2960x ssh denied

Graham Murison
Level 1

I have set up SSH on several switches, but I am about to be defeated by the 2960X series.

Previously I have set it up using aaa model as per documentation, but that hasn't helped. I am now also trying another method without aaa model and still coming up short.

If anyone is able to provide any direction, that would be fantastic. I have already had to recover the password once, and I am copying and pasting so I know I am typing the passwords in correctly.

Here are some details.

WS-C2960X-48FPS-L

15.0(2)EX5

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname switch03
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
!
username ssh privilege 15 secret 5 *****
username ssh-bu privilege 15 secret 5 *****
no aaa new-model
switch 1 provision ws-c2960x-48fps-l
!
crypto pki trustpoint TP-self-signed-2662087296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2662087296
revocation-check none
rsakeypair TP-self-signed-2662087296
!
!
crypto pki certificate chain TP-self-signed-2662087296
certificate self-signed 01
...
snippet
...
quit
!
line con 0
exec-timeout 120 0
logging synchronous
login local
line vty 0 4
exec-timeout 120 0
password 7 *****
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 120 0
password 7 *****
logging synchronous
login local
transport input ssh

Accepted Solution

The switch must be configured with

- domain name
- Hostname
- Crypto key generate RSA (1024 or +)
- Authentication retries

Please keep me posted on whether changing the version works. Could you please provide the error message?




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<


5 Replies

Hi,

Try to verify the SSH version:

show ip ssh

To change to version 2:

conf t
ip ssh version 2





Thanks Julio. ip domain-name and then crypto commands are what fixed it.

I think I must have done something out of order and generated the keys before setting the domain name.

You are welcome. Good to know that it is working.

Have a great day  :-)





You don't need a domain name if you configure SSH correctly:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security
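
An added example, not part of any post in this thread: a small Python check that reads a saved running-config and reports which of the SSH prerequisites named in the replies are missing. The sample input is constructed from the configuration in the original question and the function names are illustrative; the RSA key itself does not appear in a running-config, so confirm it separately with `show ip ssh`.

```python
import re

# Constructed sample: SSH-relevant lines of the configuration posted in the
# original question (secrets replaced with a placeholder).
POSTED_CONFIG = """\
hostname switch03
username ssh privilege 15 secret 5 REDACTED
no aaa new-model
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
"""

def vty_blocks(lines):
    """Group sub-commands under each 'line vty' header (indentation-agnostic)."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line ") or line in ("!", "end"):
            current = line if line.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line)
    return blocks

def audit_ssh(config):
    """Return findings for SSH prerequisites visible in a running-config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pattern: any(re.match(pattern, l) for l in lines)
    findings = []
    if not has(r"hostname \S+"):
        findings.append("no hostname")
    # Default RSA keys are named hostname.domain; a labelled key pair bound
    # with 'ip ssh rsa keypair-name' is the alternative to a domain name.
    if not has(r"ip domain[- ]name \S+") and not has(r"ip ssh rsa keypair-name \S+"):
        findings.append("no ip domain-name or named RSA key pair")
    if not has(r"ip ssh version 2$"):
        findings.append("ip ssh version 2 not set")
    if not has(r"aaa new-model") and not has(r"username \S+"):
        findings.append("login local without any local username")
    for header, cmds in vty_blocks(lines).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input is not ssh-only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssh(POSTED_CONFIG)))
```

Run against the posted configuration, it reports the missing domain name (or named key pair) and the unset SSH version, which matches the fix the poster confirmed.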
