Hi Sam,

Originally Authentication was built in per feature, for example, VTY passwords could be explicilty configured or you could use the LOCAL AAA DB for authentication.  Then Cisco released the aaa new-model which aligned with the AAA methodology built into the ASA's and other security devices. 

When aaa new-model is enabled you also have to accompany it with how you will use the aaa features.

I.E.

aaa authentication ssh LOCAL (Using Local database, or explicitly configured usernames on that devices)

aaa authenticaiton ssh TACACS LOCAL (This will use a TACACS (ACS Servers) first, and then fail to the LOCAL database)

Without seeing your configuration my assumption would be the there are no configurations for

aaa authentication telnet

aaa authentication console

Typically I will configure centralized Authentication and Accounting using Windows NPS '08 with RADIUS or Cisco ACS with TACACS (with Authorization, *Authorization is not supported with RADIUS).

The initial conifgurations may be missing the step to remove telnet connectivity and unautorized console access without credentials.  My normal configurations will only allow VTY input of SSH and all Console sessions must use RADIUS/TACACS with a failback of the LOCAL DB.

If you want to learn more about how to secure the Cisco IOS I highly recommend the CBT Nuggest CCNA Security videos.

Thanks.

Our VOIP provider had set up AAA using TACAS+.  However we do not use TACAS or RADIAS.  The lines still exist. I've been doing some reading and it appears I can install IAS from MIcrosoft which is a RADIUS server that will authenticate with Active Directory.  Here are the lines in the config for our 3560 and 1841. No other lines related to AAA or TACACS exist. There used to be a line that listed the TACACS server ip address but I removed that when we started to manage our own equipment. The router also specific the radius server source ports but I'm guessing radius wasnt even used by looking below. Looks like TACACS was correct?

aaa new-model

!

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default none

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

!

!

aaa session-id common

Hey Sam.

The VOIP company was using TACACS and when you removed the IP to the server you would have forced the configuration to null any TACACS configurations. 

You could modify the following

aaa auth login default local

optionally

aaa auth login default local enable [enable keyword will use the enable password for all authentication]

other options would be to completely remove aaa new-model which would put authentication back to the legacy model.

Lastly, Windows IAS was the old feature within Windows Server 2003.  The new configuration is a Role within Windows 2008/2012 called Network Policy Server (NPS), which does allow for RADIUS Auth/Acct.  The link below is a good tutorial of how to set it up.

http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Just be careful when modifying the authenitcation attributes, make sure if you dont have console access to leave the one session open and always try to authenticate with a new session after each change.  Learned that one the hard way a few times

Hope this helps.

Is the line "aaa authentication enable default none" the one that causes the enable password to be used for all login passwords?

I ask this going back to my question that whenever I login to the switch or router I use the enable password for everything. There is no line or console passwords set up on the switch at least that I see in the config.  However on the router I see a password set up for the console and line. But I don't know what these are and never have to use them. I only use the enable password. Is this because of the above line?

So if I add the enable in the option you mention secondly that means I'll be exactly like I am now or does it mean the enable password will be prompted for after the user enters a login password and then they type enable?     

Yes, thats exactly what causes the Enable or Secret to be bypassed. 

So therefore this line, which I'm guessing causes use of logins authenticated by TACACS, (not sure what enable on the end does in this case), is completely negated and therefore login of any kind?

aaa authentication login default group tacacs+ enable

In affect the AAA lines I listed above the only lines that are looked at are the below lines which are the only ones without the tacacs+ keyword?

aaa new-model

!

!

aaa authentication enable default none

aaa accounting send stop-record authentication failure

!

!

!

aaa session-id common

Nick,

So usually in a Windows environment you're using RADIUS? I could put up a RADIUS server since it's part of Windows (just add the feature) or use a free TACACS server.  I don't personally think I see a need for another piece of software to manage for something like this since only 1-2 admins logging into the Cisco devices. However I'm guessing going the RADIUS route (no pun intended) is more secure then storing a login password (since it's at level 7) in the config file.

Hi,

username bob secret cisco, here the password(cisco) will be hashed using MD5, of course it is always safer to use an external device for authentication but if your password is strong enough it should take a lot of times to crack it provided someone could obtain the hashed password.For authentication/accounting RADIUS is a good solution but for exec authorization a TACACS server is the choice.

Regards

Alain

Don't forget to rate helpful posts.

Is RADIUS or TACACS usually used when you have potentially lots of users logging onto a router or switch? Or even in situations where you have 1-2 users are these beneficial?

Hi,

With only a few users I wouldn't use an external authentication server but that's a personnal point of view.

Regards

Alain

Don't forget to rate helpful posts.