Secure Cisco console with AAA

Table of contents

  1. Cicso console
  2. AAA (Authentication, Authorization and Accounting)
  3. Setup console

Cicso console

With a factory configuration a Cisco router, switch or access point comes without any serial console setup. This means connect a serial console to your laptop (I use a Serial-2-USB adapter) and you’re in. To protect the Cisco console from this some commands have to be set to get a user and password prompt to log in. The method I’m using is with Cisco’s new AAA model (Authentication, Authorization and Accounting) and a group.

AAA (Authentication, Authorization and Accounting)

In my opinion using aaa new-model now gives later a benefit if I want to move to RADIUS or TACACS. Also to use AAA groups is quite simple.

    rtr-881(config)# aaa new-model
    rtr-881(config)# aaa authentication login grp.console local-case
    rtr-881(config)# aaa authorization console

    rtr-881(config)# username [user] secrect [secretpassword]

Setup console

After I created the AAA ground and the user I am going to apply it to line con 0 as shown below.

    rtr-881(config)# line con 0
    rtr-881(config-line)# login authentication grp.console
    rtr-881(config-line)# exit
    rtr-881(config)# exit

    Press RETURN to get started.

    User Access Verification

    Username: [user]
    Password: [secretpassword]

If you set up logins with RADIUS or TACACS, just put the AAA group for RADIUS or TACACS in line con 0. Don’t forget to wr mem after a successful test.