topic Re: Alternate SSH port on a switch IOS. in Network Access Control

Alternate SSH port on a switch IOS.

Santa.Hawes — Fri, 16 Jul 2021 19:28:23 GMT

Is there a solution to the inability to program a separate "alternate" port for SSH connections within a v12.x Cisco Switch IOS?

SITUATION:

Attempting to coordinate with CyberArk admin to facilitate automated password changes for our two local-auth reserve accounts. These accounts only become active when the switches connection to ISE goes down for any reason, allowing access to the switch by a field tech.

We have a method that works for routers, but does not seem to work on our switches.

IOS version: WS-C2960-24-S, 12.2(46)SE

command “ip ssh port 3333 rotary 1" Is not accepted

on the switch.

Any ideas?

Re: Alternate SSH port on a switch IOS.

Mark Elsen — Sat, 17 Jul 2021 06:05:10 GMT

- Presumably not all platforms and or IOS versions will accept that command, check this thread as an example :

https://community.cisco.com/t5/switching/how-to-change-ports-to-access/td-p/2102105

Re: Alternate SSH port on a switch IOS.

balaji.bandi — Sat, 17 Jul 2021 09:44:16 GMT

as per i know the command only introduced 15.X

Re: Alternate SSH port on a switch IOS.

Santa.Hawes — Wed, 28 Jul 2021 14:02:21 GMT

As this function is limited only to IOS v15.x, is there a work-around to enable a similar functionality for IOS v12,x?

As I have stated, we have MANY thousands of Cisco devices on our network, and a compliance mandate to manage and change the local-login user passwords, which actually are only used when the connection to ISE goes down.

Our implementation cannot be the only place that these issues have come up.

Re: Alternate SSH port on a switch IOS.

Amine ZAKARIA — Thu, 29 Jul 2021 20:42:53 GMT

These accounts only become active when the switches connection to ISE goes down for any reason, allowing access to the switch by a field tech.
This is the default behavior if you set ISE first in AAA, but you can set up local as primary authentication for AAA and TACACS+ as fallback method.

If i understand you clearly you want to access with local account AND ISE, while it's reachable.
if so you may need this assuming you're using tacacs+ in your deployment :

aaa authentication login default local group ISE_T+_G
aaa authorization exec default local group ISE_T+_G
aaa authorization commands 0 default local group ISE_T+_G
aaa authorization commands 1 default local group ISE_T+_G
aaa authorization commands 15 default local group ISE_T+_G

-Debug using local account :

*Jul 29 19:18:52.378: AAA/AUTHOR (0x38): Pick method list 'default'
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV cmd=
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV priv-lvl=15
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): Authorization successful
*Jul 29 19:20:09.230: AAA/AUTHOR/CMD: tty2 (70473958) user='cisco'
*Jul 29 19:20:09.230: tty2 AAA/AUTHOR/CMD (70473958): Method=LOCAL
*Jul 29 19:20:09.230: AAA/AUTHOR (70473958): Post authorization status = PASS_ADD

-Debug using account in ISE :
*Jul 29 19:19:22.095: AAA/AUTHEN/LOGIN (00000039): Pick method list 'default'
*Jul 29 19:19:25.583: AAA/AUTHOR (0x39): Pick method list 'default'
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=LOCAL
*Jul 29 19:19:34.740: AAA/AUTHOR/LOCAL: no entry for vdc-helpdesk
*Jul 29 19:19:34.740: AAA/AUTHOR (3610061040): Post authorization status = ERROR ( Here the method will fallback to ISE)
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=ISE_T+_G (tacacs+) (Switch Picked the group ISE_T+_G)
*Jul 29 19:19:34.950: TAC+: (-684906256): received author response status = PASS_ADD
*Jul 29 19:19:34.950: AAA/AUTHOR (3610061040): Post authorization status = PASS_ADD

Hope that helps!

Re: Alternate SSH port on a switch IOS.

Amine ZAKARIA — Thu, 29 Jul 2021 22:38:03 GMT

Sorry forget to mention, If you using different method than "default" dont forget to add it into line vty