By Mike Mullins
Accessing and administering network devices such as routers and switches should require strict authentication, authorization, and accounting (AAA) rules. You require logon and authentication for user access to files, and you need to apply the same rules for accessing network devices.
If you're using local usernames and passwords on your routers and switches, you're leaving your network wide open to a break-in attempt that will eventually succeed. Your username and password are stored in the device configuration (which you've downloaded and put on a network drive and floppy disk). When was the last time you changed your router/switch password?
Choose a method
The two most popular methods of router and switch authentication are RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System Plus).
Set up the device
Configuring your device is simple. For this example, we'll use a RADIUS configuration. Follow these steps:
! Enable the AAA subsystem; the authentication commands below depend on it
aaa new-model
! Define the RADIUS server (replace #.#.#.# with its address) and the shared secret
radius-server host #.#.#.#
radius-server key yourradiuspassword
! Try RADIUS first for login and enable; fall back to local accounts if the server is unreachable
aaa authentication login default group radius local
aaa authentication enable default group radius local
Note: Do not save your configuration file until you successfully establish a connection using your new configuration.
In this example, you'll notice that I specified both RADIUS and local for all authentication commands. This way, if the RADIUS server or the path from the router to the server goes down, you can still authenticate with your previous local username and password. The local fallback only kicks in when the RADIUS server does not respond; a username and password that RADIUS rejects is not retried against the local database.
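To check that a saved configuration actually has the posture described above (RADIUS first, local fallback, for both login and enable), here is an added audit script; it is example code, not the author's, and the sample configurations, addresses and shared secret it contains are constructed for illustration.

```python
import re

# IOS lines the RADIUS-with-local-fallback setup relies on.
PATTERNS = {
    "new_model": re.compile(r"^aaa new-model$"),
    "host": re.compile(r"^radius-server host \S+"),
    "key": re.compile(r"^radius-server key \S+"),
    "login": re.compile(r"^aaa authentication login default (.+)$"),
    "enable": re.compile(r"^aaa authentication enable default (.+)$"),
}

def audit_aaa(config: str) -> list[str]:
    """Return findings for a running-config; an empty list means RADIUS
    is tried first with a local fallback for both login and enable."""
    lines = [ln.strip() for ln in config.splitlines()]
    hits = {name: None for name in PATTERNS}
    for name, rx in PATTERNS.items():
        for ln in lines:
            m = rx.match(ln)
            if m:
                hits[name] = m
                break
    findings = []
    if not hits["new_model"]:
        findings.append("aaa new-model missing: method lists below are ignored")
    if not hits["host"]:
        findings.append("no radius-server host: authentication is local only")
    if not hits["key"]:
        findings.append("no radius-server key: RADIUS traffic has no shared secret")
    for kind in ("login", "enable"):
        m = hits[kind]
        if not m:
            findings.append(f"{kind}: no default method list, local credentials only")
            continue
        methods = m.group(1).split()
        if methods[:2] != ["group", "radius"]:
            findings.append(f"{kind}: RADIUS is not the first method ({m.group(1)})")
        if "local" not in methods:
            findings.append(f"{kind}: no local fallback, lockout if RADIUS is unreachable")
        if "none" in methods:
            findings.append(f"{kind}: 'none' allows access with no credentials")
    return findings

# Constructed sample configs (documentation address range, placeholder secret).
GOOD_CONFIG = """aaa new-model
radius-server host 192.0.2.10
radius-server key EXAMPLE-SECRET
aaa authentication login default group radius local
aaa authentication enable default group radius local
"""
LOCAL_ONLY_CONFIG = """username admin secret EXAMPLE-ONLY
aaa authentication login default local
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("local-only", LOCAL_ONLY_CONFIG)):
        print(label, audit_aaa(cfg) or ["OK"])
```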
Router and switch authentication is simple to configure, and it provides an excellent layer of security for these vital devices that make up the backbone of your network. Network device authentication is not a luxury—it is an absolute must-have for every corporate network.
For small single-router networks, I recommend the RADIUS solution, and I suggest TACACS+ for larger router networks. RADIUS is a free network component of Windows 2000 Server and Windows Server 2003. TACACS+ is free from Cisco, and it runs on a variety of UNIX-flavored platforms.
The method you choose to authenticate to your network devices is up to you and your budget.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.