02-09-2017 01:55 PM - edited 03-08-2019 09:16 AM
I have set up SSH on several switches, but I am about to be defeated by the 2960X series.
Previously I have set it up using the aaa model as per the documentation, but it hasn't helped. I am now also trying another method without the aaa model and am still coming up short.
If anyone is able to provide any direction, that would be fantastic. I have already had to recover the password once, and I am copying and pasting, so I know I am typing the passwords in correctly.
Here are some details.
WS-C2960X-48FPS-L
15.0(2)EX5
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname switch03
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
!
username ssh privilege 15 secret 5 *****
username ssh-bu privilege 15 secret 5 *****
no aaa new-model
switch 1 provision ws-c2960x-48fps-l
!
crypto pki trustpoint TP-self-signed-2662087296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2662087296
 revocation-check none
 rsakeypair TP-self-signed-2662087296
!
!
crypto pki certificate chain TP-self-signed-2662087296
 certificate self-signed 01
  ...
  snippet
  ...
  quit
!
line con 0
 exec-timeout 120 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 120 0
 password 7 *****
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 password 7 *****
 logging synchronous
 login local
 transport input ssh
02-09-2017 01:59 PM
Hi,
Try to verify the ssh version:
show ip ssh
to change to ver 2:
conf t
ip ssh version 2
02-09-2017 02:25 PM
The switch must be configured with
- domain name
- Hostname
- Crypto key generate RSA (1024 or +)
- Authentication retries
Please keep me posted on whether changing the version works. Could you please provide the error message?
02-09-2017 02:39 PM
Thanks Julio. ip domain-name and then the crypto commands are what fixed it.
I think I must have done something out of order and generated the keys before setting the domain name.
02-09-2017 03:05 PM
You are welcome. Good to know that it is working.
Have a great day :-)
02-10-2017 01:01 AM
You don't need a domain name if you configure SSH correctly:
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security
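Added example, not part of any post in this thread: a small Python check that reads an IOS running-config and reports which of the SSH prerequisites discussed above are missing. The function name, the finding strings and the sample text are constructed for illustration, and accepting `ip ssh rsa keypair-name` as a substitute for a domain name is an assumption about what the last reply refers to.

```python
import re

# Constructed sample: SSH-relevant lines of the configuration posted in the
# question (secrets replaced); it has no "ip domain-name" and no "ip ssh" lines.
POSTED_CONFIG = """\
hostname switch03
username ssh privilege 15 secret 5 REDACTED
no aaa new-model
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

def audit_ssh_prereqs(config):
    """Return a list of SSH prerequisite findings for an IOS running-config."""
    findings, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":                       # top-level command starts a section
            current = raw.strip()
            sections[current] = []
        elif current is not None:               # indented sub-command
            sections[current].append(raw.strip())
    top = list(sections)
    if not any(re.fullmatch(r"hostname \S+", c) for c in top):
        findings.append("hostname not set")
    # Key naming: a domain name, or (assumption, the alternative hinted at in
    # the last reply) a labelled key bound with "ip ssh rsa keypair-name".
    if not any(re.match(r"ip (domain[- ]name|ssh rsa keypair-name) \S+", c) for c in top):
        findings.append("no ip domain-name and no named SSH keypair")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set")
    if "aaa new-model" not in top and not any(c.startswith("username ") for c in top):
        findings.append("no local username for login local")
    for name, subs in sections.items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in subs:
            findings.append(f"{name}: transport input is not ssh-only")
        if "aaa new-model" not in top and "login local" not in subs:
            findings.append(f"{name}: login local missing")
    return findings

print(audit_ssh_prereqs(POSTED_CONFIG))
```

RSA keys are not stored in the running-config, so this check cannot tell whether the keys were generated after the domain name was set; `show ip ssh` on the switch remains the way to confirm SSH is actually enabled.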