Limit Local-User Login On Console/Vty Lines; Limit Console Access For Aaa-Based Users - Cisco ASR 5000 Administration Manual

StarOS Release 21.1

Limit local-user Login on Console/vty Lines

As a security administrator, when you create a StarOS user you can specify whether that user can log in through
the Console or vty line. The [ noconsole | novty ] keywords for the Global Configuration mode local-user
username command support these options.
configure
local-user username <username> [ noconsole | novty ]
exit
The noconsole keyword prevents the user from logging in to the Console port. The novty keyword prevents
the user from logging in via an SSH or Telnet session. If neither keyword is specified, access to both Console
and vty lines is allowed.
Important
Use of the noconsole or novty keywords is only supported on the new local-user database format. If you
have not run update local-user database, you should do so before enabling these keywords. Otherwise, the
noconsole and novty keywords will not be saved in the local-user database. After a system reboot, all
users will still be able to access the Console and vty lines. For additional information, see Updating
and Downgrading the local-user Database, on page 51.

Important
This command does not apply for a Trusted build because the local-user database is unavailable.

Limit Console Access for AAA-based Users

AAA-based users normally log in through a vty line. However, you may want to limit a few users to
accessing just the Console line. If you do not use the local-user database (or you are running a Trusted build),
this needs to be done by limiting access to the Console line for other AAA-based users. Enable the noconsole
keyword for all levels of admin users that will not have access to the Console line.
The noconsole keyword is available for the Context Configuration mode commands shown below.
configure
context <ctx_name>
administrator <username> { encrypted | nopassword | password } noconsole
config-administrator <username> { encrypted | nopassword | password } noconsole
inspector <username> { encrypted | nopassword | password } noconsole
operator <username> { encrypted | nopassword | password } noconsole
exit
The noconsole keyword disables user access to the Console line. By default noconsole is not enabled, thus
all AAA-based users can access the Console line.

Important
AAA TACACS+ services must be enabled in the Global Configuration mode (all contexts) before you
can selectively disable the services at the context level. You cannot selectively enable TACACS+ services
at the context level when it has not been enabled globally.

ASR 5000 System Administration Guide, StarOS Release 21.1
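
An added example, not from the Cisco guide: a Python audit that reads configuration text and lists the accounts that can still log in on the Console line, keyed on the noconsole and novty keywords described above. The sample configuration, user names and function names are constructed for illustration, and the parser assumes one command per line.

```python
# Role commands listed on this page for Context Configuration mode.
AAA_ROLES = {"administrator", "config-administrator", "inspector", "operator"}

# Constructed sample; a real saved configuration carries more keywords per line.
SAMPLE_CONFIG = """\
configure
  local-user username alice noconsole
  local-user username bob novty
  local-user username carol
  context local
    administrator dave password REDACTED noconsole
    operator erin password REDACTED
  exit
exit
"""

def audit_line_access(config_text):
    """Map (scope, user) to the lines that user may log in on."""
    access, context = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "context" and len(tokens) > 1:
            context = tokens[1]
        elif tokens[:2] == ["local-user", "username"] and len(tokens) > 2:
            opts = tokens[3:]
            access[("local-user", tokens[2])] = {
                "console": "noconsole" not in opts,
                "vty": "novty" not in opts,
            }
        elif tokens[0] in AAA_ROLES and len(tokens) > 1:
            # The page documents only noconsole for these commands.
            access[(f"context {context}", tokens[1])] = {
                "console": "noconsole" not in tokens[2:],
                "vty": True,
            }
    return access

def console_reachable(access):
    """Accounts that can still log in on the Console line, sorted."""
    return sorted(key for key, lines in access.items() if lines["console"])

if __name__ == "__main__":
    for scope, user in console_reachable(audit_line_access(SAMPLE_CONFIG)):
        print(f"{scope}: {user} may use the Console line")
```

Any account the report lists that should not have Console access is a candidate for the noconsole keyword.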
