topic follow-up questions: in Network Security

Tracking remote logon access to my 3750 switch

doddman11 — Fri, 21 Feb 2020 13:39:00 GMT

I need to know if someone logged into my switch without my knowledge. Is this information in default logs?

Do you have some TACACS or

7367wells — Fri, 18 Dec 2015 16:43:33 GMT

Do you have some TACACS or similar configured?

I had to google this term - I

doddman11 — Fri, 18 Dec 2015 16:56:47 GMT

I had to google this term - I do not.

Ah okay, in that case I dont

7367wells — Fri, 18 Dec 2015 17:05:32 GMT

Ah okay, in that case I dont know of a way to do it.

In the short term you can set up an ACL to restrict which VLANs have access via SSH to your switch. Then research setting up some kind AAA method, that way you can make sure there is a log of who is authenticating, a list of who can authenticate and what commands they have done.

Thanks for your help and time

doddman11 — Fri, 18 Dec 2015 17:39:45 GMT

Thanks for your help and time.

follow-up questions:

doddman11 — Fri, 18 Dec 2015 18:09:33 GMT

follow-up questions:

1. Does AAA require a central server with specific software? And by server, does it mean a computer?

2. These lines are at the end of the config:

line con 0
password x
login
exec-timeout 2 30
line vty 0 4
password x
login
exec-timeout 2 30
line vty 5 15
password x

Wouldn't "line 0 15" do the same thing if the passwords are the same?

3. What about system messages saved to the default syslog? Are these cleared once you log out of console or vty?

1. Yes you configure ACS on a

7367wells — Mon, 21 Dec 2015 15:10:32 GMT

1. Yes you configure ACS on a server (virtual is fine). Then you can configure the switch to authenticate that ACS server. (ACS provides the AAA)

2. https://learningnetwork.cisco.com/thread/2367 should be able to shed some light on that for you. Incidentally you have exec timeout configured on only the first 5 lines.

3. I think you are referring to the normal log (show log) then it isnt cleared when you log out.