Cisco IOS — How to make the console prompt for a password upon serial line session 0 connection

Tags: cisco, cisco-ios, cli, ethernet, switch

I'm using Putty to connect via a serial connection to the console. I have a line con 0 password set, as shown by show running-config. I close this session (via Putty), reconnect, and the CLI prompt shows the last state I was in (in enable mode), and it does not prompt for a password.

I went into configuration -> line console 0 -> login local and it just returns the root with no indication that this command took effect. Either way, when I restart the session, it still does not prompt for password.

How can I get a serial session to prompt for a password at the start of a serial session, and how do I refresh the serial session?

Best Answer

YLearn is correct in that you are not properly disconnecting the session. If I understand the way you have this configured (password on the line, login local on the line, and no global username and password configured), when you properly disconnect the session by exit, you will find yourself locked out of the router. If you use login local it doesn't look for the password under the line configuration.

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Configure Passwords on the Line

To specify a password on a line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Configuration Procedure

In this example, a password is configured for all users attempting to use the console.

  1. From the privileged EXEC (or "enable") prompt, enter configuration mode and then switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode.

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#line con 0
    router(config-line)#
    
  2. Configure the password, and enable password checking at login.

    router(config-line)#password letmein
    router(config-line)#login
    
  3. Exit configuration mode.

    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console
    

    Note: Do not save configuration changes to line con 0 until your ability to log in has been verified.

Note: Under the line console configuration, login is a required configuration command to enable password checking at login. Console authentication requires both the password and the login commands to work.

This is how to use the login local command:

Configure Local User-Specific Passwords

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Configuration Procedure

In this example, passwords are configured for users attempting to connect to the router on the VTY lines using Telnet.

  1. From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#username russ password montecito
    router(config)#username cindy password belgium
    router(config)#username mike password rottweiler
    
  2. Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.

    router(config)#line vty 0 4
    router(config-line)#
    
  3. Configure password checking at login.

    router(config-line)#login local
    
  4. Exit configuration mode.

    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console
    

Note: In order to disable auto Telnet when you type a name on the CLI, configure no logging preferred on the line that is used. While transport preferred none provides the same output, it also disables auto Telnet for the defined hosts that are configured with the ip host command. This is unlike the no logging preferred command, which stops it for undefined hosts and lets it work for the defined ones.
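The lockout case described in the answer (password on the line, login local, no global username) can be caught before the session is closed by checking the saved output of show running-config. The following is an added example, not part of the original answer or the Cisco document; the function name audit_line_auth and the sample configuration are constructed for illustration, and it assumes AAA (aaa new-model) is not in use.

```python
# Constructed running-config excerpt (not from the page): the console has a
# line password plus "login local" but no global username is defined.
SAMPLE_CONFIG = """\
line con 0
 password letmein
 login local
line aux 0
 password letmein
line vty 0 4
 login
!
"""

def audit_line_auth(config: str) -> dict:
    """Return {line name: [findings]} for console/aux/vty login settings."""
    has_users = any(l.startswith("username ") for l in config.splitlines())
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = {"password": False, "login": None}
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if cmd.startswith("password "):
                lines[current]["password"] = True
            elif cmd == "login":
                lines[current]["login"] = "line"
            elif cmd == "login local":
                lines[current]["login"] = "local"
        else:
            current = None  # left the line sub-mode
    findings = {}
    for name, s in lines.items():
        out = []
        if s["login"] is None:
            out.append("no login command: password checking is not enabled")
        elif s["login"] == "line" and not s["password"]:
            out.append("login set but no line password")
        elif s["login"] == "local":
            if not has_users:
                out.append("login local but no username configured: lockout")
            if s["password"]:
                out.append("line password is ignored under login local")
        findings[name] = out
    return findings

if __name__ == "__main__":
    print(audit_line_auth(SAMPLE_CONFIG))
```
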