This Question is Answered
1161 Views 8 Replies Latest reply: Nov 4, 2012 9:44 PM by Adrian Kells RSS

The console port

Oct 28, 2012 7:52 PM

Mimma 13 posts since
Oct 23, 2012

Hi there, in order to put a password for the console port, you need two commands: the password command and the login command, so my Q is:

Why do we need to use the login command anyway, what's the point of using it? And if it's important and critical, how could it be reversible? In other words, how can I execute either of the two commands first, then the other one, yet everything still works fine, and vice versa?

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    1. Oct 28, 2012 8:12 PM (in response to Mimma)
    Re: The console port

    Hi-

     

    Great questions.

     

    The console port/line doesn't require a login by default.

     

    To change this behavior, we add the keyword "login" to the console line and then a password is required before allowing access.   The password is added so that we can specify what the required password should be for future console access.

     

    To reverse the process, the "no login" command in line console configuration mode will tell the router/switch that no login is required (even if there is a password configured on the line).

     

    Keith

  • Osanda 161 posts since
    Sep 18, 2012
    3. Oct 28, 2012 10:56 PM (in response to Mimma)
    Re: The console port

    I think Keith has answered your question perfectly. The login command tells the IOS to ask for a password next time you log in. In order to reverse it you simply type in no login, and that's the purpose of the login command.

  • AshwinR 357 posts since
    May 7, 2012
    4. Oct 29, 2012 2:22 AM (in response to Mimma)
    Re: The console port

    The reason you need to put in the login command is that it tells the router/switch to ask for the password you have configured. These are 2 separate steps/processes.

    If you only configure the password, the router still doesn't know it has to ask for the password when someone connects. So if you leave out the login, someone connecting via SSH will immediately be logged in to the router/switch. That is why you need the login command. You have to tell the router that it has to ask for the password you have configured.

  • Conwyn 7,914 posts since
    Sep 10, 2008
    5. Oct 29, 2012 5:36 AM (in response to Mimma)
    Re: The console port

    Hi Mimma

     

    There are lots of options on the login command. A single password is just one.

     

    Regards Conwyn

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    6. Oct 29, 2012 9:56 AM (in response to Osanda)
    Re: The console port

    Osanda wrote:

     

    I think Keith has answered your question perfectly. The login command tells the IOS to ask for a password next time you log in. In order to reverse it you simply type in no login, and that's the purpose of the login command.

    Good questions.

     

    Let's say we are going to visit a friend, and our friend told us they were out for a few minutes, and if we got to the house and they weren't home, to just open the door and come in. Our friend also mentioned that there is a key under the door-mat in case the door is locked.

     

    When we show up, we try the door, it isn't locked so we just go in (no key required, although the key was available if needed).

     

    Now, let's apply that analogy to the console of a new router/switch. If we go to line configuration mode for line con 0 (the console port) and say:

     

    password cisco

     

    That is similar to putting a key under the door-mat, the key is configured (in this case the password).     If we logged off from the console and reconnected, the door isn't locked (no key required) by default.      If we want to tell the console line that a password is "required" for access (similar to locking the door), we would then go to line con 0 and add the following:

     

    login

     

    Which means that a  "login" which in this case requires the correct password of "cisco" to be used before access is granted.

     

    If we try to configure the "login" command without having a password configured, the router/switch provides feedback, right then and there regarding the problem.  

     

    At the end of the day, if we want to provide basic password protection of the console, we would need both commands implemented.

     

    Let me know if that helps.

     

    Cheers,

     

    Keith Barker

  • Adrian Kells 148 posts since
    Jul 5, 2012
    8. Nov 4, 2012 9:44 PM (in response to Mimma)
    Re: The console port

    Mimma,

     

    I just have a tip that I prefer to use myself.

    When it comes to routers and switches, for logging in remotely either via SSH or Telnet,

    in the vty and console section of the config, try using login local.

    The reason for this is, the router/switch checks a local database for a user.

    Switch(config)# username test privilege 15 secret cisco

    Now the line above says this: create a username in the database (test), set their privilege to privileged mode (15 is the highest), and the password is cisco.

     

    This is the reason why I think this is a better option than creating password cisco

    under the vty/con line: a password, even with service encryption, isn't very great, and you can't set a vty password as secret (secret being more secure encryption). Therefore, if you set a username using secret rather than password, you will have to provide a username to log in as well as a password. If they have access to the config, secret provides better encryption.

     

    When you utilise this, you do not have to specify a password under vty/con and you also don't have to set an enable password, as they have to log in as a specified user who (in this case) has full privileges over the router/switch.

     

    Hope this helps.

     

    Regards,

     

    Adrian
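
Added example (not part of any post in this thread): a small Python check that reads a saved configuration and reports, for each `line` stanza, which of the states discussed above it is in: a password without `login`, `login` without a password, `login` with a password, or `login local`. The sample configuration is constructed, and treating a stanza with no `login` line as open follows Keith's description of the console default; for other line types that is an assumption.

```python
import re

# Constructed sample configuration; the hash and the aux/vty stanzas are made up.
SAMPLE_CONFIG = """\
username test privilege 15 secret 5 $1$constructed$hash
line con 0
 password cisco
line aux 0
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login local
"""

def parse_lines(config):
    """Return {line header: [sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other unindented line ends the stanza
    return stanzas

def audit(config):
    """Classify each line; assumes no 'login' line means no login is required."""
    has_secret_user = re.search(r"^username \S+ .*\bsecret\b", config, re.M) is not None
    report = {}
    for header, cmds in parse_lines(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        if "login local" in cmds:
            report[header] = "local users" if has_secret_user else "login local, but no username with secret"
        elif "login" in cmds:
            report[header] = "line password required" if has_password else "login set, no password configured"
        elif has_password:
            report[header] = "password configured but not enforced (no login)"
        else:
            report[header] = "no login required"
    return report

if __name__ == "__main__":
    for header, finding in audit(SAMPLE_CONFIG).items():
        print(f"{header:14} {finding}")
```

The `line con 0` stanza in the sample is the "key under the door-mat" case from Keith's analogy: a password exists but nothing asks for it.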
