5.1 Configure and verify device access control
📘 CCNP ENCOR (350-401-ENCOR-v1.1)
1. What is Device Access Control?
Device access control means controlling who can access a network device (router or switch) and how they access it.
Cisco devices support different access methods, such as:
- Console access (physical)
- Remote access (SSH or Telnet)
- Auxiliary access (legacy modem)
To secure these access methods, Cisco uses:
- Lines (console, VTY, AUX)
- Authentication methods (local users, passwords, or AAA)
This sub-topic focuses on:
- Lines
- Local user authentication
2. What Are Lines in Cisco IOS?
In Cisco IOS, a line represents a connection method used to access the device.
Types of Lines (Exam Important)
| Line Type | Purpose |
|---|---|
| Console line | Local physical access |
| VTY lines | Remote access (SSH/Telnet) |
| AUX line | Legacy remote access via modem |
Each line can have:
- Passwords
- Login methods
- Timeout settings
- Transport settings (SSH/Telnet)
3. Console Line (line console 0)
What is the Console Line?
- Used for direct physical access
- Requires a console cable
- Works even if the device has no IP address
- Used for initial configuration and recovery
There is only one console line:
line console 0
Console Line Authentication
By default, the console has no security.
To protect it, you can use:
- Line password
- Local user authentication
Console Line with Password (Basic Method)
line console 0
password cisco
login
Explanation:
- password cisco → sets a password
- login → forces password checking
📌 Exam Note:
This method is less secure and not recommended for production networks.
Console Line with Local User Authentication (Recommended)
username admin secret Admin@123
line console 0
login local
Explanation:
- username admin secret Admin@123 → creates a local user
- login local → tells the console to use the local user database
✔ More secure
✔ Uses usernames instead of shared passwords
4. VTY Lines (Virtual Terminal Lines)
What Are VTY Lines?
VTY lines are used for remote access to the device.
They support:
- SSH (secure – recommended)
- Telnet (not secure)
Common VTY lines:
line vty 0 4
line vty 0 15
VTY Line Access Methods
| Method | Security Level |
|---|---|
| Telnet | Not secure (plaintext) |
| SSH | Secure (encrypted) |
📌 Exam Requirement:
SSH should always be preferred over Telnet.
VTY Lines with Password (Old Method)
line vty 0 4
password cisco
login
⚠ Not secure
⚠ Same password for all users
VTY Lines with Local User Authentication (Recommended)
username admin secret Admin@123
line vty 0 4
login local
What happens here?
- User connects via SSH/Telnet
- Device asks for username and password
- Credentials are checked against the local user database
Allow Only SSH on VTY Lines (Exam Critical)
line vty 0 4
transport input ssh
This:
- Blocks Telnet
- Allows only SSH access (SSH itself must already be working on the device before this is applied, or remote access is lost)
✔ Strongly tested in CCNP exams
5. Local User Authentication
What Is Local User Authentication?
Local user authentication means:
- Usernames and passwords are stored locally on the device
- No external server is needed
Users are created using:
username <name> secret <password>
Password vs Secret (Very Important)
| Command | Encryption |
|---|---|
| password | Weak (Type 0 or 7) |
| secret | Strong (Type 5 or better) |
📌 Always use secret, not password.
Example Local Users
username admin secret Admin@123
username network secret Net@456
Each user can log in independently.
6. How Local Authentication Works (Step-by-Step)
- User connects via console or SSH
- Line has login local
- Device prompts for username
- User enters username
- Device asks for password
- Credentials are verified against local database
- Access is granted or denied
7. AUX Line (Auxiliary Line)
What Is AUX Line?
- Used for modem-based remote access
- Rarely used today
- Still part of IOS for legacy reasons
Command:
line aux 0
Authentication works the same way as console and VTY lines.
8. Line Timeouts (Security Feature)
To disconnect inactive sessions:
line console 0
exec-timeout 5 0
This means:
- Disconnect the session after 5 minutes and 0 seconds of inactivity
- Prevents unattended sessions from staying open
9. Verifying Line and Authentication Configuration (Exam Commands)
Show Line Status
show line
Shows:
- Line numbers
- Connection status
- Active sessions
Show Users Logged In
show users
Displays:
- Who is currently logged in
- Which line they are using
Show Local Users
show running-config | section username
Confirms:
- Local users
- Encrypted passwords
Show VTY Configuration
show running-config | section line vty
Verifies:
- login local
- transport input ssh
10. Common Exam Mistakes to Avoid
❌ Using login instead of login local
❌ Using password instead of secret
❌ Allowing Telnet on VTY lines
❌ Forgetting to create a local user
❌ Not securing console access
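As an added example (not part of these notes and not a Cisco tool), a small Python audit that reads a running-config and flags each of the mistakes listed above; the two sample configs are constructed from the snippets in sections 3 to 8, and the parser assumes the simple `username <name> secret <password>` form used on this page.

```python
import re
# Constructed sample configs built from the snippets in these notes (not a real device).
WEAK_CONFIG = """\
username admin password Admin@123
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
username admin secret Admin@123
line console 0
 login local
 exec-timeout 5 0
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
"""
def parse_line_sections(config):  # map each 'line ...' header to its indented sub-commands
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line section
    return sections
def audit(config):
    """Return one finding per mistake from the list above (empty list = clean)."""
    users = re.findall(r"^username (\S+)(?: privilege \d+)? (password|secret) ", config, re.M)
    findings = [f"user {u}: 'password' (Type 0/7) instead of 'secret'"
                for u, kw in users if kw == "password"]
    if not users:
        findings.append("no local user: 'login local' would lock everyone out")
    for line, cmds in parse_line_sections(config).items():
        if "login local" not in cmds:
            how = "'login' with a shared line password" if "login" in cmds else "no login"
            findings.append(f"{line}: {how} instead of 'login local'")
        if line.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{line}: Telnet not blocked, need 'transport input ssh'")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{line}: no exec-timeout, idle sessions stay open")
    return findings
```

Run `audit(open("running-config.txt").read())` on the output of `show running-config` to get the same findings for a real device.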
11. Exam Summary (Must-Remember Points)
✔ Lines control how users access the device
✔ Console = physical access
✔ VTY = remote access (SSH/Telnet)
✔ Local authentication uses device-stored users
✔ login local enables username-based login
✔ username <name> secret <password> is best practice
✔ SSH is required for secure remote access
✔ Verification commands are important for troubleshooting
12. One-Page Quick Exam Checklist
- line console 0
- line vty 0 4 or 0 15
- username admin secret
- login local
- transport input ssh
- exec-timeout
- show line, show users
