

Authentication commands

Answered Question

Does anyone know of a document that outlines the different authentication options in IOS? Specifically I'm trying to understand the interplay between using radius, local, none (what is this option for?) and how the presence of an enable secret affects these. What is the difference between an enable secret and enable password anyway? Just the encryption type?



Hello, radius authentication can be done locally using the local UN and PW, or it can be done by a remote server using the user profile on the remote server. The radius authentication service only authenticates the user; you can configure restrictions on authorization for that user. The enable pw will be shown in clear text when you do a show run; the enable secret will be encrypted. You can have all your PW encrypted by using the password-encryption service, and then even the enable will be encrypted. Have a look at the document below for radius help. HTH



http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schrad.html

jeff.hardee Thu, 05/08/2008 - 12:48

Try wading through this guide:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/secpriv.html


It's the security configuration guide for the latest IOS. You'll find information on all of the different forms of authentication.


This link will explain "enable secret" (and scroll just before for "enable password"):

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_e1.html#wp1011838


Basically, you're right. The "enable secret" command simply uses a better encryption for the password to get to enable mode (or privilege exec mode). Enabling "enable secret" will override a configuration for "enable password". The following link is a shortened explanation of their differences, but still good:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00801d7efa.shtml


--Jeff

michael.leblanc Thu, 05/08/2008 - 13:03

You are referring to "method lists".


e.g.: aaa authentication login default group radius local-case none


Interpretation:


- When a user tries to "login", first check the RADIUS server in an effort to authenticate the user.

- If the RADIUS server is unreachable, use the "local aaa database" configured on the router.

- If the user is not found in the local aaa database, perform no authentication.


The next method is NOT tried if an authentication "failure" is returned (e.g.: wrong password).


Maybe take a look at the Security Configuration Guide for info on AAA.


Correct Answer
Richard Burts Thu, 05/08/2008 - 20:23

Ben


Yes indeed. If you configure "none" as one of the authentication methods, then if the device gets to that alternative it will let the user in. In a discussion of security it is sort of similar to "fail open" or "fail shut" (if your other methods have failed should you lock everyone out or should you let everyone in).


Let me give you my quick overview of the alternatives:

radius or tacacs will use a remote server (ACS or something similar) to authenticate.

local will authenticate with locally configured userID and password

line will authenticate with the configured passwords on line vty or line console

enable will authenticate with the enable password (password or secret - depending on which is configured).


The difference between enable password and enable secret: enable password by default is stored in clear text - and can be encrypted (but it is a pretty weak encryption). enable secret by default is stored encrypted (there is no option for it to be in clear text) and its encryption is pretty strong.


You had better believe that I worry about what happens if my primary authentication method fails. I normally configure a backup method and sometimes a backup to the backup.


HTH


Rick

Thanks for the input. This is how I think I'm going to go: using radius with local fallback for default, and specifying local user only for console access:


username privilege 15 password 7 xxxxxxxxx

aaa new-model
aaa group server radius RadiusServerGroup
 server 1.2.3.4
radius-server host 1.2.3.4 key xxxxxxxx
ip radius source-interface fa0/0
aaa authentication login default group RadiusServerGroup local
aaa authentication login ConsoleOnlyAuthentication local

line con 0
 login authentication ConsoleOnlyAuthentication
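As an added illustration (not Cisco code and not part of this thread) of the method-list walk Michael describes above, the method types in Rick's overview, and the two lists in Ben's config, here is a small Python model of how a login method list is evaluated: a wrong password stops the walk, while an unreachable server or a user unknown to the local database moves on to the next method, and "none" simply lets the user in. The credential stores, user names and passwords in it are constructed for the example.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them (e.g. wrong password)
    ERROR = "error"  # method could not answer (server unreachable, user not in this store)

# Constructed sample credential stores; none of these values come from the thread.
RADIUS_USERS = {"ben": "radius-pw"}    # what the RADIUS server knows
LOCAL_USERS = {"admin": "local-pw"}    # the router's "username ... password" lines
ENABLE_SECRET = "enable-pw"            # the router's enable secret (None if not configured)

def run_method(method, user, password, radius_up):
    """Return the verdict of one AAA method, modelling the behaviour the thread describes."""
    if method == "group radius":
        if not radius_up:
            return Result.ERROR                       # server unreachable: fall through
        return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL
    if method in ("local", "local-case"):
        # "local" matches the username case-insensitively, "local-case" exactly
        table = LOCAL_USERS if method == "local-case" else {u.lower(): p for u, p in LOCAL_USERS.items()}
        key = user if method == "local-case" else user.lower()
        if key not in table:
            return Result.ERROR                       # unknown user: next method is tried
        return Result.PASS if table[key] == password else Result.FAIL
    if method == "enable":
        if ENABLE_SECRET is None:
            return Result.ERROR                       # nothing configured to check against
        return Result.PASS if password == ENABLE_SECRET else Result.FAIL
    if method == "none":
        return Result.PASS                            # no authentication at all: fail-open
    raise ValueError(f"unknown method {method!r}")

def evaluate(method_list, user, password, radius_up=True):
    """Walk a login method list: PASS or FAIL ends the walk, only ERROR moves on
    to the next method, and exhausting the list denies the login (fail-shut)."""
    trace = []
    for method in method_list:
        verdict = run_method(method, user, password, radius_up)
        trace.append((method, verdict))
        if verdict is not Result.ERROR:
            return verdict is Result.PASS, trace
    return False, trace

if __name__ == "__main__":
    # Michael's list with the RADIUS server down and a user nobody knows: let in by "none".
    print(evaluate(["group radius", "local-case", "none"], "stranger", "x", radius_up=False))
    # Ben's default list in the same situation: no "none", so the login is denied.
    print(evaluate(["group radius", "local"], "stranger", "x", radius_up=False))
```
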






Richard Burts Fri, 05/09/2008 - 10:17

Ben


This looks ok and should do what you describe that you want it to do.


HTH


Rick

Richard Burts Fri, 05/09/2008 - 10:59

Ben


I am glad that our advice was helpful and that your question is resolved. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read responses which did resolve the question.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
