Introduction
In this article, we examine a configuration template for deploying AAA TACACS+ for administrator access and general password and remote access settings on Cisco switches and routers.
The following configuration has been tested:
- Cisco Catalyst C9200L-24P-4X running IOS-XE 16.12.4.
- Cisco Catalyst WS-C3560CX-8PC-S running IOS 15.2(7)E5.
I had trouble running “password encryption aes” on earlier versions of 15.2, but everything seems to have worked out fine on the version above.
While I will not explain every command individually, I will describe the overall effect of each section’s commands before presenting the commands used to achieve that result.
At the bottom of this page, there are links to two whitepapers published by the US National Security Agency (NSA) on best practices for network administrator access, password management, and general security practices for hardening Cisco switches and routers. I highly recommend checking them out.
Some parameters (such as IP addresses and passwords) must be set to match your environment, and others can be tuned to your needs.
General Password Settings
This first configuration section covers some general good practices for managing local passwords.
Most network administrators today use the secret parameter when configuring the Enable password or a local user account’s password on Cisco switches and routers.
While the secret keyword stores the password as a hash, the default hash is weak by modern standards and can be cracked with tools commonly found on the internet.
To make these passwords more secure, use a Type 8 password via the algorithm-type command shown below. A Type 9 password is also available via the algorithm-type scrypt command and is also considered very strong; however, as of this writing (March 2022), that algorithm has yet to go through the National Institute of Standards and Technology’s (“NIST”) evaluation process.
The “key config-key password-encrypt” and “password encryption aes” commands ensure that all keys and passwords entered as plaintext (such as TACACS keys, RADIUS keys, and user passwords configured with the “password” keyword) are stored as Type 6 (AES-encrypted) passwords. These are far better than the Type 7 passwords produced by “service password-encryption”, which are easily decoded. You should still use “algorithm-type sha256” for local usernames, but these two commands give you some protection if a user password is accidentally entered with “password” instead of “secret”.
The master key given to “key config-key password-encrypt <master_key>” does not appear in the running-config or startup-config. Record this MASTER KEY somewhere safe: if the switch/router has to be replaced, you need it when pasting the configuration back into the new unit, because the Type 6 passwords cannot be decrypted without it!
enable algorithm-type sha256 secret DISCO123!
key config-key password-encrypt MY_MASTER_KEY
password encryption aes
service password-encryption
aaa new-model
aaa common-criteria policy PW_POLICY
char-changes 6
max-length 36
min-length 12
numeric-count 4
special-case 3
exit
username netadmin privilege 15 common-criteria-policy PW_POLICY algorithm-type sha256 secret C15CODISCO123!
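As an added example that is not part of the article, the following Python function mirrors the PW_POLICY values above so you can test candidate passwords before assigning them to a “username … common-criteria-policy PW_POLICY” account. Two modelling assumptions are mine, not Cisco’s: special characters are taken to be ASCII punctuation, and char-changes is counted as differing positions plus any length difference. Note that the template’s sample secret C15CODISCO123! contains only one special character, so it does not satisfy special-case 3 as the policy is written.

```python
import string

# Mirrors the values of the article's "aaa common-criteria policy PW_POLICY" block.
PW_POLICY = {
    "min-length": 12,
    "max-length": 36,
    "numeric-count": 4,
    "special-case": 3,
    "char-changes": 6,
}

# Assumption: ASCII punctuation counts as "special" characters.
SPECIAL_CHARS = set(string.punctuation)


def count_char_changes(old, new):
    """Assumed model of char-changes: differing positions plus any length difference."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(candidate, policy=PW_POLICY, old_password=None):
    """Return the list of policy rules the candidate violates; an empty list means it conforms."""
    violations = []
    length = len(candidate)
    if length < policy["min-length"]:
        violations.append(f"min-length: {length} < {policy['min-length']}")
    if length > policy["max-length"]:
        violations.append(f"max-length: {length} > {policy['max-length']}")
    digits = sum(ch.isdigit() for ch in candidate)
    if digits < policy["numeric-count"]:
        violations.append(f"numeric-count: {digits} < {policy['numeric-count']}")
    specials = sum(ch in SPECIAL_CHARS for ch in candidate)
    if specials < policy["special-case"]:
        violations.append(f"special-case: {specials} < {policy['special-case']}")
    if old_password is not None:
        changed = count_char_changes(old_password, candidate)
        if changed < policy["char-changes"]:
            violations.append(f"char-changes: {changed} < {policy['char-changes']}")
    return violations


if __name__ == "__main__":
    # Two sample values from the template plus one constructed password that conforms.
    for pw in ["DISCO123!", "C15CODISCO123!", "Sw1tch-Adm1n#2024!"]:
        print(pw, "->", check_password(pw) or "conforms")
    # A rotation that changes a single character is rejected by char-changes.
    print(check_password("Sw1tch-Adm1n#2025!", old_password="Sw1tch-Adm1n#2024!"))
```

The policy only applies to accounts created with the common-criteria-policy keyword; the enable secret is not checked by it, which is why checking it here is a useful pre-flight step rather than a substitute for the IOS enforcement.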
LINE CON and LINE VTY Configuration
Check your switch/router to see if it has 0-4 or 0-15 or 0-97 VTY Lines.
The newer the hardware, the more VTY Lines are usually available for use. For example, Cisco Catalyst 9K switches have a whopping 0-97 VTY Lines.
You should assign an ACL to limit the source IP networks that can access your switch/router, even if the management interface belongs to a management-only network behind a firewall or similar, since you don’t want a potential attacker to be able to jump from one device to another.
FOR LAYER 2 SWITCH OR ROUTER (USING GLOBAL ROUTING TABLE)
line con 0
exec-timeout 5 0
logging synchronous
line vty 0 97
exec-timeout 5 0
transport input ssh
transport output none
transport preferred none
access-class ACL-ID/NAME in
FOR LAYER 3 SWITCH OR ROUTER WITH MULTIPLE VRF RUNNING
line con 0
exec-timeout 5 0
logging synchronous
line vty 0 97
exec-timeout 5 0
transport input ssh
transport output none
transport preferred none
access-class ACL-ID/NAME in vrf-also
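As an added example that is not part of the article, the following Python script audits a saved “show running-config” text for what this section and the General Password Settings section ask for: credential lines still stored as Type 0, 5 or 7 (instead of Type 6, 8 or 9), and VTY line blocks missing an exec-timeout, an inbound access-class, or an SSH-only transport. The sample configuration, its hostname, ACL name and hash strings are constructed placeholders, and the verdict wording per password type code is my own.

```python
import re

# Constructed sample of "show running-config" output; hashes and the Type 6 blob are placeholders.
SAMPLE_CONFIG = """\
hostname LAB-SW1
enable secret 5 $1$PLACEHOLDER$md5hashgoeshere
username oldadmin password 7 0822455D0A16
username netadmin privilege 15 secret 8 $8$PLACEHOLDER$pbkdf2hashgoeshere
tacacs server TAC-SERVER-1
 address ipv4 10.10.10.101
 key 6 PLACEHOLDER_TYPE6_BLOB
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 access-class MGMT-ACL in
 transport input ssh
line vty 5 15
 transport input all
"""

# Verdict per IOS password type code ("0" here also covers lines with no type code at all).
VERDICTS = {
    "0": "plaintext",
    "4": "broken (unsalted SHA-256, deprecated by Cisco)",
    "5": "weak (MD5-based)",
    "6": "AES-encrypted with the master key (acceptable)",
    "7": "reversible obfuscation (trivial to decode)",
    "8": "strong (PBKDF2-SHA-256)",
    "9": "strong (scrypt)",
}
WEAK_TYPES = {"0", "4", "5", "7"}
CRED_RE = re.compile(r"\b(secret|password|key)\s+(?:(\d)\s+)?\S+")


def parse_sections(config_text):
    """Group indented sub-commands under their parent line, the way IOS prints a running-config."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_credentials(config_text):
    """One finding per credential-bearing line: (line, type code, verdict)."""
    findings = []
    for header, children in parse_sections(config_text):
        candidates = []
        if header.startswith(("enable ", "username ")):
            candidates.append(header)
        if header.startswith(("tacacs server", "radius server")):
            candidates += [c for c in children if c.startswith("key ")]
        for line in candidates:
            m = CRED_RE.search(line)
            if m:
                code = m.group(2) or "0"
                findings.append((line, code, VERDICTS.get(code, "unknown type")))
    return findings


def weak_credentials(config_text):
    return [f for f in audit_credentials(config_text) if f[1] in WEAK_TYPES]


def audit_vty_lines(config_text):
    """Check each 'line vty' block for the three controls the template applies."""
    findings = {}
    for header, children in parse_sections(config_text):
        if not header.startswith("line vty"):
            continue
        issues = []
        if not any(c.startswith("exec-timeout") for c in children):
            issues.append("exec-timeout not set (IOS default is 10 minutes)")
        if not any(re.match(r"access-class \S+ in", c) for c in children):
            issues.append("no inbound access-class ACL")
        if [c for c in children if c.startswith("transport input")] != ["transport input ssh"]:
            issues.append("transport input not restricted to ssh")
        findings[header] = issues
    return findings


if __name__ == "__main__":
    for line, code, verdict in weak_credentials(SAMPLE_CONFIG):
        print(f"[type {code}] {verdict}: {line}")
    for block, issues in audit_vty_lines(SAMPLE_CONFIG).items():
        print(block, "->", issues or "OK")
```

Run it against a backup of each device’s running-config; an entry in the second VTY range (the “line vty 5 15” style leftovers the section above warns about) with no ACL and “transport input all” is exactly the gap a source-restricted management network is meant to close.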
AAA TACACS Configuration
CONFIGURE AAA TACACS+ SERVERS
If you haven’t already activated AAA configuration in the General Password Settings above, use the “aaa new-model” command and then define the TACACS+ servers to send authentication requests to, and then put them in a Server Group.
The “single-connection” parameter enables TACACS+ communication between the switch/router and the TACACS server to occur within a single TCP session instead of setting up new TCP sessions for every user connecting to the same switch/router. This contributes to better response times and less overhead. However, I have seen this feature cause issues on some ISE versions, where the network administrator is sometimes not put into Privileged Mode (Enable mode) after logging in. Usually, just opening another SSH/Telnet session fixes the issue for the moment, but feel free to skip “single-connection” if you keep running into this issue way too often.
The “timeout” command states how long to wait for the TACACS server to respond to a request. The default value is 5 seconds (which can be changed) for 3 attempts (1 initial + 2 retries; this cannot be changed, to my knowledge). If your TACACS server becomes unreachable and your switch falls back to local login credentials, this timeout period times the number of TACACS servers configured will be the amount of total timeout time you will have to wait between entering a command and the command being executed. This applies when you have per-command authorization configured. If you do not use per-command authorization (meaning you are only using Privilege Levels for authorization), then there will be no delay in your commands’ execution.
aaa new-model
tacacs server TAC-SERVER-1
address ipv4 10.10.10.101
key DISCO123!
timeout 1
! single-connection
tacacs server TAC-SERVER-2
address ipv4 10.10.10.102
key DISCO123!
timeout 1
! single-connection
aaa group server tacacs+ TAC-SERVERS
server name TAC-SERVER-1
server name TAC-SERVER-2
! If your switch/router has multiple L3 interfaces and/or VRFs, you may need to use the additional commands below inside “aaa group server tacacs+ TAC-SERVERS”:
aaa group server tacacs+ TAC-SERVERS
ip vrf forwarding MGMT
ip tacacs source-interface Loopback0
CONFIGURE AUTHENTICATION/AUTHORIZATION/ACCOUNTING
What the following configuration will do:
- Administrators will primarily authenticate against TACACS-servers. Logging in will put the Administrator straight into privileged EXEC mode (“enable mode”).
- While you could flip the “group TAC-SERVERS” and “local/enable” parameters in the “aaa authentication…” and “aaa authorization…” commands so that the local user account always works even when the TACACS servers are up and running, this means some network administrators might resort to always using the local user account (because it will always work) instead of their own personal user accounts on the TACACS-servers backend, which defeats the purpose of having granular role-based access control with an audit log to show for it. However, one upside of flipping these parameters is that if the TACACS servers go offline, you would not have to wait for the TACACS server “timeout” period to expire for each command you type, since TACACS would no longer have priority over local user accounts.
- If TACACS servers are unreachable, authenticate using a Local username and password, followed by the Enable password to get into privilege EXEC mode.
- Already authenticated administrators can still run commands (due to the if-authenticated parameter) if the TACACS servers go down in the middle of their active session. Since proper Authorization cannot be performed while the TACACS servers are down, there could be situations in which a “limited” administrator has access to commands they normally cannot use. Be aware of this! While the TACACS servers are unavailable, there will be a short delay when running commands because the switch/router tries to re-establish contact with the TACACS server to verify the command before falling back to allowing it thanks to the “if-authenticated” parameter.
- By using the “default” keyword in all these commands, AAA is applied globally and does not need specific configuration on LINE CON/LINE VTY.
- aaa authorization console is an optional command that enables Authorization on the Console port (LINE CON). This feature is disabled by default because activating it could lock you out of the router/switch in some scenarios. The upside of using this command is that when your TACACS server is up and running and you authenticate against it when connecting to the Console port, you are put directly into privileged EXEC mode (the Switch# prompt) without entering the Enable password, and all commands are logged because each of them has to be authorized by the TACACS server. Suppose you do not use this command and authenticate using TACACS when connecting to the Console port. In that case, you will have to type the “enable” command and enter your TACACS password to get into privileged EXEC mode, not the actual Enable password configured on the switch. Also, if you do not use this command, connecting to the Console port will always put you at Privilege Level 1 (the Switch> prompt), where there are very few commands you can use; to reach privileged EXEC mode you must type the “enable” command and enter the actual Enable password configured on the switch. While you could add the command “privilege level 15” under “line con 0” to always put the user into Privilege Level 15 (which makes it possible to use any command after logging in), this should be considered a security risk. The only annoying side effect of using the “aaa authorization console” command appears when your switch cannot reach the TACACS server and you authenticate using the local username/password to get access to the Console port: the switch will then try to reach the TACACS server every time you type in a command, making every command take a few seconds to get through, since the switch’s attempt to reach the TACACS server has to time out before it falls back to “local” authorization.
Annoying as this delay is, I believe this command should always be part of your standard configuration templates for security and audit reasons.
- In the first command below, you can change “local” to “enable” at the end of the command if you want to log in using only the Enable password when the TACACS servers are unreachable and you do not use any local usernames and passwords.
Messing with AAA commands on live switches can often be tricky, but the order of the commands below should allow you to paste them into a live switch without running into authorization issues mid-configuration, as the commands change the behavior of the switch as they are entered. Do note, the commands below will be in a different order in the running-config once they have all been entered into the switch.
After you have entered these commands either via SSH/Telnet or the Console port, you will need to quit your current session and establish a new session, which will then use the TACACS servers for authentication.
Suppose you have not yet set up “exec-timeout 5 0” or similar on your Console Line and plan to use it to enter the command below. In that case, I recommend doing that first to avoid your Console session getting “stuck” with Authorization errors. The “exec-timeout 5 0” command should disconnect the Console session after 5 minutes of inactivity. See more on this configuration in the earlier section. Because of this, I recommend configuring your switches using SSH/Telnet instead, as you only need to close the connection to terminate the session.
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 0 default start-stop group TAC-SERVERS
aaa accounting commands 1 default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
aaa authorization config-commands
! The following command is optional but highly recommended; see the explanation above!
aaa authorization console
! If you decided to use “aaa authorization console” and are configuring your switch offline via the Console port, log out before typing in the following commands. Otherwise you can run into “% Authorization failed.” errors once the “aaa authorization…” commands are entered, because authorization becomes active while you are still in a kind of “unauthenticated” state: you did not have to log into the switch the first time you booted it, you simply got in because no authentication/authorization methods were activated.
! Log out of the switch:
end
exit
! Press enter and log in again to get properly authenticated, then enter the commands below:
! If you are both assigning a Privilege Level and performing Authorization for specific commands on your TACACS server (which is generally the recommended setup), use the commands below:
aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 0 default group TAC-SERVERS local if-authenticated
aaa authorization commands 1 default group TAC-SERVERS local if-authenticated
aaa authorization commands 15 default group TAC-SERVERS local if-authenticated
! If you are assigning a Privilege Level but do NOT want to perform Authorization for specific commands (not recommended), use the commands below:
aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 0 default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default if-authenticated
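The bullets above describe how a method list such as “group TAC-SERVERS local if-authenticated” behaves when the servers are up, when they are down, and when the order is flipped. As an added example that is not part of the article, the following Python simulation applies the IOS rule that a later method is consulted only when the previous one returns no answer (an ERROR such as an unreachable server), while an explicit PASS or FAIL ends the evaluation. The Scenario class, the per-server wait of timeout × number of servers (the article’s own estimate), and the treatment of an unknown local user as “no answer” are modelling assumptions of mine, not IOS internals.

```python
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Scenario:
    """Constructed inputs for one authorization request (hypothetical, for the simulation only)."""
    user: str
    authenticated: bool           # the session has already passed authentication
    tacacs_reachable: bool
    tacacs_verdict: str = PASS    # what the TACACS+ server would answer if reachable
    local_users: frozenset = frozenset()  # usernames present in the local database
    timeout: float = 1.0          # "timeout" per server, as set in the template
    servers: int = 2              # number of servers in the TAC-SERVERS group


def run_method(method, sc):
    """Outcome of a single method: (PASS | FAIL | ERROR, seconds spent waiting)."""
    if method.startswith("group "):
        if not sc.tacacs_reachable:
            # Each server in the group times out before the next one is tried.
            return ERROR, sc.timeout * sc.servers
        return sc.tacacs_verdict, 0.0
    if method == "local":
        # Assumed model: the local database answers only for users it knows; an unknown
        # user yields no answer (ERROR), so the next method is consulted.
        return (PASS if sc.user in sc.local_users else ERROR), 0.0
    if method == "if-authenticated":
        return (PASS if sc.authenticated else FAIL), 0.0
    if method == "none":
        return PASS, 0.0
    raise ValueError(f"unknown method: {method}")


def authorize(method_list, sc):
    """Walk the method list as IOS does: fall through only on ERROR.
    Returns (final result, total seconds waited, trail of (method, result))."""
    waited = 0.0
    trail = []
    for method in method_list:
        result, delay = run_method(method, sc)
        waited += delay
        trail.append((method, result))
        if result != ERROR:
            return result, waited, trail
    return FAIL, waited, trail  # every method returned ERROR: the request is denied


TEMPLATE_LIST = ["group TAC-SERVERS", "local", "if-authenticated"]  # order used in the template
FLIPPED_LIST = ["local", "group TAC-SERVERS"]                        # order the article warns about


if __name__ == "__main__":
    cases = {
        "limited admin, servers up, command denied by TACACS": Scenario("limited", True, True, FAIL),
        "limited admin, servers down": Scenario("limited", True, False),
        "netadmin (local account), servers down": Scenario(
            "netadmin", True, False, local_users=frozenset({"netadmin"})),
    }
    for name, sc in cases.items():
        result, waited, trail = authorize(TEMPLATE_LIST, sc)
        print(f"{name}: {result} after {waited:.0f}s via {trail}")
    # With the flipped order the local account never touches TACACS, so nothing is accounted there.
    sc = Scenario("netadmin", True, True, local_users=frozenset({"netadmin"}))
    print("flipped order, servers up:", authorize(FLIPPED_LIST, sc))
```

The second case is the one the bullets warn about: with the servers down, the limited admin’s command is allowed by “if-authenticated” after a 2-second wait, so the only remaining control is the authentication that already happened.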
SSH Configuration
The following settings are general configuration steps for setting up SSH access to your switch/router and tweaking some timeout/retries parameters to protect your network device from DoS attacks.
The “ip ssh server…” and “crypto key…” commands at the bottom of this section will activate stronger encryption algorithms for protecting your SSH sessions.
Depending on your switch/router model and IOS/IOS-XE version, you might need to change some of these values on your own, but know that the values below provide really strong encryption, so try to mimic them.
The “aaa authentication attempts 3” and “ip ssh authentication-retries 2” commands may sound very similar to each other, but the first one is for console port access and the other one is for SSH access. Do note that the SSH command says “retries”, so setting this parameter to 2 means 3 login attempts in total.
The “logging buffered 16777216 informational” command increases local logging storage to 16 MB, which should be plenty enough.
login on-failure log
login on-success log
login delay 1
logging buffered 16777216 informational
aaa authentication attempts login 3
ip domain name yourCompany.com
ip ssh source-interface Loopback0
ip ssh version 2
ip ssh logging events
ip ssh authentication-retries 2
ip ssh dh min size 4096
! SSH algorithms used below may vary depending on your IOS/IOS-XE version
ip ssh server algorithm publickey rsa-sha2-512 ecdsa-sha2-nistp384
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp521
! Generate a strong key for use with SSH, either using the RSA or ECC command below
crypto key generate rsa modulus 4096
crypto key generate ec keysize 384
HTTP and HTTPS CONFIGURATION
Access to the administrative web interface on switches and routers is rarely needed, but if you do want it, use the commands below to allow only HTTPS connections, enforce a newer TLS version (this might only work on higher-end/newer switches like the Catalyst 9K series), and protect the access with an ACL and AAA authentication.
no ip http server
ip http authentication aaa
ip http secure-server
ip http tls-version TLSv1.2
ip http access-class ipv4 ACL-ID/NAME
ip http max-connections 3