07-23-2019 08:01 AM
I have a Cisco ISR 4431 which I have enabled SSH for and locked down to only respond to a single subnet for SSH.
The weird part is that when I try to SSH into the ISR from that subnet, I am able to get to the login prompt. However, it fails authentication for some reason, but that same user works over a serial connection. Is there maybe a setting for the user I missed or something?
The pertinent config lines are as follows:
username <redacted> access-class 15
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny any
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
07-24-2019 08:55 AM
Yep, that is it. The AAA policy was messing it up; you cannot do local authentication with that for whatever reason. Once I removed that, I was able to authenticate.
07-23-2019 12:07 PM
It has been a while since I have tested that portion, but if I remember correctly, if I remove the ACL it starts working.
I will confirm that now.