07-23-2019 08:01 AM
I have a Cisco ISR 4431 which I have enabled SSH for and locked down to only respond to a single subnet for SSH.
The weird part is when I try to SSH into the ISR from that subnet I am able to get to the login prompt. However, it fails authentication for some reason, but that same user works over a serial connection. Is there maybe a setting for the user I missed or something?
Pertinent config lines are as follows:

username <redacted> access-class 15
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
07-24-2019 08:55 AM
Yep, that is it. The AAA policy was messing it up; you cannot do local authentication with that for whatever reason. Once I removed that I was able to authenticate.
07-23-2019 09:09 AM
07-23-2019 09:20 AM
Serial connection means on console?
If this is console, you do not have any config on the console port.
What kind of authentication are you using, AAA with local authentication?
07-23-2019 09:21 AM
Correct, it should be local authentication and I believe AAA is enabled.
07-23-2019 09:31 AM
Can you post that AAA config to look at. Also post the login error if possible.
07-23-2019 09:35 AM
Basically blank:

aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
07-23-2019 10:23 AM
Whoops, I did one thing wrong: I am actually getting a refused connection from the device, not a failed authentication.
I was connecting to the IP of a different device.
But still a similar issue.
07-23-2019 11:25 AM
07-23-2019 11:29 AM
No prompt for authentication; I get a refused connection.
So I am accessing it from that 192.168.1.1/24 VLAN which, if I wrote the ACL right, should be allowed.
But somehow I am getting a connection refused error.
It is set to use AAA and there is an explicit deny all after the three allowed VLANs.
07-23-2019 12:05 PM
07-23-2019 12:06 PM
It has been a while since I have tested that portion, but if I remember correctly, if I remove the ACL it starts working.
I will confirm that now.
07-23-2019 12:18 PM - edited 07-23-2019 12:24 PM
Once I remove the ACL I am able to get to the login prompt; however, somehow it fails authentication, so I probably have not configured SSH correctly.
This is the entire config with passwords and external IPs redacted:

Current configuration : 5120 bytes
!
! Last configuration change at 18:58:09 UTC Tue Jul 23 2019 by <redact>
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR4431
!
boot-start-marker
boot system bootflash:/isr4400-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa authentication login default local enable
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
ip vrf Internet
 rd 2:2
!
ip vrf MPLS
 rd 1:1
!
ip domain name LWGINC.com
!
subscriber templating
multilink bundle-name authenticated
!
license udi pid ISR4431/K9 sn <redact>
!
spanning-tree extend system-id
!
username <redact> access-class 15 secret 8 <redact>
username <redact> access-class 15 secret 8 <redact>
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description LAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address 10.92.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact> 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/0/2
 description WAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address <redact> 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/3
 description WAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact> 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.100.100.254 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
<redact>
ip ssh version 2
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
!
end
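Added example, not part of the thread or of any Cisco code: a small Python model of the two checks IOS applies to an incoming SSH connection on a vty line that carries `access-class <acl> in`. First, the standard ACL is evaluated top-down against the source address using wildcard masks (a set bit in the wildcard means "don't care"), with the implicit `deny any` at the end. Second, per Cisco's documentation for `access-class`, a connection that arrives on an interface belonging to a VRF is refused before the ACL is consulted unless the `vrf-also` keyword is present on the `access-class ... in` line. In the posted config every LAN-facing interface sits in a VRF (MPLS, Internet, Mgmt-intf) and the vty `access-class Limit_SSH in` lines have no `vrf-also`, so the model shows how a permitted source can still get "connection refused" while the ACL itself is correct. The ACL entries are transcribed from the posted config; the test addresses and the VRF assignments of the sources are constructed for illustration. Worth checking separately: the `username ... access-class 15` entries reference a numbered ACL 15 that is not defined anywhere in the posted config (only `access-list 1` is), while `privilege 15` is the keyword that sets the exec privilege level.

```python
"""Model of IOS `access-class <acl> in` on vty lines (added example).

Models two rules:
  1. Standard ACL matching with wildcard masks and the implicit deny.
  2. The `vrf-also` rule: without it, connections arriving on a VRF
     interface are refused regardless of the ACL contents.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # base address as a 32-bit integer
    wildcard: int    # wildcard mask: 1 bits are "don't care"


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse the body of an `ip access-list standard` block, one entry per line."""
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif parts[1] == "host":
            net, wc = int(ipaddress.IPv4Address(parts[2])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[1]))
            # A bare address without a wildcard is an exact host match in IOS.
            wc = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append(AclEntry(parts[0], net, wc))
    return entries


def acl_matches(acl: List[AclEntry], src: str) -> Tuple[str, Optional[int]]:
    """Return ("permit"|"deny", index of the first matching entry).

    Bits set in the wildcard are ignored: (src & ~wc) == (net & ~wc).
    No match at all means the implicit deny, reported with index None.
    """
    s = int(ipaddress.IPv4Address(src))
    for i, e in enumerate(acl):
        keep = (~e.wildcard) & 0xFFFFFFFF
        if (s & keep) == (e.network & keep):
            return e.action, i
    return "deny", None


def vty_accepts(acl: List[AclEntry], src: str, src_vrf: Optional[str],
                vrf_also: bool) -> Tuple[bool, str]:
    """Decide whether a vty line with `access-class <acl> in` admits a connection.

    src_vrf is the VRF of the ingress interface (None for the global table).
    The vrf-also check comes first, which is why a source the ACL permits
    can still be refused outright.
    """
    if src_vrf is not None and not vrf_also:
        return False, f"refused: arrived in VRF {src_vrf} and vrf-also is not set"
    action, idx = acl_matches(acl, src)
    if action == "permit":
        return True, f"permitted by ACL entry {idx}"
    where = f"entry {idx}" if idx is not None else "implicit deny"
    return False, f"denied by ACL ({where})"


# Transcribed from the Limit_SSH ACL in the posted config.
LIMIT_SSH = parse_standard_acl("""
permit 10.92.1.0 0.0.0.255
permit 10.91.3.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
""")

if __name__ == "__main__":
    # Constructed sources: a permitted host in the global table, a permitted
    # host arriving via the MPLS VRF, and an address outside all three subnets.
    cases = [("192.168.1.1", None), ("10.92.1.10", "MPLS"), ("172.16.5.5", None)]
    for src, vrf in cases:
        for vrf_also in (False, True):
            ok, why = vty_accepts(LIMIT_SSH, src, vrf, vrf_also)
            print(f"{src:12} vrf={vrf!s:8} vrf-also={vrf_also!s:5} -> {ok} ({why})")
```

The fix the model points at, if the sources really do arrive on VRF interfaces, is `access-class Limit_SSH in vrf-also` on both vty ranges; the ACL itself already permits 192.168.1.0/24 and 10.92.1.0/24 as the poster intended.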
07-23-2019 12:19 PM - edited 07-23-2019 12:25 PM
Accidentally double posted.
07-23-2019 01:31 PM
07-24-2019 08:45 AM
That does not seem to help. For some reason I am getting "authorization failed", which I think would be related to the AAA policy not being set up correctly. From my understanding this means it is passing authentication, but the user for some reason is not authorized to connect via SSH. Note I am not using TACACS+; I am just trying to authenticate with a local device user. Is there maybe something I am missing here?

aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!