Solved: Re: How to disable AUX port in ASR 9010

saikchak1 · ‎09-30-2012

Hi All,

How to disable the AUX port in ASR 9010. Inside "line aux" I can't configure anything except "login authentication" (which is used for aaa authentication).

Also after IOS XR 3.2 the configuration for AUX port has been removed

Platform used: ASR 9010

Version: IOS-XR 4.1.2

Best Regards

Saikat Chakraborty

Alexei Kiritchenko · ‎09-30-2012

Hi Saikat,

No, we can not disable AUX.

Regards,

/A

View solution in original post

Alexei Kiritchenko · ‎09-30-2012

Hi Saikat,

No, we can not disable AUX.

Regards,

/A

saikchak1 · ‎10-01-2012

Hi,

Can you refuse/deny connection to aux port? like "transport input none/transport out none or any access-list for denial of access to aux port". It's being asked by my customer for IOS XR hardening checklist they have. If not possible, then I can give them a sufficient reasoning.

Best Regards

Saikat

Alexei Kiritchenko · ‎10-01-2012

Hi Saikat,

AUX has the same authentication method as we have on the system. From this perspective, AUX is protected the same way as the Console port and only those who have an account can login via AUX (same way as via console). Any attempts to log on AUX will be logged:

Successful:

ksh[65902]: Successfully authenticated user 'XXX' for ksh access via 'aux' on '0/RSP0/CPU0'

Incorrect:

ksh[65902]: Failed authentication attempt by user 'YYY' for ksh access via 'aux' on '0/RSP0/CPU0

But if anyone has a physical access to the device, that would be even bigger threat compare to system protected AUX login.

BTW, tacacs authentication should work for AUX too. We’d need to define a template for it.

Example:

!

aaa authentication login tacacs_template group tacacs+ local

!

line template aux

login authentication tacacs_template

!

Regards,

/A