
CiscoBestPractices

This guide is designed to give you better performance and security out of any Cisco device that uses IOS.

It is assumed that the reader has some knowledge of configuring Cisco IOS devices.


Basic Setup

The first things that need to be configured should be the following...

service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

By default log and debug timestamps show the device's uptime rather than wall-clock time, which is useless when correlating events across devices. "datetime" on its own prints UTC; "localtime" prints the zone configured with "clock timezone", which also defaults to UTC if you never set it. Set the timezone and keep the clock synchronised (for example with "ntp server") before trusting the times in the log.

Service password-encryption does not hash anything. It rewrites every "password" line in the configuration as a type 7 string, which is a reversible obfuscation with a fixed key; freely available tools recover the cleartext in seconds. It only stops a password being read over your shoulder or out of a pasted "show running-config"; it is no substitute for "secret". By default, passwords are stored in cleartext.

Other things to configure...

service tcp-keepalives-in
no service tcp-small-servers
no service udp-small-servers

ip subnet-zero
ip classless

For earlier versions of IOS

no service finger

For later versions of IOS

no ip finger

Whether the above settings are already the defaults depends on the IOS version; on IOS 12.3 all of them are. Enter them anyway so the configuration states them explicitly and a downgrade or a different image does not silently change them.


Device Authentication

Because service password-encryption only obfuscates passwords, it is highly recommended to use secret rather than password wherever it is offered: secret stores a salted MD5 hash (type 5), which cannot be reversed from the configuration. The privileged password has had this feature all along, and from some releases of IOS 12.2 usernames also accept secret rather than password. Newer releases additionally offer scrypt (type 9) via "algorithm-type scrypt", which is preferable to MD5 where the image supports it.

no enable password
enable secret <<privileged password>>

Create some local users. Use "secret" where the release supports it, otherwise fall back to "password" (one or the other for a given user, not both):

username lindsay secret <<lindsay's password>>

or, on releases without username secret:

username lindsay password <<lindsay's password>>
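The following is an added example, not part of the original page, illustrating the two points above: that "service password-encryption" (type 7) is reversible, and that only "secret" lines are actually hashed. The XOR key is the well-known fixed key IOS uses for type 7; SAMPLE_CONFIG is constructed for this example and its $1$/$9$ values are placeholders, not real hashes.

```python
"""Added example (not from the original page): shows why 'service
password-encryption' is not a hash, and audits credential lines in a saved
IOS configuration. The XOR key below is the well-known fixed key IOS uses for
type 7 strings; SAMPLE_CONFIG and its hash values are constructed."""
import re

# Fixed key for type 7. A type 7 string is two decimal digits of seed (IOS uses
# 0-15) followed by one hex byte per character: byte = char XOR key[(seed+i) % 53].
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as 094F471A1A0A."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode()


def type7_encode(cleartext: str, seed: int = 9) -> str:
    """Produce the string IOS would write into the config for this password."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(cleartext.encode()):
        out.append(f"{ch ^ _XLAT[(seed + i) % len(_XLAT)]:02X}")
    return "".join(out)


# Matches 'enable secret 5 ...', 'username X password 7 ...', 'enable password foo', etc.
_CRED = re.compile(r"^\s*(enable|username\s+\S+)\s+(password|secret)\s+(?:(\d)\s+)?(\S+)")


def audit_credentials(config: str) -> list:
    """Return (line, verdict, detail) per credential line.

    verdict is 'hashed' for type 5/8/9, 'reversible' for type 7 (detail is the
    recovered cleartext) and 'cleartext' for type 0 or an untyped password."""
    findings = []
    for line in config.splitlines():
        m = _CRED.match(line)
        if not m:
            continue
        ptype, value = m.group(3), m.group(4)
        if ptype == "7":
            findings.append((line.strip(), "reversible", type7_decode(value)))
        elif ptype in ("5", "8", "9"):
            findings.append((line.strip(), "hashed", f"type {ptype}"))
        else:
            findings.append((line.strip(), "cleartext", value))
    return findings


# Constructed sample; the $1$/$9$ values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$NOTAREALHASHVALUE
username lindsay password 7 094F471A1A0A
username bob password 0 hunter2
username carol secret 9 $9$salt$NOTAREALHASHVALUE
"""

if __name__ == "__main__":
    for line, verdict, detail in audit_credentials(SAMPLE_CONFIG):
        print(f"{verdict:10} {detail:24} {line}")
```

Run against a saved configuration, every "reversible" finding is a password an attacker with read access to the config already has; those users should be moved to "secret" and their passwords changed.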

Let's get authentication underway

aaa new-model
aaa authentication login default local

Older RADIUS/TACACS+ Logins

aaa authentication login default {tacacs+} {radius} local

(choose tacacs+, radius, or both in the order you want them tried)

Newer RADIUS/TACACS+ Logins

aaa authentication login default group {tacacs+} {radius} local

(again, one or both server types, each preceded by "group")

This configuration applies the default method list to telnet (VTY), console and aux access without having to configure line con 0, line aux 0 or line vty 0 x individually. The alternative is to set passwords on each of those lines. Because the default list also governs the console, test a new login configuration from a second session before closing the one you are working in. Telnet carries these passwords across the network in cleartext, so where the image supports it restrict the VTYs to ssh ("transport input ssh").

Always keep local as the last method when using tacacs+ or radius. If you leave it out and the RADIUS or TACACS+ server fails or cannot be reached from the Cisco device, you will be locked out.
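The following is an added example, not part of the original page, that checks a saved configuration for the lockout conditions just described: a remote method list with no "local" fallback, "local" listed with no username to back it, or a "none" method that lets anyone in. The sample configurations are constructed and their hash values are placeholders.

```python
"""Added example (not from the original page): checks the AAA login method
list in a saved IOS configuration for the lockout conditions described above.
Sample configurations are constructed; hash values are placeholders."""
import re

_LOGIN = re.compile(r"^\s*aaa authentication login (\S+)\s+(.+?)\s*$")
# A username line that carries a credential (allows 'privilege N' in between).
_USER = re.compile(r"^\s*username\s+\S+.*\b(password|secret)\s")

# Short codes returned by the check and what each one means for the operator.
EXPLANATIONS = {
    "no-aaa-new-model": "aaa new-model is absent, so no method list is in effect",
    "no-default-list": "no 'aaa authentication login default' list; define one so the fallback order is explicit",
    "no-local-fallback": "remote servers listed without 'local': an unreachable server locks you out",
    "local-without-users": "'local' is listed but no username is configured, so it can never succeed",
    "method-none": "'none' is listed: anyone reaching that method logs in without a password",
}


def parse_methods(text: str) -> list:
    """'group tacacs+ group radius local' -> ['group tacacs+', 'group radius', 'local'].

    Handles both the newer 'group X' form and the older bare 'tacacs+' / 'radius'."""
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def check_login_fallback(config: str) -> list:
    """Return a list of problem codes (empty means the default list looks safe)."""
    lines = config.splitlines()
    if not any(l.strip() == "aaa new-model" for l in lines):
        return ["no-aaa-new-model"]
    lists = {}
    for l in lines:
        m = _LOGIN.match(l)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2))
    if "default" not in lists:
        return ["no-default-list"]
    methods = lists["default"]
    problems = []
    uses_server = any(m.startswith("group ") or m in ("tacacs+", "radius") for m in methods)
    if uses_server and "local" not in methods:
        problems.append("no-local-fallback")
    if "local" in methods and not any(_USER.match(l) for l in lines):
        problems.append("local-without-users")
    if "none" in methods:
        problems.append("method-none")
    return problems


# Constructed samples: the first is safe, the other two each lock an admin out.
OLD_STYLE = """\
aaa new-model
aaa authentication login default tacacs+ local
username lindsay secret 5 $1$salt$NOTAREALHASHVALUE
"""
NO_FALLBACK = """\
aaa new-model
aaa authentication login default group tacacs+ group radius
username lindsay secret 5 $1$salt$NOTAREALHASHVALUE
"""
NO_USERS = """\
aaa new-model
aaa authentication login default group radius local
"""

if __name__ == "__main__":
    for name, cfg in (("OLD_STYLE", OLD_STYLE), ("NO_FALLBACK", NO_FALLBACK), ("NO_USERS", NO_USERS)):
        codes = check_login_fallback(cfg) or ["ok"]
        print(name, [EXPLANATIONS.get(c, c) for c in codes])
```

The check is deliberately conservative: it reports only the default list, because that is the one applied to every line when no named list is attached, and it treats any "group" entry as a remote server so that named server groups are covered as well as the bare tacacs+ and radius keywords of older releases.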



CategoryBestPractices