SSH via tacacs+ without any crypto keys?

Martin L
VIP

How is it possible to use SSH via TACACS+ without any crypto keys? How do crypto keys influence AAA login? Or are they for local login only?

We had replaced some old c3750 with new c3850 switches. The procedure was to copy the old config to the new switch, including the crypto keys (from the old switch). A couple of times our tech forgot to copy the crypto keys from the old to the new switch, but we were still able to log in to the switch!

 

Here is relevant config:

 

username admin privilege 15 secret xyz

**********

aaa authentication login default group VTACACS local-case
aaa authentication enable default group VTACACS enable
aaa authorization exec default group VTACACS local if-authenticated
aaa authorization commands 15 default group VTACACS local if-authenticated

********

aaa group server tacacs+ VTACACS 

    server-private x x x x time out password xyz

*********

line con 0
exec-timeout 15 0
privilege level 15
password 7 xyz
stopbits 1

line vty 0 15
exec-timeout 15 0
password 7 xyz
length 0
transport input ssh
*******

The following crypto section was omitted when copied:

crypto pki trustpoint TP-self-signed-2xxxx4
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxx44
revocation-check none
rsakeypair TP-self-signed-2xxxx44
!
crypto pki certificate chain TP-self-signed-2xxxx44
certificate self-signed 01
3082029F 3082029F ....and so forth

quit

**********

 

Remote access using SSH via TACACS and via console connections was successful!

Accepted Solution

hslai
Cisco Employee

Those omitted are not really the crypto key info needed for SSH. I tried zeroing it out on a 3650 in our lab and regenerating the key pair, and the crypto section of the running configuration remained the same.

crypto key generate rsa says,

...

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

...


10 Replies



I think the TACACS server provides the keys for SSH, as my device access is via the server. Is that plausible?
Is it possible to determine where the keys are coming from by looking at them? I have a snapshot of accept/deny access.

 

(attachment: ssh keys.png)


Another question: what are the crypto keys that are stored on the switch for? What is the self-signed certificate for?

Another question: what are the crypto keys that are stored on the switch for? What is the self-signed certificate for?

See A self-signed certificate is added to a... - Cisco Community

... Is it possible to determine where the keys are coming from by looking at them? I have a snapshot of accept/deny access.

See Calculating a SSH Fingerprint From a (Cisco) Public Key | Didier Stevens
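The fingerprint calculation the linked article describes, as an added example that is not part of this thread and not Didier Stevens' tool: `show crypto key mypubkey rsa` prints the switch's RSA public key as hex groups of a DER-encoded SubjectPublicKeyInfo. The code below parses that dump with the standard library only, rebuilds the OpenSSH `ssh-rsa` wire blob and derives the SHA256 and MD5 fingerprints an SSH client shows on first connection, so a host key can be checked against the switch's own output instead of being accepted blindly. The key dump is constructed (a made-up 256-bit modulus, far too short for real use, chosen so the DER can be checked by hand); a real 2048-bit key from a switch parses the same way.

```python
"""Fingerprint a Cisco IOS RSA public key from a 'show crypto key mypubkey rsa' dump.

Added example (stdlib only). The dump is a DER SubjectPublicKeyInfo printed as
hex groups; SSH fingerprints are computed over the OpenSSH 'ssh-rsa' blob
(RFC 4253 string + mpint e + mpint n), not over the DER itself.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

# Constructed sample in the style of 'show crypto key mypubkey rsa' output.
# 256-bit modulus (unsafe toy size), public exponent 65537.
SAMPLE_KEY_DUMP = """
 303C300D 06092A86 4886F70D 01010105 00032B00 30280221 00C3A1F0 E2D4B6A8
 C9F1E3D5 B7A9CB0D 2F416385 97A9BBCD DF011223 34455667 79020301 0001
"""


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def parse_cisco_rsa_pubkey(hex_dump: str) -> tuple:
    """Return (modulus, exponent) from a Cisco hex dump of an RSA SubjectPublicKeyInfo."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    alg_tag, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bit_string, _ = _read_tlv(spki, pos)
    if bs_tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    seq_tag, rsa_pub, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits octet
    n_tag, n_bytes, pos = _read_tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _read_tlv(rsa_pub, pos)
    if seq_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x: int) -> bytes:
    # RFC 4251 mpint: minimal big-endian, with a leading 0x00 when the top bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def ssh_rsa_blob(n: int, e: int) -> bytes:
    """OpenSSH public-key blob: the bytes that SSH fingerprints are computed over."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprints(blob: bytes) -> dict:
    """Fingerprints in the formats OpenSSH prints, plus the authorized_keys-style line."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {
        "SHA256": "SHA256:" + sha,
        "MD5": "MD5:" + md5,
        "openssh": "ssh-rsa " + base64.b64encode(blob).decode(),
    }


if __name__ == "__main__":
    n, e = parse_cisco_rsa_pubkey(SAMPLE_KEY_DUMP)
    for label, value in fingerprints(ssh_rsa_blob(n, e)).items():
        print(f"{label}: {value}")
```

Paste the real dump from the switch into `SAMPLE_KEY_DUMP` (or read it from a file) and compare the `SHA256:` line with what `ssh -o FingerprintHash=sha256` shows on first connection; the `openssh` line can go straight into `known_hosts` for the switch's address.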


@hslai wrote:

Those omitted are not really the crypto key info needed for SSH. I tried zero it out on a 3650 in our lab and regenerated the key pair and the crypto section of the run configuration remained the same.

crypto key generate rsa says,....s not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

...


I did ask about the c3850, not the 3650.

Are we assuming the behavior is the same on both, or is c3650 a typo?

I want to install a localadmin account on all the switches and routers so that I can connect to them when the RADIUS (SSH) is unavailable.
When testing after installing the account, I realize that the switch takes priority over the SSH connection as long as the RADIUS is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authorization exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the RADIUS from the switch and I'm able to connect as localadmin.

Is there a way to make the switch offer me either RADIUS (ssh) or localadmin (console port 0) without having to disable RADIUS?

Thanks for your feedback

Hi @hslai 

I want to install a localadmin account on all the switches and routers so that I can connect to them when the RADIUS (SSH) is unavailable.
When testing after installing the account, I realize that the switch takes priority over the SSH connection as long as the RADIUS is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authorization exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the RADIUS from the switch and I'm able to connect as localadmin.

Is there a way to make the switch offer me either RADIUS (ssh) or localadmin (console port 0) without having to disable RADIUS?

Thanks for your feedback

@Christory you added three almost identical posts replying to a 5-year-old thread that is not on topic with your question.

Please create a new discussion with your question.

Christory
Level 1

Hi @Martin L e

I want to install a localadmin account on all the switches and routers so that I can connect to them when the RADIUS (SSH) is unavailable.
When testing after installing the account, I realize that the switch takes priority over the SSH connection as long as the RADIUS is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authorization exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the RADIUS from the switch and I'm able to connect as localadmin.

Is there a way to make the switch offer me either RADIUS (ssh) or localadmin (console port 0) without having to disable RADIUS?

Thanks for your feedback
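The behaviour behind both the original question and the follow-up posts is how IOS walks an AAA method list such as `aaa authentication login default group VTACACS local-case` from the config above: the next method is consulted only when the previous one returns an error (no server in the group answered), never when a reachable server rejects the credentials. That is why a local break-glass account works only while the TACACS+/RADIUS server is unreachable, and why the usual design keeps a separate named list for the console (in IOS, `aaa authentication login <name> local-case` applied with `login authentication <name>` under `line con 0`). The model below is an added example, not IOS code and not from anyone in this thread; the server group, the user databases and the scenario names are constructed.

```python
"""Model of Cisco IOS AAA method-list fallback (added example, not IOS code).

Rule being modelled: a method list is walked left to right; a method that
returns ERROR (unreachable) hands over to the next one, a method that returns
PASS or FAIL ends the attempt. If every method errors, the login is refused.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (no server reachable)


@dataclass
class ServerGroup:
    """A TACACS+/RADIUS server group; 'reachable' stands for at least one live server."""
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)  # constructed credential store

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LocalCase:
    """The 'local-case' method: the device's own username database, case-sensitive names."""
    users: dict = field(default_factory=dict)
    name: str = "local-case"

    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def evaluate(method_list, user: str, password: str):
    """Walk the list like IOS: continue past ERROR, stop at the first PASS or FAIL."""
    trace = []
    for method in method_list:
        result = method.authenticate(user, password)
        trace.append((method.name, result))
        if result is not Result.ERROR:
            return result, trace
    return Result.FAIL, trace  # every method errored: the login is refused


# Constructed local database, standing in for 'username admin privilege 15 secret ...'
LOCAL = LocalCase(users={"admin": "local-only-secret"})


def demo() -> dict:
    """Outcomes for the default list 'group VTACACS local-case' and a console-only list."""
    tacacs_up = ServerGroup("VTACACS", reachable=True, users={"netops": "tacacs-secret"})
    tacacs_down = ServerGroup("VTACACS", reachable=False, users={"netops": "tacacs-secret"})
    default_up = [tacacs_up, LOCAL]      # server answering
    default_down = [tacacs_down, LOCAL]  # server unreachable -> fall through to local-case
    console_list = [LOCAL]               # named list applied only to 'line con 0'
    return {
        "server up, TACACS user": evaluate(default_up, "netops", "tacacs-secret"),
        "server up, local admin": evaluate(default_up, "admin", "local-only-secret"),
        "server down, local admin": evaluate(default_down, "admin", "local-only-secret"),
        "server down, wrong password": evaluate(default_down, "admin", "guess"),
        "console list, local admin": evaluate(console_list, "admin", "local-only-secret"),
    }


if __name__ == "__main__":
    for scenario, (outcome, trace) in demo().items():
        steps = " -> ".join(f"{name}:{res.value}" for name, res in trace)
        print(f"{scenario:30s} {outcome.value:5s} via {steps}")
```

The second scenario is the one the follow-up posts describe: with the server answering, the local account is rejected by TACACS+ and `local-case` is never reached. The last scenario shows the console list that keeps a local path open without touching the VTY method list.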
