AAA not working for telnet or SSH, works for HTTP - Cat 3750G

OldGreyBeast
Level 1

I know it's old, but I've got 2 48p Catalyst 3750Gs running IOS 15.  I've set up SSH on Cat switches before without issue, but for some reason this one is just being super resistant.  I can log in with my user account to the HTTP interface without any issues, but it says login failed for both SSH and telnet.  I've generated the RSA keys and whatnot, PuTTY connects just fine, it just always says that authentication failed.  It does this with both accounts I've added.  Both accounts work fine on HTTP.

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname house-cat3750G
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 [redacted]
!
username [redacted] secret 5 [redacted]
username [redacted] secret 5 [redacted]
aaa new-model
!
!
aaa authorization exec default local
!
!
aaa session-id common
clock timezone UTC -6 0
clock summer-time UTC recurring
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
ip domain-name DOMAIN.com
!
!
!
[interface/crypto key configs removed to save space]
!
interface Vlan99
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.254
ip http server
ip http secure-server
!
!
!
!
!
vstack
!
line con 0
line vty 0 4
 session-timeout 28800
 password 7 [redacted]
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 session-timeout 28800
 password 7 [redacted]
 transport input telnet ssh
 transport output telnet ssh
!
end

28 Replies

aaa authentication login default local <<- this for telnet
For SSH,
you need ip domain-name and RSA before you can access via SSH:
https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

NOTE: you need username xxx password xxx and enable password xxx before enabling auth via aaa

OldGreyBeast
Level 1

Hi, yes I've already done the ip domain-name and RSA.

Aaa auth login is missing 

OldGreyBeast
Level 1

Ok, I added:
aaa authentication login default local

No change in behavior though.

Same? Then try:

Add under line vty:

login auth default

OldGreyBeast
Level 1

Ok, added that.  Still no change in behavior

[screenshot attached by OldGreyBeast]

username xxx privilege 15 password xxx <<- add this

OldGreyBeast
Level 1

So after adding the aaa authentication login default local I lost the ability to log in via the serial cable (which is why I didn't have that line in the config initially).  The switch is rebooting to undo the aaa auth at the moment.

Sorry, can you elaborate more on how aaa auth affects access via console?

It will prompt for a username and password at the serial connection.

Neither of the usernames/passwords specified will work.  I'm not able to leave the username blank and use the enable password.

Ok, switch rebooted.  I added the aaa authentication line /only/ under vty 0 15.  This still doesn't allow login.

I deleted the second user and added a new user:
username admin password 0 admin priv 15

Still unable to login.

Just one second.

You can access via console and do config?

But still cannot access via telnet and SSH?

Sorry I missed this reply.  Yes, after rebooting the switch (which reverted the aaa auth) I am able to access the console port without credentials and make config changes.

If I add the aaa authentication line back, username/password is required via the serial console and I'm unable to log in due to it not accepting the credentials.

AAA needs:
aaa authentication login default local
NO aaa authorization exec default local
username mhm privilege 15 password mhm
enable password mhm

Under the line vty:
login authentication default

NOTE: please don't copy run to start, so in case this config does not work you can still access via console.
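A way to apply the AAA change the reply above describes without being locked out of the serial port, as an added example that is not part of the thread: it uses a separate console method list, a timed reload as a safety net, and `secret` rather than `password` for the local user. The CONSOLE list name, the admin username and the placeholder secrets are assumptions.

```cisco
! Safety net: if the new login config locks you out, the switch reloads
! in 10 minutes with the unsaved startup-config. Cancel it once SSH works.
reload in 10
!
configure terminal
aaa new-model
! VTY (telnet/SSH) lines authenticate against the local user database
aaa authentication login default local
! Console authenticates with the line password only, so a broken local
! user database cannot lock you out of the serial port
aaa authentication login CONSOLE line
aaa authorization exec default local
!
! Use 'secret' (salted hash) rather than 'password': 'password' entries
! are stored with the reversible type 7 encoding even under
! 'service password-encryption'
username admin privilege 15 secret <ADMIN_SECRET_PLACEHOLDER>
enable secret <ENABLE_SECRET_PLACEHOLDER>
!
line con 0
 password <CONSOLE_LINE_PASSWORD_PLACEHOLDER>
 login authentication CONSOLE
!
line vty 0 15
 login authentication default
 ! keep telnet only until SSH login is confirmed, then drop it
 transport input telnet ssh
end
!
! Open a second SSH session and confirm it authenticates ('show users'
! lists active sessions) BEFORE cancelling the reload and saving.
reload cancel
write memory
```

`show running-config | section aaa` shows which method lists are active, and `debug aaa authentication` (used briefly on a lab or console session) shows which method each failed login attempt actually hit.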
