11-07-2011 12:19 PM - edited 03-07-2019 03:15 AM
Does SSH have some kind of issue with using passwords with special characters or something? I am working with an 891W. I have only done the basic config on it using CCP Express so not much is done yet, but I do have enable and enable secret both set the same. An example password I have is passwprd!PASS! with the only special characters being the !. I can log into the router via CCP Express in a web browser, but when I ssh to the router and enter my creds it tells me Access Denied.
It is most likely that I have done nothing of consequence to cause this since if memory serves the only thing I did between when SSH worked and now when it doesn't, is edit vty 5 15 and vty 0 4 with "transport input ssh", (thus removing telnet). I certainly have not changed the password so the one that gets me into CCP Express should work on SSH too. It is the only username I have ever specified.
Can anybody help?
11-07-2011 12:40 PM
Hi,
To connect with ssh to a router you need a user/password defined in the router with the username xxx password yyy command and you must have login local configured under the vty line.
Can you do show run | be line vty as well as show run | i user, either directly in the CLI or with the command window in CCP?
Regards.
Alain
11-07-2011 01:00 PM
I have much to learn. Much. I think I only added vty 0 4 because the Software Config Guide for the 890's sort of implied I should, but I later saw that vty 5 15 was already there by default. So I compared the two and noticed that "login local" thing. My vty 0 4 had only "login". The SCG did not mention this little fact (perhaps the documentation team needs to know?) I guess "local" means a password list local to the router as opposed to some kind of external one or something. Adding that fixed the problem though.
I've always known that I need to become CCNA to even unbox a Cisco router but this kind of stuff just proves it. That will take time of course but meanwhile I will need to use this forum frequently I think. Thank you Alain for your help!
11-07-2011 01:42 PM
Hi,
you're welcome.
Yes, login local means use the user/password credentials configured locally on the router. If you want to use credentials stored on a radius/tacacs+ server you would need to configure AAA and either use a default method, and then it will automatically be applied to all lines, or a named method which you can explicitly configure on a line to override the default method.
here is an example:
1) default method which uses radius server and defaults back to local if the server is not responding
aaa new-model
aaa authentication login default group radius local
radius-server host x.x.x.x key XXX
so nothing to configure under lines
2) named method MY_AUTH using radius and line password if the server is not responding
aaa new-model
aaa authentication login MY_AUTH group radius line
radius-server host x.x.x.x key XXX
line vty 0 4
password cisco
login authentication MY_AUTH
Regards.
Alain.
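Added example, not part of the thread or any poster's code: a small Python audit that reads a saved running-config and reports, for each "line vty" block, which login method it uses and whether that method can actually authenticate (bare "login" versus "login local", and a "login authentication" list name that was never defined). The two configs, the function name audit_vty and the list name MY_AUTH2 are constructed for illustration, and the parser assumes sub-commands are indented one space as in "show running-config" output.

```python
import re

# Constructed configs (not from the thread); hash and names are placeholders.
LOCAL_CFG = """username admin secret 5 $1$constructed$placeholder
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""
AAA_CFG = """aaa new-model
aaa authentication login MY_AUTH group radius line
line vty 0 4
 password cisco
 login authentication MY_AUTH
line vty 5 15
 login authentication MY_AUTH2
"""

def audit_vty(config):
    """Map each 'line vty' range to a finding about its login method."""
    aaa = re.search(r"^aaa new-model", config, re.M) is not None
    users = re.findall(r"^username (\S+)", config, re.M)
    lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    findings = {}
    # A block is the 'line vty' header plus its indented sub-commands.
    for hdr, body in re.findall(r"^line vty ([\d ]+)\n((?: .*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        named = next((c.split()[2] for c in cmds
                      if c.startswith("login authentication ")), None)
        if named:
            ok = aaa and named in lists
            msg = f"AAA list {named}" if ok else f"FAIL: AAA list {named} is not defined"
        elif aaa:
            msg = "AAA default list" if "default" in lists else "REVIEW: no default login list"
        elif "login local" in cmds:
            msg = "local users" if users else "FAIL: login local but no username configured"
        elif "login" in cmds:
            has_pw = any(c.startswith("password ") for c in cmds)
            msg = ("line password only" if has_pw else "FAIL: bare login and no line password")
            msg += "; local usernames not consulted"
        else:
            msg = "REVIEW: no login command found"
        findings[hdr.strip()] = msg
    return findings

if __name__ == "__main__":
    for cfg in (LOCAL_CFG, AAA_CFG):
        for rng, msg in audit_vty(cfg).items():
            print(f"line vty {rng}: {msg}")
```
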
11-02-2012 08:00 PM
I apologize for not replying sooner, sometimes I lose track. Will remember to review this thread soon. Thank you!
Sent from Cisco Technical Support iPad App