UNCLASSIFIED  Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED  145

  § aaa authentication banner delimiter string delimiter replaces any before-system-login banner with the value of string.

  § aaa authentication fail-message delimiter string delimiter replaces the default message shown for a failed login with the value of string.

This section will concentrate on the four authentication commands for controlling access to the router. For setting a banner on all terminals, use the banner motd command as suggested earlier in Section 4.1.4.

In a simple situation only one authentication list is required. This list should be the default list, to guarantee that all lines are protected, and should include a local method. Including a local method guarantees that an administrator will still have access to the router if the security server(s) is not available. Remember to add at least one administrator to the local database.

    Central(config)# username joeadmin password 0 G0oD9pa$8
    Central(config)# aaa authentication login default radius local

One note about method lists for aaa authentication: whichever method is first controls whether the authentication procedure will prompt for a username or not. So if the first method in the list is line or enable, then any additional method which requires a username will automatically fail. So when generating method lists, decide whether to use usernames and passwords or just a password. For accounting purposes you should use the methods which allow for usernames and assign each administrator a distinct username.

In a more complex scenario, where a more limited set of administrators have access to the console line, first create the default list again. The default list should be for the limited set of administrators and should use the local database. Additionally, the default list should be developed to protect the console line. Accounting records can still be sent to the security server, but the security server's authorization capabilities cannot be used, since no authentication records will be sent to the security server. The second list should be a named method list and should be applied to the appropriate lines to allow additional administrators onto the router. For the named method list, which will primarily use the security server, authorization can be used to control the larger set of administrators. The following is a recommended configuration for using a TACACS+ security server and the local database.

    Central(config)# username annadmin password 0 G%oD9pa$8
    Central(config)# username joeadmin password 0 badpasswd
    Central(config)# aaa authentication login default local
    Central(config)# aaa authentication login remotelist radius local
    Central(config)# line vty 0 4
    Central(config-line)# login authentication remotelist
    Central(config)# line aux 0
    Central(config-line)# login authentication remotelist

In general the default list should be the most restrictive authorization list. When multiple lists are used, it is a good idea for the default list to use only the local method, so that named lists can override the default list as appropriate.
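The two method-list rules above (include a local fallback, and never put line or enable ahead of a username method) can be checked mechanically against a saved configuration. The following auditor is an added example, not part of this guide: it parses the aaa authentication login lists and the login authentication assignments on each line, resolves unassigned lines to the default list, and reports the problems the text describes. The configuration it runs against is constructed for the example and deliberately contains one bad list named weak.

```python
import re
from typing import Dict, List

# Constructed sample config (not a real device dump); "weak" is the bad list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login remotelist radius local
aaa authentication login weak line radius
line con 0
line aux 0
 login authentication remotelist
line vty 0 4
 login authentication weak
"""

USERNAME_METHODS = {"radius", "tacacs+", "local", "local-case"}  # prompt for a username
PASSWORD_ONLY_METHODS = {"line", "enable"}                       # prompt for a password only


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Return {list_name: [method, ...]} from 'aaa authentication login' commands."""
    pattern = r"^aaa authentication login (\S+) (.+)$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pattern, config, re.M)}


def parse_line_lists(config: str) -> Dict[str, str]:
    """Return {line: list_name}; a line without 'login authentication' falls back to 'default'."""
    assigned, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            assigned[current] = "default"
        elif current and raw.strip().startswith("login authentication "):
            assigned[current] = raw.split()[-1]
    return assigned


def audit(config: str) -> List[str]:
    """Flag lists with no local fallback, password-only methods placed before
    username methods (which then never run), and lines bound to undefined lists."""
    lists, lines = parse_login_lists(config), parse_line_lists(config)
    findings = []
    if "default" not in lists:
        findings.append("no default login list: lines without 'login authentication' are uncovered")
    for name, methods in lists.items():
        if not {"local", "local-case"} & set(methods):
            findings.append(f"list {name}: no local method, lockout if the security server is down")
        if methods[0] in PASSWORD_ONLY_METHODS and set(methods[1:]) & USERNAME_METHODS:
            findings.append(f"list {name}: '{methods[0]}' is first, later username methods never run")
    for line, name in lines.items():
        if name not in lists:
            findings.append(f"line {line}: references undefined list {name}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports two findings, both against the weak list; the default and remotelist lists from the guide pass.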