Configure Telnet, Console, and AUX Port Passwords on Routers (2023)

    Introduction

    This document describes sample configurations for password protection of inbound EXEC connections to the router.

    Prerequisites

    Requirements

    In order to perform the tasks described in this document, you must have privileged EXEC access to the router command line interface (CLI). For information about the command line and to understand command modes, see Use the Cisco IOS Command-Line Interface.

    For instructions on connection of a console to your router, refer to the documentation that accompanied your router, or refer to the online documentation for your equipment.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco 2509 router

    • Cisco IOS® Software Version 12

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Conventions

    For more information on document conventions, refer to the Cisco Technical Tips Conventions.

    Background Information

    The use of password protection to control or restrict access to the command line interface (CLI) of your router is one of the fundamental elements of an overall security plan.

    Protecting the router from unauthorized remote access, typically Telnet, is the most common security measure that needs to be configured, but protecting the router from unauthorized local access cannot be overlooked.

    Note: Password protection is just one of the many steps to use in an effective in-depth network security regimen. Firewalls, access-lists, and control of physical access to the equipment are other elements that must be considered when you implement your security plan.

    Command line, or EXEC, access to a router can be made in a number of ways, but in all cases the inbound connection to the router is made on a TTY line. There are four main types of TTY lines, as seen in this sample show line output:

    2509#show line
       Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
    *    0 CTY              -    -      -    -    -     0      0     0/0      -
         1 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         2 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         3 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         4 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         5 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         6 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         7 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         8 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
         9 AUX   9600/9600  -    -      -    -    -     0      0     0/0      -
        10 VTY              -    -      -    -    -     0      0     0/0      -
        11 VTY              -    -      -    -    -     0      0     0/0      -
        12 VTY              -    -      -    -    -     0      0     0/0      -
        13 VTY              -    -      -    -    -     0      0     0/0      -
        14 VTY              -    -      -    -    -     0      0     0/0      -
    2509#

    The CTY line type is the console port. On any router, it appears in the router configuration as line con 0 and in the output of the show line command as CTY. The console port is mainly used for local system access with a console terminal.

    The TTY lines are asynchronous lines used for inbound or outbound modem and terminal connections and can be seen in a router or access server configuration as line x. The specific line numbers are a function of the hardware built into or installed on the router or access server.

    The AUX line is the auxiliary port, seen in the configuration as line aux 0.

    The VTY lines are the virtual terminal lines of the router, used solely to control inbound Telnet connections. They are virtual in the sense that they are a function of software; there is no hardware associated with them. They appear in the configuration as line vty 0 4.

    Each of these types of lines can be configured with password protection. Lines can be configured to use one password for all users, or for user-specific passwords. User-specific passwords can be configured locally on the router, or you can use an authentication server to provide authentication.

    There is no prohibition against configuring different lines with different types of password protection. It is, in fact, common to see routers with a single password for the console and user-specific passwords for other inbound connections.

    This is an example of router output from the show running-config command:

    2509#show running-config
    Building configuration...

    Current configuration : 655 bytes
    !
    version 12.2
    .
    .
    .
    !--- Configuration edited for brevity
    line con 0
    line 1 8
    line aux 0
    line vty 0 4
    !
    end

    Configure Passwords on the Line

    To specify a password on a line, use the password command in line configuration mode. To enable a password check at the log in, use the login command in line configuration mode.

    Configuration Procedure

    In this example, a password is configured for all users who attempt to use the console.

    1. From the privileged EXEC (or enable) prompt, enter configuration mode and then switch to line configuration mode with these commands. Notice that the prompt changes to reflect the current mode.

      router#configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      router(config)#line con 0
      router(config-line)#
    2. Configure the password, and enable password checking at log in.

      router(config-line)#password letmein
      router(config-line)#login
    3. Exit configuration mode.

      router(config-line)#end
      router#
      %SYS-5-CONFIG_I: Configured from console by console

      Note: Do not save configuration changes to line con 0 until your ability to log in has been verified.

      Note: Under the line console configuration, login is a required configuration command to enable a password check when logging in. Console authentication requires both the password and the login commands to work.

    Verify the Configuration

    Examine the configuration of the router to verify that the commands have been properly entered:

    • show running-config - displays the current configuration of the router.

      router#show running-config
      Building configuration...
      ...
      !--- Lines omitted for brevity
      !
      line con 0
       password letmein
       login
      line 1 8
      line aux 0
      line vty 0 4
      !
      end

      To test the configuration, log off the console and log in again, and use the configured password to access the router:

      router#exit
      router con0 is now available
      Press RETURN to get started.
      User Access Verification
      Password:
      !--- Password entered here is not displayed by the router
      router>

      Note: Before you perform this test, ensure that you have an alternate connection into the router, such as Telnet or dial-in, in case there is a problem when you log back into the router.

    Troubleshoot Log in Failure

    If you cannot log back into the router and you have not saved the configuration, reload the router to eliminate any configuration changes you have made.

    If the configuration changes were saved and you cannot log in to the router, perform a password recovery. See Password Recovery Procedures to find instructions for your particular platform.

    Configure Local User-Specific Passwords

    To establish a username-based authentication system, use the username command in global configuration mode. To enable a password check at log in, use the login local command in line configuration mode.

    Configuration Procedure

    In this example, passwords are configured for users who attempt to connect to the router on the VTY lines with Telnet.

    1. From the privileged EXEC (or enable ) prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:

      router#configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      router(config)#username russ password montecito
      router(config)#username cindy password belgium
      router(config)#username mike password rottweiler
    2. Switch to line configuration mode, and use these commands. Notice that the prompt changes to reflect the current mode.

      router(config)#line vty 0 4
      router(config-line)#
    3. Configure a password check at log in.

      router(config-line)#login local
    4. Exit configuration mode.

      router(config-line)#end
      router#
      %SYS-5-CONFIG_I: Configured from console by console

    Note: In order to disable auto Telnet when you type a name on the CLI, configure no logging preferred on the line that is used. While transport preferred none provides the same result, it also disables auto Telnet for the defined hosts that are configured with the ip host command. This is unlike the no log preferred command, which stops it for undefined hosts and lets it work for the defined ones.

    Verify the Configuration

    Examine the configuration of the router to verify that the commands have been properly entered:

    • show running-config - displays the current configuration of the router.

      router#show running-config
      Building configuration...
      !
      !--- Lines omitted for brevity
      !
      username russ password 0 montecito
      username cindy password 0 belgium
      username mike password 0 rottweiler
      !
      !--- Lines omitted for brevity
      !
      line con 0
      line 1 8
      line aux 0
      line vty 0 4
       login local
      !
      end

      To test this configuration, a Telnet connection must be made to the router. You can connect from a different host on the network, or you can test from the router itself by using telnet to the IP address of any interface on the router that is in an up/up state, as seen in the output of the show interfaces command.

    Here is a sample output if the address of interface ethernet 0 were 10.1.1.1:

    router#telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    User Access Verification
    Username: mike
    Password:
    !--- Password entered here is not displayed by the router
    router>

    Troubleshoot User-specific Password Failure

    Usernames and passwords are case-sensitive. Users who attempt to log in with an incorrectly cased username or password are rejected.

    If users are unable to log into the router with their specific passwords, reconfigure the username and password on the router.

    Configure AUX Line Password

    In order to specify a password on the AUX line, issue the password command in line configuration mode. In order to enable a password check at log in, issue the login command in line configuration mode.

    Configuration Procedure

    In this example, a password is configured for all users who attempt to use the AUX port.

    1. Issue the show line command in order to verify the line used by the AUX port.

      R1#show line
         Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
      *    0 CTY              -    -      -    -    -     0      0     0/0      -
          65 AUX   9600/9600  -    -      -    -    -     0      1     0/0      -
          66 VTY              -    -      -    -    -     0      0     0/0      -
          67 VTY              -    -      -    -    -     0      0     0/0      -
    2. In this example, the AUX port is on line 65. Issue these commands in order to configure the router AUX line:

      R1#configure terminal
      R1(config)#line 65
      R1(config-line)#modem inout
      R1(config-line)#speed 115200
      R1(config-line)#transport input all
      R1(config-line)#flowcontrol hardware
      R1(config-line)#login
      R1(config-line)#password cisco
      R1(config-line)#end
      R1#

    Verify Configuration

    Examine the configuration of the router in order to verify that the commands have been properly entered:

    • The show running-config command displays the current configuration of the router:

      R1#show running-config
      Building configuration...
      !
      !--- Lines omitted for brevity.
      line aux 0
       password cisco
       login
       modem InOut
       transport input all
       speed 115200
       flowcontrol hardware
      !--- Lines omitted for brevity.
      !
      end

    Configure AAA Authentication for Log In

    To enable authentication, authorization, and accounting (AAA) authentication for log ins, use the login authentication command in line configuration mode. AAA services must also be configured.

    Configuration Procedure

    In this example, the router is configured to retrieve users' passwords from a TACACS+ server when users attempt to connect to the router.

    Note: Configuration of the router to use other types of AAA servers (RADIUS, for example) is similar. See Configure Authentication for additional information.

    Note: This document does not address configuration of the AAA server itself.

    1. From the privileged EXEC (or enable ) prompt, enter configuration mode and enter the commands to configure the router to use AAA services for authentication:

      router#configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      router(config)#aaa new-model
      router(config)#aaa authentication login my-auth-list tacacs+
      router(config)#tacacs-server host 192.168.1.101
      router(config)#tacacs-server key letmein
    2. Switch to line configuration mode and use these commands. Notice that the prompt changes to reflect the current mode.

      router(config)#line 1 8
      router(config-line)#
    3. Configure a password check at log in.

      router(config-line)#login authentication my-auth-list
    4. Exit configuration mode.

      router(config-line)#end
      router#
      %SYS-5-CONFIG_I: Configured from console by console

    Verify the Configuration

    Examine the configuration of the router to verify that the commands have been properly entered:

    • show running-config - displays the current configuration of the router.

      router#write terminal
      Build configuration...
      Current configuration:
      !
      version 12.0
      service timestamps debug uptime
      service timestamps log uptime
      no service password-encryption
      !
      hostname router
      !
      aaa new-model
      aaa authentication login my-auth-list tacacs+
      !
      !--- Lines omitted for brevity ...
      !
      tacacs-server host 192.168.1.101
      tacacs-server key letmein
      !
      line con 0
      line 1 8
       login authentication my-auth-list
      line aux 0
      line vty 0 4
      !
      end

    To test this particular configuration, an inbound or outbound connection must be made to the line. See the Modem - Router Connection Guide for specific information on configuration of asynchronous lines for modem connections.

    Alternatively, you can configure one or more VTY lines to perform AAA authentication and run your test on those lines.
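    The three procedures above (a shared line password with password and login, user-specific passwords with username and login local, and AAA with aaa new-model, an aaa authentication login list and login authentication) each leave a recognizable pattern in the running configuration. The following script is an added example, not code from this document or from Cisco: it parses saved show running-config text and reports any line stanza that does not match one of those three patterns completely, plus credentials stored in cleartext (password 0 or an untyped password, as the sample outputs above show). The sample configurations embedded in it are constructed for the example, and the type-5 and type-7 strings in them are placeholders rather than genuine encodings. The AAA default-list fall-through for lines without an explicit login command is deliberately not modelled; such lines are reported for manual review.

```python
"""Audit Cisco IOS running-config text for line-access password protection.

Added example (not Cisco's code): applies the three protection patterns the
document describes to every 'line' stanza found in a saved configuration.
"""
import re
from typing import Dict, List, Tuple


def parse_stanzas(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into global commands and per-'line' stanzas.

    IOS indents a stanza's children by one space; '!' lines are separators.
    Returns (global_commands, {"line con 0": [children], ...}).
    """
    global_cmds: List[str] = []
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):                 # child of the current stanza
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            stanzas.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, stanzas


def audit_line_auth(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    global_cmds, stanzas = parse_stanzas(config)
    usernames = [c for c in global_cmds if c.startswith("username ")]
    aaa_lists = {m.group(1) for m in
                 (re.match(r"aaa authentication login (\S+)", c) for c in global_cmds) if m}
    aaa_new_model = "aaa new-model" in global_cmds
    findings: List[str] = []
    for u in usernames:  # 'password 0 x' and 'password x' are stored in cleartext
        m = re.match(r"username (\S+) password(?: 0)? \S+$", u)
        if m:
            findings.append(f"user {m.group(1)}: cleartext password; prefer 'username ... secret'")
    for header, children in stanzas.items():
        has_password = any(c.split()[0] == "password" for c in children)
        auth = next((c.split() for c in children if c.split()[0] == "login"), None)
        if auth is None:
            findings.append(f"{header}: no login-type command; review manually")
        elif auth == ["login"] and not has_password:
            findings.append(f"{header}: 'login' set but no 'password'; both are required")
        elif auth == ["login", "local"] and not usernames:
            findings.append(f"{header}: 'login local' but no username entries exist")
        elif auth[:2] == ["login", "authentication"] and len(auth) == 3:
            if not aaa_new_model:
                findings.append(f"{header}: 'login authentication' requires 'aaa new-model'")
            if auth[2] not in aaa_lists:
                findings.append(f"{header}: AAA list '{auth[2]}' is not defined")
        for c in children:
            if re.match(r"password(?: 0)? \S+$", c):
                findings.append(f"{header}: line password stored in cleartext (type 0)")
    return findings


# Constructed sample configs (not captured from a device); the type-5 and
# type-7 strings below are placeholders, not real encodings.
CONFIG_OK = """\
version 12.2
!
username mike secret 5 $1$PLAC$eholderHashNotRealxxxxxxxxx
!
line con 0
 password 7 0123456789ABCDEF
 login
line aux 0
 password 7 0123456789ABCDEF
 login
line vty 0 4
 login local
!
end
"""

CONFIG_AAA_OK = """\
aaa new-model
aaa authentication login my-auth-list tacacs+
tacacs-server host 192.168.1.101
line 1 8
 login authentication my-auth-list
line vty 0 4
 login authentication my-auth-list
"""

CONFIG_BAD = """\
username russ password 0 montecito
!
line con 0
 login
line 1 8
 login authentication my-auth-list
line aux 0
 password cisco
 login
line vty 0 4
!
end
"""

if __name__ == "__main__":
    for name, cfg in [("ok", CONFIG_OK), ("aaa-ok", CONFIG_AAA_OK), ("bad", CONFIG_BAD)]:
        print(name, audit_line_auth(cfg) or ["no findings"])
```

    Running it against CONFIG_BAD reports six findings: the cleartext password for user russ, line con 0 with login but no password (the case the console note above warns about), line 1 8 referencing an AAA list that is not defined and with no aaa new-model, the cleartext password on line aux 0, and line vty 0 4 with no login-type command at all. The two well-formed samples produce no findings.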

    Troubleshoot AAA Log In Failure

    Before you issue debug commands, see Important Information on Debug Commands.

    To troubleshoot a failed log in attempt, use the debug command appropriate to your configuration:

    • debug aaa authentication

    • debug radius

    • debug kerberos

    Related Information

    • Cisco IOS Debug Command Reference
    • Cisco Technical Support and Downloads

    Article information

    Author: Wyatt Volkman LLD

    Last Updated: 26/06/2023
