topic Unable to acces a Switch through SSH in Network Security

Unable to acces a Switch through SSH

David Calvillo — Sun, 17 May 2020 22:02:00 GMT

Hi everyone!

I have this switch with a username called "Backup" with default priviledges, then i applied TACACS and worked, i can access trough usernames declared in tacacs server or through the Backup user cofnigured locally.

Then i wanted to configure a new user called "david" like this:

username david secret [Password]

but when i try to access through SSH with the user david i can't access, it says Access denied...

So my question is, why the user "Backup" can access, but "David" cannot? They are configured the same way

Re: Unable to acces a Switch through SSH

Marvin Rhoads — Mon, 18 May 2020 12:21:40 GMT

Normally a device uses the aaa method list in order. If there is a TACACS server defined and available we cannot normally use the local username to login.

Can you share your aaa configuration?

Re: Unable to acces a Switch through SSH

Marius Gunnerud — Tue, 19 May 2020 07:05:32 GMT

As Marvin has mentioned, if a TACACS server is configured for device login and available (i.e. online and reachable) locally defined users are not available. It is possible that the Backup user is also defined on the TACACS server.

Re: Unable to acces a Switch through SSH

David Calvillo — Wed, 20 May 2020 03:23:49 GMT

I realized that my configuration for vty lines changed the login parameter (login local) after i turned on AAA, so all i had to do is turned off TACACS and type:

Line vty 0 15

and thats it

Thanks anyway!

Re: Unable to acces a Switch through SSH

Eric R. Jones — Mon, 15 May 2023 21:21:30 GMT

Hello, we are having a similar issue using ISE based TACACS+ with dot1x on our edge devices, 9300's. Our aaa new-model setup has local following our aaa authentication and authorization entries. Some time ago it was stated that if we had local at the end of these lines then if the username wasn't discovered in TACACS+ it will drop through and eventually check the local username and allow SSH; however, we haven't experienced this. Our line con 0 looks like this:

line con 0
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication CONSOLE
stopbits 1
line vty 0 4
access-class 3 in
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication VTY
transport input ssh
transport output ssh

should the priv level change from 0 to 15 or is it just not possible to access an edge device that uses RADIUS/TACACS+ by local user name either via ssh or console connection?

Re: Unable to acces a Switch through SSH

Marvin Rhoads — Tue, 16 May 2023 03:59:27 GMT

@Eric R. Jones the line "login authentication CONSOLE" implies your have a aaa method named "CONSOLE" elsewhere in the configuration. If TACACS is in that method prior to local AND a defined TACACS server is available, then the local user(s) will never be allowed to authenticate.

Re: Unable to acces a Switch through SSH

Eric R. Jones — Wed, 17 May 2023 00:58:16 GMT

I changed the line to "aaa authentication login CONSOLE local" and it began working on our test switches and one production switch. So far no errors.

Re: Unable to acces a Switch through SSH

Eric R. Jones — Wed, 17 May 2023 04:47:50 GMT

So the other shoe dropped. I changed our aaa settings from aaa authentication login CONSOLE group tacacs+ local, to aaa authentication login CONSOLE local matching our line con 0 configuration only to be meet with aaa authorization console (all lower case) which stopped me from logging in via the console port. My test switch didn't have this line and a few others. I had to go line by line until I found the offending one.

I figured this was allowing access for line con 0. The reading I did stated "aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console."

Not sure why we have it as removing that line but keeping the other setting doesn't stop us from logging in via console port nor prevent the use of commands in config t mode.

I'll have to play around with it a bit more and see what happens.