Tech Tip: Control network device access

Find out how to control network device access.

By Mike Mullins

Accessing and administering network devices such as routers and switches should require strict authentication, authorization, and accounting (AAA) rules. You require logon and authentication for user access to files, and you need to apply the same rules for accessing network devices.

If you're using local username and passwords on your routers and switches, you're leaving your network wide open for a break-in attempt that will eventually succeed. Your username and password are stored in the device configuration (which you've downloaded and put on a network drive and floppy disk). When was the last time you changed your router/switch password?

Choose a method

The two most popular methods of router and switch authentication are RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System Plus).

  • RADIUS uses UDP, encrypts only the password, and doesn't allow users to control which commands you can execute on a router or switch.
  • TACACS+ uses TCP, encrypts the entire username/password packet, and allows separate authentication solutions that can use TACACS+ for authorization and accounting (i.e., Kerberos authentication).

Set up the device

Configuring your device is simple. For this example, we'll use a RADIUS configuration. Follow these steps:

  • Issue the following command in global configuration to enable AAA:

aaa new-model

  • Specify the RADIUS server or servers by IP address:

aaa radius-server host #.#.#.#

  • Provide the router with the shared, secret RADIUS server password to begin the authentication:

radius-server key yourradiuspassword

  • Configure the login methods and their order of use:

aaa authentication login default group radius local

  • Configure the Enable Privilege command to use RADIUS authentication:

aaa authentication enable default group radius local

Note: Do not save your configuration file until you successfully establish a connection using your new configuration.

In this example, you'll notice I specified RADIUS and local for all authentication commands. This way, if the RADIUS server or path from the router to the server goes down, you can still authenticate with your previous local username and password.

Final thoughts

Router and switch authentication is simple to configure, and it provides an excellent layer of security for these vital devices that make up the backbone of your network. Network device authentication is not a luxury—it is an absolute must-have for every corporate network.

For small single router networks, I recommend the RADIUS solution, and I suggest TACACS+ for larger router networks. RADIUS is a free network component of Windows 2000 Server and Windows Server 2003. TACACS+ is free from Cisco, and it runs on a variety of UNIX-flavored platforms.

The method you choose to authenticate to your network devices is up to you and your budget.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox