
2960 switch - junk login credential accepting

Hello,

I am testing access switches for one project. I notice that when I telnet from core to access and, instead of an appropriate username, give some junk characters as shown in the output below, it accepts that username, does not ask for a password, and lands me in user-exec (>) mode.

CORE-SW#telnet 192.168.1.50
Trying 192.168.1.50 ... Open

User Access Verification

Username: aldkfjadfdslkdja

ACC-SW1>

I updated the IOS of the switch as well, as per the Cisco-recommended IOS, but the output is the same.

Switch Model No: WS-C2960S-48FPS-L

Switch IOS Version: 15.2(2a)E1 | C2960S-UNIVERSALK9-M | flash:/c2960s-universalk9-mz.152-2a.E1/c2960s-universalk9-mz.152-2a.E1.bin

Boot Loader (C2960S-HBOOT-M) Version 12.2(53r)SE

Show version Output 

-SW2#show version
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(2a)E1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 10-Dec-14 03:54 by prod_rel_team

ROM: Bootstrap program is C2960S board boot loader
BOOTLDR: C2960S Boot Loader (C2960S-HBOOT-M) Version 12.2(53r)SE, RELEASE SOFTWARE (fc3)

RUHHR-G-F9C1-SW2 uptime is 2 weeks, 2 days, 3 hours, 39 minutes
System returned to ROM by power-on
System restarted at 09:32:47 Riyadh Tue Dec 27 2016
System image file is "flash:/c2960s-universalk9-mz.152-2a.E1/c2960s-universalk9-mz.152-2a.E1.bin"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960S-48FPS-L (PowerPC) processor (revision B0) with 131072K bytes of memory.
Processor board ID 
Last reset from power-on
2 Virtual Ethernet interfaces
1 FastEthernet interface
52 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 
Motherboard assembly number : 
Power supply part number : 341-0382-02
Motherboard serial number : 
Power supply serial number : 
Model revision number : B0
Motherboard revision number : A0
Model number : WS-C2960S-48FPS-L
Daughterboard assembly number : 73-11933-04
Daughterboard serial number :
System serial number : 
Top Assembly Part Number : 800-32647-02
Top Assembly Revision Number : A0
Version ID : V02
CLEI Code Number : COMGB00ARB
Daughterboard revision number : A0
Hardware Board Revision Number : 0x01


Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 52    WS-C2960S-48FPS-L  15.2(2a)E1   C2960S-UNIVERSALK9-M


Configuration register is 0xF


Brian Beijl
Level 1

Hi,

What kind of security is in place for allowing access to the switch? Are you using aaa, radius, tacacs, or is this an out-of-the-box switch with barely any configuration? Even in the last case, it should not accept any bogus usernames.

At minimum you should have the command "login local" under the line vty 0 15 instances.

Curious to know what relevant config is used.

Regards,
Brian

Found the Culprit. 

aaa authentication login default local none

Removed none from the above command and problem is fixed.

aaa authentication login default local
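
A check for the misconfiguration identified in this thread, as an added example that is not part of the original posts: it scans a running-config for "aaa authentication login" method lists that include "none" and reports which line blocks those lists apply to. The sample configuration, the MGMT list name and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread's switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local none
aaa authentication login MGMT group tacacs+ local
!
line con 0
 login authentication MGMT
line vty 0 4
 transport input telnet
line vty 5 15
 login authentication MGMT
"""

LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (.+)$")
USE_RE = re.compile(r"^ login authentication (\S+)$")

def parse(config):
    """Return (method lists, list name applied to each line block)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.rstrip()
        if m := LIST_RE.match(text):
            lists[m.group(1)] = m.group(2).split()
        elif m := LINE_RE.match(text):
            current = m.group(1)
            lines[current] = "default"  # AAA applies the default list unless overridden
        elif current and (m := USE_RE.match(text)):
            lines[current] = m.group(1)
        elif text and not text.startswith(" "):
            current = None  # left the line block
    return lists, lines

def audit(config):
    """Return (list name, methods, lines using it) for each list containing 'none'."""
    lists, lines = parse(config)
    findings = []
    for name, methods in sorted(lists.items()):
        if "none" in methods:
            used_by = sorted(l for l, n in lines.items() if n == name)
            findings.append((name, methods, used_by))
    return findings

if __name__ == "__main__":
    for name, methods, used_by in audit(SAMPLE_CONFIG):
        print(f"login list {name!r} {methods} contains 'none'; applied to: {used_by}")
```

Run against the sample, it reports the default list on "vty 0 4", the only line block without its own "login authentication" statement.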
