
SSH Login Question

scooter817
Level 2

Hi

I wanted to know if someone could look at my config and tell me what I'm missing from it in order for me to use AAA to log in to my switch. What I've done so far is I've added it to the radius server and I've added the lines to my config and I can only log in using telnet.

 

Eric

Accepted Solutions

There is definitely a discrepancy. But we don't know the local username as it shows xxxx, the login authentication list shows UCC?

username XXXX privilege 15 secret 5 $1$r2TU$sFqSmleCy4w7Zht/rFMpG.
aaa new-model
!
!
aaa authentication login UCC group radius local


michael.burke
Level 1

Not sure what switch it is but did you generate an rsa key?

 

Edit, I see it's a 2960x.

Thanks for the quick reply and what command would I use to generate the rsa key and thanks again.

crypto key generate rsa mod 1024
or some variant of that but ssh needs a key to work.

I just tried and it came up and said "You already have RSA keys defined named Southwest.com they will be replaced"

Is this a production switch or a lab?
Do you have physical access to it?
We have had to regenerate RSA's on much newer appliances and that got ssh to work, it merely overwrites the key forcing clients to accept a new key when attempting to connect.
  If you have telnet working with Radius credentials then at least the non secure back door is open, allowing you to mess with ssh access until you get it working. Once it is working just restrict it on the VTY's (transport input ssh).
I would try regenerating the key.

What happens when you try to ssh the switch? Connection Refused?
Does a port scan of the switch show 22 open?

argh first try matching the vty login authentication to the aaa list.

 

one says USC the other says UCC.

I'm on my way home but when I get there I'll generate a new key and let you know what happens.

Seb Rupik
VIP Alumni

Hi there,

Your first 5 VTY lines are not using your AAA method 'UCS'. Try the following config:

!
line vty 0 4
  privilege level 15
  no password 7 00071A150754
  login authentication USC
  transport input all
!
line vty 5 15
  privilege level 15
  login authentication USC
  transport input all
!

cheers,

Seb.

Thank you so much for the help, I added the Login authentication USC and now SSH is working.
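
A check for the mismatch found in this thread, as an added example that is not part of the original posts: it parses an IOS-style configuration and reports VTY lines whose `login authentication` list is missing or not defined by an `aaa authentication login` statement, and lines whose `transport input` still permits telnet. The sample configuration is constructed and the function name `audit_line_auth` is hypothetical.

```python
import re

# Constructed sample (not the poster's real config): the AAA list is named UCC
# while one VTY block references USC and the other references no list at all.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login UCC group radius local
!
line con 0
line vty 0 4
 privilege level 15
 password 7 PLACEHOLDER
 transport input all
line vty 5 15
 privilege level 15
 login authentication USC
 transport input all
!
"""

def audit_line_auth(config_text):
    """Return (line_block, finding) tuples for the VTY blocks of a config."""
    # Names of every login method list the config defines.
    defined = set(re.findall(r"^aaa authentication login (\S+)", config_text, re.M))
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("line "):            # start of a line block
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:  # indented sub-command
            blocks[current].append(raw.strip())
        else:                                  # "!" or a global command
            current = None
    findings = []
    for name, body in blocks.items():
        if not name.startswith("line vty"):
            continue
        lists = [l.split()[2] for l in body if l.startswith("login authentication ")]
        if not lists:
            findings.append((name, "no named login authentication list applied"))
        for lst in lists:
            if lst not in defined:
                findings.append((name, f"list {lst} is not defined (defined: {sorted(defined)})"))
        for l in body:
            if l.startswith("transport input ") and {"all", "telnet"} & set(l.split()[2:]):
                findings.append((name, "transport input permits telnet"))
    return findings

if __name__ == "__main__":
    for block, finding in audit_line_auth(SAMPLE_CONFIG):
        print(f"{block}: {finding}")
```
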
