reverse telnet additional login required

Answered Question
Sep 10th, 2014

Hello,

 

I'm configuring a CISCO1921 router as a terminal server at the moment.

I used http://routing-bits.com/2008/09/30/cisco-terminal-server-with-menu-command/ as a config template and it works.

I just added ssh to access the router instead of Telnet.

 

But what's annoying:

Any time I choose from the menu to connect to a device via reverse Telnet, I'm getting a prompt for the router username and password.

Only after I enter them (the same ones I used to ssh to the router originally), I'm getting the prompt from the device I'm connecting to.

 

It seems to be a built-in feature of the aaa new-model command :-(

Even when I log in to the router using a privilege 15 account and issue the reverse Telnet (=connect) command from the CLI, I have to fill in the username/pwd again before being allowed to Telnet!

The only way I found so far was

Router(config)#aaa authentication login default none

which is not acceptable, of course.


When I try

Router(config)#no aaa new-model

I'm getting

"Changing configuration back to no aaa new-model is not supported.

Continue?[confirm]"

from the 15.4(1)T1 IOS.

 

Am I missing something?

Is there any way to get rid of this annoying filling in of the username/pwd all the time?

 

Thanks,

Milan

Correct Answer
Peter Paluch Wed, 09/10/2014 - 03:13
User Badges:
  • Cisco Employee,

Hi Milan,

I do not have a similar router and the proper HWIC here right now, but what I am thinking about is configuring a separate AAA auth list for exactly those lines that represent the HWIC serial ports. So for example, something like this:

aaa authentication login NOAUTH none
!
line 0/0/0 0/0/15
login authentication NOAUTH

You could eventually protect these lines with an access-class statement, preventing telnetting into them from outside.

Best regards,
Peter
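
An added example, not part of the thread and not Cisco's code: a small Python check over a saved running-config that reports any line using a none-only login method list without the inbound access-class the answer suggests pairing with it. The sample config, ACL 10, "line aux 0" and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); ACL 10 and "line aux 0" are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login NOAUTH none
access-list 10 permit 192.0.2.1
line aux 0
 login authentication NOAUTH
line 0/0/0 0/0/15
 login authentication NOAUTH
 access-class 10 in
 transport input telnet
line vty 0 4
 transport input ssh
"""

def none_only_lists(config):
    """Names of AAA login method lists whose only method is 'none'."""
    pat = re.compile(r"^aaa authentication login (\S+) none\s*$", re.M)
    return set(pat.findall(config))

def line_blocks(config):
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks

def unprotected_noauth_lines(config):
    """Lines that skip login authentication and have no inbound access-class."""
    weak = none_only_lists(config)
    findings = []
    for header, cmds in line_blocks(config).items():
        lists = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        has_acl = any(re.match(r"access-class \S+ in\b", c) for c in cmds)
        if any(name in weak for name in lists) and not has_acl:
            findings.append(header)
    return findings

if __name__ == "__main__":
    print(unprotected_noauth_lines(SAMPLE_CONFIG))
```

On the sample, only "line aux 0" is reported: the 0/0/0 0/0/15 range also bypasses the login prompt but carries an inbound access-class.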

milan.kulik Wed, 09/10/2014 - 04:29

Hi Peter,

 

Great, seems to work!

(As usual when you advise something.)

 

I'll test more deeply but just connected without the annoying prompt, just an enter was necessary to get the prompt from the target device.

 

Thanks a lot,

Milan

 

Peter Paluch Wed, 09/10/2014 - 05:15

Hi Milan,

Glad to have helped!

Best regards,
Peter
