Secure Cisco console with AAA

With a factory configuration a Cisco router, switch or access point comes without any serial console setup. This means connect a serial console to your laptop (I use a Serial-2-USB adapter) and you’re in. To protect the Cisco console from this some commands have to be set to get a user and password prompt to log in. The method I’m using is with Cisco’s new AAA model (Authentication, Authorization and Accounting) and a group.

In my opinion using aaa new-model now gives later a benefit if I want to move to RADIUS or TACACS. Also to use AAA groups is quite simple.

        rtr-881(config)# aaa new-model
        rtr-881(config)# aaa authentication login grp.console local-case
        rtr-881(config)# aaa authorization console
Use new AAA commands and create new AAA group
        rtr-881(config)# username [user] secrect [secretpassword]
Set username and password

After I created the AAA ground and the user I am going to apply it to line con 0 as shown below.

        rtr-881(config)# line con 0
        rtr-881(config-line)# login authentication grp.console
        rtr-881(config-line)# exit
        rtr-881(config)# exit
Secure console with AAA group
        Press RETURN to get started.

        User Access Verification

        Username: [user]
        Password: [secretpassword]
Test console access

If you set up logins with RADIUS or TACACS, just put the AAA group for RADIUS or TACACS in line con 0. Don’t forget to wr mem after a successful test.