Multiple VTY line password problem

Answered Question
Dec 1st, 2006

Hello gang, I'm trying to find a way around IOS's default behavior when individual VTY lines are configured with unique passwords.


Pretend for the moment that the only way to authenticate a VTY line user is via the line password. If lines 0-3 are given the password 'cisco' and line 4 is given the password 'test,' attempts to telnet to the router using the 'test' password won't work until lines 0-3 are in use. I know that the chances of needing to alter that behavior in a production environment are near nil due to AAA, local databases, etc., but I'm curious to know if it's possible.


Direct example: fire up an unconfigured router and enter only the lines below:


ena
conf t
int fa0/0
ip add 192.168.0.1 255.255.255.0
no shut
exit
line vty 0 3
login
password xxxx
exit
line vty 4
login
password test
end


Now, without adding a username/password combo, aaa new-model or any other authentication other than the line password, tell the router to allow access with the password 'test' regardless of whether lines 0-3 are in use.


If it's impossible, that's fine. I'm just curious.

Correct Answer
icabrera Mon, 12/04/2006 - 00:25
User Badges:
  • Silver, 250 points or more

Hi, it's impossible. This is because the router selects the vty connection in a random way, and it makes no sense to have a password if you don't know which vty line you are going to use, so this is why you need another authentication method like a local database or aaa.


Regards


Hope this is helpful; if so pls rate post

spremkumar Mon, 12/04/2006 - 01:46
User Badges:
  • Red, 2250 points or more

Hi


In addition to the other posters' comments, you can try creating different access lists permitting the IPs required to access the box.

Once you are done with the same, apply the ACLs accordingly using the access-class in command under the line vty so that only the permitted IPs can access the router using those authentication criteria.


regds


One workaround for this is to set up a rotary group. E.g. line vty 0-3 are configured with a login password of cisco. Line vty 4 is configured with rotary group 1 and login local. When telnetting to the router, a user (for instance, an administrator) will telnet to port 3001. This will hit VTY 4 only.



username test-user password 0 cisco

line vty 0 3
password cisco
login
line vty 4
login local
rotary 1
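An added audit example, not part of the thread: it parses a constructed IOS running-config excerpt modelled on the rotary-group workaround above, reports which TCP port reaches each vty block (23 for round-robin lines, 3000 + rotary number for rotary lines) and flags blocks that rely on the line password alone, which is the situation the original question describes.

```python
import re

# Constructed sample config (modelled on the workaround in this thread,
# not captured from a real device).
SAMPLE_CONFIG = """\
username test-user password 0 cisco
!
line vty 0 3
 password cisco
 login
line vty 4
 access-class 10 in
 login local
 rotary 1
"""

def parse_vty_lines(config):
    """Return one dict per 'line vty' block with its auth-relevant settings."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = {"first": first, "last": last, "login": None,
                       "password": False, "rotary": None, "access_class": None}
            blocks.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented command ends the line block
            continue
        cmd = line.split()
        if cmd[0] == "password":
            current["password"] = True
        elif cmd[0] == "login":
            current["login"] = cmd[1] if len(cmd) > 1 else "line"  # bare 'login' = line password
        elif cmd[0] == "rotary":
            current["rotary"] = int(cmd[1])
        elif cmd[0] == "access-class":
            current["access_class"] = cmd[1]
    return blocks

def audit_vty(config):
    """Return (range, reachable port, auth method, access-class) per vty block."""
    report = []
    for b in parse_vty_lines(config):
        # Without a rotary group a Telnet to port 23 lands on the next free
        # line (round-robin), so the client cannot choose which block it hits.
        port = 3000 + b["rotary"] if b["rotary"] is not None else 23
        if b["login"] == "line" and b["password"]:
            auth = "line password only"
        elif b["login"] == "local":
            auth = "local user database"
        else:
            auth = "no login configured" if b["login"] is None else f"login {b['login']}"
        report.append((f"vty {b['first']}-{b['last']}", port, auth, b["access_class"]))
    return report
```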


olmsteadj Thu, 12/07/2006 - 22:59

Thank you all for the replies. I apologize if the focus of my question was unclear; I know how to get around the line selection behavior. I was only curious to know if the behavior itself can be directly modified. As Icabrera has said, it's impossible, so I am content.


One minor correction: IOS selects the VTY lines on a round-robin basis, not random.

olmsteadj Thu, 01/25/2007 - 10:03

Pardon the delay please, Mark. I thank you again for your desire to assist, but my question only asked whether the default round-robin selective behavior can be directly altered. I now know that it cannot be done, but I don't and haven't had a problem getting around it. My interest in the function was that of a student learning where all the equipment's 'knobs' are located.
