07-22-2019 01:58 PM - edited 07-22-2019 02:38 PM
how is possible to use SSH via tacacs+ without any crypto keys? How Crypto keys influence AAA login ? Or Are they for local login only?
we had replaced some old c3750 with new c3850 switches. Procedure was to copy old config to new switch including crypto keys (from old sw). Couple times out tech forgot to copy Crypto keys from old to new switch but still we were able to login to switch!
Here is relevant config:
username admin privilege 15 secret xyz
**********
aaa authentication login default group VTACACS local-case
aaa authentication enable default group VTACACS enable
aaa authorization exec default group VTACACS local if-authenticated
aaa authorization commands 15 default group VTACACS local if-authenticated
********
aaa group server tacacs+ VTACACS
server-private x x x x time out password xyz
*********
line con 0
exec-timeout 15 0
privilege level 15
password 7 xyz
stopbits 1
line vty 0 15
exec-timeout 15 0
password 7 xyz
length 0
transport input ssh
*******
following Crypto section was omitted when copied
crypto pki trustpoint TP-self-signed-2xxxx4
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxx44
revocation-check none
rsakeypair TP-self-signed-2xxxx44
!
crypto pki certificate chain TP-self-signed-2xxxx44
certificate self-signed 01
3082029F 3082029F ....and so forth
quit
**********
Remote Access using SSH via TACACS and via Console connections were successful !
Solved! Go to Solution.
07-22-2019 07:03 PM
Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.
crypto key generate rsa says,
...
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
...
07-22-2019 07:03 PM
Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.
crypto key generate rsa says,
...
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
...
07-24-2019 06:55 AM - edited 07-24-2019 06:59 AM
I think TACACS sever provides keys for SSH as my device access is via server. is that plausible?
Is possible to determine where from keys are coming by looking at keys? I have snapshot of accept /deny access.
07-24-2019 07:01 AM
07-24-2019 08:25 PM - edited 07-24-2019 08:27 PM
Another question is what for are Crypto Keys that are store on switch? what is Self-Signed-Certificate for?
See A self-signed certificate is added to a... - Cisco Community
07-24-2019 08:23 PM - edited 07-24-2019 08:26 PM
... Is possible to determine where from keys are coming by looking at keys? I have snapshot of accept /deny access.
See Calculating a SSH Fingerprint From a (Cisco) Public Key | Didier Stevens
07-27-2019 05:47 PM
@hslai wrote:Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.
crypto key generate rsa says,....s not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
...
I did ask about c3850, not 3650.
are we assuming behavior is the same on both or c3650 is a typo ?
03-26-2024 03:44 AM
I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest
I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().
Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?
Thanks for your feedback
03-26-2024 03:47 AM
Hi @hslai
I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest
I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().
Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?
Thanks for your feedback
03-26-2024 08:17 AM - edited 03-26-2024 08:18 AM
@MJ666 you added three almost identical posts replying to a 5 year old thread that is not on topic with your question.
Please create a new discussion with your question.
03-26-2024 01:44 AM
Hi @Martin L e
I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use 
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local 
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest
I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().
Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?
Thanks for your feedback
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide