AAA on new Stack with VRF

benolyndav
Level 4

Hi

See attached diagram.

So I have set up a 2-switch 9300 stack with 4 x 9300 access switches connecting to the stack.

I have subnetted a /23 into 4 subnets and created an SVI for each subnet on the stack. I have also created a VRF between the stack and the provider routers and have added the 4 subnets into the VRF, and all works fine: data/phones/wireless etc. all traversing the VRF as expected.

Now here's the thing: I can SSH to the access switches with no issues, but I can't SSH onto the stack. I have tried SSHing to the data SVIs and to the SVI connecting to the provider. Has anyone got any idea why this is happening, please?

Thanks in advance

4 Replies

Richard Burts
Hall of Fame

A couple of things come to mind.

- first and most obvious, can you verify IP connectivity from whatever device you originate the SSH from to the SVIs on the switches? (simple test is can you ping the SVIs)

- second and probably fairly obvious, can you verify that SSH is enabled on the switches? (show ip ssh)

- another thing to look into is whether there is any security policy or access list on the switches which would impact SSH?

- and if SSH does not work, can you telnet to the switches?

HTH

Rick

Cristian Matei
VIP Alumni

Hi,

Can you post the output of the following: "show ip ssh", "show run | i ssh", "show run | sec aaa|radius|tacacs", "show ip int brief | e unass", "show ip vrf brief"?

Regards,

Cristian Matei.

Hi, as requested.

Is this INE's Cristian Matei???


DSW1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed- (key not included)

DSW1#sh run | i ssh
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
transport input ssh
transport input ssh

DSW1#sh run | s aaa|radius|tacas
aaa new-model
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
radius server ip
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius server IP
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

DSW1#show ip int brief | e unass
Interface    IP-Address    OK?  Method  Status  Protocol
Vlanx        x.x.x.x       YES  NVRAM   up      up
Vlanx        x.x.x.x       YES  NVRAM   up      up
Vlanx        x.x.x.x       YES  NVRAM   up      up
Vlanx        x.x.x.x       YES  NVRAM   up      up
Vlanx        x.x.x.x       YES  NVRAM   up      up

DSW1#show ip vrf brief
Name        Default RD   Interfaces
DATA        <not set>    Vlx
                         Vlx
                         Vlx
                         Vlx
                         Vlx
Mgmt-vrf    <not set>    Gi0/0

Hi,

Nice meeting you here, as well. Yes, this is Cristian Matei from INE. This year you'll see my trainings on my own platform.

As for the subject matter: do you not even get the authentication prompt, or do you fail authentication? I understand that the RADIUS server and the SVIs of the stack are running in VRF DATA, correct? In this case make the required changes to end up with a config as follows and try again:

radius server FIRST
 address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
 key cisco
!
radius server SECOND
 address ipv4 2.2.2.2 auth-port 1645 acct-port 1646
 key cisco
!
aaa group server radius RADIUS_SERVERS
 server name FIRST
 server name SECOND
 ip vrf forwarding DATA
 ip radius source-interface xxxxx (needs to be in VRF DATA)
!
no aaa authentication login default group radius local
no aaa authorization exec default group radius local
aaa authentication login default group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS local
aaa session-id common

Regards,

Cristian Matei.
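An added example, not part of the thread and not Cisco's code: the config above binds the RADIUS server group to VRF DATA because a server group without `ip vrf forwarding` is reached through the global routing table, where a server that only exists in the VRF is unreachable. An independent check that does not depend on the switch at all is to send a RADIUS Access-Request from a host that sits in VRF DATA and see whether the server answers with the expected key. The script below builds a PAP Access-Request per RFC 2865 with a Message-Authenticator (RFC 2869) and validates the Response Authenticator, so a wrong shared secret (authenticator check fails) is distinguished from a routing or firewall problem (timeout). The server address 192.0.2.10, NAS address 192.0.2.20, the key `cisco` and the probe account are placeholders to be replaced.

```python
"""RADIUS PAP reachability/secret probe (RFC 2865, RFC 2869). Example written
for this page; addresses, key and account below are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 2, 4, 80


def _attr(atype: int, value: bytes) -> bytes:
    """Attribute TLV: type, total length including this 2-byte header, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); block 1 is keyed by the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of encode_password; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (HMAC-MD5 over the packet with that attribute's
    value zeroed, RFC 2869 3.2). Returns (packet, request_authenticator)."""
    if req_auth is None:
        req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    length = 20 + len(attrs) + 18          # header + attrs + Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + req_auth
    zeroed = header + attrs + _attr(ATTR_MSG_AUTH, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MSG_AUTH, mac), req_auth


def build_response(code, ident, req_auth, secret, attrs=b""):
    """What the server sends: Response Authenticator =
    MD5(code | id | length | RequestAuth | attrs | secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(packet, ident, req_auth, secret) -> int:
    """Check identifier and Response Authenticator. A mismatch means the
    shared secret differs or the reply was not produced by the real server."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length > len(packet):
        raise ValueError("identifier/length mismatch")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret?)")
    return code


def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request and classify the outcome. From a host inside
    VRF DATA, a timeout points at routing/firewalling, not AAA config."""
    ident = os.urandom(1)[0]
    pkt, req_auth = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: server unreachable from this host/VRF or not listening"
    code = verify_response(data, ident, req_auth, secret)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholders: the RADIUS server in VRF DATA, its key, a test account and the NAS address.
    print(probe("192.0.2.10", b"cisco", "probe-user", "probe-pass", "192.0.2.20"))
```

Run it from a workstation in one of the DATA subnets. An Access-Reject still proves reachability and a matching key; a ValueError on the authenticator means the key differs from what the server has for that client address. On the switch itself the IOS-XE counterparts are `ping vrf DATA <server>` for reachability and `test aaa group RADIUS_SERVERS <user> <password> new-code` to exercise the group end to end; `debug radius` shows whether a request leaves the switch at all and to which server.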

