11-07-2011 12:19 PM - edited 03-07-2019 03:15 AM
Does SSH have some kind of issue with using passwords with special characters or something? I am working with an 891W. I have only done the basic config on it using CCP Express so not much is done yet, but I do have enable and enable secret both set the same. An example password I have is passwprd!PASS! with the only special characters being the ! . I can log into the router via CCP Express in a web browser, but when I ssh to the router and enter my creds it tells me Access Denied.
It is most likely that I have done nothing of consequence to cause this since, if memory serves, the only thing I did between when SSH worked and now when it doesn't is edit vty 5 15 and vty 0 4 with "transport input ssh" (thus removing telnet). I certainly have not changed the password, so the one that gets me into CCP Express should work on SSH too. It is the only username I have ever specified.
Can anybody help?
11-07-2011 12:40 PM
Hi,
To connect with ssh to a router you need a user/password defined in the router with the "username xxx password yyy" command, and you must have "login local" configured under the vty line.
Can you do "show run | be line vty" as well as "show run | i user", either directly in the CLI or with the command window in CCP?
Regards.
Alain
11-07-2011 01:00 PM
I have much to learn. Much. I think I only added vty 0 4 because the Software Config Guide for the 890's sort of implied I should, but I later saw that vty 5 15 was already there by default. So I compared the two and noticed that "login local" thing. My vty 0 4 had only "login". The SCG did not mention this little fact (perhaps the documentation team needs to know?). I guess "local" means a password list local to the router as opposed to some kind of external one or something. Adding that fixed the problem though.
I've always known that I need to become CCNA to even unbox a Cisco router but this kind of stuff just proves it. That will take time of course but meanwhile I will need to use this forum frequently I think. Thank you Alain for your help!
11-07-2011 01:42 PM
Hi,
You're welcome.
Yes, login local means use the user/password credentials configured locally on the router. If you want to use credentials stored on a radius/tacacs+ server you would need to configure AAA and either use a default method, and then it will automatically be applied to all lines, or a named method which you can explicitly configure on a line to override the default method.
Here is an example:
1) default method which uses radius server and defaults back to local if the server is not responding
aaa new-model
aaa authentication login default group radius local
radius-server host x.x.x.x key XXX
so nothing to configure under lines
2) named method MY_AUTH using radius and line password if the server is not responding
aaa new-model
aaa authentication login MY_AUTH group radius line
radius-server host x.x.x.x key XXX
line vty 0 4
password cisco
login authentication MY_AUTH
Regards.
Alain.
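The checks discussed in this thread, as an added example (not code from any poster or from Cisco): a Python audit that reads a saved running-config and flags vty lines that use plain login instead of login local, or that name an AAA method list which is undefined or depends on a missing line password. The function name, the sample configs and the finding strings are assumptions made for illustration.

```python
import re

# Constructed samples in "show running-config" layout; not taken from the thread.
LOCAL_SAMPLE = """\
username admin secret 0 EXAMPLE
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login local
"""
AAA_SAMPLE = """\
aaa new-model
aaa authentication login MY_AUTH group radius line
line vty 0 4
 login authentication MY_AUTH
line vty 5 15
 login authentication OTHER_AUTH
"""

def audit_vty_login(config):
    """Return findings for vty lines whose login method lacks what it needs."""
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    has_user = re.search(r"^username \S+", config, re.M) is not None
    methods = {n: m.split() for n, m in re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M)}
    blocks, current = {}, None  # "line vty 0 4" -> its indented sub-commands
    for l in config.splitlines():
        if l.startswith("line vty "):
            current = blocks.setdefault(l.strip(), [])
        elif current is not None and l.startswith(" "):
            current.append(l.strip())
        else:
            current = None
    findings = []
    for name, cmds in blocks.items():
        has_pw = any(c.startswith("password ") for c in cmds)
        named = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), None)
        if aaa and named and named not in methods:
            findings.append(f"{name}: method list {named} is not defined")
        elif aaa:
            used = methods.get(named or "default", [])
            for method, ok, need in (("local", has_user, "username"), ("line", has_pw, "line password")):
                if method in used and not ok:
                    findings.append(f"{name}: method '{method}' is listed but no {need} is set")
        elif "login local" in cmds and not has_user:
            findings.append(f"{name}: login local is set but no username is defined")
        elif "login" in cmds:
            findings.append(f"{name}: plain login checks the line password, not local usernames")
    return findings
```
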
11-02-2012 08:00 PM
I apologize for not replying sooner, sometimes I lose track. Will remember to review this thread soon. Thank you!
Sent from Cisco Technical Support iPad App