AAA/802.1x

ez Setup --- cannot telnet

10-01-2008 03:06 AM

Hi Guys,

When I run ez-setup on my EX series machine I enable ssh, telnet and http management consoles using the account "Root". However, when I try to telnet to the machine I cannot connect via telnet. ssh & http both work no problem. I have used a workaround on this issue by setting up another user (Admin) with the same password as Root enabling telnet, http & ssh. Then it works... no issues.

I read in some of the bugfix threads that by default telnet is disabled because it has a low security threshold. Is that right or wrong? Has anyone else experienced this problem? I would like to eliminate having two accounts if possible and would appreciate any help.

(mods) PS: If I have posted in the wrong thread please move me. Could not see a suitable thread.

Thnx

Sirius.

Life's too short

Re: ez Setup --- cannot telnet

10-01-2008 06:19 AM

Hi -

Do you mean that you telnet to the box and successfully get a login prompt? And you can log in there as 'admin' but not as 'root'?

If that's the case, I think this is probably a security feature of the underlying operating system. The assumption is that you shouldn't really be managing devices as the root user, and certainly not over an unencrypted medium such as telnet. The root user's password should be locked away somewhere safe in case you ever lock yourself out of the switch.

Instead, create (as you have done) an 'admin' user with superuser privileges and use that for everyday administration. Only use the root username/password in a crisis, and then only over relatively secure channels such as a direct physical console cable or an SSH session.

Hope that helps!

Andrew

JNCIP-M, JNCIS-ENT, JNCIS-SEC, CCIE

Re: ez Setup --- cannot telnet

10-08-2008 02:21 AM

Hi,

Andy is spot on. "root" login via telnet is blocked and, AFAIK, cannot be permitted. Login as "root" via SSH is permitted by default but can be turned off using

[edit]
user@host# set system services ssh root-login deny

Andy is also correct that it is a good idea to set the root password, distribute it to as few people as possible ('few' should be greater than 1 but not much greater 🙂 ), write a copy down and lock it away somewhere very safe that is accessible by only those few people. It should be changed whenever one of those few people leaves the company.

Note that a config cannot be committed until you have configured the root password. This is to prevent the root user being left with no password when SSH has been enabled and to prevent unauthenticated access to the device from the console after it has been given a non-factory-default config.

Rgds,

Guy
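Putting the two replies together, the end state they describe looks like this in Junos hierarchical configuration form (an added example, not taken from either reply or from ez-setup output): root has a password so commits succeed, a separate super-user account handles everyday work, root is denied over SSH, and telnet is left out entirely. The account name "admin", the uid and the password-hash placeholders are assumptions.

```junos
system {
    /* Assumed placeholder hash. A root password is required before any commit succeeds;
       keep it locked away and use root only from the console or SSH in a crisis. */
    root-authentication {
        encrypted-password "$6$ROOT-HASH-PLACEHOLDER"; ## SECRET-DATA
    }
    login {
        /* Everyday administration account with superuser privileges (name and uid assumed). */
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$ADMIN-HASH-PLACEHOLDER"; ## SECRET-DATA
            }
        }
    }
    services {
        /* SSH only. root-login deny closes the remote root path that is open by default. */
        ssh {
            root-login deny;
            protocol-version v2;
        }
        /* No 'telnet;' stanza here, so the cleartext service never listens at all. */
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
}
```

In set form the key lines are `set system login user admin class super-user`, `set system services ssh root-login deny` and, if ez-setup already turned it on, `delete system services telnet`.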
