
Cisco AAA TACACS and Password Best Practices


In this article, we examine a configuration template for deploying AAA TACACS+ for administrator access and general password and remote access settings on Cisco switches and routers.

The following configuration has been tested on:

  • Cisco Catalyst C9200L-24P-4X running IOS-XE 16.12.4.
  • Cisco Catalyst WS-C3560CX-8PC-S running IOS 15.2(7)E5.

I had trouble running “password encryption aes” on earlier versions of 15.2, but everything seems to have worked out fine on the version above.

While I will not explain every command individually, I will provide a general result of using each section’s commands before presenting the commands used to achieve this result.

At the bottom of this page, there are links to two whitepapers published by the US National Security Agency (NSA) on best practices for network administrator access, password management, and general security practices for hardening Cisco switches and routers. I highly recommend checking them out.

Some highlighted parameters need configuring to your needs (like IP addresses and passwords), and some parameters can also be tweaked.

General Password Settings

This first configuration section covers some general good practices for managing local passwords.

Most network administrators today use the secret parameter when configuring the Enable password or a local user account’s password on Cisco switches and routers.

To make these passwords harder to crack, use a Type 8 password by adding the “algorithm-type sha256” keyword (PBKDF2 with SHA-256) to the enable secret and username commands, found below. There is also a Type 9 password, configured with “algorithm-type scrypt”, which is also considered very strong. However, as of today’s date (March 2022), scrypt has yet to go through the National Institute of Standards and Technology’s (“NIST”) evaluation process.

These two commands ensure that all secrets entered as plaintext that must remain reversible (like user passwords entered with the “password” keyword, TACACS+ keys, and RADIUS keys) are stored as Type 6 passwords, i.e. AES-encrypted under the master key. These are far stronger than the Type 7 passwords produced by “service password-encryption”, which are trivially decoded. You should still use “algorithm-type sha256” for local usernames and the enable secret, since a one-way hash beats any reversible encryption; the two commands are a safety net for the case where a user password is entered incorrectly with “password” instead of “secret”.

The master key given to “key config-key password-encrypt <master_key>” is not shown in the running-config or startup-config, so write this MASTER KEY down and store it somewhere safe: if the switch/router has to be replaced, the new unit must be given the same master key before a pasted configuration’s Type 6 strings can be decrypted. Without it, every Type 6 key has to be re-entered by hand.
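The section above describes the commands without showing them, so here is an added example of the whole General Password Settings block in the order it should be entered. This is my illustration, not the article’s own template: the username, the placeholder secrets in angle brackets and the ordering notes are assumptions.

```cisco
! Added example, not the article's own template. The username and the
! placeholder secrets in angle brackets are assumptions; replace them.
!
! 1. Create a privilege-15 local account BEFORE "aaa new-model". Once AAA is
!    on, logins fall back to the local database, and an empty one locks you out.
!    Type 8 = PBKDF2-SHA256 ("algorithm-type sha256")
!    Type 9 = scrypt ("algorithm-type scrypt", strong but not NIST-evaluated)
username admin privilege 15 algorithm-type sha256 secret <LocalAdminPassword>
enable algorithm-type sha256 secret <EnablePassword>
!
! 2. Activate AAA (the TACACS+ section later in the article builds on this).
aaa new-model
!
! 3. Type 6 (AES) encryption for secrets that must stay reversible, such as
!    TACACS+/RADIUS shared keys. Order matters: define the master key first,
!    then switch on AES encryption. The master key is NOT written to the
!    running-config or startup-config, so store it offline: a replacement
!    unit needs the same master key before it can decrypt pasted "6 ..." strings.
key config-key password-encrypt <MasterKey>
password encryption aes
!
! 4. Last line of defence: anything still typed with "password" instead of
!    "secret" gets Type 7 obfuscation rather than cleartext. Type 7 is
!    trivially reversible and is no substitute for steps 1 and 3.
service password-encryption
```

After pasting this, “show running-config | include secret” should show the enable secret and username lines with the “8 $8$…” prefix (or “9 $9$…” for scrypt); a TACACS+ or RADIUS key later entered in the clear shows up as “key 6 …”. If any line still shows a “7” type, that password was entered with the “password” keyword and should be re-entered as a secret.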

LINE CON and LINE VTY Configuration

Check your switch/router to see if it has 0-4 or 0-15 or 0-97 VTY Lines.

The newer the hardware, the more VTY Lines are usually available for use. For example, Cisco Catalyst 9K switches have a whopping 0-97 VTY Lines.

You should assign an ACL to limit the source IP networks that can access your switch/router, even if the management interface belongs to a management-only network behind a firewall or similar, since you don’t want a potential attacker to be able to jump from one device to another.
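An added example of the LINE CON and LINE VTY settings discussed above (my illustration, not the article’s template). The management network 192.0.2.0/24, the ACL name, the VTY range 0 15 and the 5-minute idle timeout are assumptions; check “show line” for the VTY range your platform actually has.

```cisco
! Added example, not the article's own template. 192.0.2.0/24, MGMT-ACCESS,
! "line vty 0 15" and the timers are assumptions.
!
! Only the management networks may open a session at all. The explicit
! "deny any log" records every attempt from anywhere else, including lateral
! moves from a compromised device in another segment.
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line con 0
 exec-timeout 5 0
 logging synchronous
!
! Cover EVERY VTY line the box has: 0 4, 0 15 or 0 97 depending on platform.
! A VTY range you leave unconfigured keeps the default "transport input all"
! with no access-class, and that is the line an attacker lands on once the
! lower-numbered lines are busy.
line vty 0 15
 access-class MGMT-ACCESS in
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 transport output none
```

“show line” lists the VTY lines the device has; if it shows more than 0 15, repeat the “line vty” block for the rest of the range (for example “line vty 0 97” on a Catalyst 9K) so that no line is left with the defaults.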



AAA TACACS Configuration


If you haven’t already activated AAA in the General Password Settings above, enter the “aaa new-model” command, then define the TACACS+ servers to send authentication requests to and put them in a server group.

The “single-connection” parameter makes TACACS+ communication between the switch/router and the TACACS server use a single persistent TCP session instead of setting up a new TCP session for every user connecting to the same switch/router. This gives better response times and less overhead. However, I have seen this feature cause issues on some ISE versions, where the network administrator is sometimes not put into Privileged Mode (Enable mode) after logging in. Usually, just opening another SSH/Telnet session fixes the issue for the moment, but feel free to skip “single-connection” if you keep running into this issue way too often.

The “timeout” command states how long to wait for a TACACS server to respond to a request. The default is 5 seconds (which can be changed) for 3 attempts (1 initial + 2 retries; this cannot be changed, to my knowledge). If your TACACS servers become unreachable and the switch falls back to local login credentials, this timeout multiplied by the number of TACACS servers configured is the total delay you will wait between entering a command and the command executing. This applies when per-command authorization is configured. If you do not use per-command authorization (meaning you only use privilege levels for authorization), your commands execute without delay.

! If your switch/router has multiple L3 interfaces and/or VRFs, you may need to use the additional commands below inside “aaa group server tacacs+ TAC-SERVERS” to pin the source interface and VRF used to reach the servers:


What the following configuration will do:

  • Administrators will primarily authenticate against the TACACS servers. Logging in puts the administrator straight into privileged EXEC mode (“enable mode”).
  • You could flip the “group TAC-SERVERS” and “local/enable” parameters of the “aaa authentication…” and “aaa authorization…” commands so that the local user account always works, even while the TACACS servers are up. But then some network administrators may resort to always using the local account (because it always works) instead of their personal accounts backed by the TACACS servers, which defeats the purpose of granular role-based access control with an audit log to show for it. The one upside of flipping the order is that when the TACACS servers go offline, you do not have to wait for the TACACS “timeout” to expire for every command you type, since TACACS no longer has priority over the local accounts.
  • If the TACACS servers are unreachable, authentication falls back to a local username and password, followed by the enable password to get into privileged EXEC mode.
  • Already authenticated administrators can still run commands (thanks to the if-authenticated parameter) if the TACACS servers go down in the middle of their session. Since proper authorization cannot be performed while the TACACS servers are down, a “limited” administrator may in this situation have access to commands they normally cannot use. Be aware of this! While the TACACS servers are unavailable, there is a short delay on every command, because the switch/router first tries to re-establish contact with the TACACS server to verify the command before the “if-authenticated” parameter lets it through.
  • Using the “default” keyword in all these commands applies AAA globally, so no specific configuration is needed on LINE CON/LINE VTY.
  • “aaa authorization console” is an optional command that enables authorization on the console port (LINE CON). It is disabled by default because activating it can lock you out of the router/switch in some scenarios. The upside: when the TACACS server is reachable and you authenticate against it on the console, you are put directly into privileged EXEC mode (the Switch# prompt) without entering the enable password, and every command is logged because every command has to be authorized by the TACACS server. Without this command, a console login always lands at privilege level 1 (the Switch> prompt), where very few commands are available. To reach privileged EXEC mode you must then type “enable” and, while TACACS is reachable, enter your TACACS password rather than the enable password configured on the switch; when TACACS is unreachable, you enter the actual enable password configured on the switch. You could add “privilege level 15” under “line con 0” to always drop console users into privilege level 15 (every command available right after login), but that should be considered a security risk. The only annoying side effect of “aaa authorization console” appears when the switch cannot reach the TACACS server and you authenticate on the console with the local username/password: the switch then tries to reach the TACACS server for every command you type, so each command takes a few seconds while that attempt times out before falling back to “local” authorization. Annoying as this delay is, I believe this command should always be part of your standard configuration templates for security and audit reasons.
  • In the first “aaa authentication” command below, you can replace the trailing “local” with “enable” if you keep no local usernames and want to fall back to the enable password alone when the TACACS servers are unreachable.

Messing with AAA commands on live switches can often be tricky, but the order of the commands below should allow you to paste them into a live switch without running into authorization issues mid-configuration, as the commands change the behavior of the switch as they are entered. Do note, the commands below will be in a different order in the running-config once they have all been entered into the switch.

After you have entered these commands either via SSH/Telnet or the Console port, you will need to quit your current session and establish a new session, which will then use the TACACS servers for authentication.

If you have not yet set “exec-timeout 5 0” or similar on your console line and plan to use the console to enter the commands below, I recommend doing that first, so that a console session that gets “stuck” with authorization errors is disconnected after 5 minutes of inactivity (see the earlier section). Better still, configure the switch via SSH/Telnet instead, since then you only need to close the connection to terminate the session.

! The following command is optional but highly recommended; see the explanation above!

! If you decided to use “aaa authorization console” and are configuring your switch offline via the console port, log out before typing in the following commands. Otherwise you can run into “% Authorization failed.” errors once the “aaa authorization…” commands are entered: they enable authorization while you are still in a kind of unauthenticated state, because on a freshly booted switch with no authentication/authorization methods active you were never asked to log in.

! Log out of the switch:

! Press enter and log in again to get properly authenticated, then enter the commands below:

! If you are assigning both a Privilege Level and want to perform Authorization for specific commands on your TACACS-server (which is generally the recommended setup), use the commands below:

! If you are assigning a Privilege Level but do NOT want to perform Authorization for specific commands (not recommended), use the commands below:
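The AAA TACACS section above describes the server, authentication, authorization and accounting commands and the order they must be pasted in, but the commands themselves are not on the page. The following is an added example of the complete sequence as I would write it; it is not the article’s template. The server names ISE-1/ISE-2, the 192.0.2.10/.11 addresses, the MGMT VRF, the Vlan100 source interface, the placeholder shared secret and the accounting lines are assumptions.

```cisco
! Added example, not the article's own template. Server names, addresses,
! the MGMT VRF, Vlan100 and <TacacsSharedSecret> are assumptions.
! Paste in THIS order on a live box: authentication first, re-login, then
! authorization. The running-config will reorder the lines afterwards.
!
! --- TACACS+ servers and server group -----------------------------------------
tacacs server ISE-1
 address ipv4 192.0.2.10
 key <TacacsSharedSecret>
 single-connection
 timeout 5
tacacs server ISE-2
 address ipv4 192.0.2.11
 key <TacacsSharedSecret>
 single-connection
 timeout 5
!
aaa group server tacacs+ TAC-SERVERS
 server name ISE-1
 server name ISE-2
 ! Only when the servers sit behind a VRF / must be reached from one SVI:
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan100
!
! --- Authentication: TACACS+ first, local/enable only if no server answers ---
! Replace the trailing "local" with "enable" if you keep no local usernames.
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
!
! >>> If you came in through the console on a fresh box, log out and log back
! >>> in HERE, so the session that enters the authorization lines is itself
! >>> authenticated. Otherwise expect "% Authorization failed." below.
!
! --- Authorization -------------------------------------------------------------
! Optional but recommended: authorize console sessions too (slower commands
! while the servers are unreachable, see the text).
aaa authorization console
! Exec authorization: the server returns priv-lvl=15, so a successful login
! lands in privileged EXEC mode. "if-authenticated" keeps an admin who is
! already logged in working if the servers go down mid-session.
aaa authorization exec default group TAC-SERVERS if-authenticated
! Recommended: per-command authorization on the server. Leave these three
! lines out for the "privilege level only" variant (not recommended).
aaa authorization commands 1 default group TAC-SERVERS if-authenticated
aaa authorization commands 15 default group TAC-SERVERS if-authenticated
aaa authorization config-commands
!
! --- Accounting (assumed addition): without it the server has no audit trail --
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 1 default stop-only group TAC-SERVERS
aaa accounting commands 15 default stop-only group TAC-SERVERS
```

Before closing the session you pasted this from, open a second SSH session and confirm that a TACACS+ login lands at the Switch# prompt and that “show tacacs” reports the servers as reachable; only then disconnect the original session. Keep the local account from the General Password Settings section in place, since it is the only way back in when both servers are unreachable.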

SSH Configuration

The following settings are general configuration steps for setting up SSH access to your switch/router and tweaking some timeout/retries parameters to protect your network device from DoS attacks.

The “crypto key…” and “ip ssh server algorithm…” commands at the bottom of this section generate a strong host key and restrict the SSH server to stronger ciphers, MACs and key-exchange algorithms for protecting your SSH sessions.

Depending on your switch/router model and IOS/IOS-XE version, you might need to change some of these values, but know that the values below give strong encryption, so stay as close to them as your platform allows.

The “aaa authentication attempts login 3” and “ip ssh authentication-retries 2” commands may look very similar, but the first is an AAA-wide limit on login attempts per session for any line that uses AAA login (console included), while the second applies only to SSH. Note that the SSH command says “retries”, so setting this parameter to 2 means 3 login attempts in total.

The “logging buffered 16777216 informational” command increases the local logging buffer to 16 MB, which should be plenty.

Access to the administrative web interface on switches and routers is rarely needed, but if you do want it, use the commands below to allow HTTPS only, enforce a minimum TLS version (this might only work on newer/higher-end platforms such as the Catalyst 9K series), and protect access with an ACL and AAA authentication.
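An added example of the SSH, login-hardening, logging and HTTPS settings discussed in this section (my illustration, not the article’s template). The domain name, the key-pair label, the ACL number 10 with its 192.0.2.0/24 network, the “login block-for” lines and the exact algorithm lists are assumptions; the algorithm keywords in particular differ between IOS 15.2E and IOS-XE 16/17, so use “ip ssh server algorithm ?” to see what your image offers.

```cisco
! Added example, not the article's own template. example.net, SSH-KEY, ACL 10,
! the algorithm lists and the "login block-for" lines are assumptions.
!
! --- Host key and SSHv2 --------------------------------------------------------
ip domain-name example.net
crypto key generate rsa modulus 4096 label SSH-KEY
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096
!
! --- Brute-force / DoS limits ----------------------------------------------------
! An unauthenticated SSH negotiation may take at most 60 seconds ...
ip ssh time-out 60
! ... and gets 1 + 2 = 3 password attempts before the connection is dropped.
ip ssh authentication-retries 2
! AAA-wide limit per session, applies to any line using AAA login.
aaa authentication attempts login 3
! Added beyond the article: quiet period of 120 s after 3 failures in 60 s,
! and a syslog line for every failed and successful login.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! --- Algorithms: drop CBC ciphers, SHA-1 MACs and 1024-bit DH ---------------------
! (kex list requires IOS-XE 16.x or later; omit on 15.2E if not accepted)
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
ip ssh logging events
!
! --- Local log buffer: 16 MB, informational and above ------------------------------
logging buffered 16777216 informational
!
! --- Web UI: only if you really need it ---------------------------------------------
access-list 10 permit 192.0.2.0 0.0.0.255
no ip http server
ip http secure-server
ip http tls-version TLSv1.2
ip http authentication aaa
ip http access-class 10
```

After applying this, “show ip ssh” confirms the version, timeout, retry count and the algorithm lists that are actually in effect; a client that offers only CBC ciphers or an SHA-1 MAC should now fail the negotiation rather than connect.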
