
SSH access by enable password

For authorization we have this line:

aaa authentication login default group tacacs+ enable

 

The vty lines only have:

privilege level 15
logging synchronous
transport input ssh

 

The WAN connection to the router is down, so it can't reach tacacs. I have a way to get to it by ssh from another device. (Not a Cisco device) Attempting ssh without specifying a username and then entering the enable password at the prompt doesn't work. Is there something I'm missing? My department inherited these routers and haven't spent much time looking at them, as we were planning to replace them quickly. Unfortunately that got put on hold.

2 Replies

Andrew Khalil

@Jason Vanlandingham

Greetings,

 

For SSH Configuration try:

#line vty 0 4

#login local

#exit

#ip domain-name xyxyxyxy (anything)

#crypto key generate rsa

Then choose a number, 512 or 1024 or any other, which represents the encryption degree.

#transport input ssh

 

For the AAA configuration

I am assuming that you already have the correct AAA configuration, in addition to this command:

#username Andrew password Cisco

Then you should issue the following command:

#aaa authentication login default group tacacs+ local

 

Try it, it should work successfully!

 

Please don't forget to rate all helpful responses and mark solutions!

Best Regards,

Andrew Khalil

Hello,

 

If you don't have access to the TACACS server, you need to have local fallback configured.

 

aaa new-model
aaa authentication login default group tacacs+ local

 

You need to have a domain name configured and a hostname other than the default:

 

Router#conf t

Router(config)#hostname R1

R1(config)#ip domain-name local.com

 

Then configure an RSA key:

 

R1(config)#crypto key generate rsa modulus 1024

 

Then configure a local username:

 

username admin privilege 15 password 0 cisco

 

Then configure the VTY lines:

 

line vty 0 4

privilege 15

login authentication default <-- this line is not visible in the running config

transport input ssh
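
A way to check a saved configuration for the fallback condition discussed in this thread, as an added example that is not part of either reply: the Python below reports whether each login method list has a `local` fallback, whether a local user exists to back it, and whether that user's password is stored as type 0 cleartext. The function name, the finding labels and both sample configurations are constructed for illustration.

```python
import re

# Constructed samples: the question's settings and the replies' suggested fallback.
QUESTION_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
line vty 0 4
 privilege level 15
 transport input ssh
"""
REPLY_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 password 0 cisco
line vty 0 4
 login authentication default
 transport input ssh
"""

def audit_login_fallback(config):
    """Return findings on how login behaves when the TACACS+ servers do not answer."""
    findings = []
    users = {}  # username -> (keyword, storage type); type "0" means cleartext
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["username"]:
            continue
        # First "password"/"secret" keyword after the user name.
        idx = next((i for i in range(2, len(tok))
                    if tok[i] in ("password", "secret")), None)
        if idx is not None:
            rest = tok[idx + 1:]
            # A leading digit followed by another token is the type field.
            typ = rest[0] if len(rest) > 1 and rest[0].isdigit() else "0"
            users[tok[1]] = (tok[idx], typ)
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name, methods = m.group(1), m.group(2).split()
        if not {"local", "local-case"} & set(methods):
            findings.append(f"no-local-fallback:{name}")
        elif not users:
            findings.append(f"local-without-user:{name}")  # lockout risk
    for user, (kw, typ) in sorted(users.items()):
        if kw == "password" and typ == "0":
            findings.append(f"cleartext-password:{user}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("replies", REPLY_CFG)):
        print(label, audit_login_fallback(cfg))
```

IOS moves to the next method in the list only when the TACACS+ servers fail to respond, not when a server rejects the credentials, so the fallback account is used only during an outage such as the one described in the question.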

 

 
