c2960-24PC-l SSH issue, need help

gmcclintock
Level 1

Hello everyone, I'm trying to set up a management network at home containing 4 routers and 4 switches. The switch I chose to be my mgmt switch is a c2960 running IOS 15 k9 version.

The problem I'm having is that I can SSH from the switch to all other devices but cannot reach the switch from any of the other devices or from PuTTY.

transport input ssh

transport output ssh

have been configured on the vty lines.

I've attached my config and some results of SSH sessions for your analysis; please take a look.

I've tried this with a 2950 and found out that it doesn't support the SSH client function... could this be the same issue? If so, how would I know? I'm not very familiar with the feature checker, sorry.

+++++++++++HELP PLEASE+++++++++++++

8 Replies

kubn2
Level 1
Hi,

From what I see in your config, I guess you are missing the login local command on line vty.

Just configured that (login local on the vty lines) and an enable secret password, as they were both left off my initial config, and it didn't work either.

GRANT3779
Spotlight
Looking at the output you provided, you have AAA enabled (aaa new-model).
Can you try the following command in global config mode:

aaa authentication login default local

Also remove the login local command from vty lines.
Test access.

I have a few comments for this issue:

- When aaa new-model is configured, login local under the vty is not needed, and if it is configured it is ignored. So do not bother with it.

- When aaa new-model is configured, the default behavior for authentication on the vty is local authentication. So the suggestion

aaa authentication login default local

is redundant. It does no harm, but it does no good either. So do not bother with it.

- The output posted of the attempt to SSH to the switch shows a prompt for password multiple times. This certainly suggests that the SSH attempt did get to the switch and that the switch was attempting to authenticate the user but was not successful in authentication. It might be interesting to enable debug for SSH and attempt the access again. The logs (assuming that logging is enabled) should show attempts to initiate SSH. Perhaps debug for aaa authentication might be used and hopefully would confirm problems in authenticating the SSH attempt.

The symptom of multiple prompts for password might be caused if the user name supplied for the SSH attempt did not match exactly the user name configured on the switch. The symptom might also be caused if the password used for the SSH attempt did not match exactly the user password configured on the switch. My suggestion is to configure a new user name (and keep it very simple) with a new password (and keep it very simple). Then test again using the new user name and password.

The output posted showed a successful SSH from switch to router 3. Then it showed an SSH attempt from router 3 to the switch. It is not clear whether the attempt from router 3 to the switch was in the session established from switch to router, or was from some connection to router 3 from somewhere else. I would think that an SSH from switch to router and then SSH from router to switch should work. But to keep it clean, can we be sure that the session to router 3 was from somewhere other than from the switch?

And just to be very sure about it, can the original poster give us the output of the command show ip ssh on the switch?

 

HTH

 

Rick
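For reference, an added example (not the poster's attached config, which is not reproduced in this thread, and not taken from any reply): a minimal IOS SSH baseline that authenticates vty logins against the local user database under aaa new-model, followed by the show and debug commands Rick points to. The hostname, domain, address and account name are constructed, and the secrets are placeholders.

```cisco
! Added example: minimal IOS SSH server config with local authentication.
! Hostname, domain, account and the 192.0.2.10 address are constructed values.
hostname MGMT-SW
ip domain-name lab.example
!
! Local account the vty lines will authenticate against.
username netadmin privilege 15 secret <choose-a-strong-passphrase>
enable secret <choose-a-strong-enable-secret>
!
! With aaa new-model the vty lines authenticate through an AAA method list,
! not through "login local". The default list below uses the local database,
! which is also what the vty falls back to when no list is configured.
aaa new-model
aaa authentication login default local
!
! RSA host key (requires ip domain-name) and SSH version 2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 15
 login authentication default
 transport input ssh
!
! Verification, from privileged EXEC on the switch:
!   show ip ssh                       - SSH enabled, version and key size in use
!   show running-config | section aaa|line vty|username
!   terminal monitor                  - needed to see debug output in a vty session
!   debug ip ssh                      - inbound connection, key exchange, auth phase
!   debug aaa authentication          - which method list ran and whether the
!                                       local lookup accepted the supplied user
! Then from another IOS device, with the -l option the thread discusses:
!   ssh -l netadmin 192.0.2.10
```

If debug aaa authentication shows the local method being tried and rejected while the SSH session itself completes key exchange, the problem is the user/password pair rather than the transport, which is the distinction Rick is trying to draw from the repeated password prompts.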

I think you misunderstood the prompt for password multiple times; it was only multiple times because I entered the password, then hit enter, then got prompted for the password again. I did this a few times just to show that the password isn't accepted or working, and I did indeed verify and even reconfigured the password I was using to be correct.

"The output posted showed a successful SSH from switch to router 3. Then it showed an SSH attempt from router 3 to the switch. It is not clear whether the attempt from router 3 to the switch was in the session established from switch to router, or was from some connection to router 3 from somewhere else. I would think that an SSH from switch to router and then SSH from router to switch should work. But to keep it clean, can we be sure that the session to router 3 was from somewhere other than from the switch?"

I connected my PC to the switch using the console cable and SSHed into router 3 successfully. Then I moved my connection (console cable) and plugged it into my router (Router 3) and attempted to SSH into the switch MGMT-SW, unsuccessfully. I hope that clears that up; if not, let me know (not in so many words) what you aren't sure of and I will give the explanation another shot.

Thanks

Thanks for the additional information. If you want to put this discussion on hold for a couple of weeks that is ok. But I do want to make a response to this recent information.

 

Thank you for clarifying that the attempt to SSH to the switch was from a console session on the router and not an activity in the SSH session from switch to router. 

 

I do not believe there was a misunderstanding about the multiple prompts for password. Your description of entering the password multiple times is exactly what I thought you were describing in my previous response. The fact that you attempted it multiple times does indicate that the switch was not accepting the entered password. As I said in my previous response, that can be caused when the entered user ID and/or password do not match what was entered as the user name and password configured on the switch. Or perhaps it might indicate that what the switch is doing is different from what we understand in the configuration. Running debug aaa authentication might shed some light on what is happening as you attempt to SSH.

 

Is the user name configured the same on the switch and the router? If not, as a test, would you configure exactly the same user name and password on both devices? Also, as a test, would you attempt the SSH without specifying the -l parameter and let the switch prompt for the username?

 

HTH

 

Rick

Sir, the user name and password are configured identically on all devices in the network. I actually thought of this and went back multiple times to check the config, and even reconfigured it to match just in case I missed a character or something crazy like that, but it still didn't work.
As far as your suggestion "trying without the -l", I can't do that until I get back home.

Thanks again for responding and trying to help me figure this out. Much appreciated.

Sorry for the late reply, I was traveling all day. I will be out of town (away from my lab) for the next 2 weeks, so if you don't mind, let's pick this back up at that time.

I do appreciate all your help but can't do anything at the moment.
