Sunday, January 5, 2014

[mini] VTY Rotary

I've always found it helps a great deal to have a use-case for a feature. There are thousands of features to learn and be at least somewhat familiar with when attempting the CCIE lab. Remembering them all is a real challenge, but knowing how to apply a feature and why you'd want to use it makes it that much easier to remember. One of those crazy features is "rotary" when used in conjunction with a VTY line.

I totally get what it does:

line vty 0 4
 password cisco
 login
 rotary 1

This config would allow you to telnet to this router on port 23, enter the password "cisco", and get privilege level 1.  With "rotary 1", you could also telnet to 3001 and have the same experience.  Basically, it would mimic port 23 on port 3001.  

R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open


User Access Verification

Password:
R1>

If you used "rotary 2", you'd be able to telnet to 3002, and so on (3000 + the rotary group number). Keep in mind that the rotary port is just a second listener for the same lines: anything that can reach port 23 can reach port 3001, so rotary on its own is a convenience, not an access control. If the rotary line should only be reachable from management hosts, put an access-class on it like you would on any other VTY.

That's the nuts and bolts of what rotary does.  I am immediately reminded of a quote from Despicable Me:

"...because I was wondering, under what circumstances would we use this?"

I haven't exactly been dying to telnet to my equipment on alternative port numbers.

Now, I finally understand the use case.  It has to do with applying different authentication settings (privilege level, line password, or AAA method list) to different lines, and giving the user a way to pick which line they land on.

For example:
line vty 0 4
 ! privilege level 1 is the default, but included for clarity
 privilege level 1
 password cisco
 login
line vty 5
 privilege level 15
 password secretpassword
 login

We see line 5 has a higher privilege level than lines 0-4.  So how do you hit line 5?  Well, I suppose you could telnet to the router five times to fill up lines 0-4, then connect a sixth time and land on line 5, but that's not very practical. Not to mention you may not know the password for 0-4 if you're an admin-type logging in to line 5.  Enter rotary:

line vty 5
 privilege level 15
 password secretpassword
 login
 rotary 1

Now when we telnet to port 23:
R2#telnet 192.168.0.1
Trying 192.168.0.1 ... Open


User Access Verification

Password: cisco
R1>

Now when we telnet to port 3001:
R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open


User Access Verification

Password: secretpassword
R1#

Trying each line's respective password on the other's port number produces the expected failure.
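The two things the examples above establish, that a rotary group answers on TCP 3000 + group (and 5000 + group for raw TCP, the standard IOS mapping) and that a line in a rotary group can carry a different privilege level or password than the main VTY pool, are exactly what you want to check for when auditing a running-config. The script below is an added example, not from the original post; it parses the "line vty" stanzas of a config, works out the extra listeners each rotary group opens, and flags rotary lines that hand out elevated privilege via a shared line password or have no access-class. The two sample configs are constructed for this example: the first is the post's privilege-15-on-rotary-1 layout, the second is the same layout with the controls a practitioner would add (access-class, SSH only, AAA instead of a line password). The MGMT-HOSTS ACL and LOCAL-ONLY method list names are placeholders. Treating a missing "transport input" as "telnet allowed" is an assumption that matches the post's lab, where telnet worked without configuring it.

```python
"""Audit Cisco IOS VTY rotary exposure (added example, not from the original post)."""
import re

# Constructed sample: the post's second example, a privilege-15 line on rotary 1.
WEAK_CONFIG = """\
line vty 0 4
 privilege level 1
 password cisco
 login
line vty 5
 privilege level 15
 password secretpassword
 login
 rotary 1
"""

# Constructed sample: same layout, hardened. MGMT-HOSTS and LOCAL-ONLY are placeholder names.
HARDENED_CONFIG = """\
aaa new-model
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication default
line vty 5
 access-class MGMT-HOSTS in
 transport input ssh
 privilege level 15
 login authentication LOCAL-ONLY
 rotary 1
"""


def rotary_ports(group):
    """TCP ports IOS opens for a rotary group: 3000+n for Telnet, 5000+n for raw TCP."""
    return {"telnet": 3000 + group, "raw-tcp": 5000 + group}


def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza with the settings the audit cares about."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):                # top-level command: start or leave a stanza
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                # Assumption: telnet is allowed when 'transport input' is not set, as in the post's lab.
                current = {"first": first, "last": last, "privilege": 1, "rotary": None,
                           "access_class": None, "line_password": False, "transport": "telnet"}
                stanzas.append(current)
            else:
                current = None
            continue
        if current is None:                         # indented line of some other stanza (e.g. an ACL)
            continue
        cmd = line.split()
        if cmd[:2] == ["privilege", "level"]:
            current["privilege"] = int(cmd[2])
        elif cmd[0] == "rotary":
            current["rotary"] = int(cmd[1])
        elif cmd[0] == "access-class":
            current["access_class"] = cmd[1]
        elif cmd[0] == "password":
            current["line_password"] = True
        elif cmd[:2] == ["transport", "input"]:
            current["transport"] = " ".join(cmd[2:])
    return stanzas


def audit(config):
    """Return a list of findings for rotary lines that widen the device's exposure."""
    findings = []
    for s in parse_vty_lines(config):
        if s["rotary"] is None:
            continue
        where = f"vty {s['first']}" if s["first"] == s["last"] else f"vty {s['first']}-{s['last']}"
        ports = rotary_ports(s["rotary"])
        if s["access_class"] is None:
            findings.append(f"{where}: rotary {s['rotary']} listens on {ports} with no access-class")
        if s["privilege"] > 1 and s["line_password"]:
            findings.append(f"{where}: privilege {s['privilege']} granted by a shared line password")
        if "telnet" in s["transport"] or s["transport"] == "all":
            findings.append(f"{where}: cleartext telnet permitted on the rotary ports")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

The port list the script derives is the practical takeaway: when you scan or firewall a router, 3001 and 5001 need to be on the list alongside 23 and 22, because a rotary line with a weaker password or a higher privilege level is reachable by anyone who can reach the device at all.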

That's a simple use case, let's take a more advanced one.
Let's say you're using lock & key / dynamic ACLs and need *local* auth on one line only. 

R1(config)#aaa new-model
R1(config)#aaa authentication login default group radius
R1(config)#aaa authentication login LOCKANDKEY local
R1(config)#username LOCK password ANDKEY

line vty 0 40
 login authentication default
line vty 41
 login authentication LOCKANDKEY
 rotary 1
 autocommand  access-enable host
The idea here is to use RADIUS for authentication of lines 0-40, and local auth for line 41, so your Lock & Key ACL works even if the RADIUS servers don't.  A user who telnets to 3041's rotary port (3001 here) authenticates against the local database, the autocommand runs access-enable for that source host, which creates the temporary entry in the dynamic ACL, and the session is then closed.  As before, the rotary port is reachable by anyone who can reach the router, so an access-class on line 41 is still what limits who can attempt the local login.

I didn't actually setup a lock & key ACL or a RADIUS server, but this can get the point across still:

Regular telnet just fails in our case because of the lack of RADIUS servers:
R2#telnet 192.168.0.1
Trying 192.168.0.1 ... Open

% Authentication failed

% Authentication failed

% Authentication failed

[Connection to 192.168.0.1 closed by foreign host]

However, telnetting to 3001:
R2#telnet 192.168.0.1 3001
Trying 192.168.0.1, 3001 ... Open


User Access Verification

Username: LOCK
Password: ANDKEY

% No input access group defined for FastEthernet0/0.
[Connection to 192.168.0.1 closed by foreign host]

The error message is because no dynamic access list is applied inbound on the interface, so access-enable has nothing to add an entry to, but the proof of concept is the same: port 3001 used the local method list while port 23 used RADIUS.

Cheers,

Jeff Kronlage

1 comment:

  1. Nice post. I could see this being useful as a backup in case you get some radius failure and AAA is failing to local authentication for one reason or another. Have a ridiculously secure username and password tucked away somewhere for emergency access. One question though is, when applying the rotary command, does it default to using port 3000 + rotary number? Or do you have to set the 3000 variable somewhere in the config?