I totally get what it does:
line vty 0 4
password cisco
login
rotary 1
This config would allow you to telnet to this router on port 23, enter the password "cisco", and get privilege level 1. With "rotary 1", you could also telnet to port 3001 and have the same experience. Basically, it mirrors port 23 on port 3001.
R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open
User Access Verification
Password:
R1>
If you used "rotary 2", you'd be able to telnet to 3002, etc.
That's the nuts and bolts of what rotary does. I am immediately reminded of a quote from Despicable Me:
I haven't exactly been dying to telnet to my equipment on alternative port numbers.
Now, I finally understand the use case. It has to do with using different authentication methods on different lines.
For example:
line vty 0 4
privilege level 1 ! default, but included for clarity
password cisco
login
line vty 5
privilege level 15
password secretpassword
login
We see line 5 has a higher privilege level than lines 0-4. So how do you reach line 5? Well, I suppose you could telnet to the router 5 times to fill up lines 0-4 and then connect once more, but that's not very practical. Not to mention you may not know the password for lines 0-4 if you're an admin-type logging in to line 5. Enter rotary:
line vty 5
privilege level 15
password secretpassword
login
rotary 1
Now when we telnet to port 23:
R2#telnet 192.168.0.1
Trying 192.168.0.1 ... Open
User Access Verification
Password: cisco
R1>
Now when we telnet to port 3001:
R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open
User Access Verification
Password: secretpassword
R1#
Trying each line's respective password on the other's port number produces the expected failure.
That's a simple use case; let's take a more advanced one.
Let's say you're using lock & key / dynamic ACLs and need *local* auth on one line only.
R1(config)#aaa new-model
R1(config)#aaa authentication login default group radius
R1(config)#aaa authentication login LOCKANDKEY local
R1(config)#username LOCK password ANDKEY
line vty 0 40
login authentication default
line vty 41
login authentication LOCKANDKEY
rotary 1
autocommand access-enable host
The idea here is to use RADIUS for authentication of lines 0-40, and local auth for line 41, to allow your Lock & Key ACL to work.
I didn't actually set up a lock & key ACL or a RADIUS server, but this still gets the point across:
Regular telnet simply fails in our case because there is no RADIUS server:
R2#telnet 192.168.0.1
Trying 192.168.0.1 ... Open
% Authentication failed
% Authentication failed
% Authentication failed
[Connection to 192.168.0.1 closed by foreign host]
However, telnetting to port 3001:
R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open
User Access Verification
Username: LOCK
Password: ANDKEY
% No input access group defined for FastEthernet0/0.
[Connection to 192.168.0.1 closed by foreign host]
The error message is because of the lack of a lock & key ACL, but the proof of concept is the same.
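Since a rotary line quietly opens a second TCP port with its own login method and privilege level, it is worth being able to audit a running-config for exactly that. The following is an added example of my own (not code from the post or from Cisco): it parses the vty blocks of a config and assumes the post's mapping of "rotary N" to TCP port 3000+N, and that a rotary line also remains reachable on port 23 once the lower-numbered lines are busy.

```python
import re

ROTARY_BASE = 3000  # assumption: "rotary N" listens on TCP 3000+N, as the post shows for N=1 and 2
# Constructed sample modelled on the post's second config (not from a real device).
SAMPLE_CONFIG = """\
line vty 0 4
 password cisco
 login
line vty 5
 privilege level 15
 password secretpassword
 login
 rotary 1
"""

def parse_vty_lines(config):
    """Return one dict per 'line vty' block: range, auth method, privilege, reachable ports."""
    blocks, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            cur = dict(first=int(m[1]), last=int(m[2] or m[1]), privilege=1, auth="none", rotary=None)
            blocks.append(cur)
        elif cur is not None and raw.startswith(" "):
            tok = raw.split()
            if tok[:2] == ["privilege", "level"]:
                cur["privilege"] = int(tok[2])
            elif tok[0] == "login":  # bare "login" = line password; "login authentication X" = AAA list
                rest = tok[1:]
                cur["auth"] = ("aaa:" + rest[1] if rest[:1] == ["authentication"]
                               else "local" if rest == ["local"] else "line-password")
            elif tok[0] == "rotary":
                cur["rotary"] = int(tok[1])
        else:
            cur = None  # an unindented line (e.g. "!") ends the block
    for b in blocks:
        # Any vty is reachable on 23 once lower lines are busy (the post's "fill up the lines" point);
        # a rotary line is additionally reachable on its dedicated port.
        b["ports"] = [23] + ([ROTARY_BASE + b["rotary"]] if b["rotary"] is not None else [])
    return blocks

def audit(blocks):
    """Flag a privileged line that a rotary port exposes behind only a shared line password."""
    findings = []
    for b in blocks:
        if b["rotary"] is not None and b["privilege"] >= 15 and b["auth"] == "line-password":
            findings.append(f"vty {b['first']}-{b['last']}: privilege {b['privilege']} on TCP "
                            f"{ROTARY_BASE + b['rotary']} guarded only by a line password")
    return findings
```

Run against the post's third config (AAA lists on every line) it reports the same port map but no finding, which is the shape you want: the extra port is fine as long as what sits behind it is the stronger authentication, not a static password.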
Cheers,
Jeff Kronlage
Nice post. I could see this being useful as a backup in case you get some radius failure and AAA is failing to local authentication for one reason or another. Have a ridiculously secure username and password tucked away somewhere for emergency access. One question, though: when applying the rotary command, does it default to using port 3000 + the rotary number? Or do you have to set the 3000 variable somewhere in the config?