12-01-2006 11:50 AM
Hello gang, I'm trying to find a way around IOS's default behavior when individual VTY lines are configured with unique passwords.
Pretend for the moment that the only way to authenticate a VTY line user is via the line password. If lines 0-3 are given the password 'cisco' and line 4 is given the password 'test', attempts to telnet to the router using the 'test' password won't work until lines 0-3 are in use. I know that the chances of needing to alter that behavior in a production environment are near nil due to AAA, local databases, etc., but I'm curious to know if it's possible.
Direct example: fire up an unconfigured router and enter only the lines below:
ena
conf t
int fa0/0
ip add 192.168.0.1 255.255.255.0
no shut
exit
line vty 0 3
login
password xxxx
exit
line vty 4
login
password test
end
Now, without adding a username/password combo, aaa new-model or any other authentication other than the line password, tell the router to allow access with the password 'test' regardless of whether lines 0-3 are in use.
If it's impossible, that's fine. I'm just curious.
12-04-2006 12:25 AM
Hi, it's impossible. This is because the router selects the VTY connection in a random way, and it makes no sense to have a password if you don't know which VTY line you are going to use. So this is why you need another authentication method, like the local database or AAA.
Regards
Hope this is helpful; if so, please rate the post.
12-04-2006 01:46 AM
Hi,
In addition to the other posters' comments, you can try creating different access lists permitting the IPs required to access the box.
Once you are done with that, apply the ACLs accordingly using the access-class ... in command under the line vty configuration, so that only the permitted IPs can access the router using those authentication criteria.
Regards
12-04-2006 04:31 AM
One workaround for this is to set up a rotary group. E.g. line vty 0 3 is configured with a login password of cisco. Line vty 4 is configured with rotary group 1 and login local. When you telnet to the router (for instance, an administrator) will telnet to
!
! local user for line vty 4 (login local)
username test-user password 0 cisco
!
! lines 0-3: line password, normal round-robin selection on port 23
line vty 0 3
password cisco
login
!
! line 4: local authentication, member of rotary group 1
line vty 4
login local
rotary 1
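The following is an added example, not configuration posted in this thread. It puts together the rotary-group workaround from the post above with the per-line access-class filtering suggested in the earlier post, so that line vty 4 can be reached directly on TCP port 3001 (3000 + rotary number, as the later reply in this thread notes) and only from a permitted management host. The IP addresses, ACL name and username are assumptions for illustration; `secret` is used instead of the `password 0` form from the post because it stores a hash rather than the cleartext password.

```cisco
! Added example (not from the original thread).
! Assumed management host: 192.168.0.50; router interface 192.168.0.1/24.
!
! Local account used by line vty 4 (login local). 'secret' stores a hash.
username test-user secret cisco
!
! Only the management host may reach the rotary line.
ip access-list standard VTY-ADMIN
 permit host 192.168.0.50
 deny   any
!
! Lines 0-3: line password only, selected round-robin on TCP/23 as usual.
line vty 0 3
 password cisco
 login
 transport input telnet
 exec-timeout 10 0
!
! Line 4: rotary group 1, so it also listens on TCP/3001.
! Authenticates against the local user database and is filtered by the ACL.
line vty 4
 login local
 rotary 1
 access-class VTY-ADMIN in
 transport input telnet
 exec-timeout 10 0
```

From the permitted host, `telnet 192.168.0.1 3001` lands on line vty 4 and prompts for the local username, while `telnet 192.168.0.1` still goes through the normal round-robin over the line-password lines. `show users` and `show line vty 0 4` show which line each session was assigned to. Note that this does not change the round-robin selection on port 23 itself, which is the behavior the thread concludes cannot be altered; it only adds a second, directly addressable way to reach line 4.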
12-07-2006 10:59 PM
Thank you all for the replies. I apologize if the focus of my question was unclear; I know how to get around the line selection behavior. I was only curious to know if the behavior itself can be directly modified. As Icabrera has said, it's impossible, so I am content.
One minor correction: IOS selects the VTY lines on a round-robin basis, not random.
12-08-2006 12:38 AM
Hi olmsteadj,
Did you try the workaround I supplied with rotary groups? This will meet your requirements. The only caveat is that you will need to telnet on port 3001 in my example to hit VTY 4.
01-25-2007 10:03 AM
Pardon the delay please, Mark. I thank you again for your desire to assist, but my question only asked whether the default round-robin selection behavior can be directly altered. I now know that it cannot be done, but I don't have and haven't had a problem getting around it. My interest in the function was that of a student learning where all the equipment's 'knobs' are located.