07-16-2021 12:28 PM
Is there a solution to the inability to program a separate "alternate" port for SSH connections within a v12.x Cisco switch IOS?
SITUATION:
Attempting to coordinate with the CyberArk admin to facilitate automated password changes for our two local-auth reserve accounts. These accounts only become active when the switch's connection to ISE goes down for any reason, allowing access to the switch by a field tech.
We have a method that works for routers, but it does not seem to work on our switches.
IOS version: WS-C2960-24-S, 12.2(46)SE
The command "ip ssh port 3333 rotary 1" is not accepted on the switch.
Any ideas?
Labels: AAA, Identity Services Engine (ISE)
Accepted Solutions
07-17-2021 02:44 AM
As far as I know, the command was only introduced in 15.X.
07-16-2021 11:05 PM
- Presumably not all platforms and/or IOS versions will accept that command; check this thread as an example:
https://community.cisco.com/t5/switching/how-to-change-ports-to-access/td-p/2102105
M.
-- Each morning when I wake up and look into the mirror I always say, 'Why am I so brilliant?'
The mirror will then always respond to me with, 'The only thing that exceeds your brilliance is your beauty!'
07-28-2021 07:02 AM
As this function is limited to IOS v15.x, is there a workaround to enable similar functionality for IOS v12.x?
As I have stated, we have MANY thousands of Cisco devices on our network, and a compliance mandate to manage and change the local-login user passwords, which are actually only used when the connection to ISE goes down.
Our implementation cannot be the only place where these issues have come up.
07-29-2021 01:42 PM
These accounts only become active when the switch's connection to ISE goes down for any reason, allowing access to the switch by a field tech.
This is the default behavior if you set ISE first in AAA, but you can set up local as the primary authentication method for AAA and TACACS+ as the fallback method.
If I understand you correctly, you want to access the switch with a local account AND with ISE while it is reachable.
If so, you may need this, assuming you're using TACACS+ in your deployment:
aaa authentication login default local group ISE_T+_G
aaa authorization exec default local group ISE_T+_G
aaa authorization commands 0 default local group ISE_T+_G
aaa authorization commands 1 default local group ISE_T+_G
aaa authorization commands 15 default local group ISE_T+_G
- Debug using local account:
*Jul 29 19:18:52.378: AAA/AUTHOR (0x38): Pick method list 'default'
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV cmd=
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): processing AV priv-lvl=15
*Jul 29 19:18:52.378: AAA/AUTHOR/EXEC(00000038): Authorization successful
*Jul 29 19:20:09.230: AAA/AUTHOR/CMD: tty2 (70473958) user='cisco'
*Jul 29 19:20:09.230: tty2 AAA/AUTHOR/CMD (70473958): Method=LOCAL
*Jul 29 19:20:09.230: AAA/AUTHOR (70473958): Post authorization status = PASS_ADD
- Debug using account in ISE:
*Jul 29 19:19:22.095: AAA/AUTHEN/LOGIN (00000039): Pick method list 'default'
*Jul 29 19:19:25.583: AAA/AUTHOR (0x39): Pick method list 'default'
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=LOCAL
*Jul 29 19:19:34.740: AAA/AUTHOR/LOCAL: no entry for vdc-helpdesk
*Jul 29 19:19:34.740: AAA/AUTHOR (3610061040): Post authorization status = ERROR ( Here the method will fallback to ISE)
*Jul 29 19:19:34.740: tty4 AAA/AUTHOR/CMD (3610061040): Method=ISE_T+_G (tacacs+) (Switch Picked the group ISE_T+_G)
*Jul 29 19:19:34.950: TAC+: (-684906256): received author response status = PASS_ADD
*Jul 29 19:19:34.950: AAA/AUTHOR (3610061040): Post authorization status = PASS_ADD
Hope that helps!
07-29-2021 02:10 PM - edited 07-29-2021 03:38 PM
Sorry, I forgot to mention: if you are using a method list other than "default", don't forget to apply it under line vty.
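A small audit for the two points made in the answers above (local-first method order, and a named method list that must also be applied under line vty), added here as an example and not code from this thread. The IOS fragment it parses is constructed; only the TACACS+ group name ISE_T+_G is taken from the answer.

```python
import re
# Constructed IOS config fragment (not from the thread): the local-first "default" lists
# from the answer above, plus a named list "MGMT" that is group-first and applied to no vty.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group ISE_T+_G
aaa authorization exec default local group ISE_T+_G
aaa authentication login MGMT group ISE_T+_G local
aaa authorization exec MGMT group ISE_T+_G local
line vty 0 4
 login authentication default
 authorization exec default
line vty 5 15
 transport input ssh
"""
LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
VTY_RE = re.compile(r"^ (login authentication|authorization exec) (\S+)$")
# vty sub-command -> the aaa list type it selects
KIND = {"login authentication": "authentication login", "authorization exec": "authorization exec"}

def methods(spec):
    # 'local group ISE_T+_G' -> ['local', 'group ISE_T+_G']; IOS tries them in this order
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        out.append(f"{t} {toks.pop(0)}" if t == "group" and toks else t)
    return out
def parse_method_lists(config):
    # {(list type, list name): [method, ...]}
    return {(m[1], m[2]): methods(m[3]) for m in map(LIST_RE.match, config.splitlines()) if m}
def parse_vty(config):
    # {vty range: {list type: list name}}; under aaa new-model an unset line uses 'default'
    vty, cur = {}, None
    for line in config.splitlines():
        if line.startswith("line vty "):
            cur = line[len("line vty "):]
            vty[cur] = {k: "default" for k in KIND.values()}
        elif cur and line.startswith(" "):
            sub = VTY_RE.match(line)
            if sub:
                vty[cur][KIND[sub[1]]] = sub[2]
        else:
            cur = None
    return vty

def audit(config):
    # Classify each list's order; flag named lists no vty line applies (the follow-up post's point)
    lists, vty = parse_method_lists(config), parse_vty(config)
    order = {k: ("local-first" if v[0] == "local" else "group-first") for k, v in lists.items()}
    applied = {(kind, name) for cfg in vty.values() for kind, name in cfg.items()}
    return {"order": order, "unapplied": sorted(k for k in lists if k not in applied)}
```

Run audit() over a real "show running-config" to confirm the local accounts are tried before the ISE group and that every named list is actually bound to a vty line.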
