configure local ssh login

Unanswered Question
Sep 10th, 2010

Trying to configure a local login on routers and switches running IOS. We currently have tacacs+ configured, but want to configure the local login with SSH v2 in case we lose connection with the ACS server. I followed the directions listed in the link below with no success. Any ideas?

Federico Coto F... Fri, 09/10/2010 - 15:53

What do you have configured under line vty?

sh run | sec line vty

Does it show: login authentication ?

You can do:

aaa authentication login default local

(conf t)# line vty 0 4
 login authentication default

Assuming you already have a local username/pass with priv 15?


Richard Burts Sat, 09/11/2010 - 13:50


You have not given us much to work with in trying to solve your problem. You assert that you have followed the directions in the link that you give. But you do not provide any of your config details so that we can evaluate whether you omitted any steps. (perhaps you can post the relevant parts of your config) You say that you have no success but you do not tell us what kind of problem there might be. Is SSH really enabled on the router? (posting the output of show ip ssh would help to answer that) When you attempt to SSH to the router do you get any login prompt? (if no prompt perhaps there is a problem with SSH or perhaps access to the router vty is restricted) If you get a login prompt are you using the correct login ID and password? (did you test access to the router and authentication for that user ID and password before enabling SSH as the link directed?)

If you provide the information that I am requesting then perhaps we will be able to provide better suggestions about your problem.



DuaneKPetersen Tue, 09/21/2010 - 15:07


The RSA key, domain, login name is test. We have AAA configured and SSHv2 running. Listed below is debug output from sh ssh. I have set the user name and password several times.

1          2.0     IN   aes128-cbc  hmac-md5     Keys exchanged        test
1          2.0     OUT  aes128-cbc  hmac-md5     Keys exchanged        test

Richard Burts Tue, 09/21/2010 - 19:00


The screen shot that you attached provides some helpful information. It seems to indicate that it is not a problem in getting SSH to run (though it does not prove that point). And it indicates that there is an authentication problem.

You tell us that you have configured aaa but you do not provide any details about what is configured in aaa. This makes it impossible for us to identify the problem based on what we have so far. It would be a good start if you would provide the details of your configuration of aaa. It might be even better if you would use debug aaa authentication, attempt the SSH access, and post all the debug output.



DuaneKPetersen Wed, 09/22/2010 - 09:30

Listed below are the aaa configs.

username test privilege 15 password 7 0201087B180F0A33
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting connection default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+

Richard Burts Sat, 09/25/2010 - 12:27


Thank you for posting the additional information. This moves us a step closer but still is not enough for us to identify the source of the problem. aaa is configured to attempt authentication with tacacs and with a backup method of line. We cannot tell from the information so far whether tacacs was available or not and whether the authentication attempt went just to tacacs or attempted tacacs and then attempted line authentication.

So I have a couple of questions and suggestions:


- am I correct in assuming that the attempt to SSH used the username of test?

- is there an entry in tacacs for user test?

- can you login to the router (via telnet or on console port) using user name test?


- make sure that your attempt at SSH uses a name and password that work for telnet or console.

- to help determine what the router is doing for authentication use debug aaa authentication.

  * make sure that you have a logging level that includes debug (either or both of logging buffered and/or logging monitor)

  * debug aaa authentication

  * make the SSH attempt.

  * get the log output and post it.

  * be sure to turn debug off
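The method list discussed above (tacacs+ with a backup method of line), checked by an added example that is not part of any post in this thread and is not Cisco tooling: the script reads an IOS config and reports what each VTY falls back to after the server group. In IOS the line method checks the line password, while local checks the configured username entries. The VTY stanza in the sample and all function names are assumptions made for illustration.

```python
import re

# Constructed input: the username and login-list lines posted in this thread,
# plus an assumed VTY stanza (the poster's line vty config is never shown).
SAMPLE_CONFIG = """\
username test privilege 15 password 7 0201087B180F0A33
aaa new-model
aaa authentication login default group tacacs+ line
line vty 0 4
 transport input ssh
"""

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", line.strip())
        if m:  # 'group tacacs+' is one method, so keep it as one token
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def vty_login_lists(config):
    """Map each 'line vty' stanza to the login list it uses ('default' if unset)."""
    used, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends the stanza
            current = line.strip() if line.startswith("line vty") else None
            if current:
                used[current] = "default"
        elif current:
            m = re.match(r"login authentication (\S+)", line.strip())
            if m:
                used[current] = m.group(1)
    return used

def audit_fallback(config):
    """List what each VTY falls back to once the server group stops answering."""
    lists, findings = login_method_lists(config), []
    for vty, name in vty_login_lists(config).items():
        fallbacks = [m for m in lists.get(name, []) if not m.startswith("group ")]
        if name not in lists:
            findings.append(f"{vty}: login list '{name}' is not defined")
        elif not fallbacks:
            findings.append(f"{vty}: list '{name}' has no method after the server group")
        elif not {"local", "local-case"} & set(fallbacks):
            findings.append(f"{vty}: list '{name}' falls back to {fallbacks}, not local users")
        elif not re.search(r"^username \S+", config, re.M):
            findings.append(f"{vty}: list '{name}' uses 'local' but no username exists")
    return findings
```

Calling audit_fallback(SAMPLE_CONFIG) returns one finding for line vty 0 4; the same config with local in place of line returns none.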



Richard Burts Sat, 09/25/2010 - 12:42


I have re-read the entire thread and while I believe that my questions and approach to troubleshooting are valid, I realize that I have not been addressing your primary concern which is to configure a user and the functionality that allows you to SSH to the router when tacacs is not working. In that context my question whether the username of test is configured in tacacs does not matter.

And I would add another question to my list of questions:

- what are you doing in your test to prevent tacacs from attempting to authenticate the user when you attempt SSH to the router?

I still believe that my suggestions for troubleshooting are valid and suggest that you do them.



Richard Burts Tue, 09/28/2010 - 13:39


I wonder if your method of testing is part of what is causing the problem. If you test by removing aaa new-model then the configured aaa authentication is not working. So what is the router doing for authentication when you test?

It might be helpful if you would post the configuration of the line vty from the router.

I think the best way to figure out what is happening would be to use debug aaa authentication.

- make sure that logging buffered is enabled, that the buffer is of sufficient size to contain messages generated by the test and that it is operating at the debug level of severity.

- debug aaa authentication.

- no aaa new-model.

- attempt SSH to the router.

- access the router. show log, get the log messages from debug aaa authentication, post the log messages here.

- turn off debug aaa authentication.

- restore the aaa configuration.



