Cisco 3560 Sh run issue

Unanswered Question
Sep 20th, 2010
User Badges:

Hello dear members.  I have 2 switches 3560 and they both running on the same IOS <<c3560-ipserviceslmk9-tar.122-55.SE.tar>>


In one of the switches I am enabling ssh to use local AAA authentication using the below commands.



aaa new-model
aaa authentication login default local
aaa authentication enable default enable

ip domain-name xyz.com

crypto key generate rsa  ==> with a key of 2048 size
ip ssh time-out 120
ip ssh authentication-retries 3


line vty 0 4
transport input ssh
end
Both of the switches have the exact same config.

But in one of them when i type sh run
I get the bellow.

crypto pki trustpoint TP-self-signed- xxxxxxxxxxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxxxxxxxxx


and on the OTHER switch I do not seem to be getting this output as I am shown above.

Anyone has any ideas?

Please keep in mind I am able to log in using SSH to both of the switches.  and ip ssh version 2 is enabled to both.

I would appreciate your response on that matter.

Thank you and have a great evening.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Mon, 09/20/2010 - 11:38
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

The certificate as far as i know is not used for SSH. The key pair you generated for SSH does not create a certificate.


Does one of the switches have "ip http secure-server" configured ?


Jon

antonios.skoula... Mon, 09/20/2010 - 14:35
User Badges:

Jon thank you for the reply,


I guess I answered my own question, there is nothin ginconsistent between the 2 switch configs, simply I did not get a chance to https to the IP of the 2nd switch which means the switch was never given the opportunity to generate the certificate.


Thank you for the reply.

Jon Marshall Mon, 09/20/2010 - 14:38
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

antonios.skoulariotis wrote:


Jon thank you for the reply,


I guess I answered my own question, there is nothin ginconsistent between the 2 switch configs, simply I did not get a chance to https to the IP of the 2nd switch which means the switch was never given the opportunity to generate the certificate.


Thank you for the reply.


So just to clarify for me and others it was to do with using https to access the switch ? ie. ssh doens't need a cert but when you https to the switch it needs a cert ?


Jon

antonios.skoula... Tue, 09/21/2010 - 05:48
User Badges:

Jon you are correct.  When you first enable Ip http secure-server in simple terms when you enable https only access to the switch and you do a sh run you get nothing changed on the run config.


When you though try to access the switch for the very first time, and since it is a secure connection, the certificate is self generated on the actual switch.


Using ssh the way I have it configured with local authentication does not require certs.


You have the ability though to aaa the users using a tacacs or a radius server and the option to use certs.


I hope this clarifies it.


Thank you for your responses.

Actions

This Discussion