05-20-2009 11:30 AM - edited 03-06-2019 05:50 AM
Imagine that I have the following setup on my 2960 switch:
!
enable secret pass1
!
username magoo password pass2
!
line vty 0 4
password pass3
login
transport input ssh
!
Then I launch putty.exe and reach the 2960; I get the username and password prompt OK.
I input username "magoo".
I input password "pass2" and get the message "access is denied".
What am I missing here?
My intention is to force people to log on via ssh and get prompted to input
username = magoo and password = pass2 to access user exec mode.
05-20-2009 11:34 AM
Change your login to "login local" under your line:
line vty 0 4
login local
I'm not sure if your switch supports it, as I don't have one to test, but you generally need an ssh key configured on a router (but since this is a switch, I'm not sure). You would do this by:
1.) Having a domain name configured
2.) Generating the key "crypto key generate rsa general-keys mod 1024"
See if your switch supports it because mine doesn't. (Now I need to figure out why I can't ssh into mine!) :)
HTH,
John
05-20-2009 11:59 AM
Yes, I generated the key - OK.
I did as you said with 'login local' and it works.
Just a confirmation:
If I do 'login local' under vty 0 15, this does not block me from logging on users via AAA in the future, right?
I will read the docs more to understand this...
05-20-2009 12:02 PM
Marlon
The reason that it is not taking the username and password is that the vty defaults to authenticating with the line password that is configured. And you have not done anything to change the default behavior. John's suggestion to specify login local is certainly one way to fix it. You could also get the result that you want by configuring aaa authentication to do local authentication.
[edit] I just saw your post asking about the relationship between login local and aaa authentication. When you start aaa authentication it will override the login local. So you can do login local until you are ready to start aaa. When you start aaa then it will take precedence over login local.
HTH
Rick
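An added example (not part of the original thread or any poster's code): a small Python check that reads an IOS-style configuration and reports which credential source each vty range uses, following the precedence described in the replies above. The function names, and the rule that a line block ends at `!`, `end` or the next `line` header, are assumptions of this example.

```python
# Constructed sample: the configuration posted in the question.
SAMPLE = (
    "enable secret pass1\n!\n"
    "username magoo password pass2\n!\n"
    "line vty 0 4\npassword pass3\nlogin\ntransport input ssh\n!\n"
)

def vty_auth(config):
    """Map each vty range to the credential source it authenticates against."""
    lines = [l.strip() for l in config.splitlines()]
    aaa_enabled = "aaa new-model" in lines
    result, current = {}, None
    for line in lines:
        if line.startswith("line "):
            # Only vty blocks are tracked; console/aux headers close the block.
            current = line[5:] if line.startswith("line vty ") else None
            if current:
                result[current] = "line password"  # vty default per the thread
        elif line in ("!", "end"):
            current = None
        elif current and line == "login local":
            result[current] = "local usernames"
        elif current and line == "login":
            result[current] = "line password"
        elif current and line == "no login":
            result[current] = "none"
        elif current and line.startswith("login authentication "):
            result[current] = "aaa list " + line.split()[2]
    if aaa_enabled:
        # Once AAA is started it takes precedence over login / login local.
        result = {k: v if v.startswith("aaa list") else "aaa list default"
                  for k, v in result.items()}
    return result

def unused_local_users(config):
    """vty ranges where usernames are defined but never consulted at login."""
    has_users = any(l.strip().startswith("username ")
                    for l in config.splitlines())
    return [vty for vty, src in vty_auth(config).items()
            if has_users and src == "line password"]

if __name__ == "__main__":
    print(vty_auth(SAMPLE))            # the question's config
    print(unused_local_users(SAMPLE))  # explains why magoo/pass2 is refused
```

Run against a saved running-config, a non-empty result from `unused_local_users` points at the same mismatch the question describes: a local user exists, but the vty still checks the line password.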