12-14-2015 11:27 AM - edited 03-08-2019 03:06 AM
Hi. How can I password protect a console session so that someone is prompted when plugging a console in to a network switch?
12-14-2015 12:38 PM
Hi,
config t
!
service password-encryption
!
enable secret PASSWORD
!
line console 0
password PASSWORD
!
line vty 0 4
password PASSWORD
!
end
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Regards
Alex
12-16-2015 08:25 AM
No luck. I don't get any prompts going in through a console session. Only if I elevate to exec mode it prompts for a password but I want it to prompt from the very start.
It's a Cisco 3560 Switch
12-16-2015 09:09 AM
Hi,
So are you connected directly into the console port or are you accessing via telnet/ssh ?
If you are on the console directly, then to see a prompt for security you need to configure
conf t
!
line cons 0
password YOURPASSWORD
!
end
quit
and retry the console port; you should now require a password when you hit carriage return
Regards
Alex
12-16-2015 10:43 AM
So here's what I have and still no luck. The minute I open PuTTY with a console cable plugged in I go right in to SWITCH>
line con 0
password 7 0202165A0E2570B2E5F
12-16-2015 12:11 PM
Hi,
Can you try adding the lines like this
enable
!
conf t
line cons 0
password YOURPWD
login
!
end
quit
Wait 5 secs
Hit return & test
Regards
Alex
12-16-2015 12:43 PM
So I can't do "login"; it has to be "login authentication...."
12-17-2015 04:13 AM
Hi,
So this means you have aaa new-model configured; I guess you are using TACACS+ or RADIUS.
If not, can you share your switch config, as maybe someone else has left config on the box which is stopping your needs.
Regards
Alex
12-17-2015 07:20 PM
Looks like that did it! I'm not using RADIUS or TACACS at the moment, but I removed aaa new-model and was able to set it. Now I get prompted.
If I was using RADIUS or TACACS though, would I be unable to accomplish this?
12-18-2015 08:40 AM
Hi,
If you were to use TACACS+, everyone who logs on to the box, whether console port or telnet/ssh, would need a username and password.
Users can be set up with different rights, e.g.
Maybe you as full admin would have access to all show, config read & write.
Maybe a different user could have show as read only etc.
Loads of info at:-
http://www.cisco.com/c/en/us/tech/security-vpn/terminal-access-controller-access-control-system-tacacs/index.html?referring_site=bodynav
Hope this helps
Regards
Alex
12-18-2015 09:46 AM
Right. Got it, good to know. At least it can be done so you have a password in all areas either local or through TACACS. Thanks again for the help!
12-14-2015 02:14 PM
Hello,
Adding to Alex's answer.
line console 0
! 5 minutes 0 seconds
exec-timeout 5 0
It will end the session after 5 minutes if session is idle.
Masoud
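Added example, not part of the original thread or any poster's code: a small Python check that reads IOS line configuration and reports the condition the thread ran into (a line `password` with no `login`), plus a disabled idle timeout. The sample configs, the `<type-7-string>` placeholder and the function names are constructed for illustration; it assumes that without `aaa new-model` a line only prompts when `login` is present, as the thread found.

```python
import re

# Constructed sample modeled on the thread: password set, but no "login".
BROKEN = """\
line con 0
 password 7 <type-7-string>
 exec-timeout 0 0
line vty 0 4
 password 7 <type-7-string>
 login
!
end
"""
FIXED = BROKEN.replace(" exec-timeout 0 0", " login\n exec-timeout 5 0")

def parse(config):
    """Return (aaa_enabled, {line header: [sub-commands]}) from config text."""
    aaa, blocks, current = False, {}, None
    for raw in config.splitlines():
        text = " ".join(raw.split())          # normalize indentation and spacing
        if text == "aaa new-model":
            aaa = True
        elif re.match(r"line \S+ \d", text):  # "line con 0", "line vty 0 4", ...
            current = blocks.setdefault(text, [])
        elif text in ("", "!", "end"):        # separators close the current block
            current = None
        elif current is not None:
            current.append(text)
    return aaa, blocks

def audit(config):
    """Map each line block to findings; an empty list means nothing was flagged."""
    aaa, blocks = parse(config)
    report = {}
    for header, cmds in blocks.items():
        found = []
        has_pw = any(c.startswith("password ") for c in cmds)
        logins = [c for c in cmds if c.startswith("login")]
        if aaa:  # plain "login" is not accepted once aaa new-model is enabled
            if not any(c.startswith("login authentication") for c in cmds):
                found.append("aaa new-model set: review the AAA method list for this line")
        elif not logins:
            found.append("no 'login': session opens without a password prompt")
        elif "login" in logins and not has_pw:
            found.append("'login' without 'password': no line password to check")
        if "exec-timeout 0 0" in cmds:
            found.append("exec-timeout 0 0: idle sessions never close")
        report[header] = found
    return report
```

Run `audit()` over the text of `show running-config`; any non-empty list for `line con 0` means the console should be rechecked.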