
Line vty 0 4 and the login command

eddy.eurlings
Level 1

In ICND1 I find this configuration for the line vty :

emma(config)#line vty 0 15
emma(config-line)#password love
emma(config-line)#login

emma(config-line)#exit

Why do you use the login command here?

In my experience, even without the login command, when you open a TELNET connection, there must be a password set and you have to give the password. If there's no password set, the switch/router will refuse the TELNET session. (later followed by an enable password)

I always do this :

emma(config)#line vty 0 15
emma(config-line)#password love
emma(config-line)#exit

What's the difference between the 2 configs?

Thanks for your help,

Eddy


mahmoodmkl
Level 7

Hi

It is used to grant access to the vty lines by using a password, i.e., it forces the people connecting to this device to provide a password.

Thanks

Thank you for your answer,

But I have noticed that when you don't use the "login" command and only use the "password" command, the device will also ask for the password.

My config on a 2960 switch or 1700 router :

ip address 1.0.0.1 255.0.0.0

line vty 0 4

password cisco

When I open a TELNET session on the host 1.0.0.1, with no login command in the config:

telnet 1.0.0.1

Trying 1.0.0.1 ..... open

User access verification

Password :

The system also asks me for a password, even when I don't use the login command.

Thank you very much for thinking with me,
Eddy

kcnajaf
Level 7

Hi Eddy,

Consider the VTY 0 4 as the door of entry to the router. With the  "login" command you are basically locking the door.

The password is the key to open the door.

So if you don't type the "login" command, that means you are not locking the door to enter the router, and in that case there is no fun in putting the password.

But if you just type the "login" command without a password, the router will complain that you need the password set to connect to it.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Thank you for your answer,

But I have noticed that when you don't use the "login" command and only use the "password" command, the device will also ask for the password.

My config on a 2960 switch or 1700 router :

ip address 1.0.0.1 255.0.0.0

line vty 0 4

password cisco

When I open a TELNET session on the host 1.0.0.1, with no login command in the config:

telnet 1.0.0.1

Trying 1.0.0.1 ..... open

User access verification

Password :

The system also asks me for a password, even when I don't use the login command.

Thank you very much for thinking with me,
Eddy

Hi,

I tried this on GNS3 with 2 different IOS

C2600-J1S3-M), Version 12.3(24)

(C3745-ADVIPSERVICESK9-M), Version 12.4(17)

and I am getting a response as expected. If we don't have the login command it directly falls to enable mode (>) as below.

R1

line vty 0 4

password cisco

no login

R2#10.10.10.1

Trying 10.10.10.1 ... Open

R1>

But from your post it looks like it is still asking you for the console password? By any chance have you got an enable password on the router? Also, what version of IOS are you running?

Regards

Najaf

Hi Najaf,

Thanks for your answers.

In your config, you use "no login", and then it's logical that the device doesn't ask for a login.

In my config, I just give the password command, and don't even use the "login"

R1
line vty 0 4

password cisco

That's my complete config, I don't use "login" or "no login".

Regards,

Eddy

Hi Eddy,

The problem was that on my devices the login was there by default, so the only way to remove it is to use the no form of it :-)

Regards

Najaf

jj27
Spotlight

You can also use the local authentication database by using login local instead of just login.  Any usernames you have defined will then be able to login rather than using a telnet password that is defined on the VTY lines.

Good Day,

The login command is further executed to allow a local or TACACS or RADIUS server account to log in via telnet,

whereas password with a defined password is used to make that password mandatory for login to the switch via vty.

The same applies for console too..!

Thank you.

Thank you very much

CiscoPurpleBelt
Level 6

Better to go under Line console 0 and Line VTY and enter the "login local" config after creating local user accounts on the device.

I believe that we are seeing a change in behavior in IOS about a command that is enabled by default.

The login command is enabled by default. In general IOS does not display in show run commands that are enabled by default. But there are exceptions to this. For many releases Cisco made an exception for the login command and displayed it. But at some point this seems to have changed and it is no longer displayed. But it is still enabled. So if you want to do a really accurate test, enter the no login command on the vty lines and see what happens.

What the login command really does is to enable the prompt for the login process which generates the prompt for the password. Note that the behavior is different between the vty lines and the console line.

Several responses have mentioned the option of using login local. This would enable the prompt and would require that a user name and password be configured on the router and would use that instead of the line password that can be configured on the lines.

Also note that the behavior of the login command is affected by whether you have enabled aaa new-model. When you enable aaa it supersedes the login command and controls the prompt and authentication process regardless of what is configured for the login command.

HTH

Rick

To add to this, with AAA and TACACS configurations, your VTY lines will only allow you to configure your "login authentication" (not login local). Meaning all sessions will authenticate via the configured AAA\TACACS. You can do a verification test by removing AAA and TACACS. In doing so, you will now see that your VTY lines can be configured for local access "login local" only. Point here is, if you keep your AAA\TACACS configuration (why not), then the login local (enabled by default) and password commands are not required or needed on those lines because authentication defaults to AAA\TACACS. In fact, it's best to remove the VTY passwords anyway, leveraging the local database.
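Added example (not part of any post in this thread): a small Python audit that applies the behaviour described in the two replies above to a saved running-config, treating a missing `login` line on a vty block as the hidden default. It assumes `show running-config` style text with sub-commands indented by one space; the sample config and the result labels are constructed for illustration.

```python
import re

# Constructed sample config; not taken from any device in the thread.
SAMPLE = """\
hostname R1
!
line vty 0 4
 password cisco
line vty 5 9
 password cisco
 no login
line vty 10 12
 login local
line vty 13 15
 login
!
end
"""

def classify(cmds, aaa):
    """Return which authentication applies to one 'line vty' block."""
    if aaa:
        # aaa new-model supersedes login / login local on the line.
        # Simplification: only the method-list name is reported.
        named = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        return "aaa:" + (named[0] if named else "default")
    if "no login" in cmds:
        return "open"                 # no prompt, straight to the > prompt
    if "login local" in cmds:
        return "local-users"          # username/password from the local database
    if any(c.startswith("password ") for c in cmds):
        return "line-password"        # login is on by default, even if not shown
    return "refused-no-password"      # login enabled but no line password set

def audit_vty(config):
    """Map each 'line vty' range in the config to its effective authentication."""
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None            # any other top-level line ends the block
    return {line: classify(cmds, aaa) for line, cmds in blocks.items()}

if __name__ == "__main__":
    for line, verdict in audit_vty(SAMPLE).items():
        print(f"{line:15} {verdict}")
```

Any range reported as `open` accepts remote sessions without a prompt, and `line-password` means every administrator shares one password with no per-user accountability.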

Wendell Taroa
Level 1

Thanks for this input, it helped me put the pieces I have been thinking of together whilst doing my telnet configurations in my modelling.
