1.1.1.1 Configure AAA Authentication - TACACS if applicable

Information

TACACS+ is an authentication protocol that Cisco NX-OS devices can use for authentication of management users against a remote AAA server. These management users can access the Cisco NX-OS device through any protocol and use this back-end authentication. Using a central authentication store (such as Active Directory) ensures that all administrative actions are tied to named users, making the tracking of changes much easier. It also makes tracking compromised accounts and malicious activities much easier.

Rationale:

Central authentication is key as it minimizes the effort in managing named user accounts. Keeping local admin accounts opens the door to all the issues inherent in shared accounts, namely:

Errors in implementation made under a generic admin account, which everyone can then deny responsibility for.

Shared credentials staying unchanged when administrative staff leave the organization or change roles.

Giving malicious actors the ability to recover shared credentials from saved device backups.

In many organizations TACACS+ is preferred over RADIUS when TACACS+ is supported by both the AAA server and the network device. This is because (with additional work) TACACS+ also supports command authorization, restricting specific users to the set of commands they may run on the device. However, TACACS+ started as a Cisco-centric protocol, so it is not as widely supported by other vendors as RADIUS is.

In addition, RADIUS use is much more widespread (primarily for secure wireless authentication), so it is often already in place.

Finally, command authorization is a complex endeavor and is very rarely implemented because of that, so the main advantage of TACACS+ is often not realized in practice.

Impact:

Implementing TACACS+ (or any central authentication solution) ensures that only named users are allowed to gain an administrative session to the device. This allows:

Tracking of all changes to named users

Simplification of reconciling changes to a change management process

Off-loading password change cycles and password complexity requirements to that central authentication store

Simplification of removing admin access as administrators leave the organization or change their roles in the organization

Solution

First, enable TACACS+ in NX-OS:

switch(config)#feature tacacs+

Next, define two or more TACACS+ servers:

switch(config)#tacacs-server host 3.4.5.6 key somekey
switch(config)#tacacs-server host 4.5.6.7 key someotherkey

Define the AAA server group for TACACS+:

switch(config)#aaa group server tacacs+ TACACSGROUP
switch(config-tacacs+)#server 3.4.5.6
switch(config-tacacs+)#server 4.5.6.7

Finally, create the AAA authentication lists for both console and default access:

switch(config)#aaa authentication login default group TACACSGROUP local
switch(config)#aaa authentication login console group TACACSGROUP local

It is common to include 'local' as the last method in the list, so that the device can still be administered if every TACACS+ server is unreachable. Note that while this preserves access when the device is isolated or the TACACS+ servers are offline, it also means that if an attacker can DoS the TACACS+ servers, authentication falls back to the local accounts.
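The following is an added example, not part of the benchmark or the Tenable audit plugin: a small Python audit that parses an NX-OS running-config excerpt and reports whether each element of this recommendation is present (feature enabled, two or more servers, group membership consistent with the defined hosts, both login lists using the group) plus whether a 'local' fallback is configured. The configuration text is constructed for the example, and the function name `audit_tacacs` is our own.

```python
import re

# Constructed running-config excerpt (not captured from a real device)
# mirroring the configuration recommended in this item.
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 3.4.5.6 key 7 EXAMPLEKEY1
tacacs-server host 4.5.6.7 key 7 EXAMPLEKEY2
aaa group server tacacs+ TACACSGROUP
  server 3.4.5.6
  server 4.5.6.7
aaa authentication login default group TACACSGROUP local
aaa authentication login console group TACACSGROUP local
"""

def audit_tacacs(config):
    """Return a dict of checks (True = pass) for the TACACS+ recommendation.

    'local_fallback' is informational: True means 'local' is the last
    method on a login list, which keeps the device reachable when all
    TACACS+ servers are offline but also allows local logon in that case.
    """
    lines = [ln.rstrip() for ln in config.splitlines()]
    feature = any(ln.strip() == "feature tacacs+" for ln in lines)
    hosts = re.findall(r"^tacacs-server host (\S+)", config, re.M)
    groups, current = {}, None
    for ln in lines:  # collect 'server' members under each aaa group
        m = re.match(r"^aaa group server tacacs\+ (\S+)", ln)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and ln.startswith("  server "):
            groups[current].append(ln.split()[1])
        elif not ln.startswith(" "):
            current = None  # left the group sub-mode
    login = dict(re.findall(
        r"^aaa authentication login (default|console) (.+)$", config, re.M))

    def uses_group(methods):
        toks = methods.split()
        if "group" not in toks:
            return False
        i = toks.index("group")
        return i + 1 < len(toks) and toks[i + 1] in groups

    return {
        "feature_enabled": feature,
        "two_or_more_servers": len(set(hosts)) >= 2,
        "group_servers_defined": bool(groups) and all(
            s and set(s) <= set(hosts) for s in groups.values()),
        "default_uses_tacacs": uses_group(login.get("default", "")),
        "console_uses_tacacs": uses_group(login.get("console", "")),
        "local_fallback": any(v.split()[-1] == "local" for v in login.values()),
    }
```

Any False in the returned dict (other than `local_fallback`) indicates a configuration that does not meet this recommendation.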

Default Value:

By default, TACACS+ is not enabled.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: Cisco

Control ID: 3c107bf7fa49dfe254c8c58979b303f4cfb5664d687f53ae3f1cdb141625727e