Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3304
Views
5
Helpful
5
Replies

Alternate SSH port on a switch IOS.

Go to solution
Santa.Hawes
Level 1
Level 1

‎07-16-2021 12:28 PM

Is there a solution to the inability to program a separate "alternate" port for SSH connections within a v12.x Cisco Switch IOS?

SITUATION:

Attempting to coordinate with CyberArk admin to facilitate automated password changes for our two local-auth reserve accounts.  These accounts only become active when the switches connection to ISE goes down for any reason, allowing access to the switch by a field tech.

 

We have a method that works for routers, but does not seem to work on our  switches.

          IOS version: WS-C2960-24-S, 12.2(46)SE

          command “ip ssh port 3333 rotary 1" Is not accepted

          on the switch.

 

Any ideas?

 

Any thoughts, comments and/or reactions made by the above identified individual are the sole responsibility of the above named individual, and should not reflect on his employer, spouse or family name.
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-17-2021 02:44 AM

as per i know the command only introduced 15.X 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Mark Elsen
Hall of Fame
Hall of Fame

‎07-16-2021 11:05 PM

 

 - Presumably not all platforms and or IOS versions will accept that command, check this thread as an example :

          https://community.cisco.com/t5/switching/how-to-change-ports-to-access/td-p/2102105

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-17-2021 02:44 AM

as per i know the command only introduced 15.X 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Santa.Hawes
Level 1
Level 1

‎07-28-2021 07:02 AM

As this function is limited only to IOS v15.x, is there a work-around to enable a similar functionality for IOS v12,x? 

As I have stated, we have MANY thousands of Cisco devices on our network, and a compliance mandate to manage and change the local-login user passwords, which actually are only used when the connection to ISE goes down.

Our implementation cannot be the only place that these issues have come up.

Any thoughts, comments and/or reactions made by the above identified individual are the sole responsibility of the above named individual, and should not reflect on his employer, spouse or family name.
0 Helpful

Go to solution
Amine ZAKARIA
Spotlight
In response to Santa.Hawes

‎07-29-2021 01:42 PM

These accounts only become active when the switches connection to ISE goes down for any reason, allowing access to the switch by a field tech.
This is the default behavior if you set ISE first in AAA, but you can set up local as primary authentication for AAA and TACACS+ as fallback method.

If i understand you clearly you want to access with local account AND ISE, while it's reachable.
if so you may need this assuming you're using tacacs+ in your deployment :

aaa authentication login default local group ISE_T+_G
aaa authorization exec default local group ISE_T+_G
aaa authorization commands 0 default local group ISE_T+_G
aaa authorization commands 1 default local group ISE_T+_G
aaa authorization commands 15 default local group ISE_T+_G

-Debug using local account :

*Jul 29 19:18:52.378: AAA/AUTHOR (0x38): Pick method list 'default'
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV cmd=
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV priv-lvl=15
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): Authorization successful
*Jul 29 19:20:09.230: AAA/AUTHOR/CMD: tty2 (70473958) user='cisco'
*Jul 29 19:20:09.230: tty2 AAA/AUTHOR/CMD (70473958): Method=LOCAL
*Jul 29 19:20:09.230: AAA/AUTHOR (70473958): Post authorization status = PASS_ADD

-Debug using account in ISE :
*Jul 29 19:19:22.095: AAA/AUTHEN/LOGIN (00000039): Pick method list 'default'
*Jul 29 19:19:25.583: AAA/AUTHOR (0x39): Pick method list 'default'
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=LOCAL
*Jul 29 19:19:34.740: AAA/AUTHOR/LOCAL: no entry for vdc-helpdesk
*Jul 29 19:19:34.740: AAA/AUTHOR (3610061040): Post authorization status = ERROR ( Here the method will fallback to ISE)
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=ISE_T+_G (tacacs+) (Switch Picked the group ISE_T+_G)
*Jul 29 19:19:34.950: TAC+: (-684906256): received author response status = PASS_ADD
*Jul 29 19:19:34.950: AAA/AUTHOR (3610061040): Post authorization status = PASS_ADD

Hope that helps!

0 Helpful

Go to solution
Amine ZAKARIA
Spotlight
In response to Santa.Hawes

‎07-29-2021 02:10 PM - edited ‎07-29-2021 03:38 PM

Sorry forget to mention, If you using different method than "default" dont forget to add it into line vty 

0 Helpful
Top