cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4937
Views
15
Helpful
12
Replies

1841 and 3560: Console/Enable/VTY passwords

sammycbmi
Level 1
Level 1

                   Something I don't understand. I've read plenty on enable and console passwords and VTY passwords.

We have a 1841 router and a 3560 switch that used to be managed by our Voip provider via a dedicated T-1 to their site. We now have an unmanaged T-1 to our T-1 and therefore manage our switch and router. Our VOIP provider used AAA to manage usernames I believe. We do not.  Therefore we log on via Telnet/SSH or the console to manage both devices at our site.

1. Logging onto the router via the router via console or Telnet (putty) I dont have to use a username.  The password is the same using either method. Additionally when I type "enable" to go to enable mode it goes to enable mode without reprompting for a password. If I change the enable secret password is seems to "sync" the console password automatically. I do not understand that. Here's the snippets of my config related. I've changed the enables secret and other passwords I've put here.

enable secret 5 dflsdkjflsdjflsdjf77ZWgo/sdsB3EO/

aaa new-model

line con 0

exec-timeout 0 0

password 7 1325154A2A5853010227

transport preferred none

line aux 0

line vty 0 4

access-class 5 in

password 7 132D585D5E5564620D19130C

transport preferred none

transport input all

2. Logging onto the switch via the console I don't have to use a username but via SSH I do have to use a username. The only username to use is "cisco". I don't see this anywhere in the switch config. Is this a default?  If I change the enable secret password is seems to "sync" the console password automatically. I do not understand that. Here's the snippets of my config related. I've changed the enables secret and other passwords I've put here.

enable secret 5 sdffsdfsdfsdfsdfsDjAsdsazApT00

aaa new-model

line con 0

line vty 5 15

1 Accepted Solution

Accepted Solutions

Hi,

aaa authentication login default group tacacs+ enable

What this means is use tacacs+ first and if the tacacs server is unavailable then use the enable password

As you have no more the IP address of the tacacs server it can't contact it and it uses the fallback method, if you want it to use local user/password  then you can do following:

no aaa authentication login default group tacacs+ enable

aaa authentication login default local enable

or

no aaa new-model

line vty

login local

or

aaa authentication VTY_LINE local enable

line vty 0 15

login authentication VTY_LINE

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

12 Replies 12

sammycbmi
Level 1
Level 1

I found the following in the documentation related to routers at least. Is the line I have bolded mean that the router or switch will automatically use the enable password when you SSH? This would explain at least me using the enable password when I SSH to the switch.

First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and password "cisco."

Also does the aaa-new-model explain some of this even though I have a bunch of aaa statements in both router and switch configs.

Hi Sam,

Originally Authentication was built in per feature, for example, VTY passwords could be explicilty configured or you could use the LOCAL AAA DB for authentication.  Then Cisco released the aaa new-model which aligned with the AAA methodology built into the ASA's and other security devices. 

When aaa new-model is enabled you also have to accompany it with how you will use the aaa features.

I.E.

aaa authentication ssh LOCAL (Using Local database, or explicitly configured usernames on that devices)

aaa authenticaiton ssh TACACS LOCAL (This will use a TACACS (ACS Servers) first, and then fail to the LOCAL database)

Without seeing your configuration my assumption would be the there are no configurations for

aaa authentication telnet

aaa authentication console

Typically I will configure centralized Authentication and Accounting using Windows NPS '08 with RADIUS or Cisco ACS with TACACS (with Authorization, *Authorization is not supported with RADIUS).

The initial conifgurations may be missing the step to remove telnet connectivity and unautorized console access without credentials.  My normal configurations will only allow VTY input of SSH and all Console sessions must use RADIUS/TACACS with a failback of the LOCAL DB.

If you want to learn more about how to secure the Cisco IOS I highly recommend the CBT Nuggest CCNA Security videos.

Thanks.

Our VOIP provider had set up AAA using TACAS+.  However we do not use TACAS or RADIAS.  The lines still exist. I've been doing some reading and it appears I can install IAS from MIcrosoft which is a RADIUS server that will authenticate with Active Directory.  Here are the lines in the config for our 3560 and 1841. No other lines related to AAA or TACACS exist. There used to be a line that listed the TACACS server ip address but I removed that when we started to manage our own equipment. The router also specific the radius server source ports but I'm guessing radius wasnt even used by looking below. Looks like TACACS was correct?

aaa new-model

!

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default none

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

!

!

aaa session-id common

Hey Sam.

The VOIP company was using TACACS and when you removed the IP to the server you would have forced the configuration to null any TACACS configurations. 

You could modify the following

aaa auth login default local

optionally

aaa auth login default local enable [enable keyword will use the enable password for all authentication]

other options would be to completely remove aaa new-model which would put authentication back to the legacy model.

Lastly, Windows IAS was the old feature within Windows Server 2003.  The new configuration is a Role within Windows 2008/2012 called Network Policy Server (NPS), which does allow for RADIUS Auth/Acct.  The link below is a good tutorial of how to set it up.

http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Just be careful when modifying the authenitcation attributes, make sure if you dont have console access to leave the one session open and always try to authenticate with a new session after each change.  Learned that one the hard way a few times

Hope this helps.

Is the line "aaa authentication enable default none" the one that causes the enable password to be used for all login passwords?

I ask this going back to my question that whenever I login to the switch or router I use the enable password for everything. There is no line or console passwords set up on the switch at least that I see in the config.  However on the router I see a password set up for the console and line. But I don't know what these are and never have to use them. I only use the enable password. Is this because of the above line?

So if I add the enable in the option you mention secondly that means I'll be exactly like I am now or does it mean the enable password will be prompted for after the user enters a login password and then they type enable?     

Yes, thats exactly what causes the Enable or Secret to be bypassed. 

So therefore this line, which I'm guessing causes use of logins authenticated by TACACS, (not sure what enable on the end does in this case), is completely negated and therefore login of any kind?

aaa authentication login default group tacacs+ enable

In affect the AAA lines I listed above the only lines that are looked at are the below lines which are the only ones without the tacacs+ keyword?

aaa new-model

!

!

aaa authentication enable default none

aaa accounting send stop-record authentication failure

!

!

!

aaa session-id common

Hi,

aaa authentication login default group tacacs+ enable

What this means is use tacacs+ first and if the tacacs server is unavailable then use the enable password

As you have no more the IP address of the tacacs server it can't contact it and it uses the fallback method, if you want it to use local user/password  then you can do following:

no aaa authentication login default group tacacs+ enable

aaa authentication login default local enable

or

no aaa new-model

line vty

login local

or

aaa authentication VTY_LINE local enable

line vty 0 15

login authentication VTY_LINE

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Nick,

So usually in a Windows environment you're using RADIUS? I could put up a RADIUS server since it's part of Windows (just add the feature) or use a free TACACS server.  I don't personally think I see a need for another piece of software to manage for something like this since only 1-2 admins logging into the Cisco devices. However I'm guessing going the RADIUS route (no pun intended) is more secure then storing a login password (since it's at level 7) in the config file.

Hi,

username bob secret cisco, here the password(cisco) will be hashed using MD5, of course it is always safer to use an external device for authentication but if your password is strong enough it should take a lot of times to crack it provided someone could obtain the hashed password.For authentication/accounting RADIUS is a good solution but for exec authorization a TACACS server is the choice.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Is RADIUS or TACACS usually used when you have potentially lots of users logging onto a router or switch? Or even in situations where you have 1-2 users are these beneficial?

Hi,

With only a few users I wouldn't use an external authentication server but that's a personnal point of view.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card