The tacacs-server extended command enables a Cisco device to run in extended TACACS mode. The UNIX system must be running the extended TACACS daemon, which can be obtained via anonymous ftp to ftp.cisco.com. The file name is xtacacsd.shar. This daemon enables communication servers and other equipment to talk to the UNIX system and update an audit trail with information on port usage, accounting data, or any other information the device can send.
The command username <user> password [0 | 7] <password> enables you to store and maintain a list of users and their passwords on a Cisco device instead of on a TACACS server. The number 0 stores the password in clear text in the configuration file. The number 7 stores the password in an encrypted format. If you do not have a TACACS server and still want to authenticate users on an individual basis, you can set up users with the following configuration commands:
username rose password 7 rose-pass
username rebekah password 7 rebekah-pass
The two users, Rose and Rebekah, will be authenticated via passwords that are stored in encrypted format.
Simple Network Management Protocol (SNMP) Access
SNMP is another method you can use to access your network equipment. With SNMP, you can gather statistics or configure the router. In fact, you could even configure the router to start an OSPF routing process! SNMP is also very useful to help you gather statistics with GETREQUEST and GETNEXTREQUEST messages and configure routers with SETREQUEST messages. Each of these SNMP messages has a community string that is a clear text password sent in every packet between a management station and the router (which contains an SNMP agent). The SNMP community string is used to authenticate messages sent between the manager and agent. Only when the manager sends a message with the correct community string will the agent respond.
The SNMP agent on the router allows you to configure different community strings for nonprivileged and privileged access. You configure community strings on the router via the following configuration command:
snmp-server community <string> [RO | RW] [access-list]
Unfortunately, SNMP community strings are sent on the network in clear text ASCII. Thus, anyone who has the ability to capture a packet on the network can discover the community string. This might allow unauthorized users to query or modify routers via SNMP. For this reason, using the no snmp-server trap-authentication command might prevent intruders from using trap messages (sent between SNMP managers and agents) to discover community strings.
The Internet community, recognizing this problem, greatly enhanced the security of SNMP version 2 (SNMPv2) as described in RFC 1446. SNMPv2 uses the MD5 algorithm to authenticate communications between an SNMP server and agent. MD5 verifies the integrity of the communications, authenticates the origin, and checks for timeliness. Further, SNMPv2 can use the Data Encryption Standard (DES) for encrypting information.
Nonprivileged Mode (Read Only)
Use the RO keyword of the snmp-server community command to provide nonprivileged access to your routers via SNMP. The following configuration command sets the agent in the router to allow only SNMP GETREQUEST and GETNEXTREQUEST messages that are sent with the community string public:
snmp-server community public RO 1
You can also specify a list of IP addresses that are allowed to send messages to the router using the access-list option with the snmp-server community command. In the following configuration example, only hosts 184.108.40.206 and 220.127.116.11 are allowed nonprivileged mode SNMP access to the router:
access-list 1 permit 18.104.22.168
access-list 1 permit 22.214.171.124
snmp-server community public RO 1
Privileged Mode (Read/Write)
Use the RW keyword of the snmp-server community command to provide privileged access to your routers via SNMP. The following configuration command sets the agent in the router to allow only SNMP SETREQUEST messages sent with the community string private:
snmp-server community private RW 1
You can also specify a list of IP addresses that are allowed to send messages to the router by using the access-list option of the snmp-server community command. In the following configuration example, only hosts 126.96.36.199 and 188.8.131.52 are allowed privileged mode SNMP access to the router:
access-list 1 permit 184.108.40.206
access-list 1 permit 220.127.116.11
snmp-server community private RW 1
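As an added example that is not part of the original text, the following Python audit scans a constructed IOS running-config fragment for the weaknesses this section describes: user passwords stored with type 0 (clear text), SNMP community strings left at the well-known public/private defaults, and community strings configured with no access-list or with a reference to an access-list that is never defined. The configuration lines, user names and addresses are constructed for illustration only.

```python
import re
from typing import List

# Constructed sample running-config fragment (not from the page).
# Addresses are from the RFC 5737 documentation range.
SAMPLE_CONFIG = """\
username rose password 7 0822455D0A16
username rebekah password 0 rebekah-pass
snmp-server community public RO 1
snmp-server community private RW
snmp-server community n0c-mgmt RW 20
access-list 1 permit 192.0.2.10
access-list 1 permit 192.0.2.11
"""

# Community strings that ship as defaults on many SNMP agents.
WELL_KNOWN = {"public", "private"}


def audit_config(config: str) -> List[str]:
    """Return one finding per weakness found in an IOS-style config text."""
    findings: List[str] = []
    acls = set()          # access-list numbers that are actually defined
    communities = []      # (string, RO|RW, access-list number or None)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+) password 0 ", line)
        if m:
            findings.append(f"user {m.group(1)}: password stored in clear text (type 0)")
        # IOS defaults the mode to RO when neither RO nor RW is given.
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$", line)
        if m:
            communities.append((m.group(1), m.group(2) or "RO", m.group(3)))
        m = re.match(r"access-list (\d+) permit ", line)
        if m:
            acls.add(m.group(1))
    for name, mode, acl in communities:
        if name.lower() in WELL_KNOWN:
            findings.append(f"community {name}: well-known default string")
        if acl is None:
            findings.append(f"community {name} ({mode}): no access-list, any source may query")
        elif acl not in acls:
            findings.append(f"community {name} ({mode}): access-list {acl} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```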
Backup Configuration Files
If a router regularly downloads configuration files from or to a Trivial File Transfer Protocol (TFTP) or Maintenance Operations Protocol (MOP) server, anyone who can access the server can modify the router configuration files stored on the server.
This can be a very serious security breach if this server is not also protected in your security plan. It is absolutely essential in today's enterprise networks to at least back up your router configuration files. Therefore, because this function is so essential to the safe and continued operation of a network, the backup server itself must also be protected.
Using Banners to Set Up Unauthorized Use Notifications
It is also wise to use the banner motd global configuration command to provide messages and unauthorized use notifications, which will be displayed on all new connections. For example, on any network equipment, you could enter the following message:
OSPF_Router(config)# banner motd #
*********************************************************************
*               ! ! ! ! ! ! ! WARNING ! ! ! ! ! ! ! !               *
* THIS SYSTEM IS OWNED BY <company name>. UNAUTHORIZED ACCESS       *
* AND USE OF THIS SYSTEM IS NOT PERMITTED BY <company name> AND     *
* IS STRICTLY PROHIBITED BY <company name> SECURITY POLICIES,       *
* REGULATIONS, STATE AND FEDERAL LAWS.                              *
*                                                                   *
* UNAUTHORIZED USERS ARE SUBJECT TO CRIMINAL AND CIVIL PENALTIES    *
* AS WELL AS COMPANY-INITIATED DISCIPLINARY PROCEEDINGS.            *
*********************************************************************
#