Re: Please help with Terminal Server

From: nhatphuc (nhatphuc@gmail.com)
Date: Mon May 28 2007 - 01:04:10 ART


Hi Ronnie,

With the second test, I "reverse" telnet directly into devices through
TS from a PC, the command is: c:\> telnet terminal_server 2001

This brings me directly to the router on line 2001 without authentication.

How can I prevent this?

Phuc

On 5/28/07, Ronnie Higginbotham <ronniepaul@hotmail.com> wrote:
> Just so I understand you have already telneted into your access/terminal
> server and then typed telnet r1 which takes you to router 1 which now has no
> re-authentication applied to the line port.
>
> Then as a second test you then retelneted into your access/terminal server
> typed your username and password. Once authenticated you typed telnet
> terminal_server 2001? Which does the same thing as above 2001 will equal r1.
> So in summary the answer to your question will be no there is no way to
> prevent this.
>
> Ronnie
>
> ----- Original Message -----
> From: "nhatphuc" <nhatphuc@gmail.com>
> To: "Ronnie Higginbotham" <rhigginb@swbell.net>; "Cisco certification"
> <ccielab@groupstudy.com>
> Sent: Sunday, May 27, 2007 12:56 PM
> Subject: Re: Please help with Terminal Server
>
>
> > Hi Ronnie,
> >
> > This will disable authentication when I reverse telnet.
> >
> > But if I telnet directly to tty line like this: telnet terminal_server
> > 2001, the terminal server will let me in without asking for the
> > username/password.
> >
> > Is there any way to prevent this?
> >
> > Thanks
> >
> > Phuc
> >
> > On 5/27/07, Ronnie Higginbotham <ronniepaul@hotmail.com> wrote:
> >> Phuc,
> >>
> >> Try this
> >>
> >> aaa authentication login NONE none
> >>
> >> line 1 16 <<<<Port numbers could vary
> >> login authentication NONE
> >>
> >> Ronnie
> >> CCIE 13834
> >>
> >> ----- Original Message -----
> >> From: "nhatphuc" <nhatphuc@gmail.com>
> >> To: "Darby Weaver" <darbyweaver@yahoo.com>; "Cisco certification"
> >> <ccielab@groupstudy.com>
> >> Sent: Saturday, May 26, 2007 1:51 PM
> >> Subject: Re: Please help with Terminal Server
> >>
> >>
> >> > Hi Darby,
> >> >
> >> > I can configure this with ACS Server using tacacs+ autocommand AV
> >> > pair. But I want to disable some messages and extra authentication
> >> > when reverse telnetting to router. I've asked this in separate mails.
> >> >
> >> > If you know how to do this, please help me.
> >> >
> >> > Thanks
> >> >
> >> > Phuc
> >> >
> >> > On 5/26/07, nhatphuc <nhatphuc@gmail.com> wrote:
> >> >> Hi Darby,
> >> >>
> >> >> I've just seen it here:
> >> >>
> >> >> http://www.internetworkexpert.com/resources/termserv.htm
> >> >>
> >> >> Phuc
> >> >>
> >> >>
> >> >> On 5/26/07, Darby Weaver <darbyweaver@yahoo.com> wrote:
> >> >> > Did you see this on a lab recently?
> >> >> >
> >> >> > Out of my experience - I have not enabled aaa for term
> >> >> > servers at home to try it out.
> >> >> >
> >> >> > What do you get?
> >> >> >
> >> >> > If the option exists then that would likely be the
> >> >> > one.
> >> >> >
> >> >> > Darby
> >> >> > --- nhatphuc <nhatphuc@gmail.com> wrote:
> >> >> >
> >> >> > > Hi Darby,
> >> >> > >
> >> >> > > It works if I configure:
> >> >> > >
> >> >> > > line vty 0 4
> >> >> > > login local
> >> >> > >
> >> >> > > But it doesn't if:
> >> >> > >
> >> >> > > aaa new-model
> >> >> > > aaa authentication login TELNET local
> >> >> > > line vty 0 4
> >> >> > > login authentication TELNET
> >> >> > >
> >> >> > > Do I have to enable aaa authorization reverse-access
> >> >> > > TELNET?
> >> >> > >
> >> >> > > Thanks
> >> >> > >
> >> >> > > Phuc
> >> >> > >
> >> >> > >
> >> >> > >
> >> >> > > On 5/26/07, Darby Weaver <darbyweaver@yahoo.com>
> >> >> > > wrote:
> >> >> > > > Let me take a stab at this one:
> >> >> > > >
> >> >> > > > username R1 password cisco
> >> >> > > > username R1 autocommand R1 or Telnet R1
> >> >> > > >
> >> >> > > > username All password cisco
> >> >> > > > username All autocommand x.x.x.x or Telnet x.x.x.x
> >> >> > > >
> >> >> > > > username R2 password cisco
> >> >> > > > username R2 autocommand R2 or Telnet R2
> >> >> > > >
> >> >> > > >
> >> >> > > > line vty 0 4
> >> >> > > > login local
> >> >> > > >
> >> >> > > > Try this and let me know if it doesn't work.
> >> >> > > >
> >> >> > > > Now you switch R1 for the loopback:2001
> >> >> > > > And R2 for loopback:2002
> >> >> > > >
> >> >> > > > Exchange loopback for whatever IP Address you used for
> >> >> > > > the reverse telnet IP Address.
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > > And you could wrap an acl around it and/or perhaps use
> >> >> > > > SSH depending on if your TS supports SSH.
> >> >> > > >
> >> >> > > > Check me on this - since I am shooting from the hip.
> >> >> > > > There may be one more step, but I think this will do what
> >> >> > > > you require.
> >> >> > > >
> >> >> > > > Let us know if I missed anything please.
> >> >> > > >
> >> >> > > > Darby
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > > --- nhatphuc <nhatphuc@gmail.com> wrote:
> >> >> > > >
> >> >> > > > > Hi Group,
> >> >> > > > >
> >> >> > > > > I'm setting up my Terminal Server. How do I
> >> >> > > > > configure for this requirement?
> >> >> > > > >
> >> >> > > > > If I login using username all it will connect to
> >> >> > > > > terminal server
> >> >> > > > > If I login using username r1 it will connect
> >> >> > > > > directly to r1
> >> >> > > > > If I login using username r2 it will connect
> >> >> > > > > directly to r2
> >> >> > > > > .....
> >> >> > > > >
> >> >> > > > > I'm trying to use username.... autocommand, but it
> >> >> > > > > doesn't work.
> >> >> > > > >
> >> >> > > > > Thanks
> >> >> > > > >
> >> >> > > > > Phuc
> >> >> > > > >
> >> >> > > > >
> >> >> > > >
> >> >> > >
> >> >> > _______________________________________________________________________
> >> >> > > > > Subscription information may be found at:
> >> >> > > > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART
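
An audit check for the exposure discussed in this thread, as an added example that is not from any poster: it parses an IOS configuration and lists async lines whose login method list starts with `none` (or that use `no login`), with the reverse-telnet TCP port (2000 + line number) and any inbound access-class. The sample configuration is constructed, and treating a missing `transport input` as telnet-allowed is an assumption.

```python
import re

# Constructed sample config, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TELNET local
aaa authentication login NONE none
line con 0
line 1 8
 login authentication NONE
 transport input telnet
line 9 16
 login authentication NONE
 access-class 10 in
 transport input telnet
line vty 0 4
 login authentication TELNET
"""

def audit_reverse_telnet(config):
    """Return (line, tcp_port, inbound_acl) for each async line that accepts
    reverse telnet with no login prompt; inbound_acl is None when unfiltered."""
    methods, blocks, cur = {}, [], None
    for raw in config.splitlines():
        text = raw.strip()
        aaa = re.match(r"aaa authentication login (\S+) (.+)$", text)
        hdr = re.match(r"line (?:tty )?(\d+)(?: (\d+))?$", text)
        if aaa:
            methods[aaa.group(1)] = aaa.group(2).split()
        elif hdr:
            first = int(hdr.group(1))
            cur = {"range": range(first, int(hdr.group(2) or first) + 1), "cmds": []}
            blocks.append(cur)
        elif not raw.startswith(" "):
            cur = None  # con/vty headers and other top-level commands end the block
        elif cur is not None:
            cur["cmds"].append(text)
    findings = []
    for blk in blocks:
        cmds = blk["cmds"]
        login = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        no_auth = "no login" in cmds or any(methods.get(n, [""])[0] == "none" for n in login)
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        # Assumption: no "transport input" means telnet allowed (default varies by release).
        reachable = not transport or bool({"telnet", "all"} & set(transport[-1]))
        acl = next((c.split()[1] for c in cmds if re.match(r"access-class \S+ in$", c)), None)
        if no_auth and reachable:
            findings += [(n, 2000 + n, acl) for n in blk["range"]]
    return findings
```

Entries with `inbound_acl` of `None` are the lines reachable from any source address; the others are still unauthenticated but limited to what the referenced ACL permits.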