Cisco 892FSP-K9 AAA Authentication issue

pwiscott
Level 1

Hi,

 

I have an 892FSP-K9 running 15.3 and am struggling to get AAA Authentication to work for local username/password only.

 

This unit is deployed at an isolated site and as such has no TACACS/RADIUS available; however, I want to secure the vty lines but am struggling with the commands.

I have configured and enabled SSH V2, I have a local username/password with level 15 privilege.

I have the following 

aaa new-model
aaa authentication login default local
!

ip ssh version 2

I have added the below (this fails to show up after a wr/sh run)

(config-line)#login authentication default

 

I know I am missing something, just cannot work out what it is?

 

 

6 Replies

georgehewittuk1
Level 1

Hi,

This should work.

Have you created an RSA key and an ip domain-name?

Also check the line vty to see whether there is a transport input and that it is set to SSH. If it still doesn't work, share your running configuration.

Thanks

George

 

 

Try to use a name other than Default, then define your list of preferred methods, like RADIUS + LOCAL, like this ...

pwiscott
Level 1

Had to shelve the project but it's back on again and no, still cannot get aaa new-model to work :-(

System image file is "flash:c800-universalk9-mz.SPA.153-3.M5.bin"

License Information for 'c800'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices

 

username manager privilege 15 password blahblahblah

 

aaa new-model

aaa authentication login router59 local

 

line vty 0 4
login authentication router59
transport input ssh

 

line vty 5 15
login authentication router59
transport input ssh

 

When I try to SSH, all I get is it repeatedly asking for the password....

 

This is doing my head in 

 

I am not clear: when you attempt to SSH, do you get prompted for a username and then for a password, or is it just prompting for a password? Can you clarify?

HTH

Rick

Hi

 

I get prompted for a username and password, but it just keeps rejecting on the password.

 

login as: manager
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

Thanks for confirming that you are prompted for both username and password, and that the issue is that the password is not accepted. Am I correct in assuming that you do have console access to this router? If so, are you logging in using the same user name and password?

 

As a test I would suggest logging in through the console and configuring a new user name and a new password and then attempt SSH with the new name and password.

 

Are you sure that your SSH request is getting to the right device? Perhaps run debug for SSH on the router and then attempt SSH and look for debug output. I remember troubleshooting an issue with a customer which was similar to what you are experiencing. It turned out that there was some confusion about routing and addressing and they were connecting to a machine different from what they were trying to test.

 

While it does look more sophisticated to configure authentication methods for the vty, it is not needed. In fact, if you want the vty to authenticate using locally configured user ID and password, all that you really need is aaa new-method.

HTH

Rick
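
An offline check of the settings discussed in this thread, added here as an example and not posted by any participant: it reads a saved running-config and reports vty lines whose login method list is undefined or has no local method, or whose transport is not limited to SSH. The names audit_vty_auth and SAMPLE_CONFIG and the domain name are made up for the example; it assumes the indentation that show running-config prints, and that a vty line with no login authentication command uses the list named default, which IOS does not display.

```python
import re

# Constructed sample: the fragments posted in the thread, indented the way
# "show running-config" prints them. The domain name is a placeholder.
SAMPLE_CONFIG = """\
username manager privilege 15 password blahblahblah
aaa new-model
aaa authentication login router59 local
ip domain-name example.invalid
ip ssh version 2
line vty 0 4
 login authentication router59
 transport input ssh
line vty 5 15
 login authentication router59
 transport input ssh
"""

def audit_vty_auth(config):
    """Return findings for local-only AAA login over SSH on the vty lines."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() not in ("", "!")]
    top = [l for l in lines if not l.startswith(" ")]
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model is not enabled")
    if not any(l.startswith("username ") for l in top):
        findings.append("no local username is configured")
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in top):
        findings.append("no ip domain-name is configured")
    # Login method lists: list name -> methods, in the order they are tried.
    lists = {m.group(1): m.group(2).split() for l in top
             if (m := re.match(r"aaa authentication login (\S+) (.+)", l))}
    # Collect the indented sub-commands under each "line vty" header.
    vty, current = {}, None
    for l in lines:
        if not l.startswith(" "):
            current = l if l.startswith("line vty ") else None
            if current:
                vty[current] = []
        elif current:
            vty[current].append(l.strip())
    for header, cmds in vty.items():
        # Assumption: no "login authentication" command means list "default".
        name = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), "default")
        if "local" not in lists.get(name, []):
            findings.append(f"{header}: login list '{name}' is undefined or has no local method")
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not restricted to ssh")
    return findings
```

An empty list means the method lists and vty lines are consistent; it says nothing about whether the stored password matches what is typed or whether the SSH session reaches the intended device.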