
126 Messages • 2.7K Points • Sun, Feb 9, 2020 1:45 PM

Answered

Can we set a password for console access to ICX? If yes, how? Please help me, I would owe someone for life!!!!

Responses

Employee • 100 Messages • 2.1K Points • 9 months ago

aaa authentication login default local
enable aaa console
username password  

Use console timeout to set a timeout for console sessions.

Lots more details in the management and security configuration guides:
https://docs.arris.com/bundle?labels=181&labels=187&labels=186&labels=185&labels=184&labels=184&labels=183&labels=182

15 Messages • 348 Points • 9 months ago

Hi Simon,

Thank you for the answer, but I was looking for something like securing the ICX so that people cannot connect a console and recover it using the boot option.

Regards,
Abilash PR.

15 Messages • 348 Points • 9 months ago

Hi Simon,

Could we disable the ICX console port?

Regards,
Abilash PR.

Employee • 100 Messages • 2.1K Points • 9 months ago

Hi Abi,

I don't know of a way of disabling the console port completely; if this were done and the password lost, there would not be any way of recovering the switch. Setting a strong password on the switch is probably the best option, along with making sure the device is physically secure, as the password recovery process via the boot-interrupt is very disruptive (it requires the switch to be restarted twice) and requires physical access to the switch, so it is not considered a security issue in normal environments.

Another option is to put the switch into FIPS mode, which disables password recovery; this also enforces a number of other security policies, so please study the FIPS guide closely before enabling it.

https://docs.arris.com/bundle/fastiron-08090-fipscc-config/page/GUID-C97DB143-3D67-4D0C-BDA3-96432B1C025D-homepage.html

Simon


208 Messages • 3.7K Points • 9 months ago

Too bad they don't have no service password-recovery like another vendor...

When you break the boot it just says PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

Do you want to reset the switch to factory default configuration and proceed [y/n] ?


...

That said, there is not too much intelligence that can be obtained by recovering a configuration file from an ancillary site. I mean, they might know any backup usernames (provided you use RADIUS); those aren't even checked. I am sure you are running SNMPv3 and not clear-text strings...

They might know the VLAN numbers and names for what those represent, which ports carry trunks to other switches, any local subnets and default gateways.

Most likely they have a next hop, IPs of DHCP servers, and the IPs on any access lists, which they would reasonably assume are of important items like RADIUS, monitoring tools, management devices, etc.  

I guess if you are running a routing protocol they can dump that table to enumerate available network subnets, too.

Overall though, I doubt this gives anybody access to anything they couldn't get running an ipconfig on their computer, opening AD Users and Computers, using nslookup, or even opening the DNS snapin, which most non-administrator users can ironically do on most AD networks though they won't have the right to change anything.  They could probably gather more intel running a traceroute unless you set up ICMP so that all their traceroutes return stars * * *...

I am just saying, I am not sure you gain all that much security preventing the threat of someone recovering a config. I would certainly set a console password, use SSH only, and restrict remote access to the devices... You are only in real danger if you have unencrypted passwords or SNMP strings (particularly private strings), particularly if they are the same network-wide.
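The two practical points in this thread, the console controls from Simon's first reply (local AAA on the console plus a console timeout) and the last post's observation that a recovered config is only really dangerous when it holds cleartext passwords or SNMP community strings, can both be checked mechanically against a config backup. The script below is an added example, not code from this thread or from Ruckus/Arris. Both config samples are constructed; the rule set is my own heuristic (treating a password value that is not `$`-prefixed as cleartext is an assumption about how hashed passwords are displayed), and the `console timeout 30` value is an arbitrary placeholder, so check the unit and format in the management guide for your release.

```python
import re

# Constructed sample of a FastIron-style config backup with the weaknesses the
# thread warns about (not taken from any real device).
WEAK_CONFIG = """\
hostname icx-lab-01
!
aaa authentication login default local
username admin password 8 $1$CONSTRUCTED$notarealhash
username backup password Welcome1
snmp-server community public ro
snmp-server community manage rw
!
vlan 10 name servers by port
!
end
"""

# The same device after applying the controls from the thread (also constructed).
# The timeout value and the "8 $..." hashed-password form are assumptions; check
# the management guide for the exact unit and display format on your release.
HARDENED_CONFIG = """\
hostname icx-lab-01
!
aaa authentication login default local
enable aaa console
console timeout 30
username admin password 8 $1$CONSTRUCTED$notarealhash
!
vlan 10 name servers by port
!
end
"""

# Console controls recommended in the thread, with the risk each one closes.
REQUIRED_LINES = {
    "aaa authentication login default local": "logins are not checked against the local user database",
    "enable aaa console": "the console port bypasses the AAA login method",
}
TIMEOUT_RE = re.compile(r"^console timeout\s+\d+$")
# SNMPv1/v2c community strings are cleartext credentials sitting in the config.
SNMP_COMMUNITY_RE = re.compile(r"^snmp-server community\s+\S+\s+(ro|rw)\b")
# Heuristic (assumption): a password value that is not "$"-prefixed is treated
# as cleartext; adjust to how your release displays hashed passwords.
USER_PW_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:\d+\s+)?(\S+)")


def audit_config(config_text):
    """Return findings as (severity, line_number, message); line_number is None
    for a missing control.  Secret values are never echoed in the message."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    present = set(lines)
    for required, risk in REQUIRED_LINES.items():
        if required not in present:
            findings.append(("HIGH", None, f"missing '{required}': {risk}"))
    if not any(TIMEOUT_RE.match(ln) for ln in lines):
        findings.append(("MEDIUM", None, "no 'console timeout': an idle console session never closes"))
    for num, ln in enumerate(lines, start=1):
        m = SNMP_COMMUNITY_RE.match(ln)
        if m:
            access = m.group(1)
            findings.append(("HIGH" if access == "rw" else "MEDIUM", num,
                             f"SNMPv1/v2c {access} community string recoverable from the config; use SNMPv3"))
            continue
        m = USER_PW_RE.match(ln)
        if m and not m.group(2).startswith("$"):
            findings.append(("HIGH", num, f"user '{m.group(1)}' has a password stored in cleartext"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, num, msg in audit_config(cfg) or [("OK", None, "no findings")]:
            where = f"line {num}" if num else "config"
            print(f"{severity:6} {where:8} {msg}")
```

Run it against a `show running-config` capture saved from the device; the findings deliberately report only line numbers and usernames, never the community strings or password values themselves, so the report can be shared without leaking the very secrets it flags.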