Cisco 1921, Telnet

cpatterson

Ok, I've got a very rudimentary knowledge of Cisco commands, mainly picked up from trying to make things work, and banging on it until it gives up (i.e., I get the command correct, finally). However, the Telnet sequence is kicking my butt. I enter the line vty 04, but the login command is not responding as research shows it should. Instead, it's telling me "login" is incomplete, "login local" is an invalid input, "Login Auth" needs an acl, and defining an ACL 1 of permit 1.0.0.0 0.0.0.255, and then "login auth 1" tells me that the list "1" is not defined for login.

C1921-UM(config)#access-list 1 permit 1.0.0.0 0.0.0.255
C1921-UM(config)#line vty 0 4
C1921-UM(config-line)#password notmypassword
C1921-UM(config-line)#login auth 1
AAA: Warning authentication list "1" is not defined for LOGIN.

It's driving me nuts, and I need to send the router 1200 miles away to finish configuring it, and can't get the telnet to work properly. What am I messing up or missing, please?

thanks

Hi Chris,

What are you trying to do?

First Scenario

If you want to limit the access, you need the following:

access-list 1 permit 1.0.0.0 0.0.0.255
C1921-UM(config)#line vty 0 4
access-class 1 in

and you limit the traffic to the IP packets sourced by AL1

Second Scenario

If you want to create an auth list, you have to do the following:

username xxx privilege 15 password xxxx
aaa new-model
aaa authentication login local_auth local
aaa authorization exec default local
line vty 0 4
 login authentication local_auth

Hope that helps

Vasilis

Thanks for the response. Basically, I'm trying to enable Telnet for a 1921 that we're sending to a remote location for a client. My first intention is to get it so that it will respond to a telnet request at all, then I'll change the ACL/add another ACL to allow us to connect remotely, and finish the configuration when it's in place. I would PREFER to be able to login from wherever with the right user/pwd, but I figured an IP list was quickest. I'll try the Access list first, and see what it does, and update here. Thanks again

Chris

As Vasilis says, you misinterpreted what kind of list the login command was looking for. It is looking for a named method list for authentication. And I do not think that this was what you really want to do.

You say that at first you just want to get the router to respond to a telnet request. Well by default if there is IP connectivity the router will respond to a telnet request. Are you saying that you have tried telnet and it does not work? Or is it that you assume that you must do something to get it to work and are trying to figure out what is needed? (in which case the solution is much easier than you think)

HTH

Rick

Thanks for responding.

No way to quote...

"My first intention is to get it so that it will respond to a telnet request at all, then..."

Correct, I am saying that I have tried telnet and it doesn't work. The router won't answer to telnet at the IP address. Let me clarify if I can. I can telnet through Putty to the Console port, but when attempting to access the local router address (1.0.0.1) via Putty (telnet), it won't respond. I thought I read online that the 1921 was defaulted to NOT respond to telnet until enabled, but I could have misread. I need the router to answer on the external IP (T1 CSU/DSU), or at worst, the internal GigabitEthernet 0/0. This is currently in the config file, but it won't seem to respond on the 0/0 port.

line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 notmypassword
 transport input telnet


Is there something configured wrong? Or is there something different I need to do for response to either port?

Hi Chris,

I checked the configuration that you posted.

You have to add the login command under the line vty 0 4.

line vty 0 4
 login

Then you can telnet to the router.

If you have enabled aaa (with the aaa new-model command) then you have to create a user such as

username xxx privilege 15 password xxxx

Hope that helps!

Vasilis

Just putting the command "login" anywhere after that "line vty 0 4" returns "Incomplete command" from the router. If I use "login authentication local_auth", will that allow me to login from any ip address, or will it only allow a console login?

If you get "Incomplete command", it means that you have enabled aaa on your router (second scenario in my previous post).

After using "login authentication local_auth", you can login from any ip address (telnet) allowed by the access-list 23.

You have to remove access-class if you want to permit telnet login by any source ip.

You do not need to be confused.

Line vty refers to TELNET login

Line con refers to Console login

Hope that helps!

Vasilis

This forum needs a chat window.

Ok, working on it, maybe I'm close now. Thanks for the assistance, I'll keep updating.

Sure, I agree. A chat window will be helpful.

Ok, I do not think that you have any problem.

If helpful please rate

Regards,

Vasilis

Chris

Your most immediate problem is this line under line vty

access-class 23 in

this uses access list 23 to control who can have remote access (including telnet).

In a sense you are correct that since this line was part of the config of the original router then the default behavior is to not accept telnet from most source addresses.

You can either modify access list 23 to include your addresses or you can remove that line from the vty. Either solution should allow you to telnet to the router. (In the long term you probably want to use the access class functionality to limit remote access if this router is going to a remote site.)

And another piece of advice is that if this router is going to a remote location that you might want to configure it to use SSH and to limit remote access to SSH since it is much more secure than telnet.

HTH

Rick

cpatterson

Ok, so I finally got the config squared away enough that I can telnet properly, but apparently, I can't specify 2 Access-Classes for the same line. I.e.:

line vty 0 4
 access-class 24 in
 privilege level 15
 password 7 notmypassword
 transport input telnet

I "need" this (read: would be convenient) in case we need to have a user locally to the device telnet to it, and enter commands with our input. We're concerned that the circuit may not be configured cleanly, and that we'll have a bit of tweaking to do before we can get it all up and running. Is there a way to specify 2 classes, or in a single access-list, to specify 2 IP ranges? Specifically, our local subnet external IP here (like 166.172.143.0) as well as the internal to the facility (1.0.0.0).

Chris

With the vty lines the access-class command uses an access list to control who can have remote access to the router. You can configure only a single access list in the access class. But you certainly can specify multiple IP networks or subnets in a single access list. It might look something like this:

access-list 24 permit 166.172.143.0 0.0.0.255
access-list 24 permit 1.0.0.0 0.255.255.255

HTH

Rick
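
How the wildcard masks in the access lists posted in this thread select source addresses, as an added example that is not part of any poster's reply: a small Python evaluator for standard numbered ACLs (first match wins, implicit deny at the end). The function names are hypothetical and the source addresses tested are constructed.

```python
import ipaddress

# Entries copied from the thread: ACL 1 from the question, ACL 24 from the reply.
SAMPLE_CONFIG = """\
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 24 permit 166.172.143.0 0.0.0.255
access-list 24 permit 1.0.0.0 0.255.255.255
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Return (number, action, base, wildcard) tuples for standard ACL lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, spec = parts[1], parts[2], parts[3:]
        if action not in ("permit", "deny"):
            continue
        if spec[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host" and len(spec) > 1:
            base, wildcard = spec[1], "0.0.0.0"
        else:
            # A bare address with no wildcard matches that single host.
            base, wildcard = spec[0], (spec[1] if len(spec) > 1 else "0.0.0.0")
        rules.append((number, action, _to_int(base), _to_int(wildcard)))
    return rules

def evaluate(rules, number, source):
    """First matching entry wins; no match means the implicit deny applies."""
    src = _to_int(source)
    for num, action, base, wildcard in rules:
        if num != number:
            continue
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0 bits must match, 1 bits are ignored
        if (src & care) == (base & care):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_standard_acl(SAMPLE_CONFIG)
    for acl, src in [("1", "1.0.0.1"), ("1", "1.0.1.1"), ("24", "1.0.1.1"),
                     ("24", "166.172.143.77"), ("24", "166.172.144.1")]:
        print(f"access-list {acl}: source {src} -> {evaluate(rules, acl, src)}")
```

The source 1.0.1.1 is denied by access list 1 but permitted by access list 24, because the wildcard 0.255.255.255 ignores the last three octets while 0.0.0.255 ignores only the last one.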


Excellent. That did what I needed, thanks. Looks to be up and running, just gotta get it in the field, and see if the new circuit works. Thanks again everyone.

Can't seem to rate or select "Correct Answer". Will try back a little later. Thanks
