8 Replies Latest reply: Nov 4, 2012 9:44 PM by Adrian Kells

    The console port

    Mimma

      Hi there, in order to put a password on the console port, you need two commands: the password command and the login command, so my question is:

      Why do we need to use the login command anyway, what's the point of using it? And if it's important and critical, how could it be reversible? In other words, how can I execute either of the two commands first, then the other one, and yet everything still works fine? And vice versa.

        • 1. Re: The console port
          Keith Barker - CCIE RS/Security, CISSP

          Hi-

          Great questions.

          The console port/line doesn't require a login by default.

          To change this behavior, we add the keyword "login" to the console line and then a password is required before allowing access. The password is added so that we can specify what the required password should be for future console access.

          To reverse the process, the "no login" command in line console configuration mode will tell the router/switch that no login is required (even if there is a password configured on the line).

          Keith

          • 2. Re: The console port
            Mimma

            Thanks a lot Keith, but maybe I didn't explain my question very well. What I meant is that when we want to put a password on the console port, two commands are required (correct me if I'm wrong):

            - password (then the password you want)

            - login

            then save and exit.

            However, if I did the opposite, like:

            - login

            - password (then the password you want)

            it still works perfectly, so what's the point of the (login) command? What is its actual function? And how can it be reversible if it has a critical role here? Hopefully I managed to clarify my point.

            • 3. Re: The console port
              Osanda

              I think Keith has answered your question perfectly. The login command tells the IOS to ask for a password next time you log in; to reverse it you simply type in no login, and that's the purpose of the login command.

              • 4. Re: The console port
                AshwinR

                The reason you need to put in the login command is that it tells the router/switch to ask for the password you have configured. These are 2 separate steps/processes.

                If you only configure the password, the router still doesn't know it has to ask for the password when someone connects. So if you leave out the login, someone connecting via SSH will immediately be logged in to the router/switch. That is why you need the login command. You have to tell the router that it has to ask for the password you have configured.

                • 5. Re: The console port
                  Conwyn

                  Hi Mimma

                  There are lots of options on the login command. A single password is just one.

                  Regards Conwyn

                  • 6. Re: The console port
                    Keith Barker - CCIE RS/Security, CISSP

                    Osanda wrote:

                    I think Keith has answered your question perfectly. The login command tells the IOS to ask for a password next time you log in; to reverse it you simply type in no login, and that's the purpose of the login command.

                    Good questions.

                    Let's say we are going to visit a friend, and our friend told us they were out for a few minutes, and if we got to the house and they weren't home, to just open the door and come in. Our friend also mentioned that there is a key under the door-mat in case the door is locked.

                    When we show up, we try the door, it isn't locked so we just go in (no key required, although the key was available if needed).

                    Now, let's apply that analogy to the console of a new router/switch. If we go to line configuration mode for line con 0 (the console port) and say:

                    password cisco

                    That is similar to putting a key under the door-mat: the key is configured (in this case the password). If we logged off from the console and reconnected, the door isn't locked (no key required) by default. If we want to tell the console line that a password is "required" for access (similar to locking the door), we would then go to line con 0 and add the following:

                    login

                    Which means that a "login" is required, which in this case means the correct password of "cisco" must be used before access is granted.

                    If we try to configure the "login" command without having a password configured, the router/switch provides feedback, right then and there, regarding the problem.

                    At the end of the day, if we want to provide basic password protection of the console, we would need both commands implemented.

                    Let me know if that helps.

                    Cheers,

                    Keith Barker

                    • 7. Re: The console port
                      Mimma

                      Thanks a lot Keith Barker, that was the clearest explanation I've ever got. Now it's clear to me, and now it makes sense that it's reversible. Thanks again.

                      • 8. Re: The console port
                        Adrian Kells

                        Mimma,

                        I just have a tip that I prefer to use myself.

                        When it comes to routers and switches, for logging in remotely either via ssh or telnet, in the vty and console section of the config, try using login local.

                        The reason for this is, the router/switch checks a local database for a user.

                        Switch(config)# username test privilege 15 secret cisco

                        Now the line above says this: create a username in the database (test), set their privilege to privileged mode (15 is the highest) and the password is cisco.

                        This is the reason why I think this is a better option than creating password cisco under the vty/con line. Password, even with service password-encryption, isn't very great and you can't set a vty password as secret (secret being more secure encryption). Therefore, if you set a username using secret rather than password: 1. you will have to provide a username to log in as well as a password; 2. if they have access to the config, secret provides better encryption.

                        When you utilise this, you do not have to specify a password under vty/con and you also don't have to set an enable password, as they have to log in as a specified user who (in this case) has full privileges over the router/switch.

                        Hope this helps.

                        Regards,

                        Adrian
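A small audit for the pitfalls raised in this thread (Keith's point that a line password without login prompts for nothing, and Adrian's login local / secret advice), written as an added example for this post rather than code from Cisco or any poster; the function names and the sample running-config are constructed:

```python
"""Audit a Cisco IOS running-config for console/vty login pitfalls.
Example written for this thread; the sample config is constructed."""
import re

def parse_lines(config):
    """Return {"line con 0": [sub-commands], ...} for each 'line' stanza."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # a new top-level command
            current = raw.strip() if raw.startswith("line ") else None
            if current:
                sections[current] = []
        elif current:                        # indented sub-command of a line stanza
            sections[current].append(raw.strip())
    return sections

def audit(config):
    """Return a list of (scope, finding) tuples; empty means nothing flagged."""
    findings = []
    # local users and whether each was created with 'secret' or 'password'
    users = re.findall(r"^username (\S+) .*?\b(secret|password)\b", config, re.M)
    for name, cmds in parse_lines(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if has_password and not has_login:
            findings.append((name, "password set but 'login' missing: nobody is prompted"))
        if "login" in cmds and not has_password:
            findings.append((name, "'login' with no line password: IOS warns about this"))
        if "login local" in cmds and not users:
            findings.append((name, "'login local' but no username is configured"))
    for user, kind in users:
        if kind == "password":
            findings.append(("global", f"username {user} uses 'password'; prefer 'secret'"))
    return findings

# Constructed sample: console has a key under the mat but the door is unlocked,
# vty 0 4 is done the way Adrian suggests, vty 5 15 has login but no password.
SAMPLE_CONFIG = """\
hostname R1
username admin privilege 15 secret cisco
!
line con 0
 password cisco
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```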