Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5253
Views
19
Helpful
10
Replies

SSH via tacacs+ without any crypto keys?

Go to solution
Martin L
VIP
VIP

‎07-22-2019 01:58 PM - edited ‎07-22-2019 02:38 PM

how is possible to use SSH via tacacs+ without any crypto keys?  How Crypto keys influence AAA login ? Or Are they for local login only?

we had replaced some old c3750 with new c3850 switches.  Procedure was to copy old config to new switch including crypto keys (from old sw).  Couple times out tech forgot to copy Crypto keys from old to new switch but still we were able to login to switch!

 

Here is relevant config:

 

username admin privilege 15 secret xyz

**********

aaa authentication login default group VTACACS local-case
aaa authentication enable default group VTACACS enable
aaa authorization exec default group VTACACS local if-authenticated
aaa authorization commands 15 default group VTACACS local if-authenticated

********

aaa group server tacacs+ VTACACS 

    server-private x x x x time out password xyz

*********

line con 0
exec-timeout 15 0
privilege level 15
password 7 xyz
stopbits 1

line vty 0 15
exec-timeout 15 0
password 7 xyz
length 0
transport input ssh
*******

following Crypto section was omitted when copied

crypto pki trustpoint TP-self-signed-2xxxx4
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxx44
revocation-check none
rsakeypair TP-self-signed-2xxxx44
!
crypto pki certificate chain TP-self-signed-2xxxx44
certificate self-signed 01
3082029F 3082029F ....and so forth

quit

**********

 

Remote Access using SSH via TACACS and via Console connections were successful !

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-22-2019 07:03 PM

Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.

crypto key generate rsa says,

...

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

...

View solution in original post

10 Replies 10

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-22-2019 07:03 PM

Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.

crypto key generate rsa says,

...

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

...

Go to solution
Martin L
VIP
VIP
In response to hslai

‎07-24-2019 06:55 AM - edited ‎07-24-2019 06:59 AM


I think TACACS sever provides keys for SSH as my device access is via server. is that plausible?
Is possible to determine where from keys are coming by looking at keys? I have snapshot of accept /deny access.

 

ssh keys.png

Go to solution
Martin L
VIP
VIP
In response to Martin L

‎07-24-2019 07:01 AM


Another question is what for are Crypto Keys that are store on switch? what is Self-Signed-Certificate for?

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Martin L

‎07-24-2019 08:25 PM - edited ‎07-24-2019 08:27 PM

Another question is what for are Crypto Keys that are store on switch? what is Self-Signed-Certificate for?

See A self-signed certificate is added to a... - Cisco Community

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Martin L

‎07-24-2019 08:23 PM - edited ‎07-24-2019 08:26 PM

... Is possible to determine where from keys are coming by looking at keys? I have snapshot of accept /deny access.

See Calculating a SSH Fingerprint From a (Cisco) Public Key | Didier Stevens

Go to solution
Martin L
VIP
VIP
In response to hslai

‎07-27-2019 05:47 PM

@hslai wrote:

Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.

crypto key generate rsa says,....s not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

...

I did ask about c3850,  not 3650.

are we assuming behavior is the same  on both or c3650 is a typo ?

0 Helpful

Go to solution
MJ666
Level 1
Level 1
In response to hslai

‎03-26-2024 03:44 AM

I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

Go to solution
MJ666
Level 1
Level 1
In response to hslai

‎03-26-2024 03:47 AM

Hi @hslai 

I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to MJ666

‎03-26-2024 08:17 AM - edited ‎03-26-2024 08:18 AM

@MJ666 you added three almost identical posts replying to a 5 year old thread that is not on topic with your question.

Please create a new discussion with your question.

Go to solution
MJ666
Level 1
Level 1

‎03-26-2024 01:44 AM

Hi @Martin L e

I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

Customers Also Viewed These Support Documents