Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Authentication commands

Does anyone know of a document that outlines the different authentication options in IOS. Specifically I'm trying to understand the interplay between using radius, local, none(what is this option for?) and how the presence of an enable secret affects these. What is the difference between an enable secret and enable password anyway? Just the encryption type?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Gold

Re: Authentication commands

Ben

Yes indeed. If you configure "none" as one of the authentication methods, then if the device gets to that alternative it will let the user in. In a discussion of security it is sort of similar to "fail open" or "fail shut" (if your other methods have failed should you lock everyone out or should you let everyone in).

Let me give you my quick overview of the alternatives:

radius or tacacs will use a remote server (ACS or something similar) to authenticate.

local will authenticate with locally configured userID and password

line will authenticate with the configured passwords on line vty or line console

enable will authenticate with the enable passord (password or secret - depending on which is configured).

The difference between enable password and enable secret. Enable password by default is stored in clear text - and can be encrypted (but it is a pretty weak encryption). enable secret by default is stored encrypted (there is no option for it to be in clear text) and its encryption is pretty strong.

You had better believe that I worry about what happens if my primary authentication method fails. I normally configure a backup method and sometimes a backup to the backup.

HTH

Rick

8 REPLIES
New Member

Re: Authentication commands

Hello, radius authentication can be done locally using the local UN and PW or it can be done by a remote server using the user profile on the remote server. The radius authentication service only authenticates the user you can configuer restriction on authorization for that user. The enable pw will be shown in clear text when you do a show run, the enable secret will be encrypted. You can have all your PW encrypted by using the password-encryption service then even the enable will be encrypted. Have a look at the document below for radius help. HTH

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schrad.html

New Member

Re: Authentication commands

Try wading through this guide:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/secpriv.html

It's the security configuration guide for the latest IOS. You'll find information on all of the different forms of authentication.

This link will explain "enable secret" (and scroll just before for "enable password"):

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_e1.html#wp1011838

Basically, you're right. The "enable secret" command simply uses a better encryption for the password to get to enable mode (or privilege exec mode). Enabling "enable secret" will override a configuration for "enable password". The following link is a shortened explanation of their differences, but still good:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00801d7efa.shtml

--Jeff

Re: Authentication commands

You are referring to "method lists".

e.g.: aaa authentication login default group radius local-case none

Interpretation:

- When a user tries to "login", first check the RADIUS server in an effort to authenticate the user.

- If the RADIUS server is unreachable, use the "local aaa database" configured on the router.

- If the user is not found in the local aaa database, perform no authentication.

The next method is NOT tried if an authentication "failure" is returned (e.g.: wrong password).

Maybe take a look at the Security Configuration Guide for info on AAA.

New Member

Re: Authentication commands

So what is the purpose of None in the aaa authentication methods? Does it just let anyone in if the other authentication methods are unavailable? What do you guys do for authentication, and do you even worry about what happens if the primary method fails?

Hall of Fame Super Gold

Re: Authentication commands

Ben

Yes indeed. If you configure "none" as one of the authentication methods, then if the device gets to that alternative it will let the user in. In a discussion of security it is sort of similar to "fail open" or "fail shut" (if your other methods have failed should you lock everyone out or should you let everyone in).

Let me give you my quick overview of the alternatives:

radius or tacacs will use a remote server (ACS or something similar) to authenticate.

local will authenticate with locally configured userID and password

line will authenticate with the configured passwords on line vty or line console

enable will authenticate with the enable passord (password or secret - depending on which is configured).

The difference between enable password and enable secret. Enable password by default is stored in clear text - and can be encrypted (but it is a pretty weak encryption). enable secret by default is stored encrypted (there is no option for it to be in clear text) and its encryption is pretty strong.

You had better believe that I worry about what happens if my primary authentication method fails. I normally configure a backup method and sometimes a backup to the backup.

HTH

Rick

New Member

Re: Authentication commands

Thanks for the input, this is how I think I'm going to go, using radius with local fallback for default, and specifying local user only for console access:

username privilege 15 password 7 xxxxxxxxx

aaa new-model

aaa group server radius RadiusServerGroup

server 1.2.3.4

radius-server host 1.2.3.4 key xxxxxxxx

ip radius source-interface fa0/0

aaa authentication login default group RadiusServerGroup local

aaa authentication login ConsoleOnlyAuthentication local

line con 0

login authentication ConsoleOnlyAuthentication

Hall of Fame Super Gold

Re: Authentication commands

Ben

This looks ok and should do what you describe that you want it to do.

HTH

Rick

Hall of Fame Super Gold

Re: Authentication commands

Ben

I am glad that our advice was helpful and that your question is resolved. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read responses which did resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

294
Views
8
Helpful
8
Replies
CreatePlease to create content