Telnet question
Hi guys, let me get down to the problem:
Let's say I want one vty line to be for lock-and-key users, i.e. users that need some other access beyond the firewall. These users must use username LOCK and password KEY. These users use the normal port 23.
Let's say that 5 other lines are for normal telnet users to the local device and they use rotary group 7001.
! lock-and-key line, reached on the normal port 23
line vty 0
 login local
 autocommand access-enable host
! normal telnet lines, reached via rotary group (port 7001)
line vty 1 5
 login local
 rotary 1
 access-class 199 in
!
username LOCK secret KEY
username TELNET secret TELNET
access-list 199 permit tcp any any eq 7001
In other words, users that use the normal port 23 will go to line vty 0, and users that use 7001 will get normal telnet access. The problem is that this configuration doesn't stop users with LOCK/KEY from using normal telnet access, and vice versa: users with TELNET/TELNET can use lock-and-key.
Now I could use "autocommand access-enable" under username LOCK, but that opens the possibility that line vty 0 will be locked with someone using it, and it should always be open.
How can I do this, i.e. how can I restrict usernames to a specific line, so that LOCK/KEY can be used for lock-and-key only and TELNET/TELNET only for access to the local device?
Thanks for any insight
Comments
DevilWAH (Member, Posts: 2,997): No answer, but I would be interested in one too, as I have come across this but never had time to really look into it.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Turgon (Banned, Posts: 6,308): anyone?
You will be lucky. Unless this has come up at work or in someone's practice labs recently, don't expect a rapid reply. But someone might have either going for them and will respond accordingly! I hope you get a response soon. For my part, this sort of stuff came up on practice labs, but it was months ago! If I get a chance I will look into it and see if I can help. Security sections usually suck on things like this for us R&S guys.
More later, perhaps!
DevilWAH (Member, Posts: 2,997): The way I got round it was to run
line vty 0
 login
 password LOCK-KEY
 autocommand access-enable host
line vty 1 15
 login local
 ...
Now filter which VTY lines the users use, as you have above.
A user coming on to line vty 0 must use the associated password, whereas any other line must use the local database.
It's not perfect, as the password on line vty 0 is not strongly encrypted, but it was the best I could come up with. It also does not stop a user logging in on the other vty lines from running the autocommand themselves.
I'm not sure if there is a way to prevent the autocommand being run on an individual line. If so, it's a simple case of running that on the other 14 lines. (You could of course do this by building up a custom privilege level or view that removes the ability of user TELNET to run the command, and applying it to the user in the local database.)