Find out the logged in IP/username on switch

ittechk4u1
Level 4

Hello Experts,

I wanted to know which username and IP logged in to the Cisco switch two days ago and which commands he/she used!!!

Is there any possibility to find out!!

Thanks

7 Replies

Seb Rupik
VIP Alumni

Hi there,

 

Do you have any functioning aaa accounting methods configured? Or configuration change notification and logging setup?

 

Without either of these you will not be able to trace users and configuration changes.

 

cheers,

Seb.

 

 

No, aaa accounting is not configured.

 

Thanks

No, I don't. Is there any command which can show us the computer name/IP logged in to the switch a few days ago?

I found a few commands but they are not sufficient: show configuration history & sh history all

 

Thanks

Two configuration commands which would be of use are:

!
login on-success log
login on-failure log
!

However, adding these retrospectively is not going to help you now.

I think without any of the commands suggested so far being in place before the incident you will not be able to trace the user/IP.

Sorry.

 

cheers,

Seb.

 

I agree with Seb that based on what you have told us about your environment it is not possible to find out who logged in several days ago. The suggestion of login on-success log is a starting place but I would suggest that configuring aaa accounting would be a much better solution (assuming that you do have an aaa server that could receive and store the accounting records). The usefulness of login on-success log depends on how/whether logging is enabled (which we do not know) and unless you are sending your syslog messages to an external log server a reboot of your router would put you back in the situation where you cannot determine who logged in days ago.

 

HTH

 

Rick


Hello

Just like to add to Seb's suggestion, you'll also need to enable login attacks for this to work successfully.


Example:
sh login | be Router
Router NOT enabled to watch for login Attacks

conf t
login block-for 300 attempts 3 within 180
end

 

sh login | be Router
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 180 seconds or less,
logins will be disabled for 300 seconds.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
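
Once `login on-success log`, `login on-failure log` and configuration change logging are in place and syslog is sent to an external server as suggested in this thread, the original question (who logged in, from where, and which commands they ran) can be answered from the stored messages. The following is an added example, not code from any poster in this thread: the `summarize` helper is hypothetical, the sample lines are constructed, and the `%SEC_LOGIN` and `%PARSER-5-CFGLOG_LOGGEDCMD` message layouts are assumed to match typical IOS output.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses, not real data).
SAMPLE_LOG = """\
Mar  5 14:01:02 sw1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed] at 14:01:02 UTC Tue Mar 5 2019
Mar  5 14:03:11 sw1 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 192.0.2.10] [localport: 22] at 14:03:11 UTC Tue Mar 5 2019
Mar  5 14:04:40 sw1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet0/1
Mar  5 14:04:52 sw1 104: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:shutdown
Mar  5 14:09:00 sw1 105: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
"""

# Login messages produced by "login on-success log" / "login on-failure log".
# The user field may be empty on a failed attempt, hence [^\]]* rather than \S+.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]"
)
# Per-command messages from configuration change notification (assumed layout).
CMD_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)


def summarize(log_text):
    """Return (logins, commands): login attempts in order, commands per user."""
    logins = []
    commands = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m["user"].strip(), m["src"], m["result"].lower()))
            continue
        m = CMD_RE.search(line)
        if m:
            commands[m["user"]].append(m["cmd"].strip())
    return logins, dict(commands)


if __name__ == "__main__":
    logins, commands = summarize(SAMPLE_LOG)
    for user, src, result in logins:
        print(f"login {result:7s} user={user or '<none>'} source={src}")
    for user, cmds in commands.items():
        print(f"commands by {user}: {cmds}")
```
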