01-09-2004 02:49 AM - edited 03-02-2019 12:46 PM
ICND and BSCI mentions that "Some experts recommend that you configure one of the vty terminal lines differently than the others. This way have a back door into the router"
Could you explain how to make a back door to the router and how to connect with the back door?
01-09-2004 03:48 AM
Suppose you're running TACACS or RADIUS for login and enable authentication, authorization and accounting to Cisco devices. You'll probably have lines like these:
aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication enable default group tacacs+ enable
And:
line vty 0 4
login authentication login-telnet
In some problem cases (suppose TACACS is running but your router isn't defined on it) you may not be able to telnet to the router. If you add this line:
aaa authentication login loginlocal local
And apply this method (loginlocal) to the vty 4 line:
line vty 0 3
login authentication login-telnet
line vty 4
login authentication loginlocal
This way, in the worst-case scenario, you open 5 telnet sessions to the router and the fifth session will use only local passwords (assuming you defined "username ..... password ...." commands).
Regards.
01-09-2004 04:31 AM
You can also add "rotary 1" under line vty 4 so that the system admin can access that vty directly. To do so the administrator (or anybody else for that matter) has to use the following command: telnet
For more information on the rotary command, see the following URL:
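As an added example (not from the thread, and not Cisco code): a small Python audit that parses an IOS-style running-config and reports which vty lines use a local-only login list, and which carry a rotary group, so a reviewer can see exactly which lines are reachable when the TACACS+/RADIUS server is not consulted. The config text is a constructed sample modelled on the answers above.

```python
import re
# Constructed sample running-config modelled on the thread's fallback-vty design (not a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication login loginlocal local
line vty 0 3
 login authentication login-telnet
line vty 4
 login authentication loginlocal
 rotary 1
"""

def parse_login_methods(config):
    """Map each 'aaa authentication login <list>' to its ordered methods, e.g. ['group tacacs+', 'local']."""
    methods = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # 'group tacacs+' / 'group radius' are two tokens naming one method: keep them together.
        methods[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return methods

def parse_vty_lines(config):
    """Return {vty_number: {'auth': list_name, 'rotary': group_or_None}} from the 'line vty' blocks."""
    vtys, current = {}, []
    for line in config.splitlines():
        if line.startswith("line vty"):
            nums = [int(x) for x in line.split()[2:]]   # 'line vty 0 3' -> 0..3, 'line vty 4' -> 4
            current = list(range(nums[0], nums[-1] + 1))
            # A line with no explicit list uses the 'default' login list.
            vtys.update({n: {"auth": "default", "rotary": None} for n in current})
        elif not line.startswith(" "):
            current = []   # any other top-level command ends the vty block
        elif current:
            tokens = line.split()
            if tokens[:2] == ["login", "authentication"]:
                for n in current: vtys[n]["auth"] = tokens[2]
            elif tokens[0] == "rotary":
                for n in current: vtys[n]["rotary"] = int(tokens[1])
    return vtys

def audit_vty_auth(config):
    """Split vty lines into those that consult the AAA server and those that accept local passwords only."""
    methods, vtys = parse_login_methods(config), parse_vty_lines(config)
    report = {"aaa_server": [], "local_only": [], "rotary": {}}
    for n, v in sorted(vtys.items()):
        key = "local_only" if methods.get(v["auth"]) == ["local"] else "aaa_server"
        report[key].append(n)
        if v["rotary"] is not None:
            report["rotary"][n] = v["rotary"]   # rotary group lets this vty be reached directly
    return report
```

Run `audit_vty_auth` over a saved `show running-config` to confirm the fallback line is the only one in `local_only` and that its local usernames are reviewed as carefully as the AAA server accounts.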