topic Re: Difference between %SSH-5-SS2_USERAUTH and %SEC_LOGIN-5-LOGIN_SUCCESS and %SSH-5-SS2_SESSION in Network Access Control

Difference between %SSH-5-SS2_USERAUTH and %SEC_LOGIN-5-LOGIN_SUCCESS and %SSH-5-SS2_SESSION

CarlosColon2948 — Mon, 01 Feb 2021 20:05:14 GMT

As stated above, I would like to know the differences between the above event messages and if there is a chance that each of those event can be generated from a one user login. I understand what SSH, User authentication, and session is... but, when do this events actually generated?

Re: Difference between %SSH-5-SS2_USERAUTH and %SEC_LOGIN-5-LOGIN_SUCCESS and %SSH-5-SS2_SESSION

Arne Bier — Mon, 01 Feb 2021 20:43:44 GMT

Good question: I tested in the lab on a switch that was not TACACS+ enabled, and another one that was TACACS+ enabled. Each time the same message.

Local auth (i.e. no RADIUS or TACACS+ was used)

011961: Feb  1 20:40:13.146: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-dnac] [Source: 172.31.25.26] [localport: 22] at 20:40:13 UTC Mon Feb 1 2021

And then TACACS+

032021: Feb  1 2021 20:37:59.481 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin-biera] [Source: 172.31.25.26] [localport: 22] at 06:37:59 AEST Tue Feb 2 2021

Do you get those two different messages from the same switch? Perhaps it's from the console login (I can't test that - not on-site)

Re: Difference between %SSH-5-SS2_USERAUTH and %SEC_LOGIN-5-LOGIN_SUCCESS and %SSH-5-SS2_SESSION

hslai — Thu, 04 Feb 2021 06:13:07 GMT

From Cisco IOS XE Gibraltar 16 Error and System Messages, download

System Message Guide for Cisco Catalyst Series Switches, Cisco IOS XE Gibraltar 16.12.x (XLSX - 1 MB)

SSH-5-SSH_SESSION	5-Notice	SSH Session request from [chars] tty = [dec] using crypto cipher '[chars]' [chars]	The SSH session request information	ssh	"No action necessary - informational message"
SSH-5-SSH_USERAUTH	5-Notice	User '[chars]' authentication for SSH Session from [chars] tty = [dec]	The SSH user authentication status information	ssh	"No action necessary - informational message"

SEC_LOGIN-5-LOGIN_SUCCESS

5-Notice

A successful login happened with the device.

"A notification that login succeeded."

After following Julio E. Moisa suggested "ip ssh logging event", got on a C9300 running IOS-XE 17.03.02a

Feb  4 06:09:58.515: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:58.547: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.1.100.110] [localport: 22] at 06:09:58 UTC Thu Feb 4 2021
Feb  4 06:09:58.547: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:59.069: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
Feb  4 06:10:00.664: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 3) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed