routeprotocol
-
Comparison of RADIUS and TACACS+
| Component | RADIUS | TACACS+ |
|---|---|---|
| Protocol and Ports | Cisco: UDP port 1645 (authentication/authorisation), UDP port 1646 (accounting). Industry standard: UDP port 1812 (authentication/authorisation), UDP port 1813 (accounting) | TCP port 49 |
| Encryption | Encrypts the password field only. Supports EAP for 802.1X authentication | Encrypts the entire payload. Does not support EAP |
| Authentication and Authorisation | Combines authentication and authorisation. Cannot be used to authorise individual CLI commands | Separates authentication and authorisation. Can be… |
-
RADIUS
RADIUS is an Internet Engineering Task Force (IETF) AAA protocol. It follows a client-server model in which the client initiates requests to the server. RADIUS is the AAA protocol of choice for network access, mainly because RADIUS is the AAA transport protocol for the Extensible Authentication Protocol (EAP), whilst TACACS+ does not support any EAP…
-
TACACS+
TACACS+ was developed by Cisco and released as an open standard in the early 1990s. TACACS+ is mainly used for AAA device access control, but it can also be used for network access. TACACS+ uses TCP port 49 to communicate between TACACS+ clients and the TACACS+ server. TACACS+ can provide authentication, authorisation…
-
Authentication, Authorisation, and Accounting (AAA)
AAA is a framework for enabling a set of three independent security functions:
Authentication: enables a user to be identified and verified prior to being granted access
Authorisation: defines the privileges and restrictions to be enforced on an authenticated user
Accounting: provides the ability to track and log user access, including user identities,…
-
Absolute Timeout
The command absolute-timeout <minutes> under line configuration mode terminates an EXEC session after the specified period has expired, even if the connection is still in use (not idle). It is recommended to use it together with the command logout-warning <notice-in-seconds>, which displays a warning to users that a connection timeout is about to occur.
-
EXEC Timeout
By default an idle EXEC session is terminated after 10 minutes of inactivity. The command exec-timeout <minutes> <seconds> under line configuration mode can be used to adjust this value. Using the command exec-timeout 0 0 or no exec-timeout disables the EXEC timeout, but this is not recommended.
-
Auxiliary (AUX) Port
Some Cisco devices have an auxiliary port available for remote administration through a dial-up modem connection. In most cases this is not required, and the AUX port should be disabled with the command no exec under line aux 0.
-
Establishing VTY Access via SSH
Telnet is a popular but insecure method of accessing IOS devices. Telnet sessions are sent in plain text, which makes it easy to sniff and capture confidential session information. SSH provides encryption and strong authentication as an alternative, and it is available in two versions. SSH Version 1: an improvement over telnet in its handling…
-
Control Access to VTY Lines with Transport Input
The protocols that can be used to access the VTY lines can be restricted with the command transport input. All protocols can be permitted with the command transport input all, or individual protocols can be permitted by listing them:
! Permit telnet and SSH only
transport input telnet ssh
-
Control Access to VTY Lines with ACL
Access to VTY lines can be controlled with an access control list. To apply a standard or extended access control list to a VTY line, use the command access-class <ACL Number or Name> in under line configuration mode for that line for an inbound access list, or access-class <ACL Number or Name> out for an outbound…