1.1.1.1 TACACS+

Information

Cisco IOS XR devices can use the TACACS+ protocol to communicate with a central AAA server. Using a central authentication store ensures that all administrative actions are tied to named users, making the tracking of changes much easier. It also makes tracking compromised accounts and malicious activities much easier.

Central authentication is key as it minimizes the effort in managing named user accounts. Keeping local admin accounts opens the door to all the issues inherent in shared accounts, namely:

- Errors in implementation made under a generic admin account, which every administrator can then deny.
- Shared credentials staying unchanged when administrative staff leave the organization or change roles.
- Giving malicious actors the ability to recover shared credentials from saved device backups.

Solution

For complete instructions on how to configure AAA, please refer to the configuration guide. Below you can find some minimum config snippets to implement a RADIUS or TACACS+ server group.

IOSXR(config)#tacacs-server host {tacacs_ip_address} port 49
IOSXR(config-tacacs-host)#key {tacacs_key}

IOSXR(config)#aaa group server tacacs+ {tacacs_group_name}
IOSXR(config-sg-tacacs)#server {tacacs_ip_address}
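One way to audit a saved IOS XR running configuration against this control, as an added example that is not part of the benchmark or of any vendor tool: it parses the `tacacs-server host` and `aaa group server tacacs+` blocks in the form shown above and reports hosts with no key and groups that name a server which is never defined. The sample config text and the `parse_tacacs`/`audit_tacacs` names are constructed for this example.

```python
import re
HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: port (\d+))?")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)")
# Constructed IOS XR running-config excerpt (sample input, not from a real device):
# the second host lacks a key and the group lists a server that is never defined.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10 port 49
 key 7 <redacted>
!
tacacs-server host 192.0.2.11 port 49
!
aaa group server tacacs+ TACACS_GRP
 server 192.0.2.10
 server 192.0.2.11
 server 192.0.2.12
!
"""

def parse_tacacs(config):
    """Return ({host: {"port", "key"}}, {group: [servers]}) from IOS XR config text."""
    hosts, groups, ctx = {}, {}, None   # ctx = ("host"|"group", name) of the open block
    for line in config.splitlines():
        if not line.startswith(" "):    # any top-level line closes the indented block
            ctx = None
            if m := HOST_RE.match(line):
                hosts[m[1]] = {"port": int(m[2] or 49), "key": False}  # 49 is the default
                ctx = ("host", m[1])
            elif m := GROUP_RE.match(line):
                groups[m[1]] = []
                ctx = ("group", m[1])
            continue
        words = line.split() or [""]    # blank indented line -> harmless empty word
        if ctx and ctx[0] == "host" and words[0] == "key":
            hosts[ctx[1]]["key"] = True
        elif ctx and ctx[0] == "group" and words[0] == "server" and len(words) > 1:
            groups[ctx[1]].append(words[1])
    return hosts, groups

def audit_tacacs(config):
    """Return a list of findings; an empty list means the control is satisfied."""
    hosts, groups = parse_tacacs(config)
    findings = [f"host {h} has no key configured" for h, v in hosts.items() if not v["key"]]
    if not hosts:
        findings.append("no tacacs-server host configured")
    if not groups:
        findings.append("no aaa group server tacacs+ configured")
    for g, servers in groups.items():
        findings += [f"group {g} references undefined server {s}" for s in servers if s not in hosts]
    return findings
```

Feed it the output of `show running-config` saved to a file; a device that meets the control yields an empty findings list.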

Impact

Implementing TACACS+ (or any central authentication solution) ensures that only named users are allowed to gain an administrative session to the device. This allows:

- Tracking of all changes back to named users
- Simplification of reconciling changes against a change management process
- Off-loading password change cycles and password complexity requirements to the central authentication store
- Simplification of removing admin access as administrators leave the organization or change their roles in the organization

See Also

https://workbench.cisecurity.org/benchmarks/10473

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: Cisco

Control ID: 71753c808aaa006d37d18edb5bd7408db8ae54a64f8d2a3a5f3b0819736924f5