Community Member

Question on best practice for "line console 0" authentication

Currently I have the below entry under my line console 0:

(...)
line console 0
 login authentication default
 password <desired password>
(...)

Then when I attempt to access the router via console, I get prompted to authenticate via my TACACS+ credentials.

Instead, is it a better idea if I do the below in order to always get authenticated via the "password" under line console 0 instead of the TACACS+?

line console 0
 no login authentication default
 password <desired password>
 login

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

Re: Question on best practice for "line console 0" authentication

It is easier to crack a simple password vs a username|password combination from TACACS+.

TACACS+ also offers accounting which will help if you need to run a report to determine who has logged onto the device.

Best Practice will always recommend the highest level of security possible and a simple password won't provide that.

Make sure to have a fall-back mechanism in the 'aaa' commands in case the TACACS+ isn't available. The norm is to fall-back to local authentication.

Regards,

Edison.

3 REPLIES
Community Member

Re: Question on best practice for "line console 0" authentication

I agree with Edison. Use aaa authentication line default tacacs line (I think this is close) so if tacacs is unavailable it falls back to line authentication.

Another good tip is to set the tacacs-server timeout to 2-3 seconds. I think the default is 15 sec. If tacacs is unavailable and you are on the console, it will take 15 sec per aaa server configured before you can try the line password. Been there....

Aaron

Hall of Fame Super Gold

Re: Question on best practice for "line console 0" authentication

Marlon

I would agree with Edison and Aaron that best practice is probably that TACACS is preferred to the line password. And if you want to use a line password on the console I do not believe that your suggested config would work. A config that would work might look something like this:

aaa authentication login cons_auth line

line con 0
 login authentication cons_auth

HTH

Rick
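The advice in the thread (Edison's TACACS+ with local fallback and accounting, Aaron's shorter tacacs-server timeout and line fallback, Rick's named method list on the console) pulled together into one IOS configuration. This is an added example, not a config posted by anyone in the thread; the server address, key, usernames and passwords are placeholders, and it uses the legacy tacacs-server syntax that Aaron refers to.

```cisco
! Added example; not from any poster on this thread.
! 192.0.2.10, TACACS_KEY_PLACEHOLDER and the secrets below are placeholders.
aaa new-model
!
! Short server timeout: with the 15 s default, a dead TACACS+ server stalls
! every console login attempt for 15 s per configured server before fallback.
tacacs-server host 192.0.2.10 key TACACS_KEY_PLACEHOLDER
tacacs-server timeout 3
!
! Local account consulted only when the "local" fallback method is reached.
username admin privilege 15 secret ADMIN_SECRET_PLACEHOLDER
!
! Method lists: TACACS+ first. The next method ("local" per Edison, "line" per
! Aaron) is tried only when no TACACS+ server answers, NOT when a server
! rejects the credentials, so the fallback does not weaken normal logins.
aaa authentication login default group tacacs+ local
aaa authentication login cons_auth group tacacs+ line
aaa authorization exec default group tacacs+ local
!
! Accounting: per-user records of who logged in and which privileged
! commands they ran, which a plain line password cannot provide.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Console uses the named list (Rick's approach) with the line password as
! the last-resort method when TACACS+ is unreachable.
line con 0
 login authentication cons_auth
 password LINE_PASSWORD_PLACEHOLDER
!
line vty 0 4
 login authentication default
 transport input ssh
```

The poster's original "no login authentication default" plus "login" would not behave as intended under aaa new-model, because with AAA enabled a line without an explicit method list still uses the default list rather than the bare line password.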
