Telnet Question - Confused

dphills18 · ‎07-17-2008

Can someone explain to me why I am able to login to this router. I was under the impression that you need either a login command and/or a password. But I am able to login with no problems.

ROUTER#sh run

Building configuration...

Current configuration : 5039 bytes

!

! Last configuration change at 17:50:34 GMT Thu Jul 17 2008 by engineer

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ROUTER

!

boot-start-marker

boot-end-marker

!

no new-model

!

resource policy

!

clock timezone GMT 0

!

ip cef

!

voice-card 0

no dspfarm

!

crypto pki trustpoint TP-self-signed-382345668

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-382345368

revocation-check none

rsakeypair TP-self-signed-38068756668

!

crypto pki certificate chain TP-self-signed-3804574768

certificate self-signed 01

30820247 6E65642D A0030201 02020101 300D0609 2A864886 04050030

31312F30 2D060355 04031326 494F532D CCCCCC 2D536967 6E65642D 43657274

69666963 6174652D 33383037 38363536 3638301E 170D3038 30373137 31363538

35345A17 XXXXXX 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E XXXXXX 65727469 66696361 74652D33 SSSSSSS

36353636 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100D6E4 3B61ABBD 0CC88F36 6EE5D569 308201B0 BDD64AD5 8140DE41 09EF00BC

79C2E0E5 88DD1BB8 6BE8A559 FF040530 91685D2D 3647394B 3F3352B9 E6FB16F4

5DFD9CC2 1DF90B6F C8C38B6B C7AA6D32 6CA7B3FD 53B2489A B0A44C3E B34799C9

8E7FC5B9 5C3BACD6 47778622 3CE20BFD 95AECB51 F8374B6C 5FA27A4C 83B16E2A

DB4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603

551D1104 13301182 0F535452 2D424750 484F552D 52543031 301F0603 551D2304

18301680 14CA11A2 88DD1BB8 B6B81C85 2927F485 8C4E55A4 A5301D06 03551D0E

04160414 CA11A282 8DD176B6 B81C8529 27F4858C 4E55A4A5 300D0609 2A864886

F70D0101 04050003 81810038 260FD33D D4125293 DE429B98 CC2ED0D8 3D2087E2

A52D5BBE 611CCC4E 6E5298AE D96D23CE

quit

username cisco privilege 14 password xxx

!

interface GigabitEthernet0/0

description UpLink to 4507 Inside

no ip address

duplex full

speed 1000

!

interface GigabitEthernet0/0.11

description Temp until DAP is ONLINE

encapsulation dot1Q 11

ip address 192.168.11.50 255.255.255.0

no snmp trap link-status

!

interface GigabitEthernet0/0.12

description SGM Houston Local Interface

encapsulation dot1Q 12

ip address 192.168.12.50 255.255.255.0

ip access-group DAP_ONLY in

ip access-group DAP_ONLY out

no snmp trap link-status

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

ip route 192.168.0.0 255.255.0.0 192.168.5.5 name to_DAP_Network

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

ip access-list extended DAP_ONLY

permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

!

control-plane

!

line con 0

exec-timeout 60 0

line aux 0

line vty 0 4

exec-timeout 60 0

!

scheduler allocate 20000 1000

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

ROUTER#

Jerry Ye · ‎07-17-2008

This will do it:

username cisco privilege 14 password 7 101A194D01A191

HTH,

jerry

dphills18 · ‎07-18-2008

yeah, but only via the console. i am able to telnet into this device. i was thinking you could not telnet into a device unless you had the login and/or password set for the device.

Edison Ortiz · ‎07-18-2008

You have no authentication set on this router.

The username command described by Jerry will create a local account. However, I recommend going with privilege 15 on this one.

username [username] priv 15 password [password]

If you want telnet to use this local account, you need to configure the vtys as such:

line vty 0 4

login local

HTH,

__

Edison.

dphills18 · ‎07-18-2008

but here is the thing. it is using the local account for login.

i just started at a new company, and the first thing i notice was this. throughout my career, i have always used "login local" or set a vty password. it's really bugging me, because i'm like, "how is this working". the engineers here don't know why. the config i posted is complete (all ip addresses have been changed).

it's really crazy. i'm configuring tacacs now, but this is a very puzzling thing.

yaminqureshi · ‎07-18-2008

As seen from the config, there is no passwords set for console, telnet and auxillary port, that is the reason you are not prompted for the password. Most likely you are using console port to access the router as telnet wont work unless you set the line password.

Thank you

Yamin

dphills18 · ‎07-18-2008

i am using telnet. it is prompting me for a username and password. the device is miles away. i am using secureCRT. port 23. i am able to telnet into this device and don't know why. i have never been able to do this on any other cisco device (without the vty being setup). i am going to have to put this into the lab at the house. this makes no sense to me. i'm baffled.

Richard Burts · ‎07-18-2008

Dwayne

There has been an interesting discussion about user names and accounts but so far no answer to your fundamental question (which you have asked several times): how does this work to be able to telnet with no password. Here is the answer:

if the vty is not configured with the "login" command then there is no prompt for password and the connection is granted without checking passwords (even if a password were configured it would not be used unless some version of the login command is used).

So in your other jobs (and the default in IOS) is to have login (or login local or aaa new-model) configured which will result in checking passwords (or user ID and password). But on this router someone configured "no login" and the result is to permit access with no password checking.

If you configure login (or login local) under the vty lines then it will begin to check for passwords.

HTH

Rick

HTH

Rick

dphills18 · ‎07-18-2008

thanks rburts.

two things:

1. i was thinking that you could not login to a device via telnet, without having a line password or login local under the vty.

2. it is prompting me for a username and password. i was thinking that it may have been something with the ios version, but i have seen it on at least two devices here.

however, i didn't check to see if the versions were the same.

Richard Burts · ‎07-18-2008

Dwayne

The more I dig into this the more unusual it becomes. Let me respond to your points here:

1) if a router is configured with "no login" then it will not prompt for a password when telnet is initiated and it will permit the telnet to connect. So yes there are circumstances where you can telnet to a router without a password being configured.

2) I am puzzled about your statement that it is prompting you for user name and password. I thought that the main point of this discussion was that you did not need a password to telnet to this router.

Perhaps there is some IOS version dependency here.

You state that the config that you post is complete, but I am finding that difficult to reconcile in what you posted. For example the posted config has no routing protocol and only a single static route:

ip route 192.168.0.0 255.255.0.0 192.168.5.5 name to_DAP_Network

but the next hop address of 192.168.5.5 is not in a local subnet and therefore is not reachable. This means that the static route is not functioning. So how are you able to reach it to telnet if it has no functioning static route?

Another thing that puzzles me is this: the posted config has no statement under the vty lines about login. So I assumed that this was the situation where the vty is configured with no login and that is what I discussed. But when I set up a test to demonstrate it I find that if I configure the vty that way then the vty has "no login" in the config. But your posted config does not have that. The only way that I can get the vty to not have any login statement at all is if I configure aaa new-model. But your posted config appears to have no new-model.

These inconsistencies make me wonder if the router that you access by telnet is really the same router from which you got the config that you posted. Perhaps you can clarify this?

HTH

Rick

HTH

Rick

Danilo Dy · ‎07-21-2008

If your intention is not to allow login in vty, try putting "no exec" in "line vty 0 4". This works for me http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cc13436

Why you can login, I don't know. But in my case, some IOS version does not allow you to login but some does. It happen in my catalyst switches