Giuseppe Larosa Fri, 06/04/2010 - 04:46
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Egeorgopolus,


sh run | inc username

if you find a line like

username root

you just need to deny it with

conf t

! report the whole line here with no in front

no username root

Hope to help


egeorgopoulos Fri, 06/04/2010 - 05:52
User Badges:

Actually there is no root username, so this username cannot be disabled. Any other clu

Thank you.

hobbe Fri, 06/04/2010 - 06:18
User Badges:
  • Gold, 750 points or more

Do you have any AAA statements to a tacacs or radius server that could contain the user root ?

How do you know that root is logging in ?

If there for some reason now is a user root who loggs in at the router without password

First, have you tried to login with root ?

Second, why not create the user root with an very complex password ?

would that keep them out ? atleast until you can figure out whats going on ?


egeorgopoulos Fri, 06/04/2010 - 06:35
User Badges:

Yes, I tried with root user and it can log in without entering any password. The AAA is enabled, so for the time being I modified the root user to enter the system with a password.

The odd thing is that there wasn't any username 'root' in the configuration before. At least now, this user is forced to enter a password.

Thank you.

hobbe Fri, 06/04/2010 - 07:21
User Badges:
  • Gold, 750 points or more

If you are using AAA you can use a user database outside the router. (radius/tacacs+)

If the AAA is enabled and you are using it, the root user gets his/her credentials from the AAA server.

So if the AAA server is a linux/unix style box, (most likely since windows does not use root) then most likely there is a problem with the root user at that machine, ie that root user does not have a password. (wich can be quite bad)

a local user database would have shown the username root in the config

(to check local database just do :  "sh ru | include root"  the | is the pipe sign.)



This Discussion