Message Banners for AAA Authentication
Feature Summary
The authentication, authorization and accounting (AAA) suite of security services now supports the use of configurable, personalized login and failed-login banners. This feature lets you change the default message for login and failed-login. You can configure message banners that will be displayed when a user logs in to the system to be authenticated using AAA and when authentication, for whatever reason, fails.
Benefits
Using this feature, you can display personalized information in the form of screen banners or messages.
List of Terms
Authentication, authorization, and accounting (AAA)—Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
Platforms
The following platforms support login banners for AAA authentication:
• Cisco 1003, Cisco 1004, Cisco 1005
• Cisco 2500 series
• Cisco 3000/IGS
• Cisco 4000 series (Cisco 4000, 4000-M, 4500, 4500-M, 4700, 4700-M)
• Cisco AS5200 series
• Cisco AS5300
• Cisco 7000 series
• Cisco 7200 series
• Cisco 7500 series
Supported MIBs and RFCs
None
Configuration Tasks
The following sections describe these configuration tasks:
• Configuring a Failed-Login Banner
Configuring a Login Banner
To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
To configure a banner that will be displayed whenever a user logs in (replacing the default message for login), perform the following task in global configuration mode:
Step  Command                                               Purpose
1     aaa new-model                                         Enable AAA.
2     aaa authentication banner delimiter string delimiter  Create a personalized login banner.
The maximum number of characters that can be displayed in the login banner is 2996 characters.
After you have configured a login banner, you need to complete basic authentication configuration using AAA if you have not already done so. For information about the different types of AAA authentication available, please refer to "Configuring Authentication" in the Cisco IOS Release 11.3 Security Configuration Guide.
Configuring a Failed-Login Banner
To create a failed-login banner, once again you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the failed-login banner. Remember, the delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
To configure a message that will be displayed whenever a user fails login (replacing the default message for failed login), perform the following task in global configuration mode:
Step  Command                                                     Purpose
1     aaa new-model                                               Enable AAA.
2     aaa authentication fail-message delimiter string delimiter  Create a message to be displayed when a user fails login.
The maximum number of characters that can be displayed in the failed-login banner is 2996 characters.
After you have configured a failed-login banner, you need to complete basic authentication configuration using AAA if you have not already done so. For information about the different types of AAA authentication available, please refer to "Configuring Authentication" in the Cisco IOS Release 11.3 Security Configuration Guide.
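The delimiter rule and the 2996-character limit described in the two tasks above can be checked before a configuration is deployed. The following is an added example, not part of the original Cisco documentation: render() and audit() are hypothetical helper names, the sample configuration is constructed, and the handling of non-blank delimiters only and of banner text continuing onto later lines are assumptions.

```python
import re

MAX_BANNER_CHARS = 2996  # limit stated in this document
START = re.compile(r"^\s*aaa authentication (banner|fail-message)\s+(\S)(.*)$")

# Constructed sample: the fail-message reuses its delimiter inside the text.
SAMPLE = """\
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication fail-message *Failed login. Try *again*.*
aaa authentication login default radius
"""

def render(kind, text, delimiter="*"):
    """Build the command line, rejecting text the delimiter rule forbids."""
    if kind not in ("banner", "fail-message"):
        raise ValueError("kind must be 'banner' or 'fail-message'")
    if len(delimiter) != 1 or delimiter.isspace():
        raise ValueError("delimiter must be one non-blank character")
    if delimiter in text:
        raise ValueError(f"delimiter {delimiter!r} occurs in the banner text")
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"banner exceeds {MAX_BANNER_CHARS} characters")
    return f"aaa authentication {kind} {delimiter}{text}{delimiter}"

def audit(config):
    """Return (kind, text, findings) for every AAA banner command in config."""
    lines, results, i, aaa_enabled = config.splitlines(), [], 0, False
    while i < len(lines):
        aaa_enabled = aaa_enabled or lines[i].strip() == "aaa new-model"
        m = START.match(lines[i])
        i += 1
        if not m:
            continue
        kind, delim, rest = m.groups()
        findings = [] if aaa_enabled else ["aaa new-model is not enabled first"]
        # Banner runs to the next delimiter, possibly on a later line (assumption).
        body = [rest]
        while delim not in body[-1] and i < len(lines):
            body.append(lines[i])
            i += 1
        text, closed, trailing = "\n".join(body).partition(delim)
        if not closed:
            findings.append("banner is not terminated by its delimiter")
        elif trailing.strip():
            findings.append(f"text after closing delimiter: {trailing.strip()!r}")
        if len(text) > MAX_BANNER_CHARS:
            findings.append(f"banner exceeds {MAX_BANNER_CHARS} characters")
        results.append((kind, text, findings))
    return results
```

Running audit(SAMPLE) reports the fail-message as ending at "Failed login. Try " with text left over after the closing delimiter; choosing a delimiter that does not occur in the text, such as #, avoids this.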
Configuration Examples
The following example configures a login banner (in this case, the phrase "Welcome to Cisco!") that will be displayed when a user logs in to the system. The asterisk (*) is used as the delimiting character. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication login default radius
This configuration produces the following login banner:
Welcome to Cisco!
Username:
The following example additionally configures a login-fail banner (in this case, the phrase "Failed login. Try again.") that will be displayed when a user tries to log in to the system and fails. The asterisk (*) is used as the delimiting character. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default radius
This configuration produces the following login and failed login banner:
Welcome to Cisco!
Username:
Password:
Failed login. Try again.
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
• aaa authentication banner
• aaa authentication fail-message
aaa authentication banner
To configure a personalized banner that will be displayed at user login, use the aaa authentication banner global configuration command. Use the no form of this command to disable this feature.
aaa authentication banner dstringd
no aaa authentication banner
Syntax Description
Default
Not enabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(4) T.
Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.
To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Example
The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default radius
This configuration produces the following standard output:
User Verification Access
Username:
Password:
The following example configures a login banner (in this case, the phrase "Welcome to Cisco!") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication login default radius
This configuration produces the following login banner:
Welcome to Cisco!
Username:
Related Commands
aaa authentication fail-message
aaa authentication fail-message
To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message global configuration command. Use the no form of this command to disable this feature.
aaa authentication fail-message dstringd
no aaa authentication fail-message
Syntax Description
Default
Not enabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(4) T.
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.
To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Example
The following example shows the default login message and failed login message that are displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default radius
This configuration produces the following standard output:
User Verification Access
Username:
Password:
% Authentication failed.
The following example configures both a login banner ("Welcome to Cisco!") and a login-fail message ("Failed login. Try again."). The login message will be displayed when a user logs in to the system. The failed-login message will be displayed when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.
aaa new-model
aaa authentication banner *Welcome to Cisco!*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default radius
This configuration produces the following login and failed login banner:
Welcome to Cisco!
Username:
Password:
Failed login. Try again.
Related Commands
aaa authentication banner
What to Do Next
For more information about the security services provided by AAA, refer to the Cisco IOS Release 11.3 Security Configuration Guide.
