05-08-2008 12:29 PM - edited 03-05-2019 10:51 PM
Does anyone know of a document that outlines the different authentication options in IOS? Specifically, I'm trying to understand the interplay between using radius, local, and none (what is this option for?), and how the presence of an enable secret affects these. What is the difference between an enable secret and an enable password anyway? Just the encryption type?
05-08-2008 12:47 PM
Hello, radius authentication can be done locally using the local UN and PW, or it can be done by a remote server using the user profile on the remote server. The radius authentication service only authenticates the user; you can configure restrictions on authorization for that user. The enable pw will be shown in clear text when you do a show run; the enable secret will be encrypted. You can have all your PWs encrypted by using the password-encryption service; then even the enable will be encrypted. Have a look at the document below for radius help. HTH
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schrad.html
05-08-2008 12:48 PM
Try wading through this guide:
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/secpriv.html
It's the security configuration guide for the latest IOS. You'll find information on all of the different forms of authentication.
This link will explain "enable secret" (and scroll just before for "enable password"):
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_e1.html#wp1011838
Basically, you're right. The "enable secret" command simply uses a better encryption for the password to get to enable mode (or privilege exec mode). Enabling "enable secret" will override a configuration for "enable password". The following link is a shortened explanation of their differences, but still good:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00801d7efa.shtml
--Jeff
05-08-2008 01:03 PM
You are referring to "method lists".
e.g.: aaa authentication login default group radius local-case none
Interpretation:
- When a user tries to "login", first check the RADIUS server in an effort to authenticate the user.
- If the RADIUS server is unreachable, use the "local aaa database" configured on the router.
- If the user is not found in the local aaa database, perform no authentication.
The next method is NOT tried if an authentication "failure" is returned (e.g.: wrong password).
Maybe take a look at the Security Configuration Guide for info on AAA.
05-08-2008 02:06 PM
So what is the purpose of None in the aaa authentication methods? Does it just let anyone in if the other authentication methods are unavailable? What do you guys do for authentication, and do you even worry about what happens if the primary method fails?
05-08-2008 08:23 PM
Ben
Yes indeed. If you configure "none" as one of the authentication methods, then if the device gets to that alternative it will let the user in. In a discussion of security it is sort of similar to "fail open" or "fail shut" (if your other methods have failed should you lock everyone out or should you let everyone in).
Let me give you my quick overview of the alternatives:
radius or tacacs will use a remote server (ACS or something similar) to authenticate.
local will authenticate with locally configured userID and password
line will authenticate with the configured passwords on line vty or line console
enable will authenticate with the enable password (password or secret, depending on which is configured).
The difference between enable password and enable secret: enable password by default is stored in clear text and can be encrypted (but it is a pretty weak encryption). enable secret by default is stored encrypted (there is no option for it to be in clear text) and its encryption is pretty strong.
You had better believe that I worry about what happens if my primary authentication method fails. I normally configure a backup method and sometimes a backup to the backup.
HTH
Rick
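Added example (my own, not code from the thread, from Ben's config, or from Cisco): a small Python audit that applies the points made by Rick above and by the method-list post earlier in the thread to a constructed IOS running-config. It decodes type 7 strings (what `enable password` and `service password-encryption` produce; the scheme is a fixed-key XOR whose key is public, which is why Rick calls it "pretty weak"), flags any `aaa authentication login` list that contains `none` (fail open), flags an `enable password` configured without an `enable secret`, and simulates method-list evaluation: a method that returns ERROR (server unreachable, user not in the local database) moves on to the next method, a FAIL (wrong password) stops and denies, `none` always allows, and if every method errors the login is denied. The sample config, the finding codes and the `evaluate_method_list` model are assumptions I made for the illustration; the type 7 decoder is the widely published algorithm.

```python
import re

# Cisco's type 7 "encryption" is a fixed-key XOR. The key below is public and
# the first two characters of a stored string are only the starting offset.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample running-config for this demonstration (not a real device).
SAMPLE_CONFIG = """
service password-encryption
aaa new-model
aaa authentication login default group radius local-case none
aaa authentication login CONSOLE local
enable password 7 094F471A1A0A
username admin password 7 050A02022842
"""


def decode_type7(enc):
    """Recover the plaintext of a type 7 (service password-encryption) string."""
    offset = int(enc[:2])
    out = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        out.append(chr(byte ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])))
    return "".join(out)


def parse_methods(tokens):
    """Turn ['group', 'radius', 'local-case', 'none'] into ['group radius', 'local-case', 'none']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def evaluate_method_list(methods, outcomes):
    """Model of IOS method-list semantics for one login attempt (assumption for this example).
    outcomes maps a method to 'pass', 'fail' (credentials rejected) or 'error'
    (server unreachable / user unknown locally). Only 'error' moves on to the next
    method; 'fail' stops and denies; 'none' always allows; all methods erroring denies."""
    for method in methods:
        if method == "none":
            return "allow"
        result = outcomes.get(method, "error")
        if result == "pass":
            return "allow"
        if result == "fail":
            return "deny"
    return "deny"


def audit_config(config_text):
    """Return (code, detail) findings for the weaknesses discussed in the thread."""
    findings = []
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    has_secret = any(l.startswith("enable secret") for l in lines)
    if "service password-encryption" not in lines:
        findings.append(("NO_PASSWORD_ENCRYPTION", "line and username passwords are stored in clear text"))
    for line in lines:
        tokens = line.split()
        if line.startswith("aaa authentication login"):
            methods = parse_methods(tokens[4:])
            if "none" in methods:  # reaching this method lets anyone in: fail open
                findings.append(("FAIL_OPEN", f"list '{tokens[3]}' contains none: {methods}"))
        elif line.startswith("enable password"):
            if not has_secret:
                findings.append(("ENABLE_PASSWORD_ONLY", "no enable secret configured; the weak enable password is in force"))
            if tokens[2] == "7":
                findings.append(("TYPE7_ENABLE", f"enable password recovered: {decode_type7(tokens[3])}"))
            else:
                findings.append(("CLEARTEXT_ENABLE", "enable password stored in clear text"))
        elif tokens[0] == "username" and "password" in tokens:
            p = tokens.index("password")
            if tokens[p + 1] == "7":
                findings.append(("TYPE7_USER", f"{tokens[1]}: {decode_type7(tokens[p + 2])}"))
            else:
                findings.append(("CLEARTEXT_USER", f"{tokens[1]}: password stored in clear text"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:22} {detail}")
    methods = parse_methods("group radius local-case none".split())
    # RADIUS unreachable and user unknown locally: falls through to none, anyone gets in
    print(evaluate_method_list(methods, {"group radius": "error", "local-case": "error"}))
    # RADIUS reachable and rejects the password: stops here, no fallback is consulted
    print(evaluate_method_list(methods, {"group radius": "fail"}))
```

Running it against the constructed config prints the recovered `enable password` ("cisco") and username password, the fail-open `default` list, and the missing `enable secret`; the two simulated logins show why `none` at the end of a list is a fail-open decision while a `local` fallback (as in Ben's config later in the thread) only helps when the server is unreachable, not when it rejects the user.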
05-09-2008 09:03 AM
Thanks for the input. This is how I think I'm going to go: using radius with local fallback for default, and specifying local users only for console access:
username
aaa new-model
aaa group server radius RadiusServerGroup
server 1.2.3.4
radius-server host 1.2.3.4 key xxxxxxxx
ip radius source-interface fa0/0
aaa authentication login default group RadiusServerGroup local
aaa authentication login ConsoleOnlyAuthentication local
line con 0
login authentication ConsoleOnlyAuthentication
05-09-2008 10:17 AM
Ben
This looks ok and should do what you describe that you want it to do.
HTH
Rick
05-09-2008 10:59 AM
Ben
I am glad that our advice was helpful and that your question is resolved. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read responses which did resolve the question.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick