Setting Login Banners on Cisco Devices

by Jeremy L. Gaddis on September 8, 2011

Now that you know how to set passwords on your routers and switches, it’s time to consider whether you need to implement banner messages as well.

A banner message is just text that is displayed to a user. In your home Cisco lab where you are the only user, banners are probably unnecessary. However, many organizations have security policies that require banner messages because they can be an important part of the legal process. In some jurisdictions, it is not legal to monitor users or even attempt to prosecute them for illegal access if a warning banner was not clearly visible.

The National Security Agency has this to say about banner messages:

A banner gives notice to anyone who connects to a switch that it is for authorized use only and any use of it will be monitored. Courts have dismissed cases against those who have attacked systems without banners. Thus, no banner on a switch may lead to legal or liability problems.

Some examples of text that you might display in a banner include:

  • Use of this device is for authorized personnel only.
  • Any activity on this device may be monitored.
  • Unauthorized use will be prosecuted.

One key thing to remember, from a legal standpoint, is that your banners should never “welcome” a user. An attacker could successfully argue that he was “invited” to use the device.

Types of Banners and Their Uses

There are three popular types of banners that you will need to be familiar with for the Cisco CCNA exam:

  • Message of the Day (MOTD)
  • Login
  • Exec

All three of these banners are configured in global configuration mode.

Message of the Day (MOTD) Banner

The MOTD banner is the first one seen by a user and is displayed before a user is able to log in or access the CLI. It is often used to display short, temporary messages that change often, such as notifying users that a device will be undergoing maintenance and unavailable at specific times.

Configuring the MOTD banner requires that we use a “delimiter” to identify the beginning and end of our message text. The delimiter is entered before our message begins and again after it ends. It cannot appear anywhere in the actual banner message itself. For this reason, I often choose characters such as ~ or #.

Let’s configure an example MOTD banner, save our changes, and completely exit out of the device:

Miami# conf t
Miami(config)# banner motd #
Enter TEXT message.  End with the character '#'.

NOTICE: This device will be down for maintenance from 1-2 a.m.

#
Miami(config)# end
Miami# wr
Building configuration...
[OK]
Miami# exit

Miami con0 is now available

Press RETURN to get started.

Press <RETURN> to get to the prompt as you normally would, but notice that the MOTD banner is displayed after connecting and before you are prompted to log in.

NOTICE: This device will be down for maintenance from 1-2 a.m.

User Access Verification

Password:

To change the MOTD banner, simply configure a new message as we did above.

Login Banner

The login banner, like the MOTD, is displayed to the user before he or she is able to log in. Legal warnings that you want displayed to any users will usually be configured in the login banner.

Here’s the text of the sample login banner that we’ll configure:

This system is the property of Free CCNA Labs. It is for authorized use only and all communications may be monitored. Unauthorized or improper use of this system may result in administrative disciplinary action, civil charges, and/or criminal penalties. By using this system you indicate your awareness of and consent to these terms and conditions of use.

DISCONNECT IMMEDIATELY if you do not agree to the conditions stated in this warning.

NOTE: In a production network at your workplace, you should check with your company’s legal department before setting any legal warnings that will be displayed to your users. It is likely that there are already approved warnings that should be used.

The login banner is configured almost exactly the same as the MOTD banner, except that we use the banner login command instead.

Let’s set our login banner to the message above, save the changes, and then exit out of the device:

Miami(config)# banner login #
Enter TEXT message.  End with the character '#'.

This system is the property of Free CCNA Labs. It is for
authorized use only and all communications may be monitored.
Unauthorized or improper use of this system may result in
administrative disciplinary action, civil charges, and/or
criminal penalties. By using this system you indicate your
awareness of and consent to these terms and conditions of use.

DISCONNECT IMMEDIATELY if you do not agree to the conditions
stated in this warning.

#
Miami(config)# end
Miami# wr
Building configuration...

*Sep  8 21:42:36.268: %SYS-5-CONFIG_I: Configured from console by console[OK]
Miami# exit

At this point, you should once again be looking at a message such as the following:

Miami con0 is now available

Press RETURN to get started.

As before, press <RETURN> but note the messages that are displayed.

NOTICE: This device will be down for maintenance from 1-2 a.m.

This system is the property of Free CCNA Labs. It is for
authorized use only and all communications may be monitored.
Unauthorized or improper use of this system may result in
administrative disciplinary action, civil charges, and/or
criminal penalties. By using this system you indicate your
awareness of and consent to these terms and conditions of use.

DISCONNECT IMMEDIATELY if you do not agree to the conditions
stated in this warning.

User Access Verification

Password:

Both our MOTD and login banners were displayed this time. Also, note that both of them are shown before the user is given an opportunity to log in. This is important for the legal reasons that we mentioned earlier.

While your MOTD banner may change quite often or be removed entirely, a login banner sometimes will not change for years at a time.

Go ahead and log back in to your device and let’s take a look at the third type of banner you’ll often need to configure.

Exec Banner

The exec banner is displayed to users after they log in. We use this banner for messages that we want to be visible to authorized users but that should not be shown to unauthorized users. It is configured in the same manner as the other two types of banners we’ve looked at.

Let’s configure an exec banner that tells the user some useful information about the device he or she is logged into. Because this information could be useful to an attacker, we don’t want it displayed in the MOTD or login banners.

Configure the exec banner, exit global configuration mode, save your changes, and exit out of the device.

Miami(config)# banner exec #
Enter TEXT message.  End with the character '#'.

This is a Cisco 2610XM router running 12.4(10a). It has
one FastEthernet interface and four Serial interfaces.

#
Miami(config)# end
Miami# wr
Building configuration...
[OK]
Miami# exit

Now, from the main screen, let’s log in and see all three banners in action:

Miami con0 is now available

Press RETURN to get started.

NOTICE: This device will be down for maintenance from 1-2 a.m.

This system is the property of Free CCNA Labs. It is for
authorized use only and all communications may be monitored.
Unauthorized or improper use of this system may result in
administrative disciplinary action, civil charges, and/or
criminal penalties. By using this system you indicate your
awareness of and consent to these terms and conditions of use.

DISCONNECT IMMEDIATELY if you do not agree to the conditions
stated in this warning.

User Access Verification

Password:

This is a Cisco 2610XM router running 12.4(10a). It has
one FastEthernet interface and four Serial interfaces.

Miami>
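
The guidance in this article (a login banner should exist, banners shown before login should never "welcome" anyone, and device details belong only in the exec banner) can be checked against a saved configuration. The Python script below is an added example, not part of the original article; the sample configuration, function names, and device-detail patterns are constructed assumptions, and it assumes the delimiter appears as ^C in running-config output or as the single character typed after the banner type.

```python
import re

# Constructed sample config (not from a real device). Assumption: IOS prints
# the banner delimiter as the two characters ^C in "show running-config".
SAMPLE_CONFIG = """\
banner exec ^C
This is a Cisco 2610XM router running 12.4(10a).
^C
banner login #
Welcome to Miami, a Cisco 2610XM router.
#
banner motd ~NOTICE: maintenance from 1-2 a.m.~
"""

PRE_AUTH = ("motd", "login")  # banners displayed before authentication
# Assumed patterns for details that belong only in the exec banner.
DEVICE_DETAIL = re.compile(r"cisco \d+|running \d+\.\d+|\bios\b", re.I)
BANNER_START = re.compile(r"^banner (\w+) (\^C|\S)", re.M)


def parse_banners(config):
    """Return {banner type: text}; text runs to the next delimiter."""
    banners, pos = {}, 0
    while (m := BANNER_START.search(config, pos)):
        kind, delim = m.groups()
        end = config.find(delim, m.end())
        if end == -1:  # unterminated banner: stop parsing
            break
        banners[kind] = config[m.end():end].strip()
        pos = end + len(delim)  # resume after the closing delimiter
    return banners


def audit_banners(config):
    """List findings based on the banner guidance in this article."""
    banners, findings = parse_banners(config), []
    if "login" not in banners:
        findings.append("login: no login banner configured")
    for kind in PRE_AUTH:
        text = banners.get(kind, "")
        if re.search(r"\bwelcome\b", text, re.I):
            findings.append(f"{kind}: banner welcomes the user")
        if DEVICE_DETAIL.search(text):
            findings.append(f"{kind}: device details shown before login")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_banners(SAMPLE_CONFIG)))
```

The exec banner in the sample is not flagged even though it names the model and software version, because it is only shown after a successful login.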

Changing and Deleting Banners

At times, you will want to change or completely remove banner messages that you have previously configured. While login banners usually don’t change very often, the MOTD banner may change on a daily or weekly basis.

To change one of the banners, you simply follow the same steps above to configure the new message. The new message you configure will overwrite the previous one.

To completely remove a banner, use the corresponding no banner ... command, e.g.:

Miami(config)# no banner motd
Miami(config)# no banner login
Miami(config)# no banner exec

Lab Exercise

Summary

In this article, you’ve learned how to configure banner messages that can help protect us in legal matters that may arise due to unauthorized access. In addition, the messages can be useful in notifying users of upcoming maintenance or other general information.

NOTE: There are a couple of other types of banner messages that can be used on Cisco routers and switches but, since you don’t need to know them for the CCNA examination, we will not cover them here.

You might also be interested in reading Using Tokens in Cisco Banner Messages. By using tokens (variables), you can make your exec banners more useful to your users by displaying information specific to the device that they are logged into (you don’t need to know them for the CCNA, however).

Now that we’ve set passwords and configured our banner messages, it’s time to connect our router to the network. The next article, Configuring Interfaces on Cisco Devices, explains how.
