A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, unprivileged, local attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient input validation of data passed to the Tcl interpreter. An attacker could exploit this vulnerability by executing crafted Tcl arguments on an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Note: By default, Tcl shell access requires privilege level 15. Through custom privilege configuration, Tcl shell access could be granted to a lower-privileged user. The CVSS score takes this into consideration.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Cisco IOS supports minimal password authentication at the console/VTY line and privilege exec boundaries, through the use of static, locally defined passwords. For example:

enable secret 5 $1$J19J$Q2jB2AM64H0U001nHStLW1

(The leading 5 marks an MD5 hash; current IOS and IOS XE releases can store type 8 or type 9 secrets instead, which are considerably harder to crack offline.)

While easily implemented, this approach is far from ideal for a production network: the same shared secret is known to everyone who administers the device, and there is no per-user accountability. For much more robust and easily managed authentication schemes, IOS supports the Authentication, Authorization, and Accounting (AAA) model, using the RADIUS or TACACS+ protocols to centralize these functions on dedicated AAA servers.

This article will look at deploying a typical IOS router AAA configuration which must meet two requirements:

- All users logging into the router must authenticate with a username and password to one of two redundant TACACS+ servers.
- Users must be able to log in using a backup local user account stored on the router only if neither TACACS+ server is reachable.

This article assumes that all back-end AAA server configuration has been completed and is working.

Configuring AAA on IOS for general administrative access entails four basic steps:

1. Enable AAA on the router.
2. Configure the server(s) to be used for AAA (e.g. the TACACS+ servers in this example).
3. Define authentication and authorization method lists.
4. Enforce AAA authentication on the relevant lines (e.g. console and VTY lines).

Although not technically a part of AAA configuration, we want to ensure a backup user account exists in the event the AAA servers become unreachable, so that we can still log in to the router:

Router(config)# username BackupAdmin privilege 15 secret MySecretPassword

Step 1: Enabling AAA

The new AAA model of authentication is enabled with a single command, which unlocks all other aaa commands on the command line interface. Note that this command will break non-AAA line and enable passwords, so keep your current session open and confirm that a fresh login succeeds before disconnecting.

Router(config)# aaa new-model

Step 2: Configuring the TACACS+ servers

Next we need to configure the addresses of the AAA servers we want to use. This example shows the configuration of TACACS+ servers, but the concept applies to RADIUS servers as well.

There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the tacacs-server command to specify an IP address and shared secret key for each server:

Router(config)# tacacs-server host 192.168.1.3 key MySecretKey1
Router(config)# tacacs-server host 192.168.2.3 key MySecretKey2

This approach is sufficient for many deployments, but is problematic if you want to reference only a subset of the defined servers for a certain AAA function. For example, suppose you want to use one TACACS+ server for control plane authentication on the router itself, and the second server for authenticating PPP connections. In this case, you would assign the servers to named AAA server groups:

Router(config)# aaa group server tacacs+ LoginAuth
Router(config)# aaa group server tacacs+ PPPAuth
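Putting the four steps and the server-group form together, the following is a complete configuration that meets the article's two requirements. It is an added example, not the article's own listing: the server addresses, shared keys, the BackupAdmin account and the LoginAuth group come from the text above; the PPPAuth group membership, the enable secret, the PPP method list and the line numbers are assumptions added to show why a function-specific server group is useful.

```cisco
! Added example, not the article's own configuration. Addresses, keys,
! BackupAdmin and LoginAuth come from the article; everything marked
! "assumed" is illustrative.

! Backup local account, consulted only when no TACACS+ server answers.
username BackupAdmin privilege 15 secret MySecretPassword
! Local enable secret (assumed) so "enable" still works without the servers.
enable secret MyEnableSecret

! Step 1: enable AAA. Line and enable passwords stop applying from here on,
! so keep the current session open until a new login has been verified.
aaa new-model

! Step 2: define the servers, then group them so each AAA function can
! reference only the servers it should use. (Newer IOS XE releases prefer
! "tacacs server <name>" with "address ipv4" and "key" sub-commands, and the
! group then lists "server name <name>".)
tacacs-server host 192.168.1.3 key MySecretKey1
tacacs-server host 192.168.2.3 key MySecretKey2
aaa group server tacacs+ LoginAuth
 server 192.168.1.3
 server 192.168.2.3
aaa group server tacacs+ PPPAuth
 server 192.168.2.3              ! assumed: PPP is served by the second host only

! Step 3: method lists. Methods are tried left to right, and IOS moves to
! the next method only when the current one returns an ERROR (no server in
! the group responded), never on a FAIL (wrong username/password). That is
! what confines the local account to the "neither server reachable" case.
aaa authentication login default group LoginAuth local
aaa authentication enable default group LoginAuth enable
! Exec authorization: the TACACS+ server must return a shell (priv-lvl)
! for the user, otherwise the session is refused even after a good login.
aaa authorization exec default group LoginAuth local
aaa accounting exec default start-stop group LoginAuth
! PPP authentication uses the other group (assumed), independent of logins.
aaa authentication ppp default group PPPAuth

! Step 4: bind the lists to the lines. A list named "default" applies to
! every line automatically, including VTYs added later, so a line that is
! forgotten here cannot silently drop back to weaker authentication.
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
```

Before closing the session used to apply this, verify from exec mode with `test aaa group LoginAuth <tacacs-user> <password> legacy`, which exercises the group without touching the lines, and with `show tacacs`, which shows whether each server is reachable. To confirm the fallback behaviour, block the router's reachability to both servers in a lab and check that BackupAdmin can log in; then unblock them and confirm that BackupAdmin is rejected again while the servers are answering.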
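For the Tcl advisory at the top of this page, the setting that matters is whether a privilege customization has lowered tclsh below its default level of 15. The following is an added example, not part of Cisco's advisory; the level-5 line and the device are hypothetical, and the point is the audit command, which should return nothing on a device that has not been customized.

```cisco
! Added example, not from the advisory. Level 5 is a hypothetical
! operator level; the weak line is shown only to be recognized and removed.

! Weak: makes tclsh available to level-5 (and higher) users, which turns the
! advisory's "authenticated, unprivileged" attacker into any such operator.
privilege exec level 5 tclsh

! Corrected: remove the customization so tclsh requires level 15 again.
no privilege exec level 5 tclsh

! Audit (exec mode): list any privilege customization that mentions tclsh.
! No output means the default level-15 requirement is in effect.
show running-config | include privilege exec.*tclsh
```

Run the audit across the estate before relying on the "unprivileged attacker" qualifier in the CVSS score; the fix itself remains the software update, since the advisory lists no workaround.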