Setting the login and enable passwords might not provide enough security in some cases. The timeout for an unattended console (by default 10 minutes) provides an additional security measure. If the console is left unattended in privileged mode, any user can modify the router's configuration. You can change the timeout with the line configuration command exec-timeout mm ss, where mm is minutes and ss is seconds. The following commands change the timeout to 1 minute and 30 seconds on the console, virtual terminal, and auxiliary lines:
line console 0
 exec-timeout 1 30
line vty 0 4
 exec-timeout 1 30
line aux 0
 exec-timeout 1 30
This command is useful not only from a security standpoint but also from a network management standpoint. If a Telnet session is not closed properly, the router can still consider that session open even though no activity is occurring. On large enterprise networks this happens often enough that the router must be rebooted or someone must connect through the console port to clear these ghost sessions; once every vty line is held by a stale session, the router accepts no new Telnet connections at all. If you configure all lines (console, vty, and aux) with this command, the router disconnects an idle session after 1 minute and 30 seconds (as specified in the preceding example). Note that exec-timeout 0 0 disables the timeout entirely and should be avoided on any line that can be reached remotely.
Because protocol analyzers can examine packets, anyone capturing a Telnet session in which the configuration is displayed, or a TFTP transfer of the configuration file, can read the passwords it contains. You can reduce this exposure by configuring the Cisco IOS software to encrypt passwords so that they are not readable in the configuration file. Keep in mind that this only protects the stored configuration; the Telnet login itself still sends the password in clear text over the network.
All passwords on the router are visible through the write terminal and show configuration privileged-mode commands. If you have access to privileged mode on the router, you can view all passwords in clear text by default. There is a way to hide clear-text passwords. The command service password-encryption stores passwords in an encrypted form, so that anyone performing a write terminal or show configuration cannot read the clear-text password directly. However, if you forget the password, regaining access to the router requires physical access to the router for the password recovery procedure.
The actual encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command (enable) password, console and virtual terminal line access passwords, and both OSPF and BGP neighbor passwords. The service password-encryption command is primarily used to keep unauthorized individuals from casually viewing your passwords in the configuration file. It is important to understand its limits: the scheme it uses (shown as type 7 in the configuration) is a reversible obfuscation, not strong encryption, and publicly available tools recover the clear text instantly. Treat any configuration file that contains type 7 strings as sensitive, and use enable secret, which stores a one-way hash, to protect the privileged-mode password.
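To make the limitation concrete, the following Python program is an added example (not code from the original page or from Cisco) that implements the type 7 scheme: a two-digit seed selects a start offset into a fixed, publicly known key string, and each password byte is XORed with successive key bytes. The sample configuration lines it scans are constructed for this demonstration; the function names are this example's own.

```python
"""Added example: decode and encode Cisco type 7 password strings, and
scan a configuration for them. Demonstrates why service password-encryption
is obfuscation rather than encryption.
"""
import re
from typing import Dict

# Fixed key used by IOS for type 7 passwords (public knowledge, 53 bytes).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a type 7 string."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])            # start offset into the key
    body = bytes.fromhex(encoded[2:])  # one hex pair per password byte
    clear = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
        for i, b in enumerate(body)
    )
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 9) -> str:
    """Produce a type 7 string. Common implementations use seeds 0..15
    (assumption for the range check; the algorithm works for any offset)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = clear.encode("ascii")
    body = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
        for i, b in enumerate(data)
    )
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>', 'key-string 7 <hex>' and 'md5 7 <hex>' forms.
_PW_RE = re.compile(r"\b(?:password|key-string|md5)\s+7\s+([0-9A-Fa-f]{4,})")


def reveal_type7(config_text: str) -> Dict[str, str]:
    """Scan a configuration for type 7 strings; return {encoded: clear}."""
    found = {}
    for match in _PW_RE.finditer(config_text):
        enc = match.group(1)
        try:
            found[enc] = type7_decode(enc)
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid type 7 string; skip it
    return found


# Constructed sample configuration, as service password-encryption would write it.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 094F471A1A0A
!
line vty 0 4
 password 7 060506324F41
 login
"""

if __name__ == "__main__":
    for enc, clear in reveal_type7(SAMPLE_CONFIG).items():
        print(f"{enc} -> {clear}")
    print(type7_encode("cisco", seed=9))
```

Running the script recovers both constructed passwords immediately, which is exactly what an attacker with a copy of the configuration file would do. The scan function is also useful defensively: run it over configuration backups to find credentials that should be rotated after a file has been exposed.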
Restricting Telnet Access to Particular IP Addresses
If you want to allow only certain IP addresses to use Telnet to access the router, use the access-class command. The line configuration command access-class nn in applies a standard access list (numbered 1 through 99) to incoming connections on the virtual terminal lines. In an access-list entry, the second address is a wildcard mask: bits set to 1 are ignored when matching, so 0.0.0.255 matches every host in a /24 network. Any source address not matched by an entry is rejected by the implicit deny at the end of every access list. The following configuration commands allow incoming Telnet access to the router only from hosts on network 184.108.40.206:
access-list 12 permit 220.127.116.11 0.0.0.255
line vty 0 4
 access-class 12 in
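The following Python program is an added example (not code from the original page or from Cisco) that parses numbered standard access-list lines and evaluates a source address against them the way access-class does: first matching entry wins, wildcard bits are ignored, and no match means deny. The configuration lines and test addresses are constructed for the demonstration, and the function names are this example's own.

```python
"""Added example: evaluate a Cisco standard access list (with wildcard
masks) against a Telnet source address, as access-class would.
"""
import ipaddress
import re
from typing import List, Tuple

_ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(any|host\s+\S+|\S+(?:\s+\S+)?)\s*$"
)

Entry = Tuple[str, int, int]  # (action, address, wildcard) as integers


def parse_standard_acl(lines: List[str], number: int) -> List[Entry]:
    """Return the entries of one numbered standard access list, in the
    order they were configured (order matters: first match wins)."""
    entries: List[Entry] = []
    for line in lines:
        m = _ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue  # a different list, or not an access-list line at all
        action, target = m.group(2), m.group(3).split()
        if target[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is a don't-care
        elif target[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(target[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(target[0]))
            # A bare address with no wildcard means an exact host match.
            wild = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def acl_permits(entries: List[Entry], source: str) -> bool:
    """True if the first matching entry is a permit; False on a deny or on
    no match (the implicit deny at the end of every access list)."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # bits that must match exactly
        if (src & care) == (addr & care):
            return action == "permit"
    return False


# Constructed configuration matching the example in the text.
CONFIG = [
    "access-list 12 permit 220.127.116.11 0.0.0.255",
    "line vty 0 4",
    " access-class 12 in",
]
ACL_12 = parse_standard_acl(CONFIG, 12)

if __name__ == "__main__":
    for host in ("220.127.116.77", "220.127.117.77", "10.0.0.1"):
        print(host, "permitted" if acl_permits(ACL_12, host) else "denied")
```

Because only the first match counts, a deny entry placed after a broader permit never fires; when you build an access class, put the specific host denials before the network-wide permit and rely on the implicit deny for everything else.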
Terminal Access Controller Access Control System (TACACS)
Nonprivileged (VTY) and privileged (enable) mode passwords are global and apply to every user accessing the router, whether from the console port or from a Telnet session. As an alternative, the Terminal Access Controller Access Control System (TACACS) provides a way to validate every user individually before he or she can gain access to the router or communication server.
TACACS originated in the United States Department of Defense and is described in Request For Comments (RFC) 1492. TACACS allows finer control over who can access the router in VTY and enable modes.
When TACACS is enabled on a router, the router prompts the user for a username and a password. The router then queries a TACACS server to see whether the user provided the correct password. A TACACS server typically runs on a UNIX workstation. Public-domain TACACS servers can be obtained via anonymous FTP from ftp.cisco.com in the /pub directory; use the /pub/README file to find the file name. A fully supported TACACS server is bundled with CiscoWorks Version 3.
The configuration command tacacs-server host specifies which UNIX host running a TACACS server validates requests sent by the router. You can enter the tacacs-server host command several times to specify multiple TACACS server hosts that a router can validate users against. Configuring multiple servers protects against the failure of a single server; with only one server configured, you could be locked out of your network until that server is restored.
As previously discussed, if all servers are unavailable, you could be locked out of the router. In that event, the configuration command
tacacs-server last-resort [password | succeed]
determines whether a user is allowed to log in to the router with no password (succeed keyword) or is required to supply the standard login password (password keyword). Consider carefully before choosing succeed: it means anyone can log in with no password whenever the servers are unreachable, so an attacker who can disrupt the router's path to the servers gains access for free. The password keyword is the safer choice.
The following commands specify a TACACS server and allow a login to succeed if the server is down or unreachable:
tacacs-server host 18.104.22.168
tacacs-server last-resort succeed
To force users who access the router via Telnet to authenticate themselves using TACACS, enter the following configuration commands:
line vty 0 4
 login tacacs
This method of password checking can also be applied to the privileged-mode password with the enable use-tacacs command. As with login, if all servers are unavailable you could be locked out of privileged mode. In that event, the configuration command enable last-resort [succeed | password] determines whether a user is allowed to enter privileged mode with no password (succeed keyword) or is required to supply the enable password (password keyword). There are significant risks to using the succeed keyword here, for the same reason as with tacacs-server last-resort: it grants unauthenticated privileged access whenever the servers cannot be reached. If you use the enable use-tacacs command, you must also specify the tacacs-server authenticate enable command.