aux port telnet login policy for IOS router

Jan 1st, 2014

Hi all, I hope you can help me understand better how login policies work on IOS.

My 1721 router is configured for SSH access to IOS; when I log in over SSH I am granted privileged EXEC access. That's ok.

I have connected the AUX serial port to another apparatus and enabled it as a modem port. I use telnet to access it. I want to have a simple authentication (only a password, or username & password) to get access to telnet and the aux port. But in any case I don't want this account to access IOS through SSH.

Here are some extracts of the configuration:

enable secret 5 [mysecret]
aaa new-model
aaa session-id common
username [myuser] privilege 15 secret 5 [mysecret] <- this is used with ssh

line con 0
line aux 0
 password 7 [mypass]  <- only this does not work
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 2400
line vty 0 4
 access-class 1 in
 privilege level 15
 transport input ssh


I read that there are several methods, using AAA or not, but trying both I cannot reach my goal.

If I add a user with privilege 0, he still has access to the IOS enabled console; that's not good.

If I disable the AAA functionality, the configuration would be like this:

enable secret 5 [mysecret]
no aaa new-model
username [myuser] privilege 15 secret 5 [mysecret]

line aux 0
 password 7 01000716580A1C152E
 login
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 2400
line vty 0 4
 access-class 1 in
 privilege level 15
 password 7 00171214075A111C00
 login
 transport input ssh

In this case, I can get the telnet login for the AUX port to work, as I want, but I am no longer able to log in with SSH.

What is wrong? How can I get the two different logins to work, according to your experience?

Thanks.

Alessandro

Sandeep Choudhary Thu, 01/02/2014 - 22:54

Hi Alessandro,


The AUX port is the auxiliary port. Think of it as a secondary console port. The AUX port doesn't get a lot of use except to access the router if you are locked out of the console port.


For VTY lines:


Router(config)# line vty 0 4
Router(config-line)# password 7 00171214075A111C00
Router(config-line)# login local
Router(config-line)# privilege level 15
Router(config-line)# transport input all -> (telnet or ssh)

What is the config for access-list 1?

If it still does not work, then can you please paste the config?

Regards

Don't forget to rate helpful posts.

alessandro mauro Fri, 01/03/2014 - 04:54

I will try to explain better what my problem is.

I need to have two different logins, in addition to the classic enable on the console port:

- (A) one SSH login, for router configuration, that is privileged and can do any administrative task.

- (B) one TELNET login to the AUX port, that is a dummy user and accesses another apparatus connected to the AUX port. This user must be prohibited from accessing the router's IOS.

I will now paste two configurations:

- with configuration (1) I can do "ssh [email protected]", enter the password, and then get into "router#" (enabled command line), BUT if I do "telnet router 2005" (2005 is the port mapped to aux0) I'm asked for user & pass and the only account that works is the main account. If I add "username dummy privilege 0 password dummypass" to the conf, this user will be able to enter telnet but also the ssh enabled command line. So (A) works, (B) does not.

- with configuration (2) I cannot do "ssh [email protected]", as no password is accepted. But I can do "telnet router 2005" and give the "dummy" username and "dummypass" password. So (A) does not work, (B) does.


Configuration (1)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.124-13a.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [mysecret]
!
aaa new-model
!
!
!
aaa session-id common
clock timezone CEST 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address [someaddress]
!
ip dhcp pool InternalLan
 [omitted]
!
ip cef
ip domain lookup source-interface Dialer0
ip domain name [mydomain]
ip host [omitted]
ip inspect name [omitted]
crypto pki trustpoint equifax
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain equifax
 certificate ca [omitted]
  quit
username user privilege 15 secret 5 [mysecret]
!
!
ip ssh authentication-retries 2
ip ssh rsa keypair-name sshkeys
ip ssh version 2
!
!
!
interface ATM0
 [omitted]
!
interface BRI0
 [omitted]
!
interface FastEthernet0
 description Interfaccia FastEthernet0/0 - Lan interna
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
 ntp multicast
!
interface Dialer0
 description Interfaccia Dialer0 - ADSL
 ip ddns update [omitted]
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 fair-queue 64 16 256
 ppp pap sent-username [omitted]
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation [omitted]
[omitted - various nat translations]
!
ip dns server
ip dns primary [omitted]
!
!
ip access-list extended nat
 permit ip 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark FastEthernet0 in
access-list 100 [omitted]
access-list 101 remark Dialer0 in - block all except dns, ntp, 220, 80, ssmtp, smtp, imaps
access-list 101 [omitted]
no cdp run
!
!
!
control-plane
!
!
line con 0
line aux 0
 password 0 dummypass
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 2400
line vty 0 4
 access-class 1 in
 privilege level 15
 transport input ssh
!
ntp clock-period 17180048
ntp source Dialer0
ntp server [omitted]
end

Configuration (2)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.124-13a.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 [mysecret]
!
no aaa new-model
!
!
clock timezone CEST 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address [someaddress]
!
ip dhcp pool InternalLan
 [omitted]
!
ip cef
ip domain lookup source-interface Dialer0
ip domain name [mydomain]
ip host [omitted]
ip inspect name [omitted]
crypto pki trustpoint equifax
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain equifax
 certificate ca [omitted]
  quit
username user privilege 15 secret 5 [mysecret]
!
!
ip ssh authentication-retries 2
ip ssh rsa keypair-name sshkeys
ip ssh version 2
!
!
!
interface ATM0
 [omitted]
!
interface BRI0
 [omitted]
!
interface FastEthernet0
 description Interfaccia FastEthernet0/0 - Lan interna
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
 ntp multicast
!
interface Dialer0
 description Interfaccia Dialer0 - ADSL
 ip ddns update [omitted]
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 fair-queue 64 16 256
 ppp pap sent-username [omitted]
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation [omitted]
[omitted - various nat translations]
!
ip dns server
ip dns primary [omitted]
!
!
ip access-list extended nat
 permit ip 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark FastEthernet0 in
access-list 100 [omitted]
access-list 101 remark Dialer0 in - block all except dns, ntp, 220, 80, ssmtp, smtp, imaps
access-list 101 [omitted]
no cdp run
!
!
!
control-plane
!
!
line con 0
line aux 0
 password 0 dummypass
 login
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 2400
line vty 0 4
 access-class 1 in
 privilege level 15
 password 0 [mypass]
 login
 transport input ssh
!
ntp clock-period 17180048
ntp source Dialer0
ntp server [omitted]
end

alessandro mauro Mon, 01/06/2014 - 06:52

I have partially solved it by removing the following line from the "line vty" section:

privilege level 15

Now the dummy user is not enabled by default, although it can still access SSH.

A better solution would be to restrict access to one user on the vty and one user on the aux, but I don't know how to do that.
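The per-line separation Alessandro is looking for can be done with named AAA login method lists, keeping `aaa new-model` on: each line is bound to its own list, so the VTY lines authenticate only against the local username database and the AUX line authenticates only against its own line password. The configuration below is an added example written for this thread, not something posted by either participant. The list names VTY-AUTH and AUX-AUTH, the username admin and the bracketed secrets are placeholders I chose; access-list 1 is the LAN-only list from Alessandro's posted configuration.

```ios
! Added example (not from the thread): one AAA login list per line type.
aaa new-model
!
! Lines without a named list (the console) keep using the local user
! database, which is what aaa new-model already does when no default
! list is defined; stating it makes the behaviour explicit.
aaa authentication login default local
!
! VTY lines: local usernames only. No "dummy" username is created, so
! the AUX password can never open an SSH session.
aaa authentication login VTY-AUTH local
!
! AUX line: the line password only (the "line" method). Administrative
! usernames are not accepted on this path at all.
aaa authentication login AUX-AUTH line
!
! Administrative account used over SSH (placeholder name and secret).
! The privilege level is carried by the username, not by the line.
username admin privilege 15 secret [mysecret]
!
line aux 0
 ! Password for the reverse-telnet users on port 2005 (placeholder).
 password [auxpass]
 login authentication AUX-AUTH
 ! Same LAN-only filter as the VTY lines: reverse telnet to the AUX
 ! port is then not reachable from the Dialer0 side.
 access-class 1 in
 modem InOut
 no exec
 ! Only telnet is actually used to reach the attached device.
 transport input telnet
 stopbits 1
 speed 2400
!
line vty 0 4
 access-class 1 in
 login authentication VTY-AUTH
 ! No "privilege level 15" here; the level comes from the username.
 transport input ssh
```

To check the result after applying it: `show running-config | section line` should show each line with its `login authentication` list; `ssh admin@router` must prompt for the admin password and land in `router#`, while `telnet router 2005` must prompt for a password only and accept just the AUX line password. Because `service password-encryption` is enabled in the posted configuration, the AUX line password is stored as a type 7 string, which is reversible, so it should be a password that is not shared with the administrative account or anything else; `no exec` on the AUX line stays in place so the device attached to the serial side cannot start an EXEC session on the router.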

Sandeep Choudhary Tue, 01/07/2014 - 00:13
Hi Alessandro,

I am not sure, but you can try to add this command under vty:


line vty 0 15
 transport input all
 transport output all
 login local
 access-class 1 in


Hope it helps.


Regards

Don't forget to rate helpful posts.
