Most network devices from Cisco and other vendors have one or more physical ports dedicated to command-line configuration from another device connected to them. These are console ports. While there are ways to configure a device without being in close physical proximity to it, sometimes you still need to go and plug a cable into the actual box itself. That’s where the console port comes in.

Console Port Security

By default, no password is needed to access the CLI of a Cisco IOS device via the console port. While it may be unlikely that a bad actor could get physical access to the hardware of a network, a password is cheap insurance, just in case.

You can easily configure a password on the console line. That way, only someone with the password will be able to edit the device’s configurations. In theory. See the Configuration section below.

Alternatively, you can configure the console line to require users to log in using one of the usernames configured on the device.

Configuration

Cisco IOS

  • (config)#line console 0
    • Enter console line config mode
    • There is only a single console line, so the number is always ‘0’
  • (config-line)#password password
    • Configure a password for the console line
  • (config-line)#login
    • Enables the password — the device will now require the password for CLI access via the console port
  • (config)#username name secret password
    • Create a user and password on the device. A device can have multiple users. A user can be used to verify access to the console line in place of the single line password (configured with the commands above)
    • Users can serve other purposes, covered better in Security Fundamentals
  • (config-line)#login local
    • Tell the device to require a login using one of the configured usernames
    • As opposed to having a single master password for the device
  • (config-line)#exec-timeout minutes seconds
    • Configure an auto-logout timer after some time of inactivity. Useful for security, in case an engineer leaves a console logged in by accident.
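
To check that these settings are actually present on a device, the sketch below audits the `line con 0` stanza of a saved configuration. It is an added example, not Cisco tooling: the function names and the sample configuration are constructed for illustration, and it assumes the usual `show running-config` layout, where subcommands are indented under their `line` header.

```python
import re

# Constructed sample in the layout of `show running-config` (not from a real device).
SAMPLE_CONFIG = """\
hostname R1
!
username admin secret 5 $1$CONSTRUCTED$placeholderhash
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 login local
!
"""

def console_stanza(config):
    """Return the subcommands under `line con 0` (the indented lines after it)."""
    inside, cmds = False, []
    for line in config.splitlines():
        if re.match(r"line con(sole)? 0\s*$", line):
            inside = True
        elif inside and line.startswith(" "):
            cmds.append(line.strip())
        elif inside:
            break  # next unindented line ends the stanza
    return cmds

def audit_console(config):
    """Return a list of findings for the console line; an empty list means none."""
    cmds = console_stanza(config)
    findings = []
    has_user = re.search(r"^username \S+ secret ", config, re.M) is not None
    if "login local" in cmds:
        if not has_user:
            findings.append("login local set but no 'username ... secret' configured")
    elif "login" in cmds:
        if not any(c.startswith("password ") for c in cmds):
            findings.append("login set but no line password configured")
    else:
        findings.append("no login configured: console CLI needs no password")
    if "exec-timeout 0 0" in cmds:
        findings.append("exec-timeout 0 0: idle sessions never log out")
    return findings

if __name__ == "__main__":
    for finding in audit_console(SAMPLE_CONFIG):
        print("FINDING:", finding)
```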