08-07-2014 08:10 PM - edited 03-07-2019 08:19 PM
Does anyone here operate their routers & switches without a username specified? We don't use the username in our login or enable authentication (use vty and enable passwords), just wondering if there is some requirement for a username that I don't know about. Security-wise, we'd like to eliminate specifying a username, if possible.
08-07-2014 08:39 PM
Does anyone here operate their routers & switches without a username specified?
Nope. You require username/password if you want to contact the appliances remotely. If all you do to connect to them is via console, then you're welcome not to have one.
Security-wise, we'd like to eliminate specifying a username, if possible.
Doesn't make any sense. Are you saying you're happy for anyone (and I mean ANYONE) to log into your router/switches?
08-07-2014 08:52 PM
No, a username is not required to access this remotely -- we use the vty and enable passwords (which I mentioned above). Or one could use AAA + radius/tacacs which authenticates against active directory or something similar. Just wondering if the username can be totally eliminated.
08-07-2014 10:33 PM
Yes, devices can be configured for no logins/passwords, but think: what is the benefit we get if we disable it?
If we don't secure the devices that are managing your critical data, probably the only benefit is ease of login and cost savings in terms of not deploying third-party authentication devices.
Not securing your logins has many disadvantages, just try googling it ;)
08-10-2014 06:27 AM
If you remove the password from the VTY lines you will not be able to connect to the device!
OP, your question is both confusing and contradictory, you don't have username(s) configured, yet you would like to remove them?
Martin
08-10-2014 09:03 AM
No one said anything about removing vty passwords, just the usernames. And I don't want a local database either.
I should be more clear, we do have a username configured, but it is never used, since we use vty/enable passwords (I know, telnet is not safe), or we use Tacacs, which doesn't use usernames either, in our configuration. So I'd like to remove all usernames.
(Later) Maybe I've answered my own question: I just verified that a new router config contains *no* username statement. This leads me to believe it is not necessary for basic operations.
08-10-2014 10:20 AM
I was replying to Suraj above who said about removing them.
That is the command to remove your username(s).
By default there are no users configured, it is beneficial though, for the reasons stated.
Martin
08-08-2014 05:23 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I've worked on small networks where only non-user specific passwords were used. This in cases where there was only one or very, very few people who knew the passwords and performed device maintenance.
For somewhat larger networks, where multiple people could be doing maintenance, sometimes local usernames were configured so you could see "who" did the configuration changes. (From a security perspective, not much better than just using global passwords, unless you also wanted to tie certain privilege levels to a particular username.)
Lastly, in big networks, you normally have RADIUS or TACACS user account authentication. The latter, of course, makes it much easier to add or revoke a new user to a set of devices.
08-08-2014 05:53 AM
I agree, better accountability with usernames. We do use Tacacs on a subset of network - in this case, is there any need to have a username specified (since our Tacacs doesn't use it either)?
Suraj2002, you misunderstood, I require *and* use authentication for login, I just don't use the username to do it.
08-09-2014 03:36 AM
Hmm, don't know if you cannot use a user name if using RADIUS or TACACS. However, if you don't want usernames per real person, what about a generic name? Everyone that knows the username and password, could use it.
08-10-2014 06:14 AM
You can have a local user database.
When connecting via SSH a username is required.
Martin
08-10-2014 06:31 AM
I don't want a local username database, that is sort of the point of my question. I want to delete all usernames, just wondering if this is feasible.
You *can* use SSH without using usernames, using Tacacs or Radius.
08-10-2014 07:07 AM
When using a local database you *do* have to create a username, this is what I was referring to.
You are connecting via Telnet (which isn't wise).
Martin
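The thread contrasts three access models: a shared vty/enable password over telnet, a local username database, and AAA against TACACS+/RADIUS with SSH. The script below is an added example, not something posted in the thread, that audits Cisco IOS configuration text for the weaknesses the replies point at (no AAA, cleartext telnet, shared line password, reversible `enable password` / `username ... password`). Both sample configurations are constructed for the example; `edge-rtr`, `admin`, `break-glass` and the `REPLACE-ME` secrets are placeholders, and the `audit()` / `split_sections()` functions are this example's own, not a Cisco or vendor API.

```python
"""Audit Cisco IOS running-config text for shared-password and telnet
access weaknesses. Example code; the two configs below are constructed
samples, not captured from a real device."""
import re

# Constructed: vty/enable passwords only, telnet allowed, no AAA.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
username admin password 0 letmein
line con 0
 password conpass
 login
line vty 0 4
 password vtypass
 login
 transport input telnet ssh
"""

# Constructed: TACACS+ authentication/authorization/accounting with a
# local break-glass account as fallback, SSH only. REPLACE-ME is a placeholder.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret REPLACE-ME
username break-glass privilege 15 secret REPLACE-ME
line con 0
line vty 0 4
 transport input ssh
"""


def split_sections(config):
    """Split IOS config into global commands and indented sub-mode blocks.
    Returns (global_lines, {section_header: [indented commands]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            global_lines.append(current)
    return global_lines, sections


def audit(config):
    """Return a list of 'CODE: explanation' findings; empty means clean."""
    glob, sections = split_sections(config)
    findings = []
    has_aaa = "aaa new-model" in glob
    if not has_aaa:
        findings.append("NO-AAA: no 'aaa new-model'; logins rely on shared "
                        "line/enable passwords with no per-user accountability")
    elif not any(l.startswith("aaa accounting") for l in glob):
        findings.append("NO-ACCOUNTING: AAA enabled but no 'aaa accounting'; "
                        "configuration changes are not attributed to users")
    for l in glob:
        if l.startswith("enable password"):
            findings.append("ENABLE-PASSWORD: 'enable password' stores a "
                            "reversible secret; use 'enable secret'")
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(f"LOCAL-PASSWORD: username '{m.group(1)}' uses "
                            "'password' (reversible); use 'secret'")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = next((b for b in body if b.startswith("transport input")), None)
        # Missing 'transport input' leaves the platform default, which may allow telnet.
        if transport is None or "telnet" in transport or transport.endswith("all"):
            findings.append(f"TELNET: '{header}' is not restricted to SSH; "
                            "credentials would cross the network in cleartext")
        if any(b == "login" for b in body) and not has_aaa:
            findings.append(f"SHARED-VTY-PASSWORD: '{header}' authenticates with "
                            "one line password shared by every operator")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["clean"]:
            print(" ", f)
```

Run it against the output of `show running-config` saved to a file to get the same findings for a real device. The hardened sample keeps one local account only as a fallback for when the TACACS+ servers are unreachable (the `local` keyword at the end of the `aaa authentication login` line), which is the usual reason to keep a username configured even when day-to-day logins never touch the local database.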