05-27-2004 12:35 AM - edited 03-09-2019 07:32 AM
Hi,
I would like to have the information "Who is logging into the router via telnet?" recorded by using the functions the router has itself, that is, just the "username" and "aaa authentication ... local" commands, not TACACS+ or RADIUS.
I understand that I can record a telnet user accessing NVRAM with the "conf t" command using the following configuration:
----
username xxx password xxx
aaa authentication login test local
line vty 0 4
login authentication test
----
With the above configured, the router logs the following message to the buffer, which can be seen later with the "sh log" command:
%SYS-5-CONFIG_I: Configured from console by "username" on vty 0 (xxx.xxx.xxx.xxx)
However, this message is only generated when the telnet user accesses NVRAM with the "conf t" command.
It means I have no idea who is on the router unless he executes the "conf t" command.
Is there any way to work out this issue, or can't I work it out without TACACS+ or RADIUS?
Any information would be appreciated.
Regards,
05-27-2004 06:19 AM
If I understand your problem, you can create an access-list:
access-list 101 permit tcp source-ip wildcard destination-ip wildcard eq 23 log
With the log option you can log the users that access the router.
I think you can also use the logging buffered command.
05-27-2004 06:51 AM
With an extended access list like 101 there are issues like what interface will it be applied to (probably the answer needs to be every interface) and what address needs to be defined as destination address (probably every address on the router) and how do you distinguish telnet traffic going THROUGH the router (do not want to log that) from traffic going TO the router (do want to log that).
I believe a better solution would be:
access-list 1 permit any log
line vty 0 4
access-class 1 in
the access-class uses a standard access list to examine specifically telnet traffic where the router is the destination, so there is no issue of transit traffic vs destination traffic. Also it will examine only telnet traffic, where with an access list applied to an interface it will examine ALL packets coming into that interface which would be much more overhead on the router.
05-27-2004 10:17 AM
Yes, I agree with you, it's a better solution, rburts.
05-27-2004 06:10 PM
Hi all,
Thank you very much for your help.
I understand I can record the IP addresses used by the telnet user (the source IP address of the telnet traffic) by using access-class.
In this case, however, I think I still cannot record the "username" used by the telnet user to log into the router.
I would like to have the "username" recorded instead of the IP address of the telnet user.
Regards,
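To make the gap discussed in rburts' answer and in the follow-up above concrete, here is an added example (not part of the original thread) that parses a constructed "show logging" excerpt. With "access-class 1 in" and a "log" keyword on the standard ACL, the router emits an IP access-list log line naming only the source address; a username appears only when a "%SYS-5-CONFIG_I" line is later generated by "conf t". The script groups both message types by source IP and reports which telnet sources never produced a username. The sample log lines are constructed, and the message layouts used in the regular expressions (the "%SEC-6-IPACCESSLOGS: list N permitted A.B.C.D N packet(s)" form, and "vty0" versus "vty 0") are assumptions about the router's output format, so adjust them to the actual lines your router produces.

```python
import re
from collections import defaultdict

# Constructed sample of what "show logging" might contain after configuring
# "access-list 1 permit any log" + "access-class 1 in" on the vty lines with
# local username authentication. Not real router output; message layouts are
# assumptions based on the usual IOS formats.
SAMPLE_LOG = """\
*May 27 12:01:02.123: %SEC-6-IPACCESSLOGS: list 1 permitted 10.1.1.50 1 packet
*May 27 12:03:15.456: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.1.1.50)
*May 27 12:10:40.789: %SEC-6-IPACCESSLOGS: list 1 permitted 10.1.1.77 1 packet
*May 27 12:40:01.000: %SEC-6-IPACCESSLOGS: list 1 permitted 10.1.1.50 3 packets
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Access-class ACL hit: only the source address is available, no username.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    rf"(?P<src>{IPV4}) (?P<count>\d+) packets?"
)

# Configuration-mode entry: carries the username and the vty source address.
# Tolerates both "vty0" and "vty 0" spellings.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from console by (?P<user>\S+) on "
    rf"(?P<line>vty ?\d+) \((?P<src>{IPV4})\)"
)


def parse_events(log_text):
    """Turn buffered log lines into a list of dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            events.append({"kind": "vty_access", "src": m["src"], "user": None,
                           "acl": m["acl"], "action": m["action"],
                           "count": int(m["count"])})
            continue
        m = CONFIG_RE.search(line)
        if m:
            events.append({"kind": "config", "src": m["src"], "user": m["user"],
                           "line": m["line"]})
    return events


def sessions_by_source(events):
    """Per source IP: number of ACL-logged vty accesses and usernames seen via CONFIG_I."""
    summary = defaultdict(lambda: {"vty_access": 0, "users": set()})
    for e in events:
        if e["kind"] == "vty_access":
            summary[e["src"]]["vty_access"] += 1
        elif e["kind"] == "config":
            summary[e["src"]]["users"].add(e["user"])
    return dict(summary)


def unattributed_sources(summary):
    """Sources that reached the vty lines but never produced a CONFIG_I line.

    These are exactly the sessions the thread is worried about: the router
    knows the address but the local-auth setup never logged the username.
    """
    return sorted(src for src, s in summary.items()
                  if s["vty_access"] and not s["users"])


if __name__ == "__main__":
    summary = sessions_by_source(parse_events(SAMPLE_LOG))
    for src, s in sorted(summary.items()):
        users = ", ".join(sorted(s["users"])) or "<no username logged>"
        print(f"{src}: {s['vty_access']} vty access(es), users: {users}")
    print("unattributed:", unattributed_sources(summary))
```

Pairing a CONFIG_I username with an earlier ACL hit from the same address is only a heuristic: several people behind one NAT address, or one person who never enters configuration mode, remain indistinguishable, which is why the thread concludes that local authentication alone does not record who logged in.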