UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
§ aaa authentication banner delimiter string delimiter
replaces the banner displayed before system login with the value of string.
§ aaa authentication fail-message delimiter string delimiter
replaces the default message displayed when a login attempt fails with the value of string.
This section will concentrate on the four authentication commands for controlling
access to the router. For setting a banner on all terminals, use the banner motd
command as suggested earlier in Section 4.1.4.
In a simple situation only one authentication list is required. This list should be the
default list, to guarantee that all lines are protected, and should include a local method.
Including a local method guarantees that an administrator will still have access to the
router if the security server(s) is not available. Remember to add at least one
administrator to the local database.
Central(config)# username joeadmin password 0 G0oD9pa$8
Central(config)# aaa authentication login default radius local
One note about method lists for aaa authentication: whatever method is listed first
controls whether the authentication procedure will prompt for a username or not. So if
the first method in the list is line or enable, then any additional method which requires
a username will automatically fail. When generating method lists, decide whether to
use usernames and passwords or just a password. For accounting purposes you
should use the methods which allow for usernames and assign each administrator a
distinct username.
In a more complex scenario, where a more limited set of administrators has access to
the console line, first create the default list again. The default list should be for the
limited set of administrators and should use the local database. Additionally, the
default list should be developed to protect the console line. Accounting records can
still be sent to the security server, but the security server's authorization capabilities
cannot be used since no authentication records will be sent to the security server.
The second list should be a named method list and should be applied to the
appropriate lines to allow additional administrators onto the router. For the named
method list, which will primarily use the security server, authorization can be used to
control the larger set of administrators. The following is a recommended
configuration for using a TACACS+ security server and the local database.
Central(config)# username annadmin password 0 G%oD9pa$8
Central(config)# username joeadmin password 0 badpasswd
Central(config)# aaa authentication login default local
Central(config)# aaa authentication login remotelist radius local
Central(config)# line vty 0 4
Central(config-line)# login authentication remotelist
Central(config)# line aux 0
Central(config-line)# login authentication remotelist
In general, the default list should be the most restrictive authorization list. When
multiple lists are used, it is a good idea for the default list to use only the local
method; named lists can then be used to override the default list as appropriate.
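The following Python script is an added example, not part of this guide, that audits the aaa authentication portion of a saved IOS configuration against the recommendations above: a default login list must exist and include a local method, at least one local username must be present, a list whose first method is password-only (line or enable) must not be followed by methods that need a username, every list bound to a line must be defined, the console should stay on the default list, and when named lists exist the default list should be local-only. The two configurations embedded in it are constructed samples with placeholder passwords, and the rule set is this example's reading of the text, not a Cisco-supplied check.

```python
import re

# Constructed sample that follows the guide's two-list layout (placeholder passwords).
SAMPLE_CONFIG = """\
username annadmin password 0 EXAMPLE-PASSWORD-1
username joeadmin password 0 EXAMPLE-PASSWORD-2
aaa new-model
aaa authentication login default local
aaa authentication login remotelist radius local
line con 0
line vty 0 4
 login authentication remotelist
line aux 0
 login authentication remotelist
"""

# Constructed sample that breaks two of the rules: a password-only first method
# followed by 'local', and a vty line bound to a list that is never defined.
BAD_CONFIG = """\
username joeadmin password 0 EXAMPLE-PASSWORD-3
aaa authentication login default enable local
line vty 0 4
 login authentication remotelist
"""

# Methods that authenticate with a password alone and never prompt for a username.
PASSWORD_ONLY = {"line", "enable", "none"}
# Methods that consult the router's local username database.
LOCAL_METHODS = {"local", "local-case"}


def _split_methods(tokens):
    """Join 'group radius' style pairs into single method names."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Extract local usernames, login method lists and per-line list bindings."""
    usernames, lists, line_auth = set(), {}, {}
    current = None  # the 'line ...' block whose sub-commands we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):  # indented sub-command of the current line block
            m = re.match(r"\s+login authentication (\S+)", line)
            if m and current:
                line_auth[current] = m.group(1)
            continue
        current = None
        m = re.match(r"username (\S+)\s", line)
        if m:
            usernames.add(m.group(1))
            continue
        m = re.match(r"aaa authentication login (\S+)\s+(.+)$", line)
        if m:
            lists[m.group(1)] = _split_methods(m.group(2).split())
            continue
        m = re.match(r"line (\S+(?: \d+)*)$", line)  # e.g. 'line vty 0 4'
        if m:
            current = m.group(1)
            # A line with no explicit binding is authenticated by the default list.
            line_auth.setdefault(current, "default")
    return usernames, lists, line_auth


def audit(text):
    """Return a list of findings; an empty list means the guide's rules are met."""
    usernames, lists, line_auth = parse_config(text)
    findings = []
    if not usernames:
        findings.append("no local username configured: the local method has no account to fall back on")
    default = lists.get("default")
    if default is None:
        findings.append("no default login list: lines without an explicit binding are not covered")
    elif not LOCAL_METHODS & set(default):
        findings.append("default list has no local method: administrators are locked out "
                        "if the security server is unreachable")
    for name, methods in lists.items():
        if methods and methods[0] in PASSWORD_ONLY:
            later = [m for m in methods[1:] if m not in PASSWORD_ONLY]
            if later:
                findings.append(f"list {name}: first method {methods[0]!r} never prompts for a "
                                f"username, so {later} can never succeed")
    for line, name in line_auth.items():
        if name != "default" and name not in lists:
            findings.append(f"line {line}: references undefined list {name!r}")
        if line.startswith("con") and name != "default":
            findings.append(f"line {line}: console should stay on the default list, not {name!r}")
    if len(lists) > 1 and default and set(default) - LOCAL_METHODS:
        findings.append(f"default list {default} is not local-only although named lists exist")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Running the script reports no findings for the sample that mirrors the guide's layout and two findings for the second configuration. Feed it the output of show running-config to audit a real device; lines the script does not recognise are ignored, so it only reasons about the username, aaa authentication login and line blocks.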