Line VTY inquiry

Unanswered Question
Jul 7th, 2009

Hi,


I know it's important to set "enable secret password", but I can't understand the importance of putting passwords on line vty?


Hope you can help me understand guys. Thanks.

Edison Ortiz Tue, 07/07/2009 - 17:47

The 'enable secret [password]' is what prompts after entering 'enable' on the ">" exec mode.


The line vty password is the one used for telnet connections, first form of authentication.


HTH,


__


Edison.

helios999 Tue, 07/07/2009 - 18:02

Hi Edison,


My 3500 Series XL switch right now is configured for aaa authorization and authentication. Then I have an enable secret password plus I created one user. But I didn't create a line vty password. So when I telnet to my switch it will ask for my username and password; then after logging in I will issue the enable secret password. My question is: where does the line vty password come in?


I attached here the config. Hope you can enlighten me. Thanks.



Edison Ortiz Tue, 07/07/2009 - 18:48

Enabling 'aaa new-model' changes things a bit.


Per your configuration, you have indicated that you want to use local authentication:


aaa authentication login default local


which indicates to use the local username and password


If you wanted to use the line password the syntax would be:


aaa authentication login default line


In addition, if you wanted to avoid the use of the 'enable secret [password]', you could do so by changing the privilege level on the local account from:


username helios password 0 sdfsdf23Wdfgdf


to


username helios privilege 15 password 0 sdfsdf23Wdfgdf


HTH,


__


Edison.


helios999 Tue, 07/07/2009 - 19:00

Hi Edison,


Thanks for the info, I understand it now. I have one more question; hope you can help me. Since I'm using aaa settings, how can I assign commands to be available on certain privilege levels? For example, I want the command "sh ru" to be available for user john and the command "interface" to be available only to user peter.


Hope you can help on this. Thanks.

Richard Burts Tue, 07/07/2009 - 18:54

John


The original answer provided by Edison is based on the classic default behavior of IOS devices. The classic default behavior assumes that aaa authentication is not yet configured. And in this environment configuring a password on the vty is essential to supporting remote access to the device.


In your configuration aaa authentication (and aaa new-model) is configured. And when aaa authentication is configured, then the password on the vty is not essential. It may be desirable, but it is not essential. If you do configure passwords for the vty then you can specify a backup method of authentication in case your primary method does not work. So if you do configure passwords on the vty then you might configure aaa authentication something like this:

aaa authentication login default local line


This would allow the device to authenticate with the vty password if the local authentication fails.


HTH


Rick
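The two answers above (Edison's 'local' vs 'line' method lists and 'privilege 15', and Rick's 'local line' fallback) as one worked IOS configuration. This is an added example, not the attached config or anything from the thread; it assumes vty lines 0-4, the username from the thread, and placeholder secrets. One caveat worth knowing: IOS moves to the next method in the list only when the previous method cannot answer (for example, no username is configured at all), not when a user simply types a wrong password.

```cisco
! --- Classic behaviour, no 'aaa new-model': the vty password is the only
! --- gate on remote logins. Without it, the vty refuses telnet entirely.
enable secret <ENABLE-SECRET-PLACEHOLDER>
line vty 0 4
 password <VTY-PASSWORD-PLACEHOLDER>
 login

! --- With 'aaa new-model' the method list decides. 'local' is consulted
! --- first; the vty line password is used only if the local database
! --- cannot respond (e.g. no usernames defined), per Rick's 'local line'.
aaa new-model
aaa authentication login default local line
! privilege 15 on the account skips the separate 'enable' step (Edison's tip).
! 'password 0' is cleartext as in the attached config; images that support
! 'username <name> secret' should use that instead to store a hash.
username helios privilege 15 password 0 <USER-PASSWORD-PLACEHOLDER>
line vty 0 4
 password <VTY-PASSWORD-PLACEHOLDER>
 login authentication default
! restrict remote access to SSH if the image supports it; otherwise telnet
 transport input ssh
```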

helios999 Tue, 07/07/2009 - 19:12

Rick,


Thanks a lot for your reply. It helps me understand the issue. I have one more question though, as I posted above. Is it possible to assign certain commands like "interface" or "sh ru" to be made available to a certain user, peter, and hide the other commands from that user?


Hope you can also help me on this. Thanks.

Richard Burts Tue, 07/07/2009 - 19:34

John


It is certainly possible to change the privilege level of certain commands and to put them at a privilege level other than their default. And you can then configure certain users to be assigned certain privilege levels.


One thing to be aware of is that when you assign privilege levels to commands (perhaps like interface at level 5 and show run at level 7) that users at a privilege level (perhaps level 7) will get commands at that level and at any lower level. So the user at level 5 will only get the interface command. But the user at level 7 will get both show run and interface.


If you want a certain user to get only certain commands and some other user to get only certain other commands, then assigning privilege levels to the commands is not so very effective. To ensure that certain users have only specified commands, you should do command authorization using aaa authorization commands on the router and configure in ACS/TACACS which specific commands each user should get.


HTH


Rick


So
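Rick's privilege-level approach, written out as an added example (not from the thread) for the two users and two commands the question names. It assumes local authentication, the levels Rick used as illustration (interface at 5, show running-config at 7), and placeholder passwords; it also shows why the levels are cumulative, which is the limitation Rick points out.

```cisco
! Level N users receive every command at level N and below. So peter
! (level 5) gets 'interface' only, while john (level 7) gets
! 'show running-config' AND 'interface'. Disjoint command sets per user
! are not possible this way; that needs command authorization.
aaa new-model
aaa authentication login default local
! apply the privilege level stored on the local account at login
aaa authorization exec default local
! 'interface' lives inside config mode, so level 5 also needs the way in
privilege exec level 5 configure terminal
privilege configure level 5 interface
! 'sh ru' is an abbreviation; the privilege command takes the full name
privilege exec level 7 show running-config
username peter privilege 5 password 0 <PASSWORD-PLACEHOLDER>
username john privilege 7 password 0 <PASSWORD-PLACEHOLDER>
```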

helios999 Tue, 07/07/2009 - 21:27

Hi Rick,


Thanks for this reply I really need this one. Can I configure aaa authorization commands on the switch without using ACS/TACACS? And what does it mean to configure it in ACS/TACACS? Do you also have a sample link for this?


Thanks for the reply.

Richard Burts Wed, 07/08/2009 - 13:12

John


There are 2 approaches to restricting access to commands. One approach (which is what you originally asked about) is to assign various commands to privilege levels and then to give particular users a specified privilege level which controls what commands that they have access to.


The other approach is to use command authorization. With command authorization you can specify that a particular user (or group of users) has access to some commands and not to other commands. I am familiar with doing this on Cisco ACS, where you can build an authorization set to define what commands a user has access to. I am not sure how well it would work on a switch without using TACACS or ACS. It looks like in the syntax of configuring aaa authorization commands 15 there is an option to specify local (which should use the database on the switch). But I cannot see how to build a database or authorization set on the switch.


HTH


Rick
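The switch side of the command-authorization approach Rick describes, as an added example that is not from the thread. It assumes a TACACS+ server at a documentation-range placeholder address and the pre-15.x 'tacacs-server host' syntax current in 2009; the per-user or per-group command sets themselves are built on the ACS server, as Rick says, not on the switch.

```cisco
aaa new-model
! TACACS+ server and shared key (both placeholders)
tacacs-server host 192.0.2.10 key <TACACS-KEY-PLACEHOLDER>
! authenticate against the server, fall back to local accounts if it is down
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! every command typed at level 1 and level 15 is sent to the server, which
! answers permit/deny from the command set defined for that user in ACS
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! 'if-authenticated' lets an already logged-in user keep working if the
! server becomes unreachable, so an outage does not lock you out of the
! switch; remove it if you prefer command authorization to fail closed.
```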

helios999 Wed, 07/08/2009 - 18:09

Hi Rick,


Your reply is very informative and it really helps me. I'd like to know more about using TACACS/ACS/Radius if you can help me, but in our company it is likely that we will only use the local database for authorization.


Do you have guides about implementing TACACS and restricting user access of commands?

helios999 Wed, 07/08/2009 - 19:10

Rick,


I have read that link already. Yes, it's a good place to start. Thanks for your reply. I think it's best that I make another topic for aaa authorization using the local database.


What do you think?


Thanks.

Richard Burts Wed, 07/08/2009 - 19:22

John


I agree that starting a new thread focusing on authorization using the local database would be a good thing to do. The current thread and its title do not give people any clue that it is interested in authorization using the local database. A new thread with a new title could make this obvious and hopefully generate some new participants in the discussion.


HTH


Rick

helios999 Wed, 07/08/2009 - 19:28

Rick,


Thanks, hope you will still contribute. I will put my new thread under Security > AAA.


Thanks again.
