ASA login banners

docrice Member Posts: 1,706
I'm trying to have a banner that shows before the username prompt when SSHing in. banner login just doesn't seem to work for me. Works fine in IOS. Perhaps I'm missing something obvious. I'm using Putty and Linux SSH clients. Any suggestions?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • nicklauscombs Member Posts: 885
    I don't believe the banner login command works with SSH (could be wrong though). Might have to use exec or motd?
    WIP: IPS exam
  • kmcintosh78 Member Posts: 195
    I think you want a Message of the Day.
    Here it is
    Configuring a Login Banner
    You can configure a message to display when a user connects to the security appliance, before a user logs in, or before a user enters privileged EXEC mode.
    To configure a login banner, enter the following command in the system execution space or within a context:

    hostname(config)# banner {exec | login | motd} text

    Adds a banner to display at one of three times: when a user first connects (message-of-the-day (motd)), when a user logs in (login), and when a user accesses privileged EXEC mode (exec). When a user connects to the security appliance, the message-of-the-day banner appears first, followed by the login banner and prompts. After the user successfully logs in to the security appliance, the exec banner displays.
    For the banner text, spaces are allowed but tabs cannot be entered using the CLI. You can dynamically add the hostname or domain name of the security appliance by including the strings $(hostname) and $(domain). If you configure a banner in the system configuration, you can use that banner text within a context by using the $(system) string in the context configuration.
    To add more than one line, precede each line by the banner command.
    For example, to add a message-of-the-day banner, enter:

    hostname(config)# banner motd Welcome to $(hostname).
    hostname(config)# banner motd Contact me at admin@example.com for any
    hostname(config)# banner motd issues.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
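
Added example (not part of the thread or of the quoted Cisco documentation): a small Python audit that reads ASA-style configuration text, reports which of the three banner types are missing, and renders the configured ones in the order the quoted excerpt gives, with $(hostname) and $(domain) expanded. It assumes those values come from the `hostname` and `domain-name` configuration lines; the sample configuration is constructed, and $(system) is not handled.

```python
import re

# Display order stated in the quoted documentation: motd, then login, then exec.
BANNER_ORDER = ("motd", "login", "exec")
BANNER_RE = re.compile(r"^banner\s+(exec|login|motd)\s(.*)$")

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
hostname asa1
domain-name example.com
banner exec You are logged in to $(hostname).$(domain).
banner motd Welcome to $(hostname).
banner motd Contact me at admin@example.com for any
banner motd issues.
"""

def parse_config(config_text):
    """Collect hostname, domain name and per-type banner lines."""
    parsed = {"hostname": "", "domain": "", "banners": {k: [] for k in BANNER_ORDER}}
    for raw in config_text.splitlines():
        # Accept lines pasted with a CLI prompt such as "hostname(config)# ".
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())
        m = BANNER_RE.match(line)
        if m:
            # Each repeated banner command contributes one line of that banner.
            parsed["banners"][m.group(1)].append(m.group(2))
        elif line.startswith("hostname "):
            parsed["hostname"] = line.split(None, 1)[1]
        elif line.startswith("domain-name "):
            parsed["domain"] = line.split(None, 1)[1]
    return parsed

def render(parsed):
    """Return (type, text) pairs in display order with variables expanded."""
    out = []
    for kind in BANNER_ORDER:
        lines = parsed["banners"][kind]
        if lines:
            text = "\n".join(lines).replace("$(hostname)", parsed["hostname"])
            out.append((kind, text.replace("$(domain)", parsed["domain"])))
    return out

def missing_banners(parsed):
    """List banner types that have no lines configured."""
    return [k for k in BANNER_ORDER if not parsed["banners"][k]]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(render(cfg), "missing:", missing_banners(cfg))
```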
  • kmcintosh78 Member Posts: 195
    Try applying it as the MOTD command. I believe that should work.
  • docrice Member Posts: 1,706
    I've tried both exec and motd but can't get it to work. Do you guys have working pre-login banners that you can verify? I'm looking for something that displays the banner before the username prompt appears.
  • kmcintosh78 Member Posts: 195
    I just checked, and my 6509s and my ASAs are set for MOTD/Banners. Telnet and even ASDM will display the Banner.
    SSH does not.
    Like what nicklauscombs stated, don't think that SSL will give you the Banner before you log in.
    Just don't think it is an option.
  • Mrock4 Banned Posts: 2,359
    Our ASAs display a banner with SSH. We use "banner motd".
  • kmcintosh78 Member Posts: 195
    Really?!?!?!?!
    Don't happen to have the ability to post the part from the config?
    Is it a statement in the SSH login for it?
  • Mrock4 Banned Posts: 2,359
    Really?!?!?!?!
    Don't happen to have the ability to post the part from the config?
    Is it a statement in the SSH login for it?

    I'll check it out at work next week and post it up. I don't recall off the top of my head.
  • ColbyG Member Posts: 1,264
  • Mrock4 Banned Posts: 2,359
    ColbyG wrote: »
    It's never worked with SSH, AFAIK.

    Howto: configure a Cisco ASA 5505 Part 1 – how to connect to a cable modem with DHCP « atc.go0se.com <-- This guy got it working

    and

    Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3 - Configuring Management Access  [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems states: "After a banner is added, Telnet or SSH sessions to adaptive security appliance may close if:

    • There is not enough system memory available to process the banner message(s).

    • A TCP write error occurs when attempting to display banner message(s)."

    Which implies that it's supported, though I didn't see it in the Cisco docs. I know I'm not crazy, so tomorrow I'll remember to SSH in and post any relevant code. I usually use ASDM, so it's been a while since I've needed to SSH in. I do know these are 5540s using 8.3 code.
  • ColbyG Member Posts: 1,264
  • Mrock4 Banned Posts: 2,359
    ColbyG wrote: »
    That's AFTER login though, no?

    Tried today. You got the banner after entering your username/pw, and right before enable. Sucks.
  • Nutsacjac Member Posts: 76
    I think you want a Message of the Day.
    Here it is
    Configuring a Login Banner
    You can configure a message to display when a user connects to the security appliance, before a user logs in, or before a user enters privileged EXEC mode.
    To configure a login banner, enter the following command in the system execution space or within a context:

    hostname(config)# banner {exec | login | motd} text

    Adds a banner to display at one of three times: when a user first connects (message-of-the-day (motd)), when a user logs in (login), and when a user accesses privileged EXEC mode (exec). When a user connects to the security appliance, the message-of-the-day banner appears first, followed by the login banner and prompts. After the user successfully logs in to the security appliance, the exec banner displays.
    For the banner text, spaces are allowed but tabs cannot be entered using the CLI. You can dynamically add the hostname or domain name of the security appliance by including the strings $(hostname) and $(domain). If you configure a banner in the system configuration, you can use that banner text within a context by using the $(system) string in the context configuration.
    To add more than one line, precede each line by the banner command.
    For example, to add a message-of-the-day banner, enter:

    hostname(config)# banner motd Welcome to $(hostname).
    hostname(config)# banner motd Contact me at admin@example.com for any
    hostname(config)# banner motd issues.

    Thread necromancy I know, but I just ran into this issue today and it worked. Thanks and +rep