SOLID CONFIG: Cisco AAA TACACS and Password Best Practices

This article is part of the “SOLID CONFIG” series, in which I cover some of the everyday configuration templates I have put together over the years to provide a solid configuration base for a specific feature or use case.

Introduction

In this article, we take a look at a configuration template for deploying AAA TACACS+ for administrator access and general password and remote access settings on Cisco switches and routers.

The following configuration has been tested on:

  • Cisco Catalyst C9200L-24P-4X running IOS-XE 16.12.4.

  • Cisco Catalyst WS-C3560CX-8PC-S running IOS 15.2(7)E5.

I had trouble running “password encryption aes” on earlier versions of 15.2, but on the version above, everything seems to have worked out fine.

While I will not explain every command one by one, I will describe the overall result of each section’s commands before presenting the commands used to achieve it.

At the bottom of this page, there are links to two whitepapers published by the US National Security Agency (NSA) regarding best practices in terms of network administrator access, password management, and general security practices for hardening Cisco switches and routers. I highly recommend checking them out.

Parameters such as IP addresses, ACL names, key names and passwords must be adapted to your environment, and several other values (timeouts, password lengths, algorithm lists) can be tuned as well.

General Password Settings

This first section of configuration covers some general good practices when it comes to managing local passwords.

Most network administrators today use the secret parameter when configuring the Enable password or a local user account’s password on Cisco switches and routers.

While the secret parameter does hash the password (by default a salted MD5 hash, shown as a Type 5 string in the configuration), this protection is weak by modern standards: MD5 is very fast to compute, and Type 5 hashes can be brute-forced with tools commonly found on the internet.

To make these passwords more secure, you should use what is called a Type 8 password (PBKDF2 with SHA-256), using the algorithm-type sha256 option found below. There is also a Type 9 password, using the algorithm-type scrypt option, which is also considered very strong, but this algorithm has yet to go through the National Institute of Standards and Technology’s (“NIST”) evaluation process as of today’s date (March 2022), which matters if you need FIPS-compliant configurations.

The “key config-key password-encrypt” and “password encryption aes” commands below make sure that keys entered as plaintext (TACACS+ keys, RADIUS keys and similar) are stored as Type 6 (AES-encrypted) strings, which are far better than the Type 7 strings produced by “service password-encryption”, which are trivially reversible. You should still use “algorithm-type sha256” for local usernames, but “service password-encryption” gives you at least some protection in case a user password is entered with the “password” keyword instead of “secret”.

The master key given to “key config-key password-encrypt <master_key>” is not shown in the running/startup-config, so you must record this MASTER KEY somewhere safe: if a switch/router has to be replaced, the same master key must be entered on the new unit before the configuration is pasted back in, otherwise the Type 6 strings cannot be decrypted and every TACACS+/RADIUS key has to be re-entered. Removing the master key on a running device (“no key config-key password-encrypt”) likewise leaves the existing Type 6 keys unusable.

enable algorithm-type sha256 secret DISCO123!
key config-key password-encrypt MY_MASTER_KEY
password encryption aes
service password-encryption
aaa new-model
aaa common-criteria policy PW_POLICY
    char-changes 6
    max-length 36
    min-length 12
    numeric-count 4
    special-case 3
    exit
! The secret on the username line is checked against PW_POLICY when it is entered,
! so it must itself satisfy the policy (here: 12+ characters, 4+ digits, 3+ special characters)
username netadmin privilege 15 common-criteria-policy PW_POLICY algorithm-type sha256 secret C15CO-DISCO#123!
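To see what “easily decrypted” and “can be broken” mean in practice, here is an added Python example (not code from the article): it reverses a Type 7 string, flags Type 5 hashes, and recomputes Type 8 (PBKDF2-HMAC-SHA256, 20000 rounds) and Type 9 (scrypt) secrets so that a candidate password can be verified against a stored $8$/$9$ string. The format details (14-character salt, Cisco’s own base64 alphabet) are the ones used by public password-recovery tools; the sample config lines and secrets in the block are constructed for the demo.

```python
"""Audit the secret types found in a Cisco IOS configuration (added example)."""
import base64
import hashlib
import hmac
import re
import secrets

# Cisco encodes Type 8/9 digests with "./0-9A-Za-z" instead of the RFC 4648
# alphabet; the bit layout is the same, so a byte translation table suffices.
CISCO_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_CISCO = bytes.maketrans(STD_B64, CISCO_B64)

# Type 7 "encryption" is XOR against this fixed string, starting at the offset
# given by the two leading decimal digits of the stored value.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

HAS_SCRYPT = hasattr(hashlib, "scrypt")   # scrypt needs OpenSSL support in hashlib


def cisco_b64(data: bytes) -> str:
    return base64.b64encode(data).rstrip(b"=").translate(_TO_CISCO).decode()


def type7_decode(value: str) -> str:
    """Reverse a 'password 7 ...' or 'key 7 ...' string."""
    seed = int(value[:2])
    body = bytes.fromhex(value[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def new_salt() -> str:
    return "".join(secrets.choice(CISCO_B64.decode()) for _ in range(14))


def type8_hash(password: str, salt=None) -> str:
    salt = salt or new_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, 32)
    return f"$8${salt}${cisco_b64(dk)}"


def type9_hash(password: str, salt=None) -> str:
    salt = salt or new_salt()
    dk = hashlib.scrypt(password.encode(), salt=salt.encode(), n=16384, r=1, p=1, dklen=32)
    return f"$9${salt}${cisco_b64(dk)}"


def verify_secret(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a $8$/$9$ string."""
    kind, salt, _ = stored.lstrip("$").split("$", 2)
    if kind == "8":
        candidate = type8_hash(password, salt)
    elif kind == "9":
        candidate = type9_hash(password, salt)
    else:
        raise ValueError(f"not a Type 8/9 secret: {stored[:4]}...")
    return hmac.compare_digest(candidate, stored)


SECRET_RE = re.compile(r"\b(?:secret|password|key)\s+(\d)\s+(\S+)")
VERDICTS = {
    "0": "cleartext",
    "5": "Type 5 (salted MD5): fast to brute-force, migrate to Type 8",
    "6": "Type 6: AES-encrypted with the config-key master key",
    "8": "Type 8: PBKDF2-HMAC-SHA256",
    "9": "Type 9: scrypt",
}


def audit_line(line: str):
    """Return (severity, note) for a config line carrying a secret, else None."""
    m = SECRET_RE.search(line)
    if not m:
        return None
    kind, value = m.groups()
    if kind == "7":
        return "weak", f"Type 7 is reversible, recovered {type7_decode(value)!r}"
    severity = "weak" if kind in ("0", "5") else "ok"
    return severity, VERDICTS.get(kind, f"unknown type {kind}")


def audit_config(config: str):
    results = []
    for line in config.splitlines():
        verdict = audit_line(line)
        if verdict:
            results.append((line.strip(), *verdict))
    return results


# Constructed sample lines; the Type 5 and Type 6 values are not real digests.
SAMPLE_CONFIG = """\
enable secret 5 $1$SaLt$NotARealMd5CryptHashXXX
username legacy password 7 094F471A1A0A
tacacs server TAC-SERVER-1
 key 6 ConstructedType6BlobForTheDemoXXXXXXXX
"""

if __name__ == "__main__":
    for line, severity, note in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {line}\n        {note}")
    print(type8_hash("C15CO-DISCO#123!"))
```

Running the file prints one verdict per secret-bearing line. If you keep device configurations in a repository, a check like audit_config in a pre-commit hook catches a Type 7 key or a leftover Type 5 enable secret before it reaches production.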

LINE CON and LINE VTY Configuration

Check your switch/router (show line) to see whether it has VTY lines 0-4, 0-15 or 0-97.

The newer the hardware, the more VTY Lines are usually available for use. For example, Cisco Catalyst 9K switches have a whopping 0-97 VTY Lines.

You should assign an ACL to limit the source networks that can reach your switch/router, even if the management interface sits on a management-only network behind a firewall or similar: you don’t want an attacker who has compromised one device to be able to jump from it to the next.

FOR Layer 2 Switch or Router (using global routing table)

line con 0
    exec-timeout 5 0
    logging synchronous

line vty 0 97
    exec-timeout 5 0
    transport input ssh
    transport output none
    transport preferred none
    access-class ACL-ID/NAME in

FOR Layer 3 Switch or Router with multiple VRFs (management access arriving via a VRF interface)

line con 0
    exec-timeout 5 0
    logging synchronous

line vty 0 97
    exec-timeout 5 0
    transport input ssh
    transport output none
    transport preferred none
    access-class ACL-ID/NAME in vrf-also

AAA TACACS Configuration

CONFIGURE AAA TACACS+ servers

If you did not already activate AAA in the General Password Settings above, enter the “aaa new-model” command first, then define the TACACS+ servers to send authentication requests to and put them in a server group.

The “single-connection” parameter enables TACACS+ communication between the switch/router and the TACACS server to take place within a single TCP session, instead of setting up new TCP sessions for every user that connects to the same switch/router. This contributes to better response times and less overhead. However, I have seen this feature cause issues on some ISE versions, where the network administrator is not put into Privileged Mode (Enable mode) after logging in sometimes. Usually just opening another SSH/Telnet session fixes the issue for the moment, but feel free to skip “single-connection” if you keep running into this issue way too often.

The “timeout” command states how long to wait for the TACACS server to respond to a request. The default value is 5 seconds (which can be changed) for a total of 3 attempts (1 initial + 2 retries; this cannot be changed, to my knowledge). If your TACACS server becomes unreachable and your switch falls back to local login credentials, this timeout multiplied by the number of TACACS servers configured is the total delay you will see between entering a command and the command being executed. This applies when you have per-command authorization configured. If you do not use per-command authorization (meaning you are only using Privilege Levels for authorization), there will be no delay in your commands’ execution.

aaa new-model

tacacs server TAC-SERVER-1
    address ipv4 10.10.10.101
    key DISCO123!
    timeout 1
    ! single-connection

tacacs server TAC-SERVER-2
    address ipv4 10.10.10.102
    key DISCO123!
    timeout 1
    ! single-connection

aaa group server tacacs+ TAC-SERVERS
    server name TAC-SERVER-1
    server name TAC-SERVER-2

! If your switch/router has multiple L3 interfaces and/or VRFs, you may need to use the additional commands below inside "aaa group server tacacs+ TAC-SERVERS":

aaa group server tacacs+ TAC-SERVERS
    ip vrf forwarding MGMT
    ip tacacs source-interface Loopback0

Configure Authentication/Authorization/Accounting

What the following configuration will do:

  • Administrators will primarily authenticate against TACACS-servers. Logging in will put the Administrator straight into privileged EXEC mode (“enable mode”).

  • You could swap the order of "group TAC-SERVERS" and "local"/"enable" in the "aaa authentication ..." and "aaa authorization ..." commands so that the local user account always works, even while the TACACS servers are up and running. The downside is that some network administrators will then resort to always using the local user account (because it always works) instead of their personal accounts on the TACACS backend, which rather defeats the purpose of having granular role-based access control with an audit log to show for it. The one upside of swapping the order is that when the TACACS servers go offline, you would not have to wait for the TACACS server "timeout" period to expire for each command you type, since TACACS would no longer have priority over local user accounts.

  • If TACACS servers are unreachable, authenticate using a Local username and password, followed by the Enable password to get into privilege EXEC mode.

  • Already authenticated administrators can still run commands (thanks to the if-authenticated parameter) if the TACACS servers go down in the middle of their active session. Since proper authorization cannot be performed while the TACACS servers are down, a “limited” administrator may temporarily have access to commands they normally cannot use. Be aware of this! While the TACACS servers are unavailable there will be a short delay on every command, because the switch/router first tries to re-establish contact with the TACACS server to verify the command before falling back to allowing it thanks to the “if-authenticated” parameter.

  • By using the “default” keyword in all these commands, AAA is applied globally and does not need specific configuration on LINE CON/LINE VTY.

  • aaa authorization console is an optional command that enables authorization on the console port (LINE CON). It is disabled by default because activating it can lock you out of the router/switch in some scenarios. With it enabled, authenticating via TACACS when connecting to the console puts you directly into privileged EXEC mode (the Switch# prompt) without entering the Enable password, and every command is logged because every command has to be authorized by the TACACS server. Without it, connecting to the console always puts you at Privilege Level 1 (the Switch> prompt), where there are very few commands you can use; to reach privileged EXEC mode you must type “enable”, which is then authenticated by the “aaa authentication enable default” list below: the enable password defined for you on the TACACS server while the servers are reachable, the Enable secret configured on the switch when they are not. You could add “privilege level 15” under “line con 0” to drop every console user straight into Privilege Level 15 (which makes it possible to use any command after logging in), but this should be considered a security risk. The only annoying side effect of “aaa authorization console” is that if the switch cannot reach the TACACS server and you log in on the console with the local username/password, the switch still tries to reach the TACACS server for every command you type, so each command takes a few seconds while that attempt times out before the switch falls back to “local” authorization.
Annoying as this delay is, I personally still believe this command should always be part of your standard configuration templates, purely for security and audit reasons.

  • In the “aaa authentication login default” command below, you can replace the trailing “local” with “enable” if you want the Enable password to be the only fallback when the TACACS servers are unreachable, instead of local usernames and passwords.

Messing with AAA commands on live switches can often be tricky, but the order of the commands below should allow you to paste them into a live switch without running into authorization issues mid-configuration, as the commands change the behavior of the switch as they are entered. Do note, the commands below will be in a different order in the running-config once they have all been entered into the switch.

After you have entered these commands either via SSH/Telnet or the Console port, you will need to quit your current session and establish a new session, which will then use the TACACS servers for authentication.

If you have not yet set up “exec-timeout 5 0” or similar on your Console line and you plan to use it to enter the commands below, I recommend doing that first to keep your Console session from getting “stuck” with authorization errors. The “exec-timeout 5 0” command should disconnect the Console session after 5 minutes of inactivity. See more on this configuration in the earlier section. Because of this, I recommend configuring your switches using SSH/Telnet instead, as you only need to close the connection to terminate the session.

aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 0 default start-stop group TAC-SERVERS
aaa accounting commands 1 default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS

aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable

aaa authorization config-commands

! The next command below is optional but highly recommended, see explanation above !
aaa authorization console

! If you decided to use "aaa authorization console" and are configuring your switch offline via the Console port, you must first log out before typing in the next few commands. This is because you can run into "% Authorization failed." errors after the "aaa authorization..." commands are entered, since it will enable authorization while you are still in a kind of "unauthenticated" state because you did not have to log into the switch the first time you booted it, you simply got in because there was no authentication/authorization methods activated.

! Log out of the switch:
end
exit
! Press enter and log in again to get properly authenticated, then enter the commands below:

! If you are assigning both a Privilege Level and want to perform Authorization for specific commands on your TACACS-server (which is generally the recommended setup), use the commands below:

aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 0 default group TAC-SERVERS local if-authenticated
aaa authorization commands 1 default group TAC-SERVERS local if-authenticated
aaa authorization commands 15 default group TAC-SERVERS local if-authenticated

! If you are assigning a Privilege Level but do NOT want to perform Authorization for specific commands (not recommended), use the commands below:

aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 0 default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default if-authenticated
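The fallback behaviour described in the bullets above (local accounts usable only while the servers are unreachable, if-authenticated permitting everything during an outage) follows from one rule of IOS method lists: a method that returns an error hands over to the next method in the list, while a pass or a fail ends the list. The following Python model is an added example, not code from the article or from Cisco; the users, passwords and per-user command sets are constructed, and the “local” method’s behaviour for command authorization is not modelled, only login authentication and the if-authenticated fallback.

```python
"""Model of how IOS walks an AAA method list (added example, not Cisco code)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # the method could not answer, e.g. TACACS+ servers unreachable


class Session:
    def __init__(self, user, authenticated):
        self.user = user
        self.authenticated = authenticated


class TacacsGroup:
    """Stand-in for 'group TAC-SERVERS': answers from a constructed user table,
    or returns ERROR when the servers are unreachable."""

    def __init__(self, reachable, users):
        self.reachable = reachable
        self.users = users

    def login(self, user, password):
        if not self.reachable:
            return Result.ERROR
        rec = self.users.get(user)
        return Result.PASS if rec and rec["password"] == password else Result.FAIL

    def command(self, session, cmd):
        if not self.reachable:
            return Result.ERROR
        rec = self.users.get(session.user)
        return Result.PASS if rec and cmd in rec["commands"] else Result.FAIL


def local_login(users):
    """'local' method: the device's own username database."""
    def method(user, password):
        rec = users.get(user)
        return Result.PASS if rec and rec["password"] == password else Result.FAIL
    return method


def if_authenticated(session, cmd):
    """'if-authenticated' method: permit anything as long as the session is logged in."""
    return Result.PASS if session.authenticated else Result.FAIL


def run_method_list(methods, *args):
    """Walk the list the way IOS does: ERROR moves on to the next method,
    PASS or FAIL is final. If every method errors out, the request is denied."""
    for name, method in methods:
        result = method(*args)
        if result is not Result.ERROR:
            return name, result
    return "no method answered", Result.FAIL


# Constructed accounts: alice is a full admin, bob a limited operator on the
# TACACS+ side; netadmin is the break-glass account in the local database.
TACACS_USERS = {
    "alice": {"password": "Alice-Tac-Pw-1!", "commands": {"show running-config", "configure terminal"}},
    "bob": {"password": "Bob-Tac-Pw-2!", "commands": {"show running-config"}},
}
LOCAL_USERS = {"netadmin": {"password": "C15CO-DISCO#123!"}}


def build_lists(servers_reachable):
    """aaa authentication login default group TAC-SERVERS local
       aaa authorization commands 15 default group TAC-SERVERS if-authenticated"""
    tac = TacacsGroup(servers_reachable, TACACS_USERS)
    login_list = [("group TAC-SERVERS", tac.login), ("local", local_login(LOCAL_USERS))]
    cmd_list = [("group TAC-SERVERS", tac.command), ("if-authenticated", if_authenticated)]
    return login_list, cmd_list


def login(servers_reachable, user, password):
    login_list, _ = build_lists(servers_reachable)
    name, result = run_method_list(login_list, user, password)
    return name, result, Session(user, result is Result.PASS)


def authorize(servers_reachable, session, cmd):
    _, cmd_list = build_lists(servers_reachable)
    return run_method_list(cmd_list, session, cmd)


if __name__ == "__main__":
    # bob authenticates while the servers are up, then they go down mid-session
    _, _, bob = login(True, "bob", "Bob-Tac-Pw-2!")
    for reachable in (True, False):
        print(f"TACACS+ reachable={reachable}")
        print("  netadmin login:", login(reachable, "netadmin", "C15CO-DISCO#123!")[:2])
        print("  bob 'configure terminal':", authorize(reachable, bob, "configure terminal"))
```

The bob scenario is the one the if-authenticated bullet warns about: bob’s session was authorized while the servers were up, and once they are down every command he types is permitted, including the ones the TACACS+ policy denied a moment earlier. The netadmin scenario shows the other half: while the servers answer, a user they reject gets a FAIL and the local database is never consulted.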

SSH Configuration

The following settings are general configuration steps for setting up SSH access to your switch/router and tweaking some timeout/retries parameters to protect your network device from DoS attacks.

The “ip ssh server algorithm …” and “crypto key generate …” commands at the bottom of this section restrict the SSH server to strong algorithms and generate a strong host key for it.

Depending on your switch/router model and IOS/IOS-XE version, you might need to change some of these values, but the values below give you strong, modern algorithms, so stay as close to them as your platform allows.

The “aaa authentication attempts login 3” and “ip ssh authentication-retries 2” commands may sound very similar, but the first sets how many AAA login attempts a user gets on any line (console, aux or VTY) before the session is dropped, while the second is the SSH server’s own limit. Do note that the SSH command says “retries”, so setting this parameter to 2 means 3 login attempts in total.

The “logging buffered 16777216 informational” command increases local logging storage to 16 MB, which should be plenty. The “login on-failure log” and “login on-success log” commands make every login attempt produce a syslog message, and “login delay 1” adds a one-second pause between attempts; if you also want the device to enter a quiet period after repeated failures, look at the “login block-for” command.

login on-failure log
login on-success log
login delay 1
logging buffered 16777216 informational

aaa authentication attempts login 3
ip domain name yourCompany.com

ip ssh source-interface Loopback0
ip ssh version 2
ip ssh logging events
ip ssh authentication-retries 2
ip ssh dh min size 4096

! SSH algorithms used below may vary depending on your IOS/IOS-XE version
ip ssh server algorithm publickey rsa-sha2-512 ecdsa-sha2-nistp384
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp521

! Generate a strong key for use with SSH, either using the RSA or ECC command below
crypto key generate rsa modulus 4096
crypto key generate ec keysize 384
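The login on-failure log / login on-success log commands above are only useful if someone reads the messages they produce, so here is an added Python example (not from the article) that parses those syslog lines and flags password guessing against the device. The log lines are constructed for the demo, following the %SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS message format the feature emits; the failure threshold is an arbitrary choice.

```python
"""Detect password guessing in IOS login syslog (added example)."""
import re
from collections import defaultdict

# Fields of the messages that 'login on-failure log' / 'login on-success log' produce.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

# Constructed sample: one scanner working through common usernames, one real
# administrator mistyping a password once, and an unrelated config-change message.
SAMPLE_LOG = """\
Mar  7 10:15:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Mon Mar 7 2022
Mar  7 10:15:03.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:03 UTC Mon Mar 7 2022
Mar  7 10:15:04.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 10.10.10.5] [localport: 22] [Reason: Login Authentication Failed] at 10:15:04 UTC Mon Mar 7 2022
Mar  7 10:15:05.733: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:05 UTC Mon Mar 7 2022
Mar  7 10:15:09.456: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.10.10.5] [localport: 22] at 10:15:09 UTC Mon Mar 7 2022
Mar  7 10:15:12.120: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.10.10.5)
Mar  7 10:15:20.077: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:20 UTC Mon Mar 7 2022
Mar  7 10:15:31.880: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 203.0.113.7] [localport: 22] at 10:15:31 UTC Mon Mar 7 2022
"""


def parse_login_events(log):
    """Yield event/user/src/port dicts for every login message in the log."""
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.groupdict()


def detect(log, threshold=3):
    """Flag sources that reach `threshold` consecutive failures, and any success
    that follows a failure streak of at least that size from the same source."""
    streak = defaultdict(list)   # source IP -> usernames tried since its last success
    alerts = []
    for ev in parse_login_events(log):
        src, user = ev["src"], ev["user"]
        if ev["event"] == "LOGIN_FAILED":
            streak[src].append(user)
            if len(streak[src]) == threshold:
                alerts.append(f"{src}: {threshold} failed logins, users tried {sorted(set(streak[src]))}")
        else:
            if len(streak[src]) >= threshold:
                alerts.append(f"{src}: login as {user!r} succeeded after {len(streak[src])} failures, "
                              "treat as a guessed credential")
            streak[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth paging on: a source that failed repeatedly and then got in is either an administrator with a very bad memory or someone who just guessed a password, and with the VTY access-class from the earlier section in place it should not be possible from an address like 203.0.113.7 at all.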

HTTP and HTTPS Configuration

Access to the administrative web interface on switches and routers is rarely needed, but if you do want it, use the commands below to allow HTTPS connections only, enforce a minimum TLS version (this might only work on newer/higher-end platforms such as the Catalyst 9K series), and protect access with an ACL and AAA authentication.

no ip http server
ip http authentication aaa
ip http secure-server
ip http tls-version TLSv1.2
ip http access-class ipv4 ACL-ID/NAME
ip http max-connections 3
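An added Python example (not from the article) that checks a running-config for the remote-access items recommended in the LINE VTY, SSH and HTTP sections: SSH-only transport, an inbound access-class and a live exec-timeout on every vty stanza, ip ssh version 2, the plaintext HTTP server disabled and the HTTPS server behind an ACL and AAA authentication. Both configurations in the block are constructed, and the ACL name is made up.

```python
"""Remote-access hardening checks over an IOS running-config (added example)."""


def parse_config(config):
    """Split a running-config into top-level lines and the indented children
    of each 'line ...' stanza. '!' separators and blank lines end a stanza."""
    top, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line[0].isspace():
            if current is not None:
                stanzas[current].append(line.strip())
            continue
        top.append(line)
        if line.startswith("line "):
            current = line
            stanzas[current] = []
        else:
            current = None
    return top, stanzas


def check_vty(name, children):
    findings = []
    transport = [c.split() for c in children if c.startswith("transport input")]
    if not transport:
        findings.append(f"{name}: no explicit 'transport input ssh' (platform default decides)")
    elif set(transport[-1][2:]) & {"telnet", "all"}:
        findings.append(f"{name}: telnet accepted ({' '.join(transport[-1])})")
    if not any(c.split()[0] == "access-class" and "in" in c.split() for c in children):
        findings.append(f"{name}: no inbound access-class, any source may connect")
    timeouts = [c for c in children if c.startswith("exec-timeout")]
    if timeouts and timeouts[-1].split()[1:] == ["0", "0"]:
        findings.append(f"{name}: exec-timeout disabled, idle sessions never expire")
    return findings


def check_global(top):
    findings = []
    present = set(top)
    if "ip ssh version 2" not in present:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may be negotiated")
    if "ip http server" in present:
        findings.append("global: plaintext HTTP server enabled, use 'no ip http server'")
    if "ip http secure-server" in present:
        if not any(l.startswith("ip http access-class") for l in top):
            findings.append("global: HTTPS server has no 'ip http access-class'")
        if "ip http authentication aaa" not in present:
            findings.append("global: HTTPS server not using 'ip http authentication aaa'")
    return findings


def audit_remote_access(config):
    top, stanzas = parse_config(config)
    findings = check_global(top)
    vty = {k: v for k, v in stanzas.items() if k.startswith("line vty")}
    if not vty:
        findings.append("no 'line vty' stanza found")
    for name, children in vty.items():
        findings.extend(check_vty(name, children))
    return findings


# Constructed: a factory-style config with the usual weak spots.
WEAK_CONFIG = """\
ip http server
ip http secure-server
!
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
line vty 5 15
 transport input all
!
"""

# Constructed: the settings from the LINE VTY, SSH and HTTP sections applied.
HARDENED_CONFIG = """\
ip ssh version 2
no ip http server
ip http authentication aaa
ip http secure-server
ip http access-class ipv4 MGMT-ACL
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 97
 exec-timeout 5 0
 transport input ssh
 transport output none
 transport preferred none
 access-class MGMT-ACL in vrf-also
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_remote_access(cfg))} finding(s)")
        for f in audit_remote_access(cfg):
            print("  -", f)
```

Point it at the output of show running-config from each device (or at the configs in your backup repository) and treat any finding on a production device as a drift from this template. The checks deliberately look only at what the running-config states, so a vty stanza with no transport input line is reported as “platform default decides” rather than assumed safe.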