Cisco IOS Device Hardening: AAA, SSH, RADIUS, NTP, and Privilege

Part of pathway: Full Guide for All IOS Commands

Device Access Hardening Is Non-Negotiable

An unhardened router on a corporate network is a soft target. Default config: Telnet enabled, weak passwords, no logging of failed logins, AAA disabled, CDP advertising the device on every interface. Six commands fix most of it; another six lock it down to enterprise-grade. This article walks through both.

The Bare Minimum — Strong Local Authentication

! Strong enable secret. 'algorithm-type scrypt' makes IOS store a type-9 (scrypt) hash of the
! cleartext you type; type 9 is scrypt, not SHA-256 (type 8 is PBKDF2-SHA-256). Never use 'enable password'.
R1(config)# enable algorithm-type scrypt secret <cleartext-password>

! Console line
R1(config)# line console 0
R1(config-line)#  login local
R1(config-line)#  exec-timeout 5 0
R1(config-line)#  logging synchronous

! VTY (Telnet/SSH access)
R1(config)# line vty 0 4
R1(config-line)#  login local
R1(config-line)#  transport input ssh
R1(config-line)#  exec-timeout 5 0
R1(config-line)#  access-class MGMT in

! Local user (stored as a type-9 scrypt hash, same as the enable secret above)
R1(config)# username admin algorithm-type scrypt secret <cleartext-password>

! ACL restricting which sources can SSH in
R1(config)# ip access-list standard MGMT
R1(config-std-nacl)#  permit 192.168.10.0 0.0.0.255

! Obfuscate remaining plaintext passwords as type 7 (a weak, easily reversible Vigenère cipher, but better than cleartext in a shared config)
R1(config)# service password-encryption

! Set minimum password length
R1(config)# security passwords min-length 12

Three things to call out:

  • enable secret, not enable password. The latter stores the password in cleartext (or as type 7, the weak Vigenère cipher); the former stores only a salted hash (MD5, PBKDF2-SHA-256 or scrypt, depending on the type).
  • transport input ssh on VTY removes Telnet. Always.
  • access-class on VTY restricts who can even attempt to log in.

SSH Configuration

R1(config)# hostname R1
R1(config)# ip domain-name corp.local
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3

hostname and ip domain-name must be set first: the RSA key pair is named after hostname.domain, and key generation refuses to run without a domain name. 2048-bit RSA is the minimum; some compliance regimes require 4096. SSH version 1 is insecure; force version 2.

To use SSH key-based auth (instead of passwords), upload the user’s public key:

R1(config)# ip ssh pubkey-chain
R1(conf-ssh-pubkey)# username admin
R1(conf-ssh-pubkey-user)# key-string
R1(conf-ssh-pubkey-data)# AAAA...rest of the key...
R1(conf-ssh-pubkey-data)# exit

Login Block (Failed-Attempt Lockout)

R1(config)# login block-for 600 attempts 5 within 60
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# login delay 1

Translation: 5 failed logins within 60 seconds puts the device into quiet mode for 10 minutes. login delay 1 enforces a 1-second gap between attempts, which throttles brute force without locking out legitimate users who mistype once. Two caveats: the failure counter is device-wide, not per source, so one noisy host can trigger quiet mode for everyone; and during quiet mode the router refuses every login unless login quiet-mode access-class exempts your management ACL.
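As an added example (not part of the original article), the Python below replays the block-for policy above against constructed syslog lines of the kind login on-failure log produces, showing when quiet mode would have triggered and which sources were counted toward it. The log format is simplified and the users, addresses and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines of the kind 'login on-failure log' produces; the
# timestamps, users and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:33: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.20] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:41: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:15:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %SEC_LOGIN-4-LOGIN_FAILED: .*?"
    r"\[Source: (?P<src>[0-9.]+)\]"
)

def parse_failures(text, year=2024):
    """Return (timestamp, source) for each LOGIN_FAILED line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["src"]))
    return out

def quiet_periods(failures, block_for=600, attempts=5, within=60):
    """Replay 'login block-for <block_for> attempts <attempts> within <within>'.
    The counter is device-wide, not per source, so failures from any address
    add up; that is why the management ACL should be exempted with
    'login quiet-mode access-class'. Returns (start, end, sources) per period."""
    periods, window, quiet_until = [], [], None
    for ts, src in sorted(failures):
        if quiet_until is not None and ts < quiet_until:
            continue  # during quiet mode the connection is refused, nothing is counted
        window = [(t, s) for t, s in window if (ts - t).total_seconds() < within]
        window.append((ts, src))
        if len(window) >= attempts:
            quiet_until = ts + timedelta(seconds=block_for)
            periods.append((ts, quiet_until, sorted({s for _, s in window})))
            window = []
    return periods
```

Note that the legitimate management host 192.168.10.20 is counted alongside the external source, which is exactly the lockout the quiet-mode ACL exemption prevents.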

AAA — Authentication, Authorization, Accounting

Beyond local accounts, enterprises use AAA to centralize login on a RADIUS or TACACS+ server. RADIUS is more common (also used for WiFi); TACACS+ is more granular (per-command authorization).

Enable AAA and define a method list

R1(config)# aaa new-model

! Authentication: try RADIUS, fall back to local only when no RADIUS server answers
! (a RADIUS reject is final; the local database is not consulted on a rejected login)
R1(config)# aaa authentication login default group radius local
R1(config)# aaa authentication enable default group radius enable

! Authorization: EXEC shell access via RADIUS. Per-command authorization is not
! supported with RADIUS; it needs TACACS+ (a 'tacacs server' definition, not shown here)
R1(config)# aaa authorization exec default group radius local
R1(config)# aaa authorization commands 15 default group tacacs+ local

! Accounting: log start/stop of EXEC sessions via RADIUS. Command accounting is
! likewise TACACS+ only
R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting commands 15 default start-stop group tacacs+

RADIUS server config

R1(config)# radius server PRIMARY-NPS
R1(config-radius-server)#  address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
R1(config-radius-server)#  key SecretRadiusKey

! Optional named server group. The method lists above use 'group radius', which means
! every defined RADIUS server; to use only this group, write 'group RADGROUP' instead.
R1(config)# aaa group server radius RADGROUP
R1(config-sg-radius)#  server name PRIMARY-NPS

Always include local as the last method. If no RADIUS server answers, IOS falls through to the next method and you can still log in with a local account; otherwise a network split between you and the AAA server locks you out. The fallback is triggered only by an unreachable server, not by a rejected login, so local accounts do not bypass a working RADIUS server.

NTP — Without Synchronized Clocks, Logs Are Useless

! Top-tier device: unauthenticated client of public pool servers (they do not share your key;
! hostnames also need DNS resolution configured on the router)
R1(config)# ntp server 0.pool.ntp.org
R1(config)# ntp server 1.pool.ntp.org
R1(config)# ntp source Loopback0

! Everything downstream: authenticated client of your internal NTP server.
! The same key number and string must be configured on that server.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 SecretNtpKey
R1(config)# ntp trusted-key 1
R1(config)# ntp server <internal-ntp-server> key 1

R1# show ntp status
R1# show ntp associations

For internal networks: configure your top-tier devices as NTP clients of public sources, then have everything else sync to them. Authenticate the NTP exchange so attackers can’t feed you bad time.

Privilege Levels and Views

IOS has 16 privilege levels (0–15). User EXEC is 1; Privileged EXEC is 15. You can put commands at any level in between to give specific users limited access:

! Moving a command down also moves its parent keywords ('show', 'show ip') to that level.
! Caveat: 'show running-config' at level 5 displays only the lines that level may itself configure.
R1(config)# privilege exec level 5 show running-config
R1(config)# privilege exec level 5 show ip interface

R1(config)# username netops privilege 5 algorithm-type scrypt secret ...

Or use the more modern parser views for proper RBAC:

! Views require 'aaa new-model' and an enable secret; enter the root view first with 'enable view'
R1(config)# parser view NETOPS
R1(config-view)#  secret SecretViewPass
R1(config-view)#  commands exec include show running-config
R1(config-view)#  commands exec include show ip route
R1(config-view)#  commands exec include ping
R1(config-view)#  commands exec include traceroute

Views are stricter and more auditable than privilege-level hacking.

Common Pitfalls

  • No fallback method in AAA. If RADIUS fails and the only authentication method is RADIUS, you’re locked out. Always include local as the second method.
  • Telnet still enabled. Default transport input includes Telnet. Set transport input ssh explicitly.
  • Weak SSH key size. 1024-bit RSA is deprecated and no longer considered safe. 2048 minimum, 4096 for high-security.
  • No access-class on VTY. Default lets the world try to log in (if SSH/Telnet reach the device). Always restrict.
  • Forgetting NTP. Logs without synchronized timestamps can’t be correlated. NTP is in the baseline for a reason.
  • Default community strings. Don’t use “public” or “private.” Pick something long and random.

Conclusion

The hardening checklist for a Cisco router:

  1. enable secret not enable password
  2. transport input ssh on every VTY
  3. access-class ACL on VTY restricting source IPs
  4. login block-for for brute-force defense
  5. 2048-bit RSA, SSH version 2 only
  6. AAA with local fallback
  7. NTP authenticated and synchronized
  8. service password-encryption + security passwords min-length 12
  9. Disable HTTP server unless explicitly needed
  10. Disable CDP on untrusted interfaces
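To make the checklist repeatable, here is an added Python example (not from the article) that audits a saved running-config against the items that are visible in the configuration text. The sample config is constructed, not from a real device, and deliberately leaves the second VTY range weak so that the findings are not all green.

```python
# Constructed running-config excerpt (not from a real device); 'line vty 5 15'
# is left weak on purpose: it still allows Telnet and has no access-class.
SAMPLE_CONFIG = """\
enable secret 9 $9$constructed.hash.placeholder
aaa authentication login default group radius local
login block-for 600 attempts 5 within 60
ip ssh version 2
ntp authenticate
ntp server 10.1.1.1 key 1
line vty 0 4
 login local
 transport input ssh
 access-class MGMT in
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_blocks(text):
    """Group the config into (command, [sub-mode lines]); IOS indents sub-mode
    lines by one space under the command that entered the mode."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return {check: passed} for checklist items visible in a running-config.
    The RSA modulus is not in the config; verify it with 'show crypto key mypubkey rsa'."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    vtys = [kids for cmd, kids in blocks if cmd.startswith("line vty")]
    has = lambda prefix: any(c.startswith(prefix) for c in top)
    aaa_login = [c for c in top if c.startswith("aaa authentication login")]
    return {
        "enable secret, no enable password": has("enable secret") and not has("enable password"),
        "ssh-only transport on every vty": bool(vtys) and all("transport input ssh" in k for k in vtys),
        "access-class on every vty": bool(vtys) and all(any(s.startswith("access-class") for s in k) for k in vtys),
        "login block-for": has("login block-for"),
        "ssh version 2": "ip ssh version 2" in top,
        "aaa login falls back to local": bool(aaa_login) and all(c.split()[-1] == "local" for c in aaa_login),
        "ntp authenticated": "ntp authenticate" in top and any(c.startswith("ntp server") and " key " in c for c in top),
    }
```

Run audit() over the output of show running-config saved to a file; every False is a checklist item to fix.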