Ubuntu Freeradius "Unable to negotiate...no matching cipher"

hfakoor222
Spotlight

Home router: I cannot SSH.

I can telnet in fine, so now I am wondering what is wrong with my setup.

Using Ubuntu FreeRADIUS.

under /etc/freeradius/3.0/clients.conf I have defined

client 10.2.2.5 {
        secret  = Fak1
        nastype = cisco
}

 

 

under /etc/init.d/freeradius users

engineer Cleartext-Password := "cisco12345"
        Service-Type = NAS-Prompt-User

I restart the RADIUS server

 

 

and telnet in from R2 --> Home   OK

telnet Ubuntu --> Home   OK

ssh -l engineer 10.2.2.5

Password: cisco12345

Password: cisco12345

Connection to 10.2.2.5 closed by foreign host.

Ubuntu

Telnet --> OK

ssh -l engineer 10.2.2.5

Unable to negotiate with 10.2.2.5 port 22: no matching cipher found

Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

 

 

 

On home router:

*Jun 12 01:45:47.967: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,

Show run:

*Jun 12 01:34:59.631: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,

Building configuration...

Current configuration : 1555 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-DHCP-NTP
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$0XA1$BklW97j85luhkZLb3d.jB0    (Fak1)
!
aaa new-model
!
!
!
!
aaa session-id common
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip domain name Fak1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username Fak1 secret 5 $1$dHtw$U6C7nGCDPm/H.Z4AC0Su2/
username Fak1password 0 Fak1
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
ip ssh time-out 2
ip ssh authentication-retries 2
!
!
!
!
interface FastEthernet0/0
ip address 10.2.2.5 255.255.255.0
duplex half
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
radius-server configure-nas
radius-server host 10.2.2.6 auth-port 1645 acct-port 1646 key Fakoor
radius-server host 10.2.2.6 auth-port 1812 acct-port 1813
radius-server key Fakoor
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password Fakoor
login authentication Fakoor
transport input all
!

 

 

 

 

 

7 Replies

hfakoor222
Spotlight

Update

 

 

 

SSH works fine except when I SSH from Ubuntu, so I believe it is some type of authentication mismatch, but I am not sure.

 

It will probably be because your router only supports a set of ciphers that your Ubuntu client thinks are insecure. 

 

On the Ubuntu client "ssh -Q cipher" will show you which ciphers it supports, and if any of them match the router ones then just specify the cipher when you connect, i.e.

ssh -c <cipher>

 

Jon
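An added example (not from the thread or any of its posters) that automates the check Jon describes: it parses the OpenSSH "Their offer" message, intersects it with the client's cipher list, and emits a per-host ~/.ssh/config stanza so the legacy CBC cipher is enabled only for this router. The error text and the client cipher list are constructed stand-ins; on a real Ubuntu box pass "$(ssh -Q cipher)" as the client list.

```shell
#!/bin/sh
# Constructed stand-in for the OpenSSH client error quoted in the thread.
SAMPLE_ERR='Unable to negotiate with 10.2.2.5 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'

# Constructed stand-in for `ssh -Q cipher` on a modern OpenSSH client: the
# defaults (CTR/GCM/ChaCha20) plus the legacy CBC ciphers it still knows.
SAMPLE_CLIENT='chacha20-poly1305@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
aes128-cbc
aes192-cbc
aes256-cbc
3des-cbc'

# server_offer ERRTEXT: print the ciphers after "Their offer:", one per line.
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr -d ' ' | tr ',' '\n' | sed '/^$/d'
}

# common_ciphers ERRTEXT CLIENTLIST: ciphers both sides support, in the order
# the server offered them. CLIENTLIST is newline-separated (ssh -Q cipher form).
common_ciphers() {
    for c in $(server_offer "$1"); do
        if printf '%s\n' "$2" | grep -qxF "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# preferred_cipher ERRTEXT CLIENTLIST: first common cipher that is not 3des-cbc.
# AES-CBC is still legacy, which is why it gets pinned for this one host only.
preferred_cipher() {
    common_ciphers "$1" "$2" | grep -v '^3des-cbc$' | head -n 1
}

# ssh_config_stanza HOST ERRTEXT CLIENTLIST: emit a ~/.ssh/config stanza that
# appends ("+") the chosen cipher to the client's default list for HOST alone.
ssh_config_stanza() {
    cipher=$(preferred_cipher "$2" "$3")
    [ -n "$cipher" ] || { echo "no common cipher with $1" >&2; return 1; }
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$cipher"
}

# Demo on the constructed data; with a live client use "$(ssh -Q cipher)" instead.
ssh_config_stanza 10.2.2.5 "$SAMPLE_ERR" "$SAMPLE_CLIENT"
```

The router log quoted above shows only the cipher stage; newer clients can fail again at the key-exchange step, which the same per-host stanza handles with a KexAlgorithms line.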

I didn't see this before, thank you, I will try it.

Hello @hfakoor222,

The message "no common cipher found" means that the Ubuntu box does not accept any of the proposed cipher algorithms,

so @Jon Marshall is right.

I can add that from Windows 10, when using the Bitvise SSH client, I see similar results, and with PuTTY 0.67 64-bit for older boxes I need to use the following workaround to be able to access them:

instead of SSH I use "other", then I select bare ssh-session, I select TCP port 22, and at that point I am able to connect.

 

Hope to help

Giuseppe

 

 

hfakoor222
Spotlight

Bump

marce1000
VIP

 

- Means the (SSH) client and server cannot agree upon a common cipher to secure the connection.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hello,

 

--> *Jun 12 01:45:47.967: SSH2 0

 

Looks like your router is configured for version 2 only. Try and set it to version 1/2 (no ssh version 2), so when you do a 'show ip ssh' it should show version 1.99 (which means it supports both version 1 and 2)...
