AS5300 login with any random userid and password

richardmcmahon
Level 1

Hi,

A bit of a strange query I know, but is it possible to get an AS5300 to prompt for a userid and password for dial access but to accept any random data that is typed into these fields. This should allow any user to login whether they have a valid userid or password.

I have entered the following.

aaa authentication ppp USERS&TUNNELS local none

If I use a local username it works fine but a random one generates the following.

Harbour_Ex_as01#
*Jun 16 02:45:39.092 BST: %ISDN-6-CONNECT: Interface Serial1:30 is now connected to N/A N/A
*Jun 16 02:45:58.661 BST: %LINK-3-UPDOWN: Interface Async126, changed state to up
*Jun 16 02:45:58.661 BST: As126 PPP: Treating connection as a dedicated line
*Jun 16 02:46:00.429 BST: As126 PAP: I AUTH-REQ id 29 len 30 from "richarddfsdfsdf"
*Jun 16 02:46:00.429 BST: As126 PAP: Authenticating peer richarddfsdfsdf
*Jun 16 02:46:00.429 BST: AAA: parse name=Async126 idb type=10 tty=126
*Jun 16 02:46:00.429 BST: AAA: name=Async126 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=126 channel=0
*Jun 16 02:46:00.429 BST: AAA: parse name=Serial1:30 idb type=13 tty=-1
*Jun 16 02:46:00.429 BST: AAA: name=Serial1:30 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=1 channel=30
*Jun 16 02:46:00.429 BST: AAA/MEMORY: create_user (0x6242F3E0) user='richarddfsdfsdf' ruser='' port='Async126' rem_addr='async/08453500050' authen_type=PAP service=PPP priv=1
*Jun 16 02:46:00.429 BST: AAA/AUTHEN/START (116733842): port='Async126' list='USERS&TUNNELS' action=LOGIN service=PPP
*Jun 16 02:46:00.429 BST: AAA/AUTHEN/START (116733842): found list USERS&TUNNELS
*Jun 16 02:46:00.429 BST: AAA/AUTHEN/START (116733842): Method=LOCAL
*Jun 16 02:46:00.429 BST: AAA/AUTHEN (116733842): status = ERROR
*Jun 16 02:46:00.429 BST: AAA/AUTHEN/START (116733842): Method=NONE
*Jun 16 02:46:00.433 BST: AAA/AUTHEN (116733842): status = PASS
*Jun 16 02:46:00.433 BST: As126 PAP: O AUTH-NAK id 29 len 28 msg is "% Authorization failed."
*Jun 16 02:46:00.433 BST: AAA/MEMORY: free_user (0x6242F3E0) user='richarddfsdfsdf' ruser='' port='Async126' rem_addr='async/08453500050' authen_type=PAP service=PPP priv=1
*Jun 16 02:46:01.197 BST: %ISDN-6-DISCONNECT: Interface Serial1:30 disconnected from unknown , call lasted 22 seconds
*Jun 16 02:46:03.677 BST: %LINK-5-CHANGED: Interface Async126, changed state to reset
*Jun 16 02:46:08.685 BST: %LINK-3-UPDOWN: Interface Async126, changed state to down

Any help much appreciated.

Thanks,

Richard

Accepted Solution

Richard Burts
Hall of Fame

I can think of at least two ways to allow anyone onto the 5300 router no matter what ID and/or password.

The first and most simple is to remove the ppp authentication command from the dial line. This will let anyone dialing onto the machine without checking for ID and password. I believe this will let them in without the router generating a request for ID but that may not be a big deal because most of the time the prompt is generated by the PC before dialing anyway. It might matter if the user was using a post-terminal dial window in which the prompt IS generated by the router.

The second and more complicated is based on the fact that there are multiple authentication methods that can be specified for ppp including tacacs+, radius, local, and none. You could configure ppp authentication with tacacs+ or radius as the primary method and "none" as the backup and point the tacacs+ or radius at a non-existent server. This would cause the 5300 to attempt to authenticate against the tacacs+ or radius and when that did not get any answer it would let the user in. I can not guarantee that this would generate a prompt, but the same comments apply as in the preceding paragraph about why it may not matter.

HTH

Rick
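As an added defender-side example (not code from the thread or from Cisco), a small Python audit that flags the two settings Rick describes so they can be spotted in a running-config review: a PPP method list that falls back to "none", and a PPP interface with no ppp authentication command at all. The config text below is constructed; only the list name USERS&TUNNELS comes from the question.

```python
"""Flag IOS AAA settings that admit any PPP dial-in caller (added example)."""
import re

# Constructed sample running-config; USERS&TUNNELS is the list from the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp USERS&TUNNELS local none
aaa authentication ppp STRICT group radius local
!
interface Group-Async1
 encapsulation ppp
 ppp authentication pap USERS&TUNNELS
!
interface Group-Async2
 encapsulation ppp
!
interface Serial0:23
 encapsulation ppp
 ppp authentication chap STRICT
"""

# Keywords that may follow 'ppp authentication'; anything else is a list name.
PPP_AUTH_KEYWORDS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap",
                     "callin", "one-time", "optional"}

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # top-level line ends the stanza
    return blocks

def audit(config):
    """Return one finding string per weak PPP authentication setting."""
    findings, open_lists = [], set()
    for line in config.splitlines():
        m = re.match(r"aaa authentication ppp (\S+) (.+)$", line)
        if m and "none" in m.group(2).split():
            open_lists.add(m.group(1))
            findings.append(f"method list {m.group(1)} falls back to 'none'")
    for name, lines in parse_interfaces(config).items():
        if "encapsulation ppp" not in lines:
            continue
        auth = [l for l in lines if l.startswith("ppp authentication")]
        if not auth:
            findings.append(f"{name}: PPP with no 'ppp authentication'")
            continue
        last = auth[0].split()[-1]
        used = "default" if last in PPP_AUTH_KEYWORDS else last
        if used in open_lists:
            findings.append(f"{name}: uses open method list {used}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the USERS&TUNNELS list, Group-Async1 (which uses it) and Group-Async2 (no authentication), while Serial0:23 with the STRICT list is silent.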


Hi,

The first one did the trick.

Thanks,

Richard