Dec 4
Securing Cisco Devices: How to restrict VTY line access with AAA
Posted by Pablo Mirsoian

In network environments, security is a top priority. One of the critical aspects of securing Cisco devices is controlling who can access them and what level of permissions they have. Authentication, Authorization, and Accounting (AAA) is a Cisco framework designed to provide a robust and scalable security mechanism to manage access control on network devices. In this blog, we'll focus on using AAA to restrict access to the VTY lines of a Cisco router or switch.

What is AAA?

AAA stands for:

  1. Authentication: Verifying the identity of users or devices before allowing access.
  2. Authorization: Determining what actions the authenticated user is allowed to perform.
  3. Accounting: Keeping a log of what users do once they are authenticated and authorized.

When configured on a Cisco device, AAA allows administrators to enforce security policies centrally and consistently, making it easier to manage large-scale network environments.

Why Use AAA on VTY Lines?

VTY lines (Virtual Teletype) control remote access to the router or switch through protocols like Telnet or SSH. Since remote access poses significant security risks, AAA can be employed to authenticate, authorize, and account for every session initiated over these lines, ensuring only authorized personnel have access to critical network devices.

By default, Cisco devices use a basic password for the VTY lines. However, this lacks flexibility and does not scale well for enterprise environments where multiple users with different access levels are common. AAA provides a centralized way to manage user credentials and permissions, usually through an external server like RADIUS or TACACS+.

Setting Up AAA on Cisco Devices

Step 1: Enable AAA

First, we need to enable AAA on the Cisco device.

Router(config)# aaa new-model

This command enables the AAA feature, allowing us to configure authentication, authorization, and accounting for various services on the device, including VTY lines.

Step 2: Configure AAA Authentication

In this step, we’ll set up AAA to authenticate users who attempt to access the router or switch via the VTY lines.

If you are using a local database for authentication (instead of an external server like RADIUS or TACACS+), define the users first:

Router(config)# username admin privilege 15 secret StrongPassword123

Router(config)# username guest privilege 1 secret GuestPass123

Now, configure the authentication method:

Router(config)# aaa authentication login VTY_AUTH local

In this case, we’re creating a method list named VTY_AUTH, which specifies that the local database will be used to authenticate login attempts on VTY lines.

Step 3: Apply AAA Authentication to VTY Lines

Once authentication is configured, we can apply it to the VTY lines.

Router(config)# line vty 0 4

Router(config-line)# login authentication VTY_AUTH

This command applies the VTY_AUTH method list to the first five VTY lines (0-4). Now, whenever someone tries to access the device via SSH or Telnet, AAA will authenticate them against the local database.

Step 4: Configure AAA Authorization

Authorization determines what users can do after they’ve successfully authenticated. Let’s configure AAA to authorize users based on their privilege levels.

Router(config)# aaa authorization exec default local

This command configures AAA to use the local database to determine user privileges after login. The privilege levels range from 1 to 15, with 15 being the highest level of access. In our example, we’ve created two users: admin with privilege level 15 and guest with privilege level 1.

Step 5: Restricting VTY Access by IP Address

Another way to restrict access to the VTY lines is to limit which IP addresses can initiate connections to the device. This can be done using an access control list (ACL).

Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255

Router(config)# line vty 0 4

Router(config-line)# access-class 10 in

In this example, only devices within the 192.168.1.0/24 subnet will be able to connect to the router or switch through VTY lines.

Step 6: Configure AAA Accounting

AAA accounting keeps track of user activity, providing detailed logs for auditing purposes. This can be essential for understanding who accessed the device and what changes were made.

Router(config)# aaa accounting exec default start-stop local

This command enables accounting for all user sessions, recording the start and stop times of user access in the local database.

Example: Using RADIUS for AAA

In larger environments, it's common to use external AAA servers like RADIUS or TACACS+. Here’s how you can configure AAA with a RADIUS server for VTY line authentication.

1. Define the RADIUS server:

Router(config)# radius-server host 192.168.1.10 key RADIUSKey123

2. Configure AAA to use the RADIUS server for login authentication:

Router(config)# aaa authentication login VTY_AUTH group radius local

3. Apply this authentication method to the VTY lines:

Router(config)# line vty 0 4

Router(config-line)# login authentication VTY_AUTH

In this example, the device will first try to authenticate users via the RADIUS server. If the RADIUS server is unavailable, it will fall back to the local database.
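As an added example (not part of the original post), the Python script below audits a saved running-config for the controls described in Steps 1 through 5 and in the RADIUS example: aaa new-model, a defined and applied login method list that keeps a local fallback, and an access-class on every line vty range. The configuration embedded in the script is constructed for this example; its second VTY range is deliberately left misconfigured so the checks produce findings.

```python
# Constructed sample running-config (not from the post): it mirrors the steps above,
# plus a second VTY range left with an undefined method list and no access-class.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_AUTH group radius local
aaa authorization exec default local
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login authentication VTY_AUTH
line vty 5 15
 login authentication NO_SUCH_LIST
"""

def parse_config(config):
    """Split IOS-style text into global commands and indented 'line vty' blocks."""
    global_lines, vty_blocks, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines() if l.strip()):
        if line.startswith("line vty"):
            current = vty_blocks.setdefault(line, [])  # open a new vty block
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # sub-command of the open block
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty_blocks

def audit_vty_aaa(config):
    """Return a list of findings; an empty list means every VTY block passes."""
    global_lines, vty_blocks = parse_config(config)
    findings = []
    if "aaa new-model" not in global_lines:
        findings.append("global: 'aaa new-model' missing, method lists will not apply")
    # Named login method lists -> ordered methods, e.g. ['group', 'radius', 'local']
    lists = {l.split()[3]: l.split()[4:] for l in global_lines
             if l.startswith("aaa authentication login ")}
    acls = {l.split()[1] for l in global_lines if l.startswith("access-list ")}
    for name, body in vty_blocks.items():
        login = [b.split()[2] for b in body if b.startswith("login authentication ")]
        if not login:
            findings.append(f"{name}: no 'login authentication' statement")
        elif login[0] not in lists:
            findings.append(f"{name}: method list {login[0]} is not defined")
        elif "local" not in lists[login[0]]:
            findings.append(f"{name}: {login[0]} has no local fallback (lockout risk)")
        acl = [b.split()[1] for b in body if b.startswith("access-class ")]
        if not acl:
            findings.append(f"{name}: no access-class applied")
        elif acl[0] not in acls:
            findings.append(f"{name}: access-class {acl[0]} references an undefined ACL")
    return findings
```

Run audit_vty_aaa() over the text of show running-config; the sample above reports two findings, both against line vty 5 15.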

Using AAA to restrict access to VTY lines provides a flexible and scalable way to secure your Cisco devices. By leveraging features like centralized user management with RADIUS or TACACS+, local databases for smaller environments, and accounting for detailed activity logs, AAA ensures that only authorized users can access the network devices and perform the actions they are permitted to.

Implementing AAA helps enforce corporate security policies, reduce unauthorized access risks, and provide accountability for all user actions across the network. Whether you're managing a small office or a large enterprise network, Cisco's AAA framework is an essential tool for securing access to your devices.

As always if you have any questions on getting the most out of your IT solutions for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!

Written By:

Pablo Mirsoian, Network Engineer