Solved: Not able to SSH C9800-L, getting permission denied

BhushanRam99337 · ‎04-07-2021

I am trying to SSH C9800-L but it shows permission denied. The same credentials work for Web GUI login.

WLC#show ip int br
Interface IP-Address OK? Method Status Protocol
Tw0/0/0 unassigned YES unset up up
Tw0/0/1 unassigned YES unset down down
Tw0/0/2 unassigned YES unset down down
Tw0/0/3 unassigned YES unset down down
Te0/1/0 unassigned YES unset down down
Te0/1/1 unassigned YES unset down down
GigabitEthernet0 192.168.100.10 YES TFTP up up
Vlan1 10.10.10.11 YES NVRAM up up
WLC#

admin@192.168.100.10's password:

Permission denied, please try again later

I have enabled SSH using below commands :

WLC#config t

Enter configuration commands, one per line. End with CNTL/Z.

WLC(config)#ip ssh version 2

WLC(config)#ip ssh time-out 90

WLC(config)#ip ssh authentication-retries 2

WLC(config)#line vty 1 10

WLC(config-line)#transport input ssh

Would really appreciate any help!

Thanks

craig.beck · ‎04-07-2021

Try adding:

aaa authentication login default local
aaa authorization exec default local

View solution in original post

Rasika Nayanajith · ‎04-07-2021

Pls post "show ip ssh" output.

I assume you have the below command and generate required key for SSH

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/secure-shell.html

crypto key generate rsa

HTH

Rasika

*** Pls rate all useful responses ***

BhushanRam99337 · ‎04-07-2021

hello Rasika,

Thanks for your response. Yes I have generated key using 'Crypto key generate rsa' command.

WLC#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 90 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2860499199
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWCzY7X6J2NkLc/1lW66CKpJHxMn5EclND8NKswiiN
peV5DYkwrefeUr34Z3LG50FDkXh1TwxW2GeLaKcTerCgOd8hMIds02mzFb6c+gDUYgC7I4IZXmq4zs01
PAGkwPV+bkGAaerazNLlfvh0f18lQeWSOk3qXz1O7P/zVx9lilOUf3WRxG3FBTkBbz+bfIjok49HnooH
yViedkl9AHcVL+JWsHjMccihRjAkaiEqi9A1/nZ2+7UdIIYR3CZmj85CSpnKz2/ppbQyvtI5rrD6CYjz
+96v+7rTlDFLmMwD42Q74TUEIfF6clxR/bphhqe38a0WZYJSUTf4cW2tgZzT
WLC#
WLC#show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha2-256 Keys exchanged admin
0 2.0 OUT aes256-ctr hmac-sha2-256 Keys exchanged admin

BhushanRam99337 · ‎04-07-2021

WLC#show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha2-256 Keys exchanged admin
0 2.0 OUT aes256-ctr hmac-sha2-256 Keys exchanged admin

Rasika Nayanajith · ‎04-07-2021

what version of the software is it on your 9800 ?

Do you use priviledge15 local user for SSH?

For testing create a privilege 15 user like below and give it a try

username <username> privilege 15 secret <password>

HTH

Rasika

craig.beck · ‎04-07-2021

Try adding:

aaa authentication login default local
aaa authorization exec default local

BhushanRam99337 · ‎04-20-2021

Thanks Craig. This resolved the issue.

MrMike · ‎10-11-2021

Before you run those two commands, you may need to run "aaa new-model" if you have not already done so.

patoberli · ‎08-04-2022

Just needed this too after setting up a fresh 9800-CL with 17.9.1. Did the initial setup wizard.