
CCNA Device Management: SSH, Console, TACACS+, RADIUS & Cloud Management

Managing network devices securely is a core CCNA 200-301 topic. The exam tests in-band vs out-of-band management, the difference between SSH and Telnet, console port access, HTTPS management, and centralized authentication using TACACS+ and RADIUS. Cloud-based network management (Cisco DNA Center, Meraki) also appears. This guide covers each access method, its security posture, and the configuration essentials.


In-band vs out-of-band management

In-band management uses the same network infrastructure that carries production traffic: SSH, Telnet, HTTPS, and SNMP sessions travel over the same interfaces and VLANs as user data. If the network is congested or down, management access may be unavailable, and anyone who can reach those interfaces can attempt to reach the management plane, so it should be restricted with ACLs and encrypted protocols. Most networks still use in-band management for routine work because it is simpler and cheaper.

Out-of-band (OOB) management uses a dedicated, separate network: typically a console server connected to device console ports, or a dedicated management network reached through a separate management interface. When the production network fails, OOB still provides access. A management VRF bound to a dedicated management port (for example the Mgmt-vrf on many Catalyst and IOS-XE platforms) is a logically separate form of OOB: management traffic gets its own routing table and is unreachable from the data VRF, without requiring separate physical infrastructure beyond that one port.

Best practice: use in-band management for routine tasks and OOB for emergency access when the production network is unreachable. The management plane — the traffic used to control network devices — should be isolated from the data plane where possible.

Console, SSH, Telnet, and HTTP/HTTPS

Console port access is physical — requires a rollover cable (or USB) connected to the device's console port. Console access is always available as long as the device is powered, regardless of network connectivity. Console is the primary method for initial configuration and disaster recovery. Default settings: 9600 baud, 8 data bits, no parity, 1 stop bit (9600 8N1).

SSH (Secure Shell) is the standard for remote CLI access. SSH version 2 encrypts all traffic, including credentials, and authenticates the device to the client with its host key. Configuration requires a hostname, a domain name, an RSA key pair (`crypto key generate rsa`, which needs both of the previous items), VTY lines restricted to SSH (`transport input ssh`), and a way to authenticate users on those lines (`login local` with a `username ... secret` entry, or AAA). SSH uses TCP port 22.

Telnet transmits everything in plaintext — passwords, commands, all output. Telnet should never be used on production networks accessible over untrusted links. It's useful only in isolated lab environments. Telnet uses TCP port 23.

HTTP and HTTPS provide GUI-based management. HTTPS (TCP 443) encrypts the management session; HTTP (TCP 80) does not, so credentials and session cookies are exposed exactly as with Telnet. Cisco devices support web-based configuration via HTTPS: on IOS, `ip http secure-server` enables HTTPS and `no ip http server` turns off the plaintext listener so that only HTTPS is offered. IOS-XE also ships a web UI reached the same way. For exam purposes: always prefer HTTPS over HTTP and SSH over Telnet.

TACACS+ vs RADIUS for AAA

Both TACACS+ and RADIUS provide centralized authentication, authorization, and accounting (AAA) for network device access. The key differences between them are architectural and functional.

TACACS+ (Terminal Access Controller Access Control System Plus) is a Cisco-proprietary protocol (now documented in the informational RFC 8907) that uses TCP port 49. It separates authentication, authorization, and accounting into independent processes, which allows granular control: you can authorize specific commands per user or group. The entire packet body is obscured with a keystream derived from the shared secret, so only the 12-byte header (version, type, sequence number, flags, session ID, length) is readable on the wire. This makes TACACS+ the preferred choice for network device administration.

RADIUS (Remote Authentication Dial-In User Service) uses UDP (ports 1812 for authentication and 1813 for accounting). It combines authentication and authorization into a single process (the Access-Accept reply carries the authorization attributes). Only the User-Password attribute is hidden in the request, by XOR with an MD5 hash of the shared secret and the request authenticator; every other attribute, including User-Name, travels in cleartext. RADIUS over TLS (RadSec, RFC 6614) is the later extension that encrypts the whole exchange. RADIUS is the standard for network access control (802.1X, VPN, wireless authentication).

For CCNA: TACACS+ = device administration (encrypts everything, separates A/A/A, TCP). RADIUS = network access (users connecting to the network via 802.1X or VPN, UDP).

Cloud-based management

Cloud-managed networking centralizes configuration and monitoring in a cloud platform. Cisco Meraki is the primary cloud-managed solution tested on CCNA: switches, wireless APs, security appliances, and cameras are all managed through a web dashboard. Devices phone home to the Meraki cloud; administrators never need CLI access.

Cisco DNA Center (now Catalyst Center) is an on-premises controller for enterprise networks built on Cisco IOS-XE switches, routers, and wireless controllers. It provides intent-based networking: you describe the desired policies and DNA Center configures the network automatically. It exposes REST APIs northbound for automation and is the centerpiece of Cisco's software-defined enterprise networking strategy.

Cloud management trade-offs: cloud management simplifies operations but introduces dependency on internet connectivity and a third-party cloud. On-premises controllers (DNA Center) keep management local but require more infrastructure. For CCNA, understand the conceptual differences between traditional CLI management, on-premises controllers, and cloud management.

TACACS+ vs RADIUS comparison

Aspect                  TACACS+                                        RADIUS
Protocol                TCP                                            UDP
Port                    49                                             1812 (authentication), 1813 (accounting)
Encryption              Entire packet body; 12-byte header in clear    User-Password attribute only (RFC 2865); whole exchange only with RADIUS/TLS (RFC 6614)
A/A/A separation        Fully separated                                Authentication and authorization combined in one reply
Command authorization   Yes (per-command granularity)                  Limited
Primary use             Device administration (CLI access)             Network access (802.1X, VPN, WLAN)
Standard?               Cisco proprietary (documented in RFC 8907)     Open standard (RFC 2865/2866)

Key exam facts — CCNA

  • SSH: encrypted, TCP 22, requires hostname + domain + RSA key + `transport input ssh`
  • Telnet: plaintext, TCP 23 — never use on untrusted networks
  • Console: physical rollover cable, always available, 9600 8N1 default
  • TACACS+: TCP 49, entire packet body encrypted (header in clear), separates A/A/A, per-command authorization, device admin
  • RADIUS: UDP 1812/1813, password-only encryption, network access (802.1X, VPN, WLAN)
  • Cisco Meraki: cloud-managed (no CLI); DNA Center: on-premises SDN controller

Common exam traps

RADIUS encrypts the entire packet, making it as secure as TACACS+

Standard RADIUS (RFC 2865) hides only the User-Password attribute of the Access-Request, and it does so with an MD5-based keystream from the shared secret, not with a modern cipher. Every other attribute (username, NAS address, port, vendor attributes) is transmitted in cleartext, and the reply is protected only by an MD5 response authenticator. TACACS+ obscures the entire packet body, leaving only the header readable, which is why it is the stronger choice for device administration on an untrusted path. Neither protocol should be run across untrusted networks without an additional tunnel (IPsec, or RADIUS/TLS for RADIUS).
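The difference described in this trap and in the TACACS+ vs RADIUS section above, demonstrated in working code. This is an added example and is not part of the original guide: it builds a RADIUS Access-Request using the User-Password hiding from RFC 2865 section 5.2 and a TACACS+ authentication START packet using the body obfuscation from RFC 8907 section 4.5, then searches each packet for the username and password the way a passive sniffer without the shared secret would. The shared secret, username, password, port name, and address are constructed test values.

```python
"""Added example (not from the guide): what RADIUS and TACACS+ actually hide on the wire.
RADIUS (RFC 2865 s.5.2) hides only User-Password with an MD5(secret || authenticator)
keystream; User-Name and all other attributes are cleartext.  TACACS+ (RFC 8907 s.4.5)
XORs the whole packet body with an MD5-derived pseudo-pad; only the 12-byte header is
readable.  All secrets and identities below are constructed values."""
import hashlib
import os
import struct
from typing import Optional

# ---------- RADIUS ----------
def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s.5.2: c1 = p1 XOR MD5(S+RA); c_n = p_n XOR MD5(S + c_{n-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)      # NUL-pad to 16-octet blocks
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password: what the server does with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Code 1 (Access-Request) carrying User-Name (1) and User-Password (2)."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(secret, ra, password))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs

# ---------- TACACS+ ----------
TAC_VERSION_PAP = 0xC1     # major 0xC, minor 1 (used for PAP/CHAP), RFC 8907 s.4.1
TAC_TYPE_AUTHEN = 1

def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s.4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    fixed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_tacacs_authen_start(key: bytes, session_id: int, username: bytes, password: bytes) -> bytes:
    """Authentication START (RFC 8907 s.5.1): action LOGIN(1), priv_lvl 1, authen_type PAP(2),
    service LOGIN(1).  For PAP the password is carried in the data field of the body."""
    port, rem_addr = b"tty0", b"192.0.2.10"                  # constructed values
    body = (struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
            + username + port + rem_addr + password)
    header = struct.pack("!BBBBII", TAC_VERSION_PAP, TAC_TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, TAC_VERSION_PAP, 1)

def readable(packet: bytes, needle: bytes) -> bool:
    """What a passive sniffer without the shared secret finds by plain byte search."""
    return needle in packet

if __name__ == "__main__":
    secret, user, pw = b"constructed-shared-secret", b"alice", b"S3cret!"
    rad = build_access_request(secret, user, pw, authenticator=bytes(range(16)))
    tac = build_tacacs_authen_start(secret, 0x1234ABCD, user, pw)
    print("RADIUS : username readable:", readable(rad, user), " password readable:", readable(rad, pw))
    print("TACACS+: username readable:", readable(tac, user), " password readable:", readable(tac, pw))
```

Run stand-alone, the RADIUS line reports the username as readable and the password as hidden, while the TACACS+ line reports neither as readable. Note that "hidden" here means obscured with an MD5-derived keystream under a shared secret, which is why both protocols are normally confined to a management network or wrapped in TLS or IPsec.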

SSH version 1 and version 2 provide the same security

SSH version 1 has known cryptographic weaknesses. SSH version 2 uses stronger algorithms and should always be used. On Cisco IOS: `ip ssh version 2` enforces version 2 only.

Telnet is acceptable for device management on the internal network

Telnet transmits all data, including passwords, in plaintext. Anyone positioned on the path (a compromised host that can ARP-spoof the segment, a mirrored switch port, an upstream tap) can read the credentials, and internal networks are exactly where attackers land first. SSH version 2 should always be used instead, even on internal networks.

Practice questions — Device Management

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1.Which protocol provides encrypted remote CLI access to a Cisco router?

A.Telnet
B.HTTP
C.SSH
D.SNMP

Answer: C. SSH (Secure Shell) provides encrypted remote CLI access over TCP port 22. Telnet transmits in plaintext. HTTP provides web-based GUI access (not CLI). SNMP is used for monitoring, not interactive CLI access.

Q2.Which AAA protocol uses TCP, fully encrypts its payload, and provides per-command authorization for device management?

A.RADIUS
B.TACACS+
C.Kerberos
D.LDAP

Answer: B. TACACS+ uses TCP port 49, encrypts the entire packet body, and supports granular per-command authorization. These features make it the preferred protocol for network device administration. RADIUS uses UDP and hides only the password.

Q3.A network engineer needs to access a router that has no IP connectivity. Which access method is always available regardless of network state?

A.SSH over the management interface
B.Telnet over a VTY line
C.Console port with rollover cable
D.HTTPS to the web interface

Answer: C. Console port access uses a physical cable connected directly to the device; it does not require IP connectivity. All other methods (SSH, Telnet, HTTPS) require a working network path to the device.

Q4.A company wants to use a single RADIUS server to authenticate wireless users connecting via 802.1X. The RADIUS server uses the default port. Which port must be allowed through the firewall?

A.TCP 49
B.UDP 1812
C.TCP 22
D.UDP 514

Answer: B. RADIUS uses UDP port 1812 for authentication by default (and 1813 for accounting). TCP 49 is TACACS+. TCP 22 is SSH. UDP 514 is Syslog.

Q5.Cisco Meraki network devices are managed through which type of management plane?

A.On-premises controller (DNA Center)
B.CLI via SSH to each device
C.Cloud-based dashboard
D.SNMP management station

Answer: C. Cisco Meraki uses a cloud-based dashboard for all device management. Devices phone home to the Meraki cloud; administrators configure everything through the web dashboard without CLI access to individual devices.

Frequently asked questions — Device Management

What is the difference between in-band and out-of-band management?

In-band management uses the same network as production traffic (SSH over the data network). If the network is down, management access is also unavailable. Out-of-band management uses a separate network or direct console connections — it's accessible even when the production network fails. OOB is critical for emergency access and troubleshooting network outages.

What commands are needed to enable SSH on a Cisco IOS device?

Minimum configuration: (1) `hostname <name>` — required for the RSA key. (2) `ip domain-name <domain>` — required for the key. (3) `crypto key generate rsa modulus 2048` — generates the RSA key pair. (4) `ip ssh version 2` — enforces SSHv2. (5) On VTY lines: `transport input ssh` — restricts VTY to SSH only. (6) `login local` or AAA authentication on the VTY lines.
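Steps 1 to 6 above, and the SSH/Telnet/HTTPS points from the access-methods section, as a check you can run against a saved running-config. This is an added example, not code from the guide or from Cisco: a small Python audit parses a running-config and reports when `ip ssh version 2`, a domain name, or a disabled HTTP listener is missing, and, for every `line vty` block, when `transport input ssh`, an inbound `access-class`, `login local` or AAA `login authentication`, or a non-zero `exec-timeout` is missing. The two configurations are constructed samples (a weak lab config and its hardened form). The RSA modulus cannot be audited this way because `crypto key generate rsa` is an exec command and is not stored in the running-config.

```python
"""Added example (not from the guide): audit the management-plane settings in a Cisco IOS
running-config.  The two configs are constructed samples; nothing here talks to a device,
it only parses saved text."""
from typing import List, Tuple

WEAK_CONFIG = """\
hostname LabRouter
!
ip http server
!
line vty 0 4
 password cisco
 login
 transport input all
 exec-timeout 0 0
!
"""

HARDENED_CONFIG = """\
hostname LabRouter
ip domain-name lab.example
!
ip ssh version 2
no ip http server
ip http secure-server
!
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
!
username admin privilege 15 secret Adm1nP4ss
!
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 login local
 transport input ssh
!
"""

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group a running-config into (top-level line, [indented sub-lines]) pairs.
    IOS nests mode contents (line vty, interface, access-list) under a leading space."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                  # separators carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_management_plane(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = {header for header, _ in blocks}
    findings: List[str] = []
    if "ip ssh version 2" not in top:
        findings.append("SSH version not pinned: add 'ip ssh version 2' (SSHv1 has known weaknesses)")
    if not any(h.startswith(("ip domain-name ", "ip domain name ")) for h in top):
        findings.append("no domain name: 'crypto key generate rsa' requires 'ip domain-name'")
    if "ip http server" in top:
        findings.append("plaintext HTTP management enabled: use 'no ip http server' and keep 'ip http secure-server'")
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            seen = transport[-1] if transport else "platform default"
            findings.append(f"{header}: transport not restricted to SSH ({seen})")
        if not any(c == "login local" or c.startswith("login authentication ") for c in children):
            findings.append(f"{header}: no 'login local' or AAA 'login authentication'; line password only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{header}: no inbound access-class; any source may open a session")
        if "exec-timeout 0 0" in children:
            findings.append(f"{header}: 'exec-timeout 0 0' disables idle logout")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_management_plane(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak sample produces seven findings and the hardened sample none. A missing `transport input` line is reported as "platform default" rather than assumed safe, because the default VTY transport differs between IOS releases; the audit only passes a line that explicitly says `transport input ssh`.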

When should I use TACACS+ vs RADIUS?

Use TACACS+ for network device administration (router/switch CLI access) — it provides per-command authorization, full encryption, and separate accounting. Use RADIUS for network access control — wireless 802.1X, VPN authentication, and wired 802.1X port authentication. RADIUS is an open standard; TACACS+ is Cisco proprietary.

What is Cisco DNA Center (Catalyst Center)?

Cisco DNA Center (rebranded as Catalyst Center) is an on-premises network management and automation platform for enterprise Cisco networks. It provides intent-based networking (policy-driven configuration), network assurance (AI-driven troubleshooting), automation via REST APIs, and integration with security platforms. It's the control plane for Cisco's Software-Defined Access (SD-Access) architecture.

What is the default console port speed on Cisco devices?

The default console port speed is 9600 baud, with 8 data bits, no parity, and 1 stop bit (9600 8N1). This must be matched in the terminal emulator (PuTTY, Tera Term, etc.) to see console output. Some newer platforms support higher speeds, but 9600 is the universal default.
