C877 VTY 0 4 Won't accept Login local

woter324

Technical User
Jan 26, 2007
179
GB
Hi All,

I am trying to configure a C877 for site-to-site VPN. We have about 100 of these devices in our small branch offices. All work ok.

I have taken over the setup of these sites and I have been given a config that I adjust for each new site.

In the line vty 0 4 section, I am trying to add the line login local. All I get is:

% Invalid input detected at '^' marker.

All our other working configs have this line. I just can't work out why it isn't working. According to Cisco doco, Login Local: Enables local password checking at login time. Authentication is based on the username specified.

I take a standard config, modify in notepad, then copy and paste a few lines at a time.

I have tried writing the line vty 0 4 by hand, straight after a wri erase | reload, and it works, but after putting all the other lines in, it disappears and then it won't let me add it.

I have also entered the following command by hand:
username blar privilege 7 password blar

I am losing hair at a rapid rate of knots here.

If anyone has any ideas as to what it might be or if you need the full sh run, I'd be very grateful if you could share.

Many thanks

Woter

 
Hi North323,

The command I enter is:

login local

under the interface: line vty 0 4

Thanks
 
do you have this anywhere?
aaa new-model

can you post your config?
 
Yes I have aaa new-model.

Here is the config:

Code:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ED877
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 ####################
!
aaa new-model
!
!
!
!
aaa session-id common
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.###.###.### 10.###.###.51
!
ip dhcp pool CLIENT
   network 10.###.###.48 255.255.255.###
   default-router 10.###.###.49
   dns-server 10.###.###.3 10.###.###.11
!
!
no ip domain lookup
ip domain name ##########.co.uk
!
!
!
username ##### password 7 ######
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ######### address 146.###.###.76
!
!
crypto ipsec transform-set {SITENAME} esp-3des esp-md5-hmac
!
crypto map {SITENAME}-VPN 1 ipsec-isakmp
 description VPN-LHC
 set peer 146.###.###.76
 set transform-set {SITENAME}
 match address 100
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 shutdown
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.###.###.49 255.255.255.###
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address 79.###.###.165 255.255.255.###
 ip access-group FIREWALL in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ######@#####.com
 ppp chap password ########
 crypto map {SITENAME}-VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip access-list extended FIREWALL
 permit ahp host 146.###.###.76 host 79.###.###.165
 permit esp host 146.101.133.76 host 79.###.###.165
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp host 158.###.###.33 host 79.###.###.165 eq ntp
 permit tcp host 80.###.###.124 host 79.###.###.165 eq 22
 deny   ip any any
!
access-list 100 permit ip 10.###.###.48 0.0.0.### 10.###.###.0 0.0.0.###
!
!
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------

       This is a private network. No unauthorised access

   If you are not authorised to use this equipment you must

                   DISCONNECT IMMEDIATELY

-----------------------------------------------------------------------
^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 password 7 ##############
 login local
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175058
ntp server 158.###.###.33
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


Many thanks
 
may have to add more aaa lines
something like
aaa authentication login default group tacacs+ local without the tacacs+ piece
 
My boss and I have just been through, copy n' pasting section by section, between the comments (!) and it worked.

Strange.

Many thanks
 
I think I've solved this. The dangers of copying and pasting.

I was originally creating the ssh keys using:

Code:
crypto key generate rsa general-keys label ssh-key

But I can get away with:

Code:
crypto key generate rsa


When I say think, I have to confirm this when I do my next router config.

HTH
 
Nope. Same thing. Still no closer to getting to the bottom of this.

I've removed and recreated the user, this time specifying the privilege level of 15.

Anyone got any ideas? This is most frustrating.
 
So type in login ?, does it show local in the list??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Unclerico,

No. No local in the list.

Thanks
 
Do you have an AAA config in all the other routers, and ALSO "login local" for the VTY lines?

If you don't see "local" as one of the keywords when you do

router(config-line)#login ?

then your IOS does not support that command set, which would surprise me...I would suspect that since you have AAA configured, it may not be available, so if you do

router(config)#no aaa new-model

it may become available...

Burt
 
Hi Burt,

Thanks for the reply.

This is what I have found. "no aaa new-model" allows me to put in "login local"; add "aaa new-model" and it removes login local from vty, or won't let me enter "login local".

I have read the documentation and, if I understand correctly, login local isn't needed if it's using aaa, therefore the "login local" not being available with aaa would make sense.

Now, I would accept this as read, except we have 100+ 877 routers all with the same IOS version and the same VPN config (apart from the different IP addresses and labels).

When my boss copies in the config he gets aaa new-model and login local just fine; when I do it, it won't take login local. I have watched him do it and we do it the same way. At least, neither of us can see any difference. Even same computer, same PuTTY client.

As you can see from the running-config above, we have both lines in the same config. No trickery.

Thanks again.
 
How exactly are you copying the config??? (EXACTLY how and with what terminal emulation program) I see a sh run from only one router...

Copy the config except the aaa new-model and vty config and try adding the line vty config FIRST, then aaa new-model---I suspect that this is why your boss' way works but yours does not (puts in aaa first, whereas you put in line vty first...)

In other words, manually typing all the commands, you can do

router(config)#line vty 0 4
router(config-line)#login local
router(config-line)#exit
router(config)#username bla priv 15 secret blablabla
---by the way, you should always use secret rather than password---Google "Cisco Password Cracker" and you'll see why!---
router(config)#aaa new-model

Here's the kicker---according to your config, you tell the router to get ready to accept some aaa commands, but you never put them in! You are not even USING AAA!!!

Burt
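Two things from Burt's replies above are worth having as code rather than prose: the "login ?" / aaa new-model interaction (with aaa new-model set and no "aaa authentication login" list, IOS applies local authentication to the vty lines anyway, which is why the routers in this thread still work, and the explicit "aaa authentication login default local" that the earlier reply hinted at makes that intent visible in the config), and the "secret rather than password" point, which comes down to type 7 strings being reversible. The script below is an added example, not part of the original thread and not from Cisco: it decodes type 7 strings using the publicly documented key, and lints a running-config for the aaa new-model / login local / password 7 combination. The sample configs, the user name "admin" and the example type 7 string are constructed for the example.

```python
"""Added example (not from the original post): (1) decode IOS 'password 7'
strings, the reason 'secret' beats 'password'; (2) lint a running-config for
the aaa new-model / login local / password 7 mix discussed in the thread.
All sample configs below are constructed for this example."""
import re

# The fixed XOR key behind IOS type 7 "encryption"; it is public, not a secret.
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Decode a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the key character at position (seed + index)."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)]
                 for i, b in enumerate(data)).decode()


def encode_type7(plain: str, seed: int = 8) -> str:
    """Inverse of decode_type7 (the scheme is symmetric XOR)."""
    out = bytes(c ^ _T7_KEY[(seed + i) % len(_T7_KEY)]
                for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{out.hex().upper()}"


def lint_aaa(config: str) -> list[str]:
    """Return findings for the AAA / vty patterns discussed in the thread."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    new_model = "aaa new-model" in lines
    has_method = any(ln.startswith("aaa authentication login ") for ln in lines)
    if new_model and not has_method:
        findings.append("aaa new-model without 'aaa authentication login': IOS "
                        "applies local authentication to the vty lines anyway; "
                        "state it with 'aaa authentication login default local'")
    # 'username X [privilege N] password [type] value' is reversible or plain.
    for ln in lines:
        m = re.match(r"username (\S+)(?: privilege \d+)? password(?: (\d))? (\S+)", ln)
        if m:
            user, ptype, val = m.groups()
            shown = decode_type7(val) if ptype == "7" else val
            findings.append(f"username {user}: 'password' is recoverable "
                            f"(decodes to {shown!r}); use 'secret' instead")
    # Walk the line sections (indented commands under 'line vty ...').
    section = None
    for ln in lines:
        if not ln.startswith(" "):
            section = ln if ln.startswith("line ") else None
            continue
        if section and section.startswith("line vty"):
            cmd = ln.strip()
            if cmd == "login local" and new_model:
                findings.append(f"{section}: 'login local' is not accepted while "
                                "aaa new-model is set; the AAA method list decides")
            if cmd.startswith("password 7 ") and new_model:
                findings.append(f"{section}: line password is unused under AAA and "
                                f"decodes to {decode_type7(cmd.split()[2])!r}")
    return findings


# Constructed: the shape of the config pasted in the thread (type 7 of "cisco").
SAMPLE_CONFIG = """\
aaa new-model
!
username admin privilege 15 password 7 0822455D0A16
!
line con 0
 logging synchronous
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input ssh
!
"""

# Constructed: the same intent written the way AAA expects (hash is a placeholder).
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default local
!
username admin privilege 15 secret 5 <md5-hash-placeholder>
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
    print("fixed config findings:", lint_aaa(FIXED_CONFIG))
```

Run it against a saved "sh run" to see every type 7 string in a branch config in the clear; that is the whole argument for "username ... secret" and for not relying on the line password at all once aaa new-model is in place.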
 
Thanks burtsbees,

I open up a copy of a working running-config from an existing site in notepad, make the changes to make the new site unique, i.e. public and private IPs, CHAP hostname and password and the labels for crypto and firewall.

Then open up putty using console port to the router.

I do a write erase, reload saying no to the two questions.

I then copy (enable mode) the lines in from the notepad file. I select and copy the commands between sets of ! !, manually exiting from any sub command.

This is what we both do. We generate the rsa key before entering "ip ssh time-out 60" command.

I definitely saw my leader copy in "aaa new-model" BEFORE "login local".

I get your point about us not actually using aaa. That was the conclusion I came to today.

Thanks for the tip on password and secret. I shall let him know with a working example ;-).

I have tried manually entering usernames and the vty lines (not copying), but no luck.

I guess this is one that won't be resolved. No biggy as it works. Just annoying that I can't reproduce what my boss does.

Thanks for your help.
 
At least you can hack into your boss's router, and he won't be able to into yours...lol

Burt
 