03-11-2013 02:30 AM - edited 03-10-2019 08:10 PM
Hey, I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble.
I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges. Which brings me to my second problem...
Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.
If anyone needs a part of my configuration in order to help, just ask for the part that you need and I'll post it.
Thanks in advance for anyone trying to help!
03-11-2013 07:32 AM
Hi Niels,
Wrong section, try putting it in AAA, Identity and NAC.
Thanks
Chris
03-19-2013 04:22 AM
I've figured out how to make a user go straight into privilege mode and have lower ranking users not go into a higher privilege level. After configuring AAA, I used these commands:
(config)#aaa authorization exec default local
(config)#aaa authorization console
(config)#enable secret password
Now my last problem is with the SSH password login. I've configured to use a Public-Private keypair to login and this works just fine. The problem is that the router still allows people to log in using a regular password when they don't have a key. Anyone know how to fix this?
03-20-2013 12:24 AM
To restrict users to only do pubkey-authentication you need to remove the secret/password from the regular user-account:
username test privilege 15
That way the user can only log in with the stored public key information and still gets directly to privilege 15.
03-20-2013 03:31 AM
I've tried removing the password from the user, but it didn't quite work out. It still allows you to log in without a key, only now you don't input anything when it asks for a password.
03-20-2013 03:39 AM
Well, that's not how it's supposed to be ...
Did you accidentally use the "nopassword" keyword instead of removing the secret/password?
When you do a "show run | i username" it should be in the form above.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
03-20-2013 03:52 AM
When I do a "show run | i username", this is what I get:
username admin privilege 15
username admin
Is it possible that I'm allowing the password prompt through a command I've used somewhere?
03-20-2013 04:36 AM
I just tested it again and you are right. I completely remembered wrong about how that worked. You could specify a long and random password that the user doesn't know. That would restrict it to pubkey-logins. Not very elegant but should work.
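As an added example, not code from the thread or from Cisco: a Python script that audits a "show run" excerpt for the situation described above (a local user with no secret, which still gets an SSH password prompt) and generates the workaround from the last reply, a long random secret plus the pubkey-chain binding. The sample config, usernames, key text and hash values are constructed placeholders.

```python
import re
import secrets
import string

# Constructed sample: a "show run" excerpt shaped like the one in the thread
# (hash values are placeholders, not real credentials or keys).
SAMPLE_SHOW_RUN = """\
aaa new-model
aaa authorization exec default local
aaa authorization console
username admin privilege 15
username ops privilege 5 secret 5 $1$PLACEHOLDER$hashplaceholder
ip ssh pubkey-chain
 username admin
  key-hash ssh-rsa PLACEHOLDERHASH
!
"""

USERNAME_RE = re.compile(r"^username (\S+)(.*)$")

def audit_local_users(running_config: str) -> dict:
    """Per local user: privilege, has_secret, has_pubkey.
    Indented 'username' lines under 'ip ssh pubkey-chain' are key bindings, not accounts."""
    users, in_chain = {}, False
    for line in running_config.splitlines():
        if not line.startswith((" ", "!")):           # top-level line: track pubkey-chain context
            in_chain = line.strip() == "ip ssh pubkey-chain"
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        entry = users.setdefault(name, {"privilege": 1, "has_secret": False, "has_pubkey": False})
        if in_chain and line.startswith(" "):
            entry["has_pubkey"] = True
            continue
        if re.search(r"\b(secret|password) ", rest):  # 'nopassword' deliberately does not match
            entry["has_secret"] = True
        if pm := re.search(r"privilege (\d+)", rest):
            entry["privilege"] = int(pm.group(1))
    return users

def password_prompt_accounts(running_config: str) -> list:
    """Users with no secret: as the thread found, SSH still prompts and accepts an empty password."""
    return sorted(n for n, e in audit_local_users(running_config).items() if not e["has_secret"])

def pubkey_only_user_config(username: str, openssh_pubkey: str, privilege: int = 15) -> list:
    """IOS lines for the workaround in the last reply: bind the key and set a long random
    secret that nobody is told, so only the stored public key can authenticate."""
    secret = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
    lines = [f"username {username} privilege {privilege} secret {secret}",
             "ip ssh pubkey-chain", f" username {username}", "  key-string"]
    # key-string mode takes the key pasted over several lines, so split long keys
    lines += ["   " + openssh_pubkey[i:i + 200] for i in range(0, len(openssh_pubkey), 200)]
    return lines + ["  exit", " exit"]
```

Run the audit against the constructed sample and it flags "admin", the same account the poster showed; feed the generated lines back through it and the account no longer appears.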