Santa.Hawes
Beginner

Alternate SSH port on a switch IOS.

Is there a solution to the inability to program a separate "alternate" port for SSH connections within a v12.x Cisco Switch IOS?

SITUATION:

Attempting to coordinate with the CyberArk admin to facilitate automated password changes for our two local-auth reserve accounts. These accounts only become active when the switch's connection to ISE goes down for any reason, allowing access to the switch by a field tech.

We have a method that works for routers, but it does not seem to work on our switches.

          Platform / IOS version: WS-C2960-24-S, 12.2(46)SE

          The command "ip ssh port 3333 rotary 1" is not accepted on the switch.

Any ideas?

Any thoughts, comments and/or reactions made by the above identified individual are the sole responsibility of the above named individual, and should not reflect on his employer, spouse or family name.
Accepted Solution
balaji.bandi
VIP Master

As far as I know, the command was only introduced in 15.x.

BB


marce1000
VIP Advisor

 

 - Presumably not all platforms and/or IOS versions will accept that command; check this thread as an example:

          https://community.cisco.com/t5/switching/how-to-change-ports-to-access/td-p/2102105

 M.


Santa.Hawes
Beginner

As this function is limited to IOS v15.x, is there a work-around to enable similar functionality for IOS v12.x?

As I have stated, we have MANY thousands of Cisco devices on our network, and a compliance mandate to manage and change the local-login user passwords, which actually are only used when the connection to ISE goes down.

Our implementation cannot be the only place that these issues have come up.

Any thoughts, comments and/or reactions made by the above identified individual are the sole responsibility of the above named individual, and should not reflect on his employer, spouse or family name.

These accounts only become active when the switch's connection to ISE goes down for any reason, allowing access to the switch by a field tech.
This is the default behavior if you set ISE first in AAA, but you can set up local as the primary authentication method for AAA and TACACS+ as the fallback method.

If I understand you correctly, you want to access with a local account AND ISE while it's reachable.
If so, you may need this, assuming you're using TACACS+ in your deployment:

aaa authentication login default local group ISE_T+_G
aaa authorization exec default local group ISE_T+_G
aaa authorization commands 0 default local group ISE_T+_G
aaa authorization commands 1 default local group ISE_T+_G
aaa authorization commands 15 default local group ISE_T+_G

-Debug using local account :

*Jul 29 19:18:52.378: AAA/AUTHOR (0x38): Pick method list 'default'
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV cmd=
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV priv-lvl=15
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): Authorization successful
*Jul 29 19:20:09.230: AAA/AUTHOR/CMD: tty2 (70473958) user='cisco'
*Jul 29 19:20:09.230: tty2 AAA/AUTHOR/CMD (70473958): Method=LOCAL
*Jul 29 19:20:09.230: AAA/AUTHOR (70473958): Post authorization status = PASS_ADD

-Debug using account in ISE :
*Jul 29 19:19:22.095: AAA/AUTHEN/LOGIN (00000039): Pick method list 'default'
*Jul 29 19:19:25.583: AAA/AUTHOR (0x39): Pick method list 'default'
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=LOCAL
*Jul 29 19:19:34.740: AAA/AUTHOR/LOCAL: no entry for vdc-helpdesk
*Jul 29 19:19:34.740: AAA/AUTHOR (3610061040): Post authorization status = ERROR ( Here the method will fallback to ISE)
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=ISE_T+_G (tacacs+) (Switch Picked the group ISE_T+_G)
*Jul 29 19:19:34.950: TAC+: (-684906256): received author response status = PASS_ADD
*Jul 29 19:19:34.950: AAA/AUTHOR (3610061040): Post authorization status = PASS_ADD

Hope that helps!

Sorry, forgot to mention: if you are using a method list other than "default", don't forget to add it to the line vty configuration as well.
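An added example, not code from the thread or from Cisco, that turns the debug output and AAA lines in the reply above into something checkable. It groups `debug aaa authorization` lines by session id, reports which method decided each session, lists the sessions that were authorized by the LOCAL method (the reserve accounts the original poster wants to manage are exactly the logins to alert on), and warns when a method list puts `local` ahead of the server group, because IOS only falls through to the next method when the previous one returns ERROR (method unavailable), not when it returns FAIL or a PASS. The `fieldtech` session and its TACACS+ ERROR line are constructed for the example; the other sample lines are taken from the debug posted above. Helper names (`parse_author_debug`, `break_glass_report`, `parse_methods`, `method_order_warnings`) are this example's own.

```python
"""Attribute IOS AAA authorization sessions to the method that decided them and
check AAA method-list ordering.  Added example, not code from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the first eight lines are taken from the 'debug aaa authorization'
# output posted above; the 'fieldtech' session is made up to show a genuine fallback.
SAMPLE_DEBUG = """\
*Jul 29 19:20:09.230: AAA/AUTHOR/CMD: tty2 (70473958) user='cisco'
*Jul 29 19:20:09.230: tty2 AAA/AUTHOR/CMD (70473958): Method=LOCAL
*Jul 29 19:20:09.230: AAA/AUTHOR (70473958): Post authorization status = PASS_ADD
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=LOCAL
*Jul 29 19:19:34.740: AAA/AUTHOR/LOCAL: no entry for vdc-helpdesk
*Jul 29 19:19:34.740: AAA/AUTHOR (3610061040): Post authorization status = ERROR
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=ISE_T+_G (tacacs+)
*Jul 29 19:19:34.950: AAA/AUTHOR (3610061040): Post authorization status = PASS_ADD
*Jul 29 21:02:10.100: AAA/AUTHOR/CMD: tty6 (555000111) user='fieldtech'
*Jul 29 21:02:10.100: tty6 AAA/AUTHOR/CMD (555000111): Method=ISE_T+_G (tacacs+)
*Jul 29 21:02:15.100: AAA/AUTHOR (555000111): Post authorization status = ERROR
*Jul 29 21:02:15.100: tty6 AAA/AUTHOR/CMD (555000111): Method=LOCAL
*Jul 29 21:02:15.100: AAA/AUTHOR (555000111): Post authorization status = PASS_ADD
"""
RE_USER = re.compile(r"AAA/AUTHOR/CMD: (\S+) \((\d+)\) user='([^']*)'")
RE_METHOD = re.compile(r"(\S+) AAA/AUTHOR/CMD \((\d+)\): Method=(\S+)")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
RE_NOENTRY = re.compile(r"AAA/AUTHOR/LOCAL: no entry for (\S+)")

@dataclass
class Session:
    session_id: str
    tty: str = "?"
    user: str = "?"
    attempts: list[tuple[str, str]] = field(default_factory=list)  # (method, status)

    def deciding(self) -> tuple[str, str] | None:
        # IOS tries the next method only on ERROR; PASS_* and FAIL end the search.
        return next(((m, s) for m, s in self.attempts if s != "ERROR"), None)

def parse_author_debug(text: str) -> dict[str, Session]:
    """Group debug lines by session id, recording each method tried and its status."""
    sessions: dict[str, Session] = {}
    pending: dict[str, str] = {}  # session id -> method awaiting its status line
    last_sid = None
    for line in text.splitlines():
        if m := RE_USER.search(line):
            tty, sid, user = m.groups()
            s = sessions.setdefault(sid, Session(sid))
            s.tty, s.user, last_sid = tty, user, sid
        elif m := RE_METHOD.search(line):
            tty, sid, method = m.groups()
            sessions.setdefault(sid, Session(sid)).tty = tty
            pending[sid], last_sid = method, sid
        elif (m := RE_STATUS.search(line)) and m.group(1) in pending:
            sessions[m.group(1)].attempts.append((pending.pop(m.group(1)), m.group(2)))
        elif (m := RE_NOENTRY.search(line)) and last_sid and sessions[last_sid].user == "?":
            sessions[last_sid].user = m.group(1)  # this line carries no session id
    return sessions

def break_glass_report(sessions: dict[str, Session]) -> list[str]:
    """One line per session authorized by LOCAL: what to alert on when local accounts
    are meant to be used only while the TACACS+ servers are unreachable."""
    out = []
    for s in sessions.values():
        d = s.deciding()
        if d is None or d[0] != "LOCAL" or not d[1].startswith("PASS"):
            continue
        errored = [m for m, st in s.attempts if st == "ERROR" and m != "LOCAL"]
        why = (f"fallback after {','.join(errored)} errored" if errored
               else "LOCAL tried first, no server failure involved")
        out.append(f"{s.tty} user={s.user}: local account authorized, {why}")
    return out

def parse_methods(aaa_line: str) -> list[str]:
    """Method list of an 'aaa authentication ...' / 'aaa authorization ...' line,
    e.g. ['local', 'group ISE_T+_G']; 'group <name>' is kept as one entry."""
    toks = aaa_line.split()
    i, methods = (5 if toks[2] == "commands" else 4), []  # skip type, subtype, [level], list name
    while i < len(toks):
        step = 2 if toks[i] == "group" and i + 1 < len(toks) else 1
        methods.append(" ".join(toks[i:i + step]))
        i += step
    return methods

def method_order_warnings(config: str) -> list[str]:
    """Flag lists where 'local' is tried before a server group: local accounts then
    work at all times, not only when the group is unreachable."""
    warnings = []
    for line in (ln.strip() for ln in config.splitlines()):
        if not line.startswith(("aaa authentication", "aaa authorization")):
            continue
        methods = parse_methods(line)
        groups = [m for m in methods if m.startswith("group ")]
        if groups and "local" in methods and methods.index("local") < methods.index(groups[0]):
            warnings.append(f"{line}: 'local' precedes {groups[0]}; local accounts "
                            "are usable while ISE is up, not only on fallback")
    return warnings
```

Calling `break_glass_report(parse_author_debug(SAMPLE_DEBUG))` yields two lines: the `cisco` login, where LOCAL was the first method and passed with no server failure, and the `fieldtech` login, where the TACACS+ group errored first and LOCAL was a genuine fallback. Running `method_order_warnings` over the five `aaa` lines in the reply above flags every one of them, which is the point of the reply: with `local` listed first, the reserve accounts are usable whether or not ISE is reachable. In production this logic would be fed by syslog rather than by `debug` output, which is not something to leave on.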
