
SSH on network devices

ajay kondapalli
Level 1

Hi,

I need some info regarding SSH configuration. Generally, if we configure telnet and SSH on our network devices, does it allow both? Will it give any preference to SSH over telnet?


   transport input telnet ssh

If I telnet to a router or switch, how can we have security enabled if we use telnet?

Our passwords are sent in clear text, so what is the use of the SSH config?

Should we use third-party tools like Teraterm, SecureCRT or PuTTY for doing SSH? Is there any other way?

please explain......

Thanks,

Ajay

9 Replies

ralphcarter
Level 1

Telnet is not secure.

SSH is encrypted and best practice.

"transport input telnet ssh" enables both telnet and SSH access to the device.

If you want to continue using Telnet and SSH and have some type of security, then implement an access-class on the line: an access-list that only allows specific sources to connect, either via telnet or ssh.

For best practice, disable telnet using "transport input ssh" and use tools such as PuTTY, SecureCRT or OpenSSH to manage the devices.

To enable SSH:

   Router(config)# ip domain-name xxx.com
   Router(config)# crypto key generate rsa modulus 1024

Try this; telnet should not be used, only for certain troubleshooting if needed.

CCIE 26175
www.techsnips.com

The device you are configuring ssh for needs to have a hostname too.

Hi Ajay,

SSH is a secure shell which encrypts your data (user name and password), whereas Telnet sends it in clear text.
Telnet is not a suggested protocol for connecting to network devices, especially over a WAN.

So, I would strongly suggest going with SSH instead of Telnet.

If you still need to go with Telnet only, for some reason where your devices do not support SSH, then define access-lists and apply them under your line vty 0 4.

Configure an access-list like below:

Router(config)#ip access-list standard 23
Router(config-std-nacl)#10 permit 10.40.x.0 0.0.0.255
Router(config-std-nacl)#20 permit 10.50.x.0 0.0.0.255
Router(config-std-nacl)#30 permit 192.168.xxx.0 0.0.0.255


line vty 0 4
 access-class 23 in
 login authentication device


You can use PuTTY, which is a better tool for connecting to network devices as per industry standards.

Please rate if this helps you...

Regards,
Naidu.
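The two replies above give the pieces of a hardened vty configuration (RSA key prerequisites, "transport input ssh", an inbound access-class). The script below is an added example, not code from this thread or from Cisco: it reads "show running-config" text and flags the settings those replies discuss, so you can check a fleet of devices instead of eyeballing each one. Both configs, the ACL name MGMT-HOSTS and the subnets are constructed for the example.

```python
"""Audit a Cisco IOS running-config for insecure vty (management) access.

Added example. Findings raised: telnet left in 'transport input', no
'ip ssh version 2', no inbound access-class, no 'ip domain-name' (needed
before 'crypto key generate rsa' will run), 'service password-encryption'
off, and a plain line password instead of 'login local' or an AAA method
list. The two configs below are constructed for illustration.
"""

WEAK_CONFIG = """\
hostname Router
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname Router
ip domain-name example.com
ip ssh version 2
service password-encryption
!
ip access-list standard MGMT-HOSTS
 permit 10.40.0.0 0.0.0.255
 permit 10.50.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
!
end
"""


def line_blocks(config):
    """Map each 'line ...' stanza name (e.g. 'vty 0 4') to its indented commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or an unindented command ends the stanza
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    top = {cmd.strip() for cmd in config.splitlines() if not cmd.startswith(" ")}

    if not any(cmd.startswith("ip domain-name ") for cmd in top):
        findings.append("no 'ip domain-name': 'crypto key generate rsa' needs it")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 ('ip ssh version 2' missing)")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' off: line passwords stored in clear text")

    vtys = {name: cmds for name, cmds in line_blocks(config).items() if name.startswith("vty")}
    if not vtys:
        findings.append("no 'line vty' stanza: transport is whatever the platform default is")
    for name, cmds in vtys.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"line {name}: no 'transport input', set it explicitly to ssh")
        elif {"telnet", "all"} & set(transport.split()[2:]):
            findings.append(f"line {name}: telnet enabled ('{transport}')")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"line {name}: no inbound access-class, any source may connect")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: line password in use, prefer 'login local' or an AAA method list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The access-class check only confirms that some inbound filter is applied; it does not evaluate the ACL contents, and the RSA key size is not visible in the running-config at all (use "show crypto key mypubkey rsa" for that).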

Thank you Naidu for your response. I have an idea about this, that we can set up an access-class allowing certain subnets to log into devices.

Even if we do that, how can we have security in telnet? Ultimately, if we use telnet, we are giving an intruder the chance to capture our packets and see the passwords in text format. Then I feel there is not a big advantage in that, except allowing a few trusted devices in our company.

My doubt is: if we enable both ssh and telnet, will there be any chance to encrypt our passwords even if we use telnet in big networks? Can we configure it in such a way?

Do you have any idea about integrating user names with Windows Active Directory via TACACS+ or Radius servers?

Thanks,

Ajay

Hi Ajay,

"My doubt is: if we enable both ssh and telnet, will there be any chance to encrypt our passwords even if we use telnet in big networks? Can we configure it in such a way?"

You can enable both ssh and telnet, but the thing is, if you are using ssh to connect to a device over the network then the username, password and other traffic will be encrypted, whereas in telnet they will not be.

Because of this problem with telnet, ssh was introduced.

"Do you have any idea about integrating user names with Windows Active Directory via TACACS+ or Radius servers?"

Yes, I have the same kind of setup for my devices' authentication.

Please follow the below link to integrate the active directory with Radius.

http://support.mof.go.th/radius_windows.html

Please rate if this helps you.

Regards,

Naidu.

Telnet is inherently insecure.

That means that there is nothing you can do to secure it properly.

It is in clear text and therefore is vulnerable to many different attacks, not least sniffing.

ssh is the better solution and is more and more becoming the standard.

To answer your direct question

"My doubt is :  if we enable both , ssh and telnet,  will there be any chance to encrypt our passwords even we use telnet in big networks?  can we conigure in such a way?"

NO, you cannot encrypt the telnet password over the network.

Yes, there is a way to encrypt the password INSIDE the configuration, i.e. you cannot see the cleartext password in the configuration text.

In short, that means that unless you take the config out and give it to someone, the password is not encrypted.

And if you use telnet, one of several vulnerabilities is that it is possible to do ARP spoofing and man-in-the-middle attacks against it.

If you want to use tacacs+/radius for AAA, it is possible to use that on most Cisco network equipment, with both telnet and ssh.

Good luck

HTH

Hi,

As per your reply:

"We can configure in such a way that our passwords don't appear in clear text in the running config." I know this can be done using service password-encryption.

"If you want to use tacacs+/radius for AAA it is possible to use that on most cisco network equipment both with telnet and ssh."

So if we use AAA on our devices along with TACACS+, will there be good security even if we use telnet? I saw in one company, they configured both telnet and ssh on their devices. Some people use telnet also. They set up AAA with tacacs+.

If we integrate with AD, when we want to give a new employee some access to devices, do we configure his Windows user ID using AAA commands? What is the standard process we follow?

please explain.

The short answer is no, you can never have "good security" with Telnet, no matter how you try to tweak your question.

Anyone can see all data in cleartext, and it is vulnerable to many different forms of attack.

Telnet or ssh has nothing to do with using AAA or not, as such.

Telnet and ssh are just the means to get your commands to the switch/router or whatever device you are controlling.

AAA is the control method for the switch to know that what you are entering as username and password (using telnet or ssh) is indeed valid.

If you use telnet, that information can easily be recorded and/or changed, since the information is in clear text.

If you use ssh, it will be harder to record and/or change the information, since it is encrypted.

AAA = Authentication, Authorization and Accounting

Authentication = you are who you say you are

Authorization = you are allowed to do what you try

Accounting = you are logged doing what you do, so that e.g. you can be billed (roughly)

A triple A (AAA) server can be e.g. Tacacs+ or Radius.

Radius is more common today than Tacacs+.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

is a good start to look at.

Why are people using telnet instead of ssh?

Sometimes one needs to do things like e.g. scripts but lacks the ability to encrypt them and has to lower one's standard to what is available.

Ease of use is another one; they sacrifice the higher security of ssh due to the fact that most Windows machines come with a telnet client by default.

Lack of knowledge: they do not know better.

They do not care, since they figure the network to be safe enough anyway.

They do not care, since they never thought about it.

Many different reasons for different people, but none of them gives you "good security"; "acceptable" or "ok", maybe.

Good luck

HTH

Message was edited by: hobbe

To reiterate what others have said, telnet and security are mutually exclusive. There are a few things you can do to make telnet slightly less insecure (access lists), but it is still insecure nonetheless.

Doing steps like enabling "service password-encryption", using secrets instead of passwords, etc. only secures your configuration file but does nothing to secure the telnet traffic itself. If you put a sniffer on it you will still see cleartext usernames and passwords.

The best you can do is enable two-factor authentication, but even then anyone with a sniffer will get your PIN, so then you are down to one-factor authentication.

SSH is the ONLY way you should be accessing your network gear.
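Several replies in this thread (hobbe's "anyone can see all data in cleartext" and the last reply's "if you put a sniffer on it you will still see cleartext usernames and passwords") make the same point; the script below is an added example, not code from the thread, that shows concretely what such a sniffer recovers. Given the two directions of a captured Telnet TCP stream (what "Follow TCP Stream" in Wireshark hands you), it strips the Telnet option negotiation and pairs each prompt the device sent with the line the operator typed. Both byte strings are constructed for the example; the hostname "Router", the usernames and the passwords are made up.

```python
"""Recover a Telnet login from a sniffed session.

Added example. Telnet carries keystrokes and prompts as plain bytes,
interleaved with IAC (0xFF) option negotiation. Remove the negotiation and
line the prompts up with the typed lines and the credentials fall out.
The two streams below are constructed, not a real capture.
"""
import re

IAC, SE, SB = 255, 240, 250
OPTION_CMDS = {251, 252, 253, 254}   # WILL, WONT, DO, DONT: one option byte follows

# Device -> operator: negotiation, banner, prompts and echo of non-secret input.
SERVER_STREAM = (
    b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"      # WILL ECHO, WILL SGA, DO TERMINAL-TYPE
    b"\xff\xfa\x18\x01\xff\xf0"                  # SB TERMINAL-TYPE SEND SE
    b"\r\nUser Access Verification\r\n\r\n"
    b"Username: admin\r\n"                       # the username is echoed back
    b"Password: \r\n"                            # the password is not echoed
    b"Router>enable\r\n"
    b"Password: \r\n"
    b"Router#"
)
# Operator -> device: what was typed, with Enter sent as CR NUL.
CLIENT_STREAM = (
    b"\xff\xfd\x01\xff\xfd\x03\xff\xfb\x18"
    b"\xff\xfa\x18\x00VT100\xff\xf0"
    b"admin\r\x00S3cret!\r\x00enable\r\x00cisco123\r\x00"
)


def strip_iac(stream: bytes) -> bytes:
    """Remove Telnet IAC command sequences, keeping the application bytes."""
    out, i, n = bytearray(), 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                                 # truncated command at end of capture
        elif stream[i + 1] == IAC:
            out.append(IAC)                       # IAC IAC is a literal 0xFF
            i += 2
        elif stream[i + 1] in OPTION_CMDS:
            i += 3                                # IAC <cmd> <option>
        elif stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2         # skip past IAC SE
        else:
            i += 2                                # NOP, GA, AYT, ...
    return bytes(out)


def typed_lines(client_stream: bytes) -> list:
    """Split the operator's keystrokes into the lines terminated by Enter."""
    text = strip_iac(client_stream).decode("ascii", "replace")
    return re.split(r"\r\n|\r\x00|\n", text)[:-1]   # drop the unfinished tail


# A credential prompt anywhere, or a device prompt at the start of a line.
PROMPT_RE = re.compile(r"(?:Username|Password): ?|^[\w.-]+[>#]", re.MULTILINE)


def recover_credentials(server_stream: bytes, client_stream: bytes) -> list:
    """Pair prompts with typed lines in order; return the (prompt, secret) pairs."""
    server_text = strip_iac(server_stream).decode("ascii", "replace")
    prompts = [m.group(0).strip() for m in PROMPT_RE.finditer(server_text)]
    exchange = zip(prompts, typed_lines(client_stream))
    return [(p.rstrip(":"), typed) for p, typed in exchange
            if p.startswith(("Username", "Password"))]


if __name__ == "__main__":
    for prompt, value in recover_credentials(SERVER_STREAM, CLIENT_STREAM):
        print(f"{prompt}: {value}")
```

The pairing relies on the device echoing non-secret input and on prompts appearing in the same order as the typed lines, which holds for an interactive login; with a real pcap you would feed in the reassembled payload of each direction. Note that the enable password is recovered just like the login password, and an AAA-supplied one-time PIN would be recovered the same way, which is the point the last reply makes.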
