Username - VTY

[carlosAlberto]

Is it possible to specify a username for telnet access (VTY). I know it's possible for a password but would also like a prompt for a username.

This is possible with TACACs but are not using it in this scenario.

Thanks.

 

[marsd]

How are you going to use AAA without radius or tacacs?
It doesn't really make sense, sorry.

 

[FairbanksF]

No... its not possible.

 

[benzito]

Maybe I'm misunderstanding the question...but if u are trying to just prompt for a username as well as password, this is totally possible. you can even assign username dependant privilege levels. i won't certify this across the board, but i know this works w/ ios 12 up and 2600 to 7500 series routers.

sorry about the lack of punctuation...holding my daughter w/ one hand ..typing w/ the other

 

[benzito]

maybe i'm misunderstanding the question...but if u just want telnet users to be prompted for a username as well as password, this is totally possible. you can even assign username dependant privilege levels. i won't certify this across the board, but i know this works w/ ios 12 up and 2600 to 7500 series routers.

sorry about the lack of punctuation...holding my daughter w/ one hand ..typing w/ the other

Check section 5.2 of the following link :

http://rr.sans.org/netdevices/telnet.php

 

[marsd]

Hi,benzito.
I see the reference to username and pw auth, but I
don't see any reference to similar local privilege
enforcement?
On the other hand this may be exactly what the OP wanted::so us IOS 11.2 weenies better get with it.

 

[benzito]

Marsd,

Here's a link under "Multiple Levels of Privileges Examples" that covers privilege levels. I'm not sure which version of IOS this feature was introduced w/. I have a 2501 running 11.2 that I may give this setup a go on, just to see if it works w/ older versions of the IOS.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios

113ed/113ed_cr/secur_c/scprt5/scpasswd.htm#xtocid2905218

 

[ChrisAC]

You can use a local AAA database for authentication. This is what we use ...

aaa new-model
aaa authentication login word local
aaa authentication login CONSOLE none
!
username admin password 7 xxxxxxxxxxxx
username support password 7 xxxxxxxxxxxxx
!
line con 0
logging synchronous
transport input none
line vty 0 4
exec-timeout 15 0
!

Telnet users are then prompted for a username and a password, rather than just a password. TACACS or RADIUS would be a better option but you can do local authentication.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[marsd]

benzito,
The local privilege settings ARE available under 11.2, so
my mistake.
It looks like more trouble than it's worth to use them for more than several users though.

 

[Guest_imported]

To set a username and password for Vty lines (on Ios 11.2 and above I beleave) you do the following:

Router(config)# username Fred password 1aw2c

*you do this for each user you want to allow.

Router(config)# line vty 0 4
Router(config)#login local

this tells the router to check the username/passwords entered with the database you config above. You can also do this with con and aux lines.

If you wanted to use AAA with this you can but it optional

 

[benzito]

Carlos...

My suggestion would be to forego local login authentication and use Radius or TACACS to auth users instead. Marsd is right, this is not meant to be a secure solution. The first time I saw this I wondered what the point was too ;-) And it turned out that the network I saw it on quickly switched to TACACS.
My original point is that it can be done, but don't take that as an endorsement. I'd NEVER use this in a production network.
Local Authentication provides a false sense of security. Maybe I'm over-looking something. What exactly are you trying to accomplish?

 

[CCIEWANNABE]

"Caution If you use the enable use-tacacs command, you must also specify tacacs-server authenticate enable; otherwise, you will be locked out."Quote
Link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios

113ed/113ed_cr/secur_c/scprt2/sctcacs.htm#xtocid122096

Route once; switch many

 

[CCIEWANNABE]

You can set the TACACS protocol to determine whether a user can access the privileged EXEC level. Use the command enable use-tacacs. The EXEC enable command will ask for both a new username and a password. This information is then passed to the TACACS server for authentication.
Assigning a user name to A vty is not scalable--it's not manageable if you need to work with more than a few users.
Route once; switch many

 

[benzito]

Right, the whole prob w/ local auth is just that...it's local, compromising security and adding processes to your router that are not mission critical (related to routing). Carlos is aware that TACACs is an option. My question is why isn't he planning to use it in this application?

One other thing w/ TACACS...you always want to include local login as a backdoor in case your connection to the tacacs servers is broken <ckt drops..etc> This way you can still access your remote routers through a out of band connection or locally throught the console to troubleshoot / manage if need be.

 

[ChrisAC]

I guesss that it all comes down to the number of devices that you are managing and the number of remote users that you need to support and create logons for. We're all aware that RADIUS or TACACS is a better solution from a management point of view and perhaps security as well. If you wanted to change a logon password for a user it would be far easier to do it once on an authentication server than on one hundred remote routers. However, for many organizations it can be overkill if they only use a single &quot;admin&quot; password. There is always a cost involved in setting these things up and you have to have a business case for doing it.

You will still find that many companies only use line vty passwords, no usernames. If you must do local authentication at least use usernames as well. It's much harder to match a password to a username than to just crack a password.

'nuff said!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************