5.1.a Lines and local user authentication
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
Line configuration is where many device-hardening mistakes start. A router can have a strong routing design and still be easy to compromise if VTY lines allow Telnet, accept weak line passwords, or let anyone on the network attempt SSH.
Console versus VTY
- Console line is local physical or virtual console access.
- VTY lines are remote CLI sessions: SSH or Telnet.
For ENCOR, focus on making VTY secure:
- Use SSH, not Telnet.
- Authenticate against local users or AAA.
- Restrict source IPs with
access-class. - Use timeouts.
- Prefer stronger secret hashing where supported.
Console · line con 0
VTY · SSH · login local
Authenticated CLILocal user baseline
hostname R1
ip domain-name ccnpstudy.local
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 algorithm-type scrypt secret <unique-local-secret>
ip access-list standard VTY-MGMT
permit 10.10.10.0 0.0.0.255
deny any log
line con 0
login local
exec-timeout 5 0
logging synchronous
line vty 0 4
transport input ssh
login local
access-class VTY-MGMT in
exec-timeout 10 0
logging synchronousUse a placeholder in published prose rather than a reusable-looking password. Students copy examples. Make the copy-safe behavior obvious.
What each command is doing
| Command | Why it matters |
|---|---|
ip domain-name | Required before generating RSA keys on many IOS/IOS XE platforms. |
crypto key generate rsa modulus 2048 | Creates keys used by SSH. |
ip ssh version 2 | Forces SSHv2. |
username ... secret | Creates a local user with an encrypted secret. |
transport input ssh | Prevents Telnet access. |
login local | Uses the local username database for login. |
access-class VTY-MGMT in | Restricts which source IPs may open VTY sessions. |
exec-timeout | Disconnects idle sessions. |
Verification
show ip ssh
show running-config | section line con
show running-config | section line vty
show users
show access-lists VTY-MGMTUseful test:
Then try from a source outside the management subnet. You should see the ACL deny counter increase.
Common mistakes
Mistake 1: using a line password instead of local users
line vty 0 4
password cisco
loginThat is weaker and does not identify individual admins. Prefer local users for lab/break-glass and AAA for production.
Mistake 2: allowing both SSH and Telnet
transport input allThis is easy to miss. Use transport input ssh.
Mistake 3: applying the ACL in the wrong place
access-class goes under the line. It filters management sessions to the VTY. It is not the same as ip access-group on an interface.
Lab
Goal: Build a secure local-login configuration and prove the controls work.
Tasks:
- Configure
R1with hostname, domain, RSA keys, and SSHv2. - Create user
adminwith privilege 15. - Allow VTY access only from
10.10.10.0/24. - Set console timeout to 5 minutes and VTY timeout to 10 minutes.
- Verify a permitted host can SSH.
- Verify a non-permitted host cannot SSH.
- Confirm the ACL counters match the tests.
Success criteria:
show ip ssh
show access-lists VTY-MGMT
show usersExam memory
login local= use local username database.access-class= restrict VTY source addresses.transport input ssh= no Telnet.exec-timeout 0 0= never time out. Do not use that in production.