Question on best practice for "line console 0" authentication

news2010a
Level 3

Currently I have the below entry under my line console 0:

(...)
line console 0
login authentication default
password <desired password>
(...)

Then when I attempt to access the router via console, I get prompted to authenticate via my TACACS+ credentials.

Instead, is it a better idea if I do the below in order to always get authenticated via the "password" under line console 0 instead of the TACACS+?

line console 0
no login authentication default
password <desired password>
login

Accepted Solution

Edison Ortiz
Hall of Fame

It is easier to crack a simple password vs. a username/password combination from TACACS+.

TACACS+ also offers accounting which will help if you need to run a report to determine who has logged onto the device.

Best Practice will always recommend the highest level of security possible and a simple password won't provide that.

Make sure to have a fall-back mechanism in the 'aaa' commands in case the TACACS+ isn't available. The norm is to fall-back to local authentication.

Regards,

Edison.


I agree with Edison. Use aaa authentication line default tacacs line (I think this is close) so if tacacs is unavailable it falls back to line authentication.

Another good tip is to set the tacacs-server timeout to 2-3 seconds. I think the default is 15sec. If tacacs is unavailable and you are on the console, it will take 15 sec per aaa server configured before you can try the line password. Been there....

Aaron

Marlon

I would agree with Edison and Aaron that best practice is probably that TACACS is preferred to the line password. And if you want to use a line password on the console, I do not believe that your suggested config would work. A config that would work might look something like this:

aaa authentication login cons_auth line
line con 0
login authentication cons_auth

HTH

Rick
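
As an added example (not from this thread or from Cisco), a small Python audit that parses an IOS running-config, finds the login method list applied to line con 0, and flags the two gaps the replies warn about: no fallback method after TACACS+ and no shortened tacacs-server timeout. The two sample configs, the server address and the list names are constructed for the example.

```python
"""Audit the console-line login method list in a Cisco IOS config."""
import re

# Constructed sample configs (not from the thread). The first mirrors the
# original poster's setup with a TACACS+-only default list; the second
# follows the fallback and timeout advice given in the replies.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.0.2.10
line con 0
 login authentication default
 password ConsolePassPlaceholder
"""
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login cons_auth group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server timeout 3
line con 0
 login authentication cons_auth
"""

# Methods that still work when every TACACS+ server is unreachable.
FALLBACKS = {"local", "local-case", "line", "enable"}


def audit_console_auth(config: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lists = {}  # method-list name -> list of method keywords
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    con = re.search(r"^line con(?:sole)? 0\n((?: .*\n)*)", config, re.M)
    block = con.group(1) if con else ""
    m = re.search(r"^ login authentication (\S+)", block, re.M)
    # Under aaa new-model, a line with no explicit list uses "default".
    list_name = m.group(1) if m else "default"
    methods = lists.get(list_name)
    if methods is None:
        return [f"console references undefined method list '{list_name}'"]
    uses_tacacs = any(x.startswith("tacacs") for x in methods)
    if uses_tacacs and not (FALLBACKS & set(methods)):
        findings.append(f"method list '{list_name}' has no fallback after TACACS+")
    if uses_tacacs:
        t = re.search(r"^tacacs-server timeout (\d+)", config, re.M)
        if t is None or int(t.group(1)) > 5:
            findings.append("tacacs-server timeout not shortened; console login "
                            "waits out each TACACS+ server before any fallback")
    return findings
```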
