Can't disable Telnet for vty lines?

thegreattriscuit
Beginner

#sh run | inc user
username USER0 secret 5 $1$password
username USER1 privilege 15 secret 5 $1$password
username USER2 privilege 15 secret 5 $1$password

#sh run | inc aaa
aaa new-model
aaa authentication login local_authen local
aaa authentication login radius_authen group radius local
aaa authorization console
aaa authorization exec local_author local
aaa authorization exec radius_author group radius local
aaa session-id common

#sh run | begin line vty
line vty 0 4
 access-class 3 in
 exec-timeout 15 0
 authorization exec radius_author
 logging synchronous
 login authentication radius_authen
 transport input ssh
line vty 5 15
!

#sh ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE6, RELEASE SOFTWARE (fc1)

The intent of the above is that management connections will only be accepted via SSH, and all of those will be authenticated via RADIUS; if RADIUS is down, it will use the local username/password combinations, most of which are given privilege level 15. Telnet should never work.

SSH works as expected (authenticates via RADIUS), but the problem is that Telnet also works, will ONLY use the local database (never RADIUS), and, for some reason, leaves the users at privilege level 1 instead of the configured 15.

Essentially, it seems that at every point I have told it to do something that isn't the default with regards to telnet, it ignores me. Any ideas?

Prior to a recent IOS upgrade, the switch didn't support SSH, so the previous config was Telnet with RADIUS, and that worked fine.


10 Replies

cadet alain
Mentor

Hi,

You should disable telnet on all vty lines.

Regards.

Alain

Don't forget to rate helpful posts.


lol. Thanks.

No, what I'm saying is this:

I have tried everything I can think of to disable telnet, but it's still running. Everything I've found says that "transport input ssh" should disable telnet on that line, but (as you can see from the config I posted) I've done that, and telnet is still working. What ELSE can I do to try and disable it?

John Blakley
Advisor

Try deleting your "vty 5 15" with "no line vty 5 15" OR try configuring these lines with the same configuration that you have for vty 0 4.

HTH,

John


Okay, so you're saying that even though the below config

line vty 5 15
!

doesn't include any explicit configuration for those lines, simply having them listed could allow telnet through the defaults? I'll check it out when I'm back at that office tomorrow. I'd noticed them there, and assumed that "no configuration" meant "no access".

I'll post back with the results when I can verify, thanks.

I ran into the issue the other day. I had one router that had the lines configured, but I kept failing on radius requests. I realized that I had no configuration under those lines, so I deleted them and it resolved the issue. You'd think that you'd come in on lines 0 4, but apparently that's not always the case.

John


glen.grant
Advisor

When you telnet in, just do a show user and it will tell you what line you are coming in on. The easiest way to alleviate what you are seeing is just to put the info you have on vty 0-4 across all lines. Telnet will not work as long as you put transport input ssh across all lines.

conf t
line vty 0 15
 access-class 3 in
 exec-timeout 15 0
 authorization exec radius_author
 logging synchronous
 login authentication radius_authen
 transport input ssh

Accepted solution:

Hi William,

Follow Glen's suggestion to check which line you're coming in on, but if you don't want to have all 15 lines available, use "transport input none" on the lines you don't want available. That should disable both, and any other protocols.

Several people have correctly identified the issue: lines vty 5 15 have no explicit configuration, and by default telnet is enabled on them. There have been several solutions suggested. My personal favorite is to include the same configuration parameters on vty 5 15 that are on 0 4. The solution to delete the excess vty lines may work or it may not. I have tried it on some routers which rejected it (and have done it on some that accepted the command and did delete the vty lines). The suggestion of transport input none probably works. And I would like to add one other alternative that is easy and absolutely works. Under the vty lines that you do not want to work, just configure the command no exec.

HTH

Rick

Accepted solution:

Hi Richard,

For me the "no exec" command is new and definitely works. I have done tests which I share with you below. I did them on a 2800 but I believe the results are the same on a 3560. The default config (default transport input) results in allowing all protocols. I could not find a command reference for the command defaults.

Configuration for lines:

line vty 0
 transport input telnet
line vty 1
 transport input none
line vty 2 4
 ! default transport input

For the first line (vty 0) I could get in. Line 1 I could never get into. On the following lines I can log in.

ADSL-TEST#show line vty 0
...
Allowed input transports are telnet.
...

ADSL-TEST#show line vty 1
...
Allowed input transports are none.
...

ADSL-TEST#show line vty 2    ! default transport input
...
Allowed input transports are pad telnet rlogin lapb-ta mop v120 ssh.
...

I also tested no exec, as suggested by Richard. The difference from "transport input none" is that with transport input none I get the message "The remote system refused the connection", while with "no exec" I get nothing and am simply disconnected.

ADSL-TEST#show line vty 1
...
Capabilities: EXEC Suppressed

Excellent work.

So yes, I stopped by the site last night and confirmed that I was telnetting in on lines 5-15.

Since I wasn't really on the clock, I just quickly configured the additional lines without devoting much thought to it.

"no vty 5 15" did NOT work on the devices I attempted it on (but I *DO* seem to remember using that command in the past).

However, looking back on it, now that I know what's actually going on, "transport input none" and/or "no exec" look like the real solution.

Thanks again for your help, guys.
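The pattern the thread converges on (every `line vty` stanza that carries no explicit `transport input`, `login authentication` or `authorization exec` silently falls back to platform defaults, and an attacker coming in on vty 5-15 gets Telnet plus the default AAA lists) is easy to miss by eye in a long running-config. Below is a small audit script, added here as an example; it is not code from any of the posts or from Cisco. It parses text shaped like `show running-config` output, computes the effective input transports per vty stanza, flags stanzas where Telnet still reaches an EXEC, and emits the fix from the thread (`transport input ssh`, `transport input none` or `no exec`). Assumptions, labelled in the code: an unconfigured stanza inherits the default transport set that the `show line vty 2` output above printed (`pad telnet rlogin lapb-ta mop v120 ssh`), which is taken to match the poster's 12.2(55)SE6 image; sub-commands may arrive unindented, as they do after forum extraction; `SAMPLE_CONFIG` is a constructed copy of the poster's vty section, and the function names are the author's own.

```python
"""Audit Cisco IOS 'line vty' stanzas for Telnet exposure.

Added example for this thread (not code from the posts or from Cisco). Given
text shaped like 'show running-config' output, it reports per vty stanza the
effective input transports, whether an EXEC is offered, and which per-line AAA
settings are absent. Assumptions: an unconfigured stanza inherits the default
transport set printed by 'show line' in the thread; sub-commands may arrive
unindented; SAMPLE_CONFIG is a constructed copy of the poster's config.
"""
import re

# Default input transports as shown by 'show line' in the thread (assumption:
# the poster's 12.2(55)SE6 image has the same default).
DEFAULT_TRANSPORTS = frozenset(
    {"pad", "telnet", "rlogin", "lapb-ta", "mop", "v120", "ssh"})
VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?$")
TRANSPORT_INPUT = re.compile(r"^transport input (.+)$")

# Constructed replica of the vty section posted in the question.
SAMPLE_CONFIG = """\
line vty 0 4
 access-class 3 in
 exec-timeout 15 0
 authorization exec radius_author
 logging synchronous
 login authentication radius_authen
 transport input ssh
line vty 5 15
!
"""


def parse_vty_stanzas(config_text):
    """[{'range': (first, last), 'commands': [...]}] per 'line vty' stanza."""
    stanzas, current = [], None
    for raw in config_text.splitlines():
        cmd = raw.strip()  # tolerate unindented sub-commands
        header = VTY_HEADER.match(cmd)
        if header:
            first = int(header.group(1))
            last = int(header.group(2)) if header.group(2) else first
            current = {"range": (first, last), "commands": []}
            stanzas.append(current)
        elif cmd.startswith("line ") or cmd in ("!", "end"):
            current = None  # another line stanza or a separator closes this one
        elif current is not None and cmd:
            current["commands"].append(cmd)
    return stanzas


def effective_transports(commands):
    """(allowed transports, EXEC offered) after applying a stanza's sub-commands."""
    allowed, exec_offered = set(DEFAULT_TRANSPORTS), True
    for cmd in commands:
        m = TRANSPORT_INPUT.match(cmd)
        if m:
            words = m.group(1).split()
            if words == ["none"]:
                allowed = set()
            elif words == ["all"]:
                allowed = set(DEFAULT_TRANSPORTS)
            else:
                allowed = set(words)  # the last 'transport input' wins
        elif cmd == "no exec":
            exec_offered = False  # connection accepted, then dropped: no login
    return allowed, exec_offered


def audit_vty(config_text):
    """One finding per stanza; 'telnet_reachable' is the condition the poster hit."""
    findings = []
    # Per-line lists set on vty 0 4 but absent on vty 5 15 in the question.
    wanted = ("login authentication", "authorization exec", "access-class")
    for stanza in parse_vty_stanzas(config_text):
        allowed, exec_offered = effective_transports(stanza["commands"])
        missing = [k for k in wanted
                   if not any(c.startswith(k) for c in stanza["commands"])]
        findings.append({
            "range": stanza["range"], "allowed": allowed, "exec": exec_offered,
            "telnet_reachable": exec_offered and "telnet" in allowed,
            "missing": missing})
    return findings


def remediation(findings, mode="ssh"):
    """IOS commands closing every stanza where Telnet still reaches an EXEC."""
    fix = {"ssh": "transport input ssh", "none": "transport input none",
           "noexec": "no exec"}[mode]
    out = []
    for f in findings:
        if f["telnet_reachable"]:
            out.extend(["line vty %d %d" % f["range"], " " + fix])
    return out


if __name__ == "__main__":
    found = audit_vty(SAMPLE_CONFIG)
    for f in found:
        print(f["range"], sorted(f["allowed"]), f["exec"], f["telnet_reachable"], f["missing"])
    print("\n".join(remediation(found)))
```

Run against the sample, the script reports vty 0-4 as SSH-only with no missing per-line settings, and vty 5-15 as allowing the full default transport set with `login authentication`, `authorization exec` and `access-class` all absent, which is exactly the state the poster confirmed with `show user`. Feed it the output of `show running-config` from a real device and check that no stanza comes back with `telnet_reachable` set; the `remediation` output is what Glen's and Rick's posts recommend, limited to the stanzas that actually need it.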
