The authentication, authorization and accounting (AAA) suite of security services now supports the use of configurable, personalized login and failed-login banners. This feature lets you change the default message for login and failed-login. You can configure message banners that will be displayed when a user logs in to the system to be authenticated using AAA and when authentication, for whatever reason, fails.
Using this feature, you can display personalized information in the form of screen banners or messages.
Authentication, authorization, and accounting (AAA)--Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
The following platforms support login banners for AAA authentication:
None
The following sections describe these configuration tasks:
To configure a banner that will be displayed whenever a user logs in (replacing the default message for login), perform the following task in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | aaa new-model | Enable AAA. |
| 2 | aaa authentication banner delimiter string delimiter | Create a personalized login banner. |
The login banner can display a maximum of 2996 characters.
After you have configured a login banner, you need to complete basic authentication configuration using AAA if you have not already done so. For information about the different types of AAA authentication available, please refer to "Configuring Authentication" in the Cisco IOS Release 11.3 Security Configuration Guide.
To configure a message that will be displayed whenever a user fails login (replacing the default message for failed login), perform the following task in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | aaa new-model | Enable AAA. |
| 2 | aaa authentication fail-message delimiter string delimiter | Create a message to be displayed when a user fails login. |
The failed-login banner can display a maximum of 2996 characters.
After you have configured a failed-login banner, you need to complete basic authentication configuration using AAA if you have not already done so. For information about the different types of AAA authentication available, please refer to "Configuring Authentication" in the Cisco IOS Release 11.3 Security Configuration Guide.
```
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication login default radius
```
This configuration produces the following login banner:
```
Welcome to Cisco!
Username:
```
The following example additionally configures a login-fail banner (in this case, the phrase "Failed login. Try again.") that will be displayed when a user tries to log in to the system and fails. The asterisk (*) is used as the delimiting character. (RADIUS is specified as the default login authentication method.)
```
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default radius
```
This configuration produces the following login and failed login banner:
```
Welcome to Cisco!
Username:
Password:
Failed login. Try again.
```
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
To configure a personalized banner that will be displayed at user login, use the aaa authentication banner global configuration command. Use the no form of this command to disable this feature.
aaa authentication banner dstringd

| Argument | Description |
|---|---|
| d | The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner. |
| string | Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996. |
Default: Not enabled

Command mode: Global configuration
This command first appeared in Cisco IOS Release 11.3(4) T.
Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.
To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)
```
aaa new-model
aaa authentication login default radius
```
This configuration produces the following standard output:
```
User Verification Access
Username:
Password:
```
The following example configures a login banner (in this case, the phrase "Welcome to Cisco!") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
```
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication login default radius
```
This configuration produces the following login banner:
```
Welcome to Cisco!
Username:
```
aaa authentication fail-message
To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message global configuration command. Use the no form of this command to disable this feature.
aaa authentication fail-message dstringd

| Argument | Description |
|---|---|
| d | The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner. |
| string | Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996. |
Default: Not enabled

Command mode: Global configuration
This command first appeared in Cisco IOS Release 11.3(4) T.
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.
To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
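The delimiter rule and the 2996-character limit apply to both aaa authentication banner and aaa authentication fail-message, and both tasks start from aaa new-model. The following Python check is an added example, not Cisco code: `render` and `audit` are hypothetical helper names, the sample configuration is constructed, and the input is assumed to be configuration text as entered on this page rather than `show running-config` output.

```python
import re

MAX_CHARS = 2996  # display limit stated on this page
KINDS = ("banner", "fail-message")
CMD = re.compile(r"^aaa authentication (banner|fail-message)\s+(\S)", re.M)

# Constructed sample: the '*' inside the text ends the banner early.
# Assumption: config text is in the as-entered form used on this page.
SAMPLE = (
    "aaa authentication banner *Lab *A* router*\n"
    "aaa authentication login default radius\n"
)


def render(kind, text, delimiter="*"):
    """Build one command line, enforcing the delimiter and length rules."""
    if kind not in KINDS:
        raise ValueError("kind must be one of %r" % (KINDS,))
    if len(delimiter) != 1 or delimiter.isspace():
        raise ValueError("delimiter must be a single non-blank character")
    if delimiter in text:
        raise ValueError("delimiter %r occurs inside the text" % delimiter)
    if len(text) > MAX_CHARS:
        raise ValueError("text is longer than %d characters" % MAX_CHARS)
    return "aaa authentication %s %s%s%s" % (kind, delimiter, text, delimiter)


def audit(config):
    """Return findings for the banner commands in as-entered config text."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model is missing")
    seen = set()
    for m in CMD.finditer(config):
        kind, delim = m.group(1), m.group(2)
        seen.add(kind)
        end = config.find(delim, m.end())
        if end == -1:
            findings.append("%s: closing delimiter %r not found" % (kind, delim))
            continue
        if end - m.end() > MAX_CHARS:
            findings.append("%s: text exceeds %d characters" % (kind, MAX_CHARS))
        rest = config[end + 1:].split("\n", 1)[0].strip()
        if rest:  # leftover text means the delimiter was used inside the banner
            findings.append("%s: delimiter %r used inside text" % (kind, delim))
    findings += ["%s: not configured, default message shown" % k
                 for k in KINDS if k not in seen]
    return findings
```

Running `audit(SAMPLE)` reports the missing aaa new-model, the delimiter reused inside the banner text, and the unconfigured fail-message.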
The following example shows the default login message and failed-login message that are displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)

```
aaa new-model
aaa authentication login default radius
```
This configuration produces the following standard output:
```
User Verification Access
Username:
Password:
% Authentication failed.
```

The following example configures both a login banner ("Welcome to Cisco!") and a login-fail message ("Failed login. Try again."). The login message will be displayed when a user logs in to the system. The failed-login message will be displayed when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.

```
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default radius
```
This configuration produces the following login and failed login banner:
```
Welcome to Cisco!
Username:
Password:
Failed login. Try again.
```
aaa authentication banner
For more information about the security services provided by AAA, refer to the Cisco IOS Release 11.3 Security Configuration Guide.