UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
The Message of the Day (MOTD) banner should carry the legal notice that governs
access to the device and gives notice that use is monitored. Keep the text generic
and, ideally, identical across all of your routers, firewalls, servers, workstations, etc.
Next, configure the security server and turn on the AAA mechanisms. The shared
secret for the TACACS+ server is stored in the router configuration in the clear, so
do not reuse the router's shared secret on any other device. Because TACACS+
protects its traffic to the security server and the connection never leaves the
corporate boundary, it is acceptable for the router to reach a security server located
elsewhere on the internal network rather than authenticating purely on the router itself.
With the aaa authentication login command, make sure local is in the method list,
as described earlier, so the router remains reachable if the server is down. Notice that
the default exec accounting list is set to start-stop and that a separate named list was
created with wait-start. With wait-start the session does not begin until the server
acknowledges the start record, so applying the named list only to the external (vty)
connections and letting the default list apply automatically to the console ensures you
are not locked out of the router when the accounting server is unreachable. Use
connection accounting to track outbound connections generated by users logged on to
the router; these should be minimal. Also include system accounting and commands 15
(privilege-level 15 command) accounting, since this router is protecting a special enclave.
As before, create an access-list and apply it to the vtys to limit remote access to
internal networks only; where possible, permit individual host IP addresses rather than
a whole network. Issue the login local command on the console and the vtys in case
AAA services are turned off. It is ignored while the AAA mechanisms are running, and
if they are disabled it continues to allow limited remote access based on the local user
database. Also limit remote access to Telnet only and set the idle timeout to 5 minutes.
Telnet carries credentials in the clear, which is one more reason to confine the vtys to
a small set of trusted internal hosts. The auxiliary port is disabled in this example.
If a RADIUS server were used in this example instead of the TACACS+ server, system
and command accounting would not be specified (IOS does not support command
accounting over RADIUS).
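The configuration described above, gathered into one fragment as an added example; it is not the guide's own sample configuration. The TACACS+ server address 10.1.1.5, the management hosts 10.1.2.10 and 10.1.2.11, the accounting list name VTY-ACCT, access-list number 10, the local username and both secrets are placeholder values chosen for illustration, and the syntax is the IOS 12.x form the guide is written against.

```cisco
! Added example (not from the guide). Addresses, names and secrets are placeholders.
!
! Legal notice shown before login; keep the wording generic and reuse it on every device.
banner motd ^C
WARNING: This system is for authorized use only. All activity on this
system may be monitored and recorded. Use of this system constitutes
consent to such monitoring.
^C
!
! Security server and AAA. The key is written to the configuration in clear text
! (service password-encryption only applies reversible type 7 obfuscation), so this
! key must be unique to this router.
aaa new-model
tacacs-server host 10.1.1.5
tacacs-server key r0uter-unique-plac3holder
!
! Authentication: TACACS+ first, local database if the server does not answer.
aaa authentication login default group tacacs+ local
!
! Accounting. The default exec list (start-stop) applies to the console automatically.
! The named list uses wait-start, so the session does not start until the server
! acknowledges the start record; it is applied only to the vtys below, so a dead
! accounting server cannot lock you out of the console.
aaa accounting exec default start-stop group tacacs+
aaa accounting exec VTY-ACCT wait-start group tacacs+
! Outbound connections opened by users logged on to the router (should be rare).
aaa accounting connection default start-stop group tacacs+
! System events and privilege-15 commands: TACACS+ only, omit these with RADIUS.
aaa accounting system default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local account that login local falls back to when AAA is turned off (placeholder).
username admin privilege 15 secret Chang3-Me-B3fore-Use
!
! Remote access limited to specific internal management hosts, not a whole network.
access-list 10 permit host 10.1.2.10
access-list 10 permit host 10.1.2.11
access-list 10 deny   any log
!
line con 0
 exec-timeout 5 0
 login local
!
! Auxiliary port disabled.
line aux 0
 no exec
 transport input none
!
line vty 0 4
 access-class 10 in
 accounting exec VTY-ACCT
 exec-timeout 5 0
 login local
 transport input telnet
```

The guide's point about login local is that it is ignored while aaa new-model is active and only takes effect if AAA is later removed; on IOS releases that reject the line command once aaa new-model is enabled, login authentication default is the equivalent while AAA is on. Verify the result with show running-config and, after logging in over a vty, confirm that the TACACS+ server logged the exec start record before the prompt appeared (the wait-start behaviour) and that the privilege-15 commands you issue appear in its accounting log.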
4.6.3. Dial-In Users
AAA services were designed with remote network access in mind. This includes
remote access to routers as well as to network services such as PPP. AAA using
RADIUS is one of the primary means by which Internet Service Providers (ISPs)
control such access. Controlling access for dial-in users is similar to controlling
access to the router itself, but different protocols are involved. Additionally,
although it is not shown here, it is highly recommended that whenever dial-in access
to the network or the router is in use, AAA services be combined with a one-time
password or similar token technology. Some important commands for controlling
dial-in users are:
• aaa authentication ppp {default | list-name} <method-list> is used to specify PPP authentication method lists.
• aaa authorization {network | exec | commands level | reverse-access} {default | list-name} <method-list> turns on AAA authorization for the specified type and designates the order in which