SSH failing authentication but Serial Works

Zygodactyl
Level 1

I have a Cisco ISR 4431 which I have enabled SSH for and locked down to only respond to a single subnet for SSH.

Weird part is, when I try to SSH into the ISR from that subnet I am able to get to the login prompt. However, it fails authentication for some reason, but that same user works over a serial connection. Is there maybe a setting for the user I missed or something?

Pertinent config lines are as follows:

username <redacted> access-class 15



ip access-list standard Limit_SSH
permit 10.92.1.0 0.0.0.255
permit 10.91.3.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any


line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class Limit_SSH in
access-class Limit_SSH out
transport input ssh
transport output ssh
line vty 5 15
access-class Limit_SSH in
access-class Limit_SSH out
transport input ssh
transport output ssh

 

Accepted Solution

Yep, that is it. The aaa policy was messing it up; you cannot do local authentication with that for whatever reason. Once I removed that I was able to authenticate.

16 Replies

GRANT3779
Spotlight
If you are not using aaa then add login local under the vty lines:

line vty 0 15
 login local

balaji.bandi
Hall of Fame

Serial connection means on console?

If this is the console, you do not have any config on the console port.

What kind of authentication are you using, AAA with local authentication?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Correct, it should be local authentication and I believe AAA is enabled.

Can you post that AAA config to look at. Also post the login error if possible.

BB


Basically blank:

aaa new-model

aaa authentication login default local enable
aaa authorization exec default local

Whoops, did one thing wrong. I am actually getting a refused connection from the device, not a failed authentication.

I was connecting to the IP of a different device. 

 

But still a similar issue.

Hello,

What is the status at the moment? Are you getting as far as being prompted for a username, or can you not get that far, e.g. connection refused completely?

No prompt for authentication; I get a refused connection.

So I am accessing it from that 192.168.1.1/24 VLAN which, if I wrote the ACL right, should be allowed.

But somehow I am getting a connection refused error.

It is set to use aaa and there is an explicit deny all after the three allowed VLANs.

Have you done all the initial SSH config, e.g. created the crypto key etc.?
Have you tried telnet for testing, or removed the ACL to check if this is the issue?

It has been a while since I have tested that portion, but if I remember correctly, if I remove the ACL it starts working.

I will confirm that now.

Once I remove the ACL I am able to get to the login prompt; however, somehow it fails authentication, so I probably have not configured SSH correctly.

This is the entire config with passwords and external IPs redacted:

Current configuration : 5120 bytes
!
! Last configuration change at 18:58:09 UTC Tue Jul 23 2019 by <redact>
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR4431
!
boot-start-marker
boot system bootflash:/isr4400-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local enable
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
!
ip vrf Internet
 rd 2:2
!
ip vrf MPLS
 rd 1:1
!
!
!

ip domain name LWGINC.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4431/K9 sn <redact>
!
spanning-tree extend system-id
!
username <redact> access-class 15 secret 8 <redact>
username <redact> access-class 15 secret 8 <redact>
!
redundancy
 mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description LAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address 10.92.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact> 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/0/2
 description WAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address <redact> 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/3
 description WAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact> 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.100.100.254 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
<redact>
ip ssh version 2
!
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
!
!
end

accidentally double posted

Are you using VRFs?
If so, try adding the following:

access-class Limit_SSH in vrf-also

That does not seem to help. For some reason I am getting "authorization failed", which I think would be related to the AAA policy not being set up correctly. From my understanding this means it is passing authentication but the user, for some reason, is not authorized to connect via SSH. Note I am not using TACACS+; I am just trying to authenticate with a local device user. Is there maybe something I am missing here?

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
!
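The checks raised across this thread (login local when aaa new-model is absent, an ip domain name before the RSA key, transport input ssh on the vty lines, vrf-also on the access-class when the box uses VRFs, and the referenced ACL actually existing) can be run mechanically against a saved running-config. The lint below is example code added here, not from the thread or from Cisco; the sample config is constructed, modelled on the one posted above, and exercises the vrf-also case.

```python
import re

# Constructed sample modelled on the thread's config: a VRF-attached interface,
# aaa new-model, and vty access-classes without vrf-also.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
ip domain name example.com
interface GigabitEthernet0/0/0
 ip vrf forwarding MPLS
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
line vty 0 4
 access-class Limit_SSH in
 transport input ssh
line vty 5 15
 access-class Limit_SSH in
 transport input ssh
"""

def lint_ssh_access(config: str) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    aaa = "aaa new-model" in lines
    if aaa and not any(l.startswith("aaa authentication login default") for l in lines):
        findings.append("aaa new-model set but no 'aaa authentication login default'")
    if not any(l.startswith("ip domain name ") for l in lines):
        findings.append("'ip domain name' missing (needed before crypto key generate rsa)")
    acls = {m[1] for m in map(re.compile(r"ip access-list \w+ (\S+)").match, lines) if m}
    uses_vrf = any(re.match(r" (ip )?vrf forwarding ", l) for l in lines)
    # Group the indented body of each 'line vty' section under its header.
    vty, section = {}, None
    for l in lines:
        if l.startswith("line vty"):
            section, vty[l] = l, []
        elif l.startswith(" ") and section:
            vty[section].append(l.strip())
        else:
            section = None
    for name, body in vty.items():
        if not any(b.startswith("transport input") and ("ssh" in b or "all" in b) for b in body):
            findings.append(f"{name}: transport input does not allow ssh")
        if not aaa and "login local" not in body:
            findings.append(f"{name}: no aaa new-model and no 'login local'")
        for m in filter(None, map(re.compile(r"access-class (\S+) in( vrf-also)?$").match, body)):
            if m[1] not in acls:
                findings.append(f"{name}: access-class refers to undefined ACL {m[1]}")
            if uses_vrf and not m[2]:
                findings.append(f"{name}: '{m[0]}' lacks vrf-also while interfaces sit in VRFs")
    return findings
```

Feed it the output of `show running-config` saved to a file; the sample as written reports only the missing vrf-also on both vty ranges.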