07-17-2008 12:24 PM
Can someone explain to me why I am able to log in to this router? I was under the impression that you need either a login command and/or a password. But I am able to log in with no problems.
ROUTER#sh run
Building configuration...
Current configuration : 5039 bytes
!
! Last configuration change at 17:50:34 GMT Thu Jul 17 2008 by engineer
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
no new-model
!
resource policy
!
clock timezone GMT 0
!
ip cef
!
voice-card 0
no dspfarm
!
crypto pki trustpoint TP-self-signed-382345668
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-382345368
revocation-check none
rsakeypair TP-self-signed-38068756668
!
!
crypto pki certificate chain TP-self-signed-3804574768
certificate self-signed 01
quit
username cisco privilege 14 password xxx
!
interface GigabitEthernet0/0
description UpLink to 4507 Inside
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/0.11
description Temp until DAP is ONLINE
encapsulation dot1Q 11
ip address 192.168.11.50 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/0.12
description SGM Houston Local Interface
encapsulation dot1Q 12
ip address 192.168.12.50 255.255.255.0
ip access-group DAP_ONLY in
ip access-group DAP_ONLY out
no snmp trap link-status
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
ip route 192.168.0.0 255.255.0.0 192.168.5.5 name to_DAP_Network
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended DAP_ONLY
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
control-plane
!
line con 0
exec-timeout 60 0
line aux 0
line vty 0 4
exec-timeout 60 0
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
ROUTER#
07-17-2008 07:20 PM
This will do it:
username cisco privilege 14 password 7 101A194D01A191
HTH,
jerry
07-18-2008 06:10 AM
Yeah, but only via the console. I am able to telnet into this device. I was thinking you could not telnet into a device unless you had the login and/or password set for the device.
07-18-2008 07:01 AM
You have no authentication set on this router.
The username command described by Jerry will create a local account. However, I recommend going with privilege 15 on this one.
username [username] priv 15 password [password]
If you want telnet to use this local account, you need to configure the vtys as such:
line vty 0 4
login local
HTH,
__
Edison.
07-18-2008 07:09 AM
But here is the thing: it is using the local account for login.
I just started at a new company, and the first thing I noticed was this. Throughout my career, I have always used "login local" or set a vty password. It's really bugging me, because I'm like, "how is this working?" The engineers here don't know why. The config I posted is complete (all IP addresses have been changed).
It's really crazy. I'm configuring TACACS now, but this is a very puzzling thing.
07-18-2008 07:14 AM
As seen from the config, there are no passwords set for the console, telnet and auxiliary ports; that is the reason you are not prompted for the password. Most likely you are using the console port to access the router, as telnet won't work unless you set the line password.
Thank you
Yamin
07-18-2008 07:24 AM
I am using telnet. It is prompting me for a username and password. The device is miles away. I am using SecureCRT, port 23. I am able to telnet into this device and don't know why. I have never been able to do this on any other Cisco device (without the vty being set up). I am going to have to put this into the lab at the house. This makes no sense to me. I'm baffled.
07-18-2008 07:34 AM
Dwayne
There has been an interesting discussion about user names and accounts but so far no answer to your fundamental question (which you have asked several times): how does this work to be able to telnet with no password. Here is the answer:
If the vty is not configured with the "login" command then there is no prompt for a password and the connection is granted without checking passwords (even if a password were configured, it would not be used unless some version of the login command is used).
So in your other jobs (and by default in IOS) the practice was to have login (or login local or aaa new-model) configured, which results in checking passwords (or user ID and password). But on this router someone configured "no login" and the result is to permit access with no password checking.
If you configure login (or login local) under the vty lines then it will begin to check for passwords.
HTH
Rick
07-18-2008 07:46 AM
Thanks rburts.
Two things:
1. I was thinking that you could not log in to a device via telnet without having a line password or login local under the vty.
2. It is prompting me for a username and password. I was thinking that it may have been something with the IOS version, but I have seen it on at least two devices here.
However, I didn't check to see if the versions were the same.
07-18-2008 08:52 AM
Dwayne
The more I dig into this the more unusual it becomes. Let me respond to your points here:
1) If a router is configured with "no login" then it will not prompt for a password when a telnet is initiated, and it will permit the telnet to connect. So yes, there are circumstances where you can telnet to a router without a password being configured.
2) I am puzzled about your statement that it is prompting you for user name and password. I thought that the main point of this discussion was that you did not need a password to telnet to this router.
Perhaps there is some IOS version dependency here.
You state that the config that you posted is complete, but I am finding that difficult to reconcile with what you posted. For example, the posted config has no routing protocol and only a single static route:
ip route 192.168.0.0 255.255.0.0 192.168.5.5 name to_DAP_Network
but the next hop address of 192.168.5.5 is not in a local subnet and therefore is not reachable. This means that the static route is not functioning. So how are you able to reach it to telnet if it has no functioning static route?
Another thing that puzzles me is this: the posted config has no statement under the vty lines about login. So I assumed that this was the situation where the vty is configured with no login and that is what I discussed. But when I set up a test to demonstrate it I find that if I configure the vty that way then the vty has "no login" in the config. But your posted config does not have that. The only way that I can get the vty to not have any login statement at all is if I configure aaa new-model. But your posted config appears to have no new-model.
These inconsistencies make me wonder if the router that you access by telnet is really the same router from which you got the config that you posted. Perhaps you can clarify this?
HTH
Rick
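As an added defender's check (not code from this thread, from Cisco or from any IOS tool), here is a small Python audit that applies Rick's rules above to a pasted "show run": it locates each "line vty" stanza and reports whether access is authenticated via aaa new-model, login local, a line password, or not at all, and whether telnet is still permitted on that line. Both sample configs are constructed to mirror the posted stanza and a hardened version of it.

```python
# Constructed sample, not the thread's full config: the vty stanza as posted
# (no login statement, no aaa new-model), indentation lost in pasting...
OPEN_CONFIG = """\
no aaa new-model
line con 0
line vty 0 4
exec-timeout 60 0
!
end
"""
# ...and a constructed hardened stanza: local accounts checked, SSH only.
HARDENED_CONFIG = """\
no aaa new-model
line vty 0 4
 login local
 transport input ssh
!
end
"""

def _line_stanzas(config):
    """Return [(name, sublines)] for each 'line ...' stanza; sub-lines are
    recognised whether or not their leading space survived pasting."""
    stanzas, current = [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!") or text == "end":
            current = None
        elif text.startswith("line "):
            current = (text, [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(text)
    return stanzas

def audit_vty(config):
    """Map each 'line vty' stanza to (auth mode, telnet allowed). 'open' is the
    thread's case: no login statement and no aaa new-model, so the vty accepts
    a connection without checking any password."""
    aaa = "aaa new-model" in {l.strip() for l in config.splitlines()}
    report = {}
    for name, body in _line_stanzas(config):
        if not name.startswith("line vty"):
            continue
        if aaa:
            auth = "aaa"            # AAA method lists decide; 'login' is not used
        elif "login local" in body:
            auth = "login local"    # local username database is checked
        elif "login" in body:       # line password checked; IOS refuses telnet if none set
            auth = "login" if any(b.startswith("password ") for b in body) else "login, no password"
        elif "no login" in body:
            auth = "no login"
        else:
            auth = "open"
        transport = [b for b in body if b.startswith("transport input")]
        telnet = not transport or any(" telnet" in t or " all" in t for t in transport)
        report[name] = (auth, telnet)
    return report
```

Run against a real "show run" paste, any vty reported as "open" or "no login" with telnet allowed is the condition this thread describes and should be fixed with login local (or AAA) and transport input ssh.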
07-21-2008 04:06 AM
If your intention is not to allow login on the vty, try putting "no exec" in "line vty 0 4". This works for me: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cc13436
Why you can log in, I don't know. But in my case, some IOS versions do not allow you to log in but some do. It happens on my Catalyst switches.