Multiple VTY line password problem

olmsteadj
Level 1

Hello gang, I'm trying to find a way around IOS's default behavior when individual VTY lines are configured with unique passwords.

Pretend for the moment that the only way to authenticate a VTY line user is via the line password. If lines 0-3 are given the password 'cisco' and line 4 is given the password 'test', attempts to telnet to the router using the 'test' password won't work until lines 0-3 are in use. I know that the chances of needing to alter that behavior in a production environment are near nil due to AAA, local databases, etc., but I'm curious to know if it's possible.

Direct example: fire up an unconfigured router and enter only the lines below:

ena
conf t
int fa0/0
ip add 192.168.0.1 255.255.255.0
no shut
exit
! lines 0-3 share one line password
line vty 0 3
login
password xxxx
exit
! line 4 gets a different line password
line vty 4
login
password test
end

Now, without adding a username/password combo, aaa new-model or any other authentication other than the line password, tell the router to allow access with the password 'test' regardless of whether lines 0-3 are in use.

If it's impossible, that's fine. I'm just curious.

1 Accepted Solution

Accepted Solutions

icabrera
Level 4

Hi, it's impossible. This is because the router selects the VTY connection in a random way, and it makes no sense to have a password if you don't know which VTY line you are going to use, so you need another authentication method like a local database or AAA.

Regards

Hope this is helpful; if so, please rate the post.


6 Replies


Hi,

In addition to the other posters' comments, you can try creating different access lists permitting the IPs required to access the box.

Once you are done with that, apply the ACLs accordingly using the access-class ... in command under the line vty, so that only the permitted IPs can access the router using those authentication criteria.

Regards

One workaround for this is to set up a rotary group. E.g. line vty 0-3 are configured with a login password of cisco. Line vty 4 is configured with rotary group 1 and login local. When you telnet to the router, an administrator (for instance) will telnet to port 3001. This will hit VTY 4 only.

username test-user password 0 cisco
! lines 0-3 keep the shared line password
line vty 0 3
password cisco
login
! line 4 authenticates against the local username database
! and is reached on TCP port 3001 (3000 + rotary group number)
line vty 4
login local
rotary 1
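The behaviour described in the question, together with the two workarounds in the replies above (access-class and rotary groups), as an added model that is not code from the original thread or from Cisco: a small Python simulation of the VTY pool. It assumes what the question observes, that a port-23 session takes the lowest free VTY line and is checked against that line's password, plus two assumptions about rotary groups stated as such in the code: that rotary group N listens on TCP 3000+N, and that a line placed in a rotary group is taken out of the port-23 pool. The username, the addresses and the session order are constructed.

```python
"""Simulation of IOS VTY line allocation with per-line passwords, rotary groups
and access-class. Constructed example; not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vty:
    number: int
    password: Optional[str] = None            # `password <x>` with plain `login`
    login_local: bool = False                 # `login local`: check the username database
    rotary: Optional[int] = None              # `rotary N`: listens on TCP 3000+N (assumed)
    access_class: Optional[frozenset] = None  # `access-class <acl> in`: permitted sources
    busy: bool = False


@dataclass
class Router:
    lines: List[Vty]
    users: Dict[str, str] = field(default_factory=dict)  # `username <u> password <p>`

    def _free_lines(self, port: int) -> List[Vty]:
        # Assumption: a rotary line is reachable only on its rotary port,
        # and a normal (non-rotary) line only on port 23.
        want_rotary = None if port == 23 else port - 3000
        return [l for l in self.lines if not l.busy and l.rotary == want_rotary]

    def connect(self, port: int, secret: str, username: Optional[str] = None,
                src: str = "10.0.0.5") -> Tuple[Optional[int], str]:
        """Return (vty number, outcome) for an incoming session."""
        free = self._free_lines(port)
        if not free:
            return None, "no free line"
        line = free[0]  # lowest free line wins, as the question describes
        if line.access_class is not None and src not in line.access_class:
            return line.number, "refused by access-class"
        if line.login_local:
            ok = username is not None and self.users.get(username) == secret
        else:
            ok = line.password is not None and secret == line.password
        if not ok:
            return line.number, "auth failed"
        line.busy = True
        return line.number, "ok"


def per_line_password_scenario() -> Dict[str, Tuple[Optional[int], str]]:
    """The question's setup: lines 0-3 use 'cisco', line 4 uses 'test'."""
    r = Router([Vty(n, password="cisco") for n in range(4)] + [Vty(4, password="test")])
    out = {}
    out["test while 0-3 free"] = r.connect(23, "test")   # lands on vty 0, wrong password
    for _ in range(4):
        r.connect(23, "cisco")                           # occupy vty 0-3
    out["test once 0-3 busy"] = r.connect(23, "test")    # now vty 4 is the lowest free line
    out["sixth session"] = r.connect(23, "test")         # pool exhausted
    return out


def rotary_scenario() -> Dict[str, Tuple[Optional[int], str]]:
    """The replies' workaround: vty 4 in rotary 1, login local, access-class."""
    r = Router([Vty(n, password="cisco") for n in range(4)]
               + [Vty(4, login_local=True, rotary=1,
                      access_class=frozenset({"10.0.0.5"}))],
               users={"test-user": "cisco"})  # constructed credentials
    out = {}
    out["3001 from unlisted host"] = r.connect(3001, "cisco", "test-user", src="192.0.2.9")
    out["3001 bad user"] = r.connect(3001, "cisco", "nobody")
    out["3001 good user"] = r.connect(3001, "cisco", "test-user")
    out["3001 again"] = r.connect(3001, "cisco", "test-user")  # only one rotary line
    out["23 with line password"] = r.connect(23, "test")        # vty 4 not in the 23 pool
    return out


if __name__ == "__main__":
    for name, result in {**per_line_password_scenario(), **rotary_scenario()}.items():
        print(f"{name:28s} -> {result}")
```

The point to take from the first scenario is the security one: a per-line password is not an access boundary. Whichever line password is weakest becomes reachable as soon as enough lower lines are occupied, and anyone who can reach port 23 can occupy them by opening idle sessions. In the second scenario the rotary group changes which line a port-3001 session lands on, and access-class and login local do the actual gatekeeping; the line password on vty 0-3 still admits anyone who knows it.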

olmsteadj
Level 1

Thank you all for the replies. I apologize if the focus of my question was unclear; I know how to get around the line selection behavior. I was only curious to know if the behavior itself can be directly modified. As Icabrera has said, it's impossible, so I am content.

One minor correction: IOS selects the VTY lines on a round-robin basis, not random.

Hi olmsteadj,

Did you try the workaround I supplied with rotary groups? This will meet your requirements. The only caveat is that you will need to telnet on port 3001 in my example to hit VTY 4.

Pardon the delay please, Mark. I thank you again for your desire to assist, but my question only asked whether the default round-robin selective behavior can be directly altered. I now know that it cannot be done, but I don't and haven't had a problem getting around it. My interest in the function was that of a student learning where all the equipment's 'knobs' are located.
