Secure Cisco console with AAA
Cisco console
With a factory configuration, a Cisco router, switch or access point comes without any login set up on the serial console. This means anyone who connects a laptop to the serial console (I use a Serial-2-USB adapter) is in. To protect the Cisco console from this, a few commands have to be set so that the device prompts for a user and password at login. The method I'm using is Cisco's new AAA model (Authentication, Authorization and Accounting) together with a group.
AAA (Authentication, Authorization and Accounting)
In my opinion, using aaa new-model now pays off later if I want to move to RADIUS or TACACS. AAA groups are also quite simple to use.
rtr-881(config)# aaa new-model
rtr-881(config)# aaa authentication login grp.console local-case
rtr-881(config)# aaa authorization console
rtr-881(config)# username [user] secret [secretpassword]
Setup console
After creating the AAA group and the user, I apply the group to line con 0 as shown below.
rtr-881(config)# line con 0
rtr-881(config-line)# login authentication grp.console
rtr-881(config-line)# exit
rtr-881(config)# exit
Press RETURN to get started.
User Access Verification
Username: [user]
Password: [secretpassword]
If you set up logins with RADIUS or TACACS, just put the AAA group for RADIUS or TACACS in line con 0. Don’t forget to wr mem after a successful test.
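To check a saved configuration for the setup described above, the following added example (not part of the original post) audits a running-config text for aaa new-model, a defined login group applied to line con 0, and usernames stored with secret. The function name audit_console and both sample configs are constructed for illustration.

```python
import re

# Constructed sample running-configs (not taken from a real device).
GOOD = """\
aaa new-model
aaa authentication login grp.console local-case
aaa authorization console
username admin secret 9 $9$constructed-hash
line con 0
 login authentication grp.console
line vty 0 4
 transport input ssh
"""
BAD = """\
aaa new-model
aaa authentication login grp.console local-case
username admin password 0 constructed-cleartext
line con 0
 exec-timeout 0 0
line vty 0 4
"""

def audit_console(config):
    """Return a list of findings for the console AAA setup; empty means OK."""
    lines = config.splitlines()
    findings = []
    if not any(l.strip() == "aaa new-model" for l in lines):
        findings.append("aaa new-model is not enabled")
    # Login method lists defined with 'aaa authentication login <name> ...'
    lists = {m.group(1) for l in lines
             if (m := re.match(r"aaa authentication login (\S+)\s", l))}
    # Collect the indented sub-commands that belong to 'line con 0'
    block, in_con = [], False
    for l in lines:
        if l.startswith("line "):
            in_con = l.strip() == "line con 0"
        elif in_con and l.startswith(" "):
            block.append(l.strip())
        elif not l.startswith(" "):
            in_con = False
    applied = [b.split()[2] for b in block if b.startswith("login authentication ")]
    if not applied and "default" not in lists:
        findings.append("line con 0: no login list applied and no default list defined")
    elif applied and applied[0] not in lists:
        findings.append(f"line con 0: login list '{applied[0]}' is not defined")
    for l in lines:
        if (m := re.match(r"username (\S+) password\b", l)):
            findings.append(f"username {m.group(1)}: stored with 'password', not 'secret'")
    return findings
```

Calling audit_console on the text of show running-config returns an empty list when the console setup matches the one in this post.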