03-30-2012 06:30 AM - edited 03-04-2019 03:51 PM
Ok, I've got a very rudimentary knowledge of Cisco commands, mainly picked up from trying to make things work, and banging on it until it gives up (i.e. I get the command correct, finally). However, the Telnet sequence is kicking my butt. I enter the line vty 0 4, but the login command is not responding as research shows it should. Instead, it's telling me "login" is incomplete, "login local" is an invalid input, "login auth" needs an ACL, and defining an ACL 1 of permit 1.0.0.0 0.0.0.255, and then "login auth 1" tells me that the list "1" is not defined for login.
C1921-UM(config)#access-list 1 permit 1.0.0.0 0.0.0.255
C1921-UM(config)#line vty 0 4
C1921-UM(config-line)#password notmypassword
C1921-UM(config-line)#login auth 1
AAA: Warning authentication list "1" is not defined for LOGIN.
It's driving me nuts, and I need to send the router 1200 miles away to finish configuring it, and can't get the telnet to work properly. What am I messing up or missing, please?
thanks
03-30-2012 07:31 AM
Hi Chris,
What are you trying to do?
First Scenario
If you want to limit the access you need the next
access-list 1 permit 1.0.0.0 0.0.0.255
C1921-UM(config)#line vty 0 4
access-class 1 in
and you limit the traffic to the IP packets sourced by AL1
Second Scenario
If you want to create an auth list you have to do the next
username xxx privilege 15 password xxxx
aaa new-model
aaa authentication login local_auth local
aaa authorization exec default local
line vty 0 4
login authentication local_auth
Hope that helps
Vasilis
03-30-2012 07:45 AM
Thanks for the response. Basically, I'm trying to enable Telnet for a 1921 that we're sending to a remote location for a client. My first intention is to get it so that it will respond to a telnet request at all, then I'll change the ACL/add another ACL to allow us to connect remotely, and finish the configuration when it's in place. I would PREFER to be able to login from wherever with the right user/pwd, but I figured an IP list was quickest. I'll try the Access list first, and see what it does, and update here. Thanks again
03-30-2012 11:00 AM
Chris
As Vasilis says you mis-interpreted what kind of list the login command was looking for. It is looking for a named method list for authentication. And I do not think that this was what you really want to do.
You say that at first you just want to get the router to respond to a telnet request. Well by default if there is IP connectivity the router will respond to a telnet request. Are you saying that you have tried telnet and it does not work? Or is it that you assume that you must do something to get it to work and are trying to figure out what is needed? (in which case the solution is much easier than you think)
HTH
Rick
03-30-2012 12:01 PM
Thanks for responding.
No way to quote...
"My first intention is to get it so that it will respond to a telnet request at all, then..."
Correct, I am saying that I have tried telnet and it doesn't work. The router won't answer to telnet at the IP address. Let me clarify if I can. I can telnet through Putty to the Console port, but when attempting to access the local router address (1.0.0.1) via Putty (telnet), it won't respond. I thought I read online that the 1921 was defaulted to NOT respond to telnet until enabled, but I could have misread. I need the router to answer on the external IP (T1 CSU/DSU), or at worst, the internal GigabitEthernet 0/0. This is currently in the config file, but it won't seem to respond on the 0/0 port.
line vty 0 4
access-class 23 in
privilege level 15
password 7 notmypassword
transport input telnet
Is there something configured wrong? Or is there something different I need to do for response to either port?
03-30-2012 01:03 PM
Hi Chris,
I checked the configuration that you posted.
You have to add the login command under the line vty 0 4.
line vty 0 4
login
Then you can telnet to the router.
If you have enabled aaa (with the aaa new model command) then you have to create a user such as
username xxx privilege 15 password xxxx
Hope that helps!
Vasilis
03-30-2012 01:18 PM
Just putting the command "login" anywhere after that "line vty 0 4" returns "Incomplete command" from the router. If I use "login authentication local_auth", will that allow me to login from any ip address, or will it only allow a console login?
03-30-2012 01:25 PM
If you get the "Incomplete command" message, it means that you have enabled aaa on your router (second scenario in my previous post).
After using "login authentication local_auth", you can login from any ip address (telnet) allowed by the access-list 23.
You have to remove access-class if you want to permit telnet login by any source ip.
You do not need to be confused.
Line vty refers to TELNET login
Line con refers to Console login
Hope that helps!
Vasilis
03-30-2012 01:38 PM
This forum needs a chat window.
Ok, working on it, maybe I'm close now. Thanks for the assistance, I'll keep updating.
03-30-2012 01:50 PM
Sure, I agree. A chat window will be helpful.
Ok, I do not think that you have any problem.
If helpful please rate
Regards,
Vasilis
03-30-2012 03:56 PM
Chris
Your most immediate problem is this line under line vty
access-class 23 in
this uses access list 23 to control who can have remote access (including telnet).
In a sense you are correct that since this line was part of the config of the original router then the default behavior is to not accept telnet from most source addresses.
You can either modify access list 23 to include your addresses or you can remove that line from the vty. Either solution should allow you to telnet to the router. (In the long term you probably want to use the access-class functionality to limit remote access if this router is going to a remote site.)
And another piece of advice is that if this router is going to a remote location that you might want to configure it to use SSH and to limit remote access to SSH since it is much more secure than telnet.
HTH
Rick
04-02-2012 07:33 AM
Ok, so I finally got the config squared away enough that I can telnet properly, but apparently, I can't specify 2 Access-Classes for the same line. I.e.:
line vty 0 4
access-class 24 in
privilege level 15
password 7 notmypassword
transport input telnet
I "need" this (read: would be convenient) in case we need to have a user local to the device telnet to it, and enter commands with our input. We're concerned that the circuit may not be configured cleanly, and that we'll have a bit of tweaking to do before we can get it all up and running. Is there a way to specify 2 classes, or in a single access-list, to specify 2 IP ranges? Specifically, our local subnet external IP here (like 166.172.143.0) as well as the internal to the facility (1.0.0.0).
04-02-2012 07:45 AM
Chris
With the vty lines the access-class command uses an access list to control who can have remote access to the router. You can configure only a single access list in the access class. But you certainly can specify multiple IP networks or subnets in a single access list. It might look something like this:
access-list 24 permit 166.172.143.0 0.0.0.255
access-list 24 permit 1.0.0.0 0.255.255.255
HTH
Rick
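Putting Rick's two suggestions together (one access-list carrying several permit entries, and SSH instead of telnet for a router at a remote site), the following is an added example of a hardened vty configuration; it is not from the thread or from Cisco, and the domain name, username and password are placeholders while the hostname and address ranges are the ones quoted in the thread.

```cisco
! Added example: SSH-only remote access with a source ACL and local AAA login.
! A hostname and domain name must exist before the RSA host key can be generated.
hostname C1921-UM
! placeholder domain
ip domain-name example.com
! Local account for remote logins. "secret" stores a hash of the password,
! whereas "password 7" is only reversible obfuscation.
! placeholder username and password
username admin privilege 15 secret CHANGE-ME-STRONG-PASSWORD
! AAA with a named method list, which is what "login authentication" expects
! (with aaa new-model active, the bare "login" command is no longer accepted).
aaa new-model
aaa authentication login local_auth local
aaa authorization exec default local
! One access-list with several source ranges (Rick's example above) and an
! explicit logged deny, so rejected connection attempts appear in the log.
access-list 24 remark Management sources permitted on the vty lines
access-list 24 permit 166.172.143.0 0.0.0.255
access-list 24 permit 1.0.0.0 0.255.255.255
access-list 24 deny any log
! SSH host key and SSHv2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
! Apply the ACL and the method list to the vty lines; no telnet at all.
line vty 0 4
 access-class 24 in
 login authentication local_auth
 transport input ssh
 exec-timeout 10 0
 logging synchronous
```

After applying it, "show access-lists 24" shows hit counts per entry and "show ip ssh" confirms that SSH is enabled, which is a quick way to verify the remote-access path before the router ships.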
04-02-2012 08:29 AM
Excellent. That did what I needed, thanks. Looks to be up and running, just gotta get it in the field, and see if the new circuit works. Thanks again everyone.
Can't seem to rate or select "Correct Answer" . Will try back a little later. thanks