- Minimum password length to six characters
- Authentication failure rate to less than three retries
- TCP synwait time
- Notification banner
- Logging parameters
- Enable secret password
- Scheduler interval
- Scheduler allocate
- Users
- Telnet settings
- Access class on HTTP server service
- Access class on vty lines
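The checks that the Security Audit wizard and One-Step Lockdown perform (the service list in 2.4.1 and the disable/enable/set lists above) can be reproduced offline against a saved running-config. The script below is an added example, not Cisco SDM or AutoSecure code: the expected-command tables, the sample configuration and the hash placeholder are constructed for illustration, and the audit deliberately requires the explicit hardening command (no ip finger, no cdp run, no ip proxy-arp, and so on) rather than trusting what a particular IOS release leaves as a default.

```python
import re

# Global commands the audit expects (constructed list; explicit lines are
# required rather than trusting IOS release defaults).
GLOBAL_EXPECTED = [
    "no ip finger", "no service pad", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip bootp server", "no cdp run",
    "no ip source-route", "ip cef", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
]
# Commands expected under every interface that carries an IP address.
INTERFACE_EXPECTED = [
    "no ip redirects", "no ip proxy-arp", "no ip directed-broadcast",
    "no ip unreachables", "no ip mask-reply", "no mop enabled",
]


def parse_config(text):
    """Split a running-config into global lines and interface stanzas.
    IOS indents subcommands by one space and ends blocks with '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return the discrepancies between the config and the expected settings."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{e}'" for e in GLOBAL_EXPECTED
                if e not in global_lines]
    # Password strength: a minimum length of six and a hashed enable secret.
    min_len = 0
    for line in global_lines:
        m = re.fullmatch(r"security passwords min-length (\d+)", line)
        if m:
            min_len = int(m.group(1))
    if min_len < 6:
        findings.append("global: minimum password length is below 6")
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in global_lines):
        findings.append("global: 'enable password' present (weakly protected)")
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # administratively down: nothing exposed to harden
        if not any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: unused interface is not shut down")
            continue
        findings += [f"{name}: missing '{e}'" for e in INTERFACE_EXPECTED
                     if e not in lines]
    return findings


# Constructed sample running-config with a few deliberate gaps.
SAMPLE_CONFIG = """\
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no cdp run
security passwords min-length 6
enable secret 5 $1$PLACEHOLDER$notarealhash
ip cef
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip mask-reply
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
interface Serial0/0/0
 no ip address
!
"""
```

Run audit() over the text of show running-config; each finding names the missing command or the interface that is up without an address. The sample returns six findings: five missing interface commands on FastEthernet0/1 and the unshut, unaddressed Serial0/0/0, which is what the wizard's "shuts down unused interfaces" check flags.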



Deciding which automated lockdown feature to use, AutoSecure or SDM Security Audit one-step lockdown, is basically a matter of preference. There are differences in how they implement good security practices.
Cisco SDM does not implement all the features of Cisco AutoSecure. Since Cisco SDM version 2.4, the following Cisco AutoSecure features are not part of the Cisco SDM one-step lockdown:
- Disabling NTP - Based on input, Cisco AutoSecure disables NTP if it is not necessary. Otherwise, NTP is configured with MD5 authentication. Cisco SDM does not support disabling NTP.
- Configuring AAA - If the AAA service is not configured, Cisco AutoSecure configures local AAA and prompts for the configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.
- Setting Selective Packet Discard (SPD) values - Cisco SDM does not set SPD values.
- Enabling TCP intercepts - Cisco SDM does not enable TCP intercepts.
- Configuring antispoofing ACLs on outside interfaces - Cisco AutoSecure creates three named access lists to block spoofed source addresses. Cisco SDM does not configure these ACLs.
The following Cisco AutoSecure features are implemented differently in Cisco SDM:
- Enable SSH for access to the router - Cisco SDM enables and configures SSH on Cisco IOS images that have the IPsec feature set; however, unlike Cisco AutoSecure, Cisco SDM does not enable Secure Copy Protocol (SCP) or disable other access and file transfer services, such as FTP.
- Disable SNMP - Cisco SDM disables SNMP; however, unlike Cisco AutoSecure, Cisco SDM does not provide an option for configuring SNMPv3. The SNMPv3 option is not available on all routers.
Regardless of which automated feature is preferred, it should be used as a baseline and then altered to meet the needs of the organization.

Chapter Summary
Refer to the Packet Tracer Activity for this chapter.
Refer to the Lab Activity for this chapter.

CHAPTER 3

Authentication, Authorization, and Accounting

Chapter Introduction
A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design specifications are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. The network security policy can also mandate the implementation of an accounting system that tracks who logged in, when, and what they did while logged in.
Managing network access using only the user mode or privilege mode password commands is limited and does not scale well. Instead, using the Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security.
Cisco IOS routers can be configured to use AAA to access a local username and password database. Using a local username and password database provides greater security than a simple password and is a cost-effective and easily implemented security solution. Cisco IOS routers can also be configured to use AAA to access a Cisco Secure Access Control Server (ACS). Using Cisco ACS is very scalable because all infrastructure devices access a central server. The Cisco Secure ACS solution is also fault tolerant because multiple servers can be configured. The Cisco Secure ACS solution is often implemented by large organizations.
A hands-on lab for the chapter, Securing Administrative Access Using AAA and RADIUS, allows learners to use the CLI and SDM to configure and test local authentication with and without AAA. Centralized authentication using AAA and RADIUS is also explored. The lab is found in the lab manual on Academy Connection at cisco.netacad.net.
A Packet Tracer activity, Configure AAA Authentication on Cisco Routers, provides learners additional practice implementing the technologies introduced in this chapter. Learners configure local authentication with and without AAA. Server-based AAA authentication is configured with TACACS+ and RADIUS. Packet Tracer activities for CCNA Security are found on Academy Connection at cisco.netacad.net.




3.1 Purpose of AAA
3.1.1 AAA Overview
Network intruders can potentially gain access to sensitive network equipment and services. To help prevent unwanted access, access control is necessary. Access control limits who or what can use specific resources as well as the services or options available once access is granted. Many types of authentication methods can be performed on a Cisco device, and each method offers varying levels of security.
The simplest form of authentication is passwords. This method is configured using a login and password combination on the console, vty, and aux lines. This method is the easiest to implement, but it is also the weakest and least secure. Password-only logins are very vulnerable to brute-force attacks. Additionally, this method provides no accountability. Anyone with the password can gain entry to the device and alter the configuration.
To help provide accountability, local database authentication can be implemented using one of the following commands:
username username password password
username username secret password
This method creates individual user accounts on each device with a specific password assigned to each user. The local database method provides additional security, because an attacker is required to know a username and a password. It also provides more accountability, because the username is recorded when a user logs in. Keep in mind that the username password command combination displays the password in plaintext in the configuration file if the service password-encryption command is not configured. The username secret combination is highly recommended because it provides MD5-style encryption.
The local database method has some limitations. The user accounts must be configured locally on each device. In a large enterprise environment that has multiple routers and switches to manage, it can take time to implement and change local databases on each device. Additionally, the local database configuration provides no fallback authentication method. For example, what if the administrator forgets the username and password for that device? With no backup method available for authentication, password recovery becomes the only option.
A better solution is to have all devices refer to the same database of usernames and passwords from a central server. This chapter explores the various methods of securing network access using Authentication, Authorization, and Accounting (AAA) to secure Cisco routers.
AAA network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting). It provides a higher degree of scalability than the con, aux, vty and privileged EXEC authentication commands alone.
Network and administrative AAA security in the Cisco environment has several functional components:
- Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: “I am user ‘student’. I know the password to prove that I am user student.”
- Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is “User ‘student’ can access host serverXYZ using Telnet only.”
- Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is “User ‘student’ accessed host serverXYZ using Telnet for 15 minutes.”

This concept is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on.
Chapter 3: Authentication, Authorization, and Accounting 65




3.1.2 AAA Characteristics
AAA Authentication
AAA can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access. These two access methods use different modes to request AAA services:
- Character mode - A user sends a request to establish an EXEC mode process with the router for administrative purposes.
- Packet mode - A user sends a request to establish a connection through the router with a device on the network.

With the exception of accounting commands, all AAA commands apply to both character mode and packet mode. This topic focuses on securing character mode access. For a truly secure network, it is important to also configure the router for secure administrative access and remote LAN network access using AAA services.
Cisco provides two common methods of implementing AAA services.
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks.
Server-Based AAA Authentication
The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.
AAA Authorization
After users are successfully authenticated against the selected AAA data source (local or server-based), they are then authorized for specific network resources. Authorization is basically what a user can and cannot do on the network after that user is authenticated, similar to how privilege levels and role-based CLI give users specific rights and privileges to certain commands on the router.
Authorization is typically implemented using an AAA server-based solution. Authorization uses a created set of attributes that describes the user's access to the network. These attributes are compared to the information contained within the AAA database, and a determination of restrictions for that user is made and delivered to the local router where the user is connected.
Authorization is automatic and does not require users to perform additional steps after authentication. Authorization is implemented immediately after the user is authenticated.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.
Accounting is implemented using an AAA server-based solution. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network.
One widely deployed use of accounting is combining it with AAA authentication for managing access to internetworking devices by network administrative staff. Accounting provides extra accountability above and beyond authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides leverage against individuals who perform malicious actions.



3.2 Local AAA Authentication
3.2.1 Configuring Local AAA Authentication with CLI
Local AAA Authentication, also referred to as self-contained authentication, should be configured for smaller networks, such as those with one or two routers providing access to a limited number of users. This method uses the local usernames and passwords stored on a router. The system administrator must populate the local security database by specifying username and password profiles for each user that might log in.
The Local AAA Authentication method is similar to using the login local command with one exception. AAA also provides a way to configure backup methods of authentication.
Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps.
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
To enable AAA, use the aaa new-model global configuration command. To disable AAA, use the no form of this command.

After AAA is enabled, to configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various interfaces.
To define a named list of authentication methods, use the aaa authentication login command. This command requires a list name and the authentication methods. The list name identifies the list of authentication methods activated when a user logs in. The method list is a sequential list describing the authentication methods to be queried for authenticating a user. Method lists enable an administrator to designate one or more security protocols for authentication. Using more than one protocol provides a backup system for authentication in case the initial method fails.
Several keywords can be used to indicate the method. To enable local authentication using a preconfigured local database, use the keyword local or local-case. The difference between the two options is that local accepts a username regardless of case, and local-case is case-sensitive. To specify that a user can authenticate using the enable password, use the enable keyword. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method. For security purposes, use the none keyword only when testing the AAA configuration. It should never be applied on a live network.
For example, the enable method could be configured as a fallback mechanism in case the username and password is forgotten.
aaa authentication login TELNET-ACCESS local enable

In this example, an AAA authentication list named TELNET-ACCESS is created that requires users to attempt to authenticate to the router's local user database first. If that attempt returns an error, such as when a local user database is not configured, the user can attempt to authenticate by knowing the enable password.
A minimum of one method and a maximum of four methods can be specified for a single method list. When a user attempts to log in, the first method listed is used. Cisco IOS software attempts authentication with the next listed method only when the previous method does not respond or returns an error. If the authentication method denies the user access, the authentication process stops and no other authentication methods are allowed.
The defined list of authentication methods must be applied to specific interfaces or lines. For flexibility, different method lists can be applied to different interfaces and lines. For example, an administrator could apply a special login for Telnet and then have a different login method for the line console. To enable a specific list name, use the login authentication list-name command in line configuration mode.
The option also exists to configure a default list name. When AAA is first enabled, the default method list named “default” is automatically applied to all interfaces and lines, but it has no authentication methods defined. To assign multiple authentication methods to the default list, use the command aaa authentication login default method1... [method4].
The authentication methods in the default list are used by default on all lines, unless a custom authentication method list is created. If an interface or line has a nondefault method list applied to it, that method list overrides the default method list for that interface. If the default list is not set and there is no other list, only the local user database is checked. This has the same effect as the command aaa authentication login default local. On the console, login succeeds without any authentication checks if default is not set.
Once a custom authentication method list is applied to an interface, it is possible to return to the default method list by using the no aaa authentication login list-name command. If the default list has not been defined, then AAA authentication does not occur.
Additional security can be implemented on the line using the aaa local authentication attempts max-fail number-of-unsuccessful-attempts command in global configuration mode. This command secures AAA user accounts by locking out accounts that have excessive failed attempts. To remove the number of unsuccessful attempts that was set, use the no form of this command.
To display a list of all locked-out users, use the show aaa local user lockout command in privileged EXEC mode. Use the clear aaa local user lockout {username username | all} command in privileged EXEC mode to unlock a specific user or to unlock all locked users.
The aaa local authentication attempts max-fail command differs from the login delay command in how it handles failed attempts. The aaa local authentication attempts max-fail command locks the user account if the authentication fails. This account stays locked until it is cleared by an administrator. The login delay command introduces a delay between failed login attempts without locking the account.
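The method-list rules above (an error moves on to the next method, a denial stops the list, local versus local-case, none as a last resort) and the lockout behaviour of aaa local authentication attempts max-fail are easier to reason about as a small executable model. The following Python is an added example, not Cisco IOS code; the classes, the TELNET-ACCESS scenario, the admin account, its password and the enable secret are constructed for this illustration.

```python
import hmac
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user: evaluation stops
    FAIL = "fail"    # the method denied the user: evaluation stops
    ERROR = "error"  # the method could not answer: IOS tries the next one


class LocalDatabase:
    """Stand-in for the local username database plus the counters behind
    'aaa local authentication attempts max-fail N' (constructed model)."""

    def __init__(self, users, max_fail=None):
        self.users = dict(users)  # username -> password; sample data only
        self.max_fail = max_fail  # None: no lockout configured
        self.failures = {}        # username -> consecutive failed attempts
        self.locked = set()       # what 'show aaa local user lockout' lists

    def check(self, username, password, case_sensitive):
        """'local' matches the username regardless of case; 'local-case' does not."""
        if not self.users:
            return Result.ERROR   # "local user database is not configured"
        if case_sensitive:
            key = username if username in self.users else None
        else:
            key = next((u for u in self.users if u.lower() == username.lower()), None)
        if key is None or key in self.locked:
            return Result.FAIL    # unknown or locked user: a verdict, not an error
        if hmac.compare_digest(self.users[key], password):
            self.failures.pop(key, None)
            return Result.PASS
        if self.max_fail is not None:
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= self.max_fail:
                self.locked.add(key)  # stays locked until an admin clears it
        return Result.FAIL

    def clear_lockout(self, username=None):
        """Mirrors 'clear aaa local user lockout {username NAME | all}'."""
        for user in [username] if username else list(self.locked):
            self.locked.discard(user)
            self.failures.pop(user, None)


class MethodList:
    """'aaa authentication login NAME method1 ... [method4]'."""

    def __init__(self, name, methods, db, enable_secret=None):
        if not 1 <= len(methods) <= 4:
            raise ValueError("a method list holds one to four methods")
        self.name, self.methods, self.db = name, list(methods), db
        self.enable_secret = enable_secret

    def _run(self, method, username, password):
        if method == "local":
            return self.db.check(username, password, case_sensitive=False)
        if method == "local-case":
            return self.db.check(username, password, case_sensitive=True)
        if method == "enable":
            if self.enable_secret is None:
                return Result.ERROR  # nothing to compare against: try next
            ok = hmac.compare_digest(self.enable_secret, password)
            return Result.PASS if ok else Result.FAIL
        if method == "none":
            return Result.PASS       # test configurations only
        raise ValueError(f"unknown method {method!r}")

    def login(self, username, password):
        """Try the methods in order; only ERROR moves on to the next one."""
        for method in self.methods:
            result = self._run(method, username, password)
            if result is not Result.ERROR:
                return result
        return Result.FAIL  # every method errored and 'none' was not last


def demo():
    """The TELNET-ACCESS list from the text, then the lockout behaviour."""
    out = {}
    # No local database yet: 'local' errors out and the enable secret decides.
    first = MethodList("TELNET-ACCESS", ["local", "enable"], LocalDatabase({}), "cisco")
    out["fallback_to_enable"] = first.login("admin", "cisco")
    # With a database, a wrong password is a denial: 'enable' is never consulted.
    db = LocalDatabase({"admin": "s3cret"}, max_fail=3)
    telnet = MethodList("TELNET-ACCESS", ["local", "enable"], db, "cisco")
    out["denied_stops_list"] = telnet.login("admin", "cisco")
    out["local_ignores_case"] = telnet.login("ADMIN", "s3cret")
    out["local_case_is_strict"] = MethodList("CON", ["local-case"], db).login("ADMIN", "s3cret")
    # Three failures lock the account; even the right password is refused
    # until the administrator clears the lockout.
    for _ in range(3):
        telnet.login("admin", "wrong")
    out["locked_after_max_fail"] = telnet.login("admin", "s3cret")
    db.clear_lockout("admin")
    out["after_clear"] = telnet.login("admin", "s3cret")
    return out
```

The point worth noticing in demo() is the second scenario: once a local database exists, entering the enable secret as the user's password is denied outright, because a denial from local ends the list before enable is ever consulted. Only an error (no database, or a server that does not respond) falls through to the next method.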
When a user logs into a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of the session, various attributes that are related to the session are collected and stored internally within the AAA database. These attributes can include the IP address of the user, the protocol that is used to access the router, such as PPP or Serial Line Internet Protocol (SLIP), the speed of the connection, and the number of packets or bytes that are received or transmitted.
To display the attributes that are collected for an AAA session, use the show aaa user {all | unique id} command in privileged EXEC mode. This command does not provide information for all users who are logged into a device, but only for those who have been authenticated or authorized using AAA or whose sessions are being accounted for by the AAA module.
The show aaa sessions command can be used to show the unique ID of a session.



3.2.2 Configuring Local AAA Authentication with SDM
AAA is enabled by default in Cisco SDM, but it is a good idea to confirm that it is currently enabled. To verify the AAA configuration and to enable or disable AAA, choose Configure > Additional Tasks > AAA.
If the Disable AAA button is clicked, Cisco SDM displays an informational message stating that it will make configuration changes to ensure that the router can be accessed after AAA is disabled.
The first task when using SDM to configure AAA services for local authentication is to create users:
Step 1. Choose Configure > Additional Tasks > Router Access > User Accounts/View.
Step 2. Click Add to add a new user.
Step 3. In the Add an Account window, enter the username and password in the appropriate fields to define the user account.
Step 4. From the Privilege Level drop-down list, choose 15, unless there are lesser privilege levels defined.
Step 5. If views have been defined, check the Associate a View with the User check box and choose a view from the View Name list that is associated with a user.
Step 6. Click OK.
The CLI command that Cisco SDM generates is username AAAadmin privilege 15 secret 5 $1$f16u$uKOO6J/UnojZ0bCEzgnQi1 view root.

To configure AAA authentication, an administrator must first either define a list of authentication methods for the default method or configure a named method list and apply it. Different method lists can be created and applied to different interfaces or lines.
Configure the default method list for login authentication using the local database:
Step 1. Choose Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add.
Step 2. In the Add a Method List for Authentication Login window, verify that Default is selected in the Name drop-down list.
Step 3. Click Add.
Step 4. From the Select Method List(s) for Authentication Login window, choose local from the method list.
Step 5. Click OK.
The CLI command that Cisco SDM generates is aaa authentication login default local.




3.2.3 Troubleshooting Local AAA Authentication
The Cisco router has debug commands that are useful for troubleshooting authentication issues.
The debug aaa command contains several keywords that can be used for this purpose. Of special
interest is the debug aaa authentication command.
The best time to understand debug output is when everything is working properly. Knowing how
debug output displays when all is well helps identify problems when things are not working prop-
erly. Exercise caution when using the debug command in a production environment because these
commands place a significant load on router resources and can affect network performance.
The debug aaa authentication command is instrumental when troubleshooting AAA problems. To disable this command, use the no form of the command or the all-encompassing undebug all statement.
Look specifically for GETUSER and GETPASS status messages. The Method message is also
helpful when identifying which method list is being referenced.
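As an added example (not part of the course text or any Cisco tool), the Python below walks a constructed sample of debug aaa authentication output, groups the lines by AAA session id, and checks that each session shows the Method message and the GETUSER and GETPASS status messages the text says to look for before ending in PASS. The sample lines, timestamps and session id are constructed for the demonstration, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of "debug aaa authentication" output for one successful login
# against the local database, modelled on the message shapes the text names
# (Method=, GETUSER, GETPASS). It is not a capture from a real router.
SAMPLE_DEBUG = """\
14:01:17: AAA/AUTHEN/START (0): port='tty2' list='' action=LOGIN service=LOGIN
14:01:17: AAA/AUTHEN/START (0): using "default" list
14:01:17: AAA/AUTHEN/START (567936829): Method=LOCAL
14:01:17: AAA/AUTHEN (567936829): status = GETUSER
14:01:21: AAA/AUTHEN/CONT (567936829): continue_login
14:01:21: AAA/AUTHEN (567936829): Method=LOCAL
14:01:21: AAA/AUTHEN (567936829): status = GETPASS
14:01:25: AAA/AUTHEN/CONT (567936829): continue_login
14:01:25: AAA/AUTHEN (567936829): status = PASS
"""

LINE_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\): (.*)$")
HEALTHY_LOGIN = ["GETUSER", "GETPASS", "PASS"]


def summarize_sessions(debug_text):
    """Group debug lines by AAA session id and return, per session, the method
    list in use, the Method reported, the ordered status messages, and whether
    they form the clean GETUSER -> GETPASS -> PASS sequence of a working login."""
    sessions = defaultdict(lambda: {"list": None, "method": None, "statuses": []})
    current_list = None
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, msg = m.groups()
        using = re.search(r'using "([^"]+)" list', msg)
        if using:                  # list selection is logged before a session id exists
            current_list = using.group(1)
        if sid == "0":             # id 0 lines are pre-session setup; nothing to track yet
            continue
        s = sessions[sid]
        s["list"] = s["list"] or current_list
        if msg.startswith("Method="):
            s["method"] = msg.split("=", 1)[1]
        elif msg.startswith("status = "):
            status = msg.split("= ", 1)[1]
            if not s["statuses"] or s["statuses"][-1] != status:
                s["statuses"].append(status)   # collapse repeated echoes of one status
    for s in sessions.values():
        s["healthy"] = s["statuses"] == HEALTHY_LOGIN
    return dict(sessions)
```

A session whose statuses stop at GETPASS or end in FAIL is reported as unhealthy, which is the pattern to compare against the known-good trace the text recommends capturing first.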

3.3 Server-Based AAA
3.3.1 Server-Based AAA Characteristics
Local implementations of AAA do not scale well. Most corporate environments have multiple Cisco routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining local databases on each Cisco router for a network of this size is not feasible.
To solve this challenge, one or more AAA servers, such as Cisco Secure ACS, can be used to manage the user and administrative access needs for an entire corporate network. Cisco Secure ACS can create a central user and administrative access database that all devices in the network can access. It can also work with many external databases, including Active Directory and Lightweight Directory Access Protocol (LDAP). These databases store user account information and passwords, allowing for central administration of user accounts.
The Cisco Secure ACS family of products supports both the Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) protocols, which are the two predominant protocols used by Cisco security appliances, routers, and switches for implementing AAA.
While both protocols can be used to communicate between clients and AAA servers, TACACS+ is considered the more secure protocol, because all TACACS+ protocol exchanges are encrypted. RADIUS encrypts only the user password; it does not encrypt user names, accounting information, or any other information carried in the RADIUS message.


3.3.2 Server-Based AAA Communication Protocols
TACACS+ and RADIUS are both authentication protocols. Each supports different capabilities and functionality. Whether TACACS+ or RADIUS is selected depends on the needs of the organization. For example, a large ISP might select RADIUS because it supports the detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it needs specific authorization policies applied on a per-user or per-group basis.
It is important to understand the many differences between the TACACS+ and RADIUS protocols.
70 CCNA Security Course Booklet, Version 1.0

Critical factors for TACACS+ include:
• Is incompatible with TACACS and XTACACS
• Separates authentication and authorization
• Encrypts all communication
• Utilizes TCP port 49
Critical factors for RADIUS include:
• Uses RADIUS proxy servers for scalability
• Combines RADIUS authentication and authorization as one process
• Encrypts only the password
• Utilizes UDP
• Supports remote-access technologies, 802.1X, and SIP

TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name, TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers as part of maintenance Cisco IOS Release 10.3. Cisco is currently presenting TACACS+ to the IETF working groups and is contributing to and adopting the emerging protocol standards.
TACACS+ provides separate AAA services. Separating the AAA services provides flexibility in implementation, because it is possible to use TACACS+ for authorization and accounting while using another method of authentication.
The extensions to the TACACS+ protocol provide more types of authentication requests and response codes than were in the original TACACS specification. TACACS+ offers multiprotocol support, such as IP and AppleTalk. Normal TACACS+ operation encrypts the entire body of the packet for more secure communications and utilizes TCP port 49.
RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS works in both local and roaming situations and is commonly used for accounting purposes. RADIUS is currently defined by RFCs 2865, 2866, 2867, and 2868.
The RADIUS protocol hides passwords during transmission, even with the Password Authentication Protocol (PAP), using a rather complex operation that involves Message Digest 5 (MD5) hashing and a shared secret. However, the rest of the packet is sent in plaintext.
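As an added illustration of the password-hiding operation just described (example code written for this section, not taken from the course or from any Cisco product), the following Python implements the RFC 2865 User-Password hiding with a constructed shared secret and Request Authenticator, and assembles the attributes of an Access-Request to show that the User-Name travels as plaintext while only the User-Password is hidden:

```python
import hashlib

# Constructed values for the demonstration only; not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client sends 16 random octets


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password per RFC 2865 section 5.2: null-pad to a multiple of
    16 octets, then XOR each 16-octet block with MD5(secret + previous block),
    where the "previous block" for the first block is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password. The Request Authenticator travels in the clear,
    so the shared secret is the only thing protecting the password."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 octet), Length (1 octet), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    """Attributes of a constructed Access-Request: User-Name (type 1) is sent
    as plaintext; only User-Password (type 2) is hidden."""
    return (attribute(1, username)
            + attribute(2, hide_password(password, secret, authenticator)))
```

Because the Request Authenticator is visible on the wire, the protection of the password rests entirely on the strength and secrecy of the shared secret, while the User-Name and every other attribute are readable by anyone who can observe the RADIUS traffic.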
RADIUS combines authentication and authorization as one process. When a user is authenticated,
