https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183660#M123603 <HTML><HEAD></HEAD><BODY><P>well, that's not how its supposed to be ...</P><P></P><P>Did you accidently use the "nopassword" keyword instead of removing the secret/password?</P><P>Wenn you do a "show run | i username" it should be in the form above.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Wed, 20 Mar 2013 10:39:51 GMT Karsten Iwen 2013-03-20T10:39:51Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183655#M123598 <P>Hey, I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble.</P><P></P><P>I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges. Which brings me to my second problem...</P><P></P><P>Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.</P><P></P><P>If anyone needs a part of my configuration in order to help, just ask for the part that you need and I'll post it.</P><P></P><P>Thanks in advance for anyone trying to help!</P> Mon, 11 Mar 2019 03:10:56 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183655#M123598 NielsvdBerghe 2019-03-11T03:10:56Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183656#M123599 <HTML><HEAD></HEAD><BODY><P>Hi Niels,</P><P></P><P>Wrong section, try putting it in AAA, Identity and NAC.</P><P></P><P>Thanks</P><P>Chris</P></BODY></HTML> Mon, 11 Mar 2013 14:32:13 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183656#M123599 Chris Illsley 2013-03-11T14:32:13Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183657#M123600 <HTML><HEAD></HEAD><BODY><P>I've figured out how to make a user go straight into privilege mode and have lower ranking users not go into a higher privilege level. After configuring AAA, I used these commands:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>(config)#aaa authorization exec default local</P><P>(config)#aaa authorization console</P><P>(config)#enable secret password</P></PRE><P>Now my last problem is with the SSH password login. I've configured to use a Public-Private keypair to login and this works just fine. The problem is that the router still allows people to log in using a regular password when they don't have a key. Anyone know how to fix this?</P></BODY></HTML> Tue, 19 Mar 2013 11:22:35 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183657#M123600 NielsvdBerghe 2013-03-19T11:22:35Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183658#M123601 <HTML><HEAD></HEAD><BODY><P>To restrict users to only do pubkey-authentication you need to remove the secret/password from the regular user-account:<BR /><BR />username test privilege 15<BR /><BR />That way the user can only log in with the stored public key information and still gets directly to privilege 15.<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Wed, 20 Mar 2013 07:24:55 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183658#M123601 Karsten Iwen 2013-03-20T07:24:55Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183659#M123602 <HTML><HEAD></HEAD><BODY><P>I've tried removing the password from the user, but it didn't quite work out. It still allows you to login without a key, only now you don't input anything when it asks for a password.</P></BODY></HTML> Wed, 20 Mar 2013 10:31:37 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183659#M123602 NielsvdBerghe 2013-03-20T10:31:37Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183660#M123603 <HTML><HEAD></HEAD><BODY><P>well, that's not how its supposed to be ...</P><P></P><P>Did you accidently use the "nopassword" keyword instead of removing the secret/password?</P><P>Wenn you do a "show run | i username" it should be in the form above.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Wed, 20 Mar 2013 10:39:51 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183660#M123603 Karsten Iwen 2013-03-20T10:39:51Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183661#M123604 <HTML><HEAD></HEAD><BODY><P>When I do a "show run | i username", this is what I get:</P><P></P><P>username admin privilege 15</P><P>&nbsp; username admin</P><P></P><P>Is it possible that I'm allowing the password prompt through a command I've used somewhere?</P></BODY></HTML> Wed, 20 Mar 2013 10:52:25 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183661#M123604 NielsvdBerghe 2013-03-20T10:52:25Z https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183662#M123605 <HTML><HEAD></HEAD><BODY><P>I just tested it again and you are right. I completely remembered wrong about how that worked. You could specify a long and random password that the user doesn't know. That would restrict it to pubkey-logins. Not very elegant but should work.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Wed, 20 Mar 2013 11:36:32 GMT https://community.cisco.com/t5/network-access-control/ssh-login-using-only-public-private-key-and-priv-levels/m-p/2183662#M123605 Karsten Iwen 2013-03-20T11:36:32Z