
Unable to login to Catalyst 9200 via SSH

Hi,

 

I am setting up some Catalyst 9200 switches (my first time ever with Cisco kit from scratch), and am having issues with SSH.

 

It seems SSH is enabled by default using autoinstall, as I can get a connection and am prompted for login details, but the credentials I am using aren't working. I get an access denied error.

 

I created a user with the below config line:

username admin privilege 15 secret 9 "some_secret"

Can anyone help me figure out why this username and password are not working?

 

Thanks

James 

2 Accepted Solutions

Having the complete config was helpful. Thanks for that.

I also wonder about ssh being enabled by default. And wonder if perhaps something you did in autoinstall did enable SSH? The output of show ip ssh would be helpful in verifying that SSH is indeed running. (on the other hand if you are attempting SSH access and are getting a prompt for credentials then it sure sounds like SSH is running)

I believe that if you were to configure aaa new-model that it might, in fact, solve your issue. Here is what I believe is going on (which I determined by looking at parts of the complete config).

- there is no aaa new-model so we are looking at very basic authentication behaviors.

- the vty are configured with login, so there is a prompt for credentials. But the configuration does not specify login local to tell it to check for locally configured user ID and password.

- and there is no password configured on the vty. Without aaa new-model the vty expect to authenticate with the password configured on the vty.

- so at present you attempt SSH, the connection request is accepted, the prompt for credentials is sent to you, but there is no password configured to match what you are entering.

- if you do configure aaa new-model (and nothing else for the moment) then the authentication behavior changes. Now the default authentication for vty is login local. And it would try to match what you enter with the locally configured ID and password.

HTH

Rick
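
The decision logic described in the answer above, as an added Python example (not part of the original thread and not Cisco tooling): it reads a running-config and reports which credential source each vty block will check. The sample config, the hash placeholder and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample: no aaa new-model, one local user, bare "login" on vty 0 4.
SAMPLE_CONFIG = """\
no aaa new-model
username admin privilege 15 secret 9 <hash-placeholder>
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login local
"""

def parse(config):
    """Collect global AAA/user facts and the sub-commands of each vty block."""
    state = {"aaa": False, "method_list": False, "users": [], "vty": {}}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # any global command closes a line block
            current = None
            if line == "aaa new-model":   # exact match, so "no aaa new-model" is skipped
                state["aaa"] = True
            elif line.startswith("aaa authentication login "):
                state["method_list"] = True
            elif (m := re.match(r"username (\S+) ", line)):
                state["users"].append(m.group(1))
            elif line.startswith("line vty "):
                current = state["vty"].setdefault(line, [])
        elif current is not None:
            current.append(line.strip())
    return state

def effective_auth(config):
    """Map each vty block to the credential source it checks (labels are made up here)."""
    st = parse(config)
    result = {}
    for name, cmds in st["vty"].items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if st["aaa"] and st["method_list"]:
            verdict = "aaa-method-list"           # explicit list: not covered in the thread
        elif st["aaa"] or "login local" in cmds:  # local username database
            verdict = "local-users" if st["users"] else "local-users-none-defined"
        elif "login" in cmds:                     # line password, which may be absent
            verdict = "line-password" if has_pw else "no-password-login-fails"
        else:
            verdict = "not-covered"
        result[name] = verdict
    return result

if __name__ == "__main__":
    print(effective_auth(SAMPLE_CONFIG))
```

Run against a saved show run, a verdict of no-password-login-fails on a vty block matches the symptom in this thread: the SSH prompt appears, but no credential can succeed.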


you need to configure this

aaa new-model

with local logins

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


13 Replies

balaji.bandi
Hall of Fame

Can you post show run (if you have access to console)?

Username format:

username your_user_name privilege 15 password 7 secret567

Config guide for reference:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/sec/b_169_sec_9200_cg/configuring_local_authentication_and_authorization.html

 

BB


Do you want the whole config?

I do wonder if I need to change;

no aaa new-model

to

aaa new-model

Should I try that first and retest?

 

Cheers

James

Yes, if you can post show run (easy for a quick fix); if not, we need to go in circles to fix it.

BB


Have attached.


Can confirm that after enabling

aaa new-model

I am able to login via SSH using the admin account I created!

 

Thanks for your advice, greatly appreciated.

 

James


Thanks for confirming that aaa new-model did resolve your issue. And thank you for marking this discussion as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

aaa new-model quickly resolved SSH issue on the Catalyst 9200. 

Thank you very much!!

Thanks for sharing your experience. I am glad that our discussion has been helpful for you.

HTH

Rick

Hello,

 

I am not sure that SSH works out of the box on the 9200, to be honest. Either way, make sure that hostname, domain and crypto key have been configured properly, as detailed in the guide linked below:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/sec/b_169_sec_9200_cg/configuring_secure_shell__ssh_.html#con_1318447

I had the same problem on a c9200L-48 running 16.12.4.  I could not ssh into the device even after clearing and re-adding the proper aaa and crypto parameters.  Applying 17.08.01 fixed the problem.

Thanks for sharing your experience with this issue and your solution.

HTH

Rick