Solved: Can't disable telnet to switches - using radius authentication

midvalleyhospital810 · ‎12-19-2011

I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).

Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.

I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?

allen.hecker · ‎12-19-2011

add this command:

line vty 5 15

transport input ssh

View solution in original post

Reza Sharifi · ‎12-19-2011

Can you post "sh run" from one of your 3560s

midvalleyhospital810 · ‎12-19-2011

3560G_CORE_24#sho run

Building configuration...

Current configuration : 14214 bytes

!

! Last configuration change at 19:00:10 pst Sun Feb 28 1993

!

version 15.0

no service pad

service timestamps debug uptime

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname 3560G_CORE_24

!

boot-start-marker

boot-end-marker

!

logging buffered 51020

enable secret 5 ******

!

username admin privilege 15 password 7 *****

username mvhadmin privilege 15 password 7 *****

username cisco password 7 *****

aaa new-model

!

aaa authentication login default group radius local

aaa authorization exec default group radius

!

aaa session-id common

clock timezone pst -8 0

clock summer-time PDT recurring

system mtu routing 1500

ip routing

ip domain-name *****

ip name-server 172.27.158.23

!

ip dhcp excluded-address 172.28.178.129

!

ip dhcp pool Netscope

network 172.28.178.128 255.255.255.128

dns-server 126.11.10.1 208.67.222.222

default-router 172.28.178.129

domain-name *****

!

mls qos map cos-dscp 0 8 16 24 32 46 48 56

mls qos srr-queue input bandwidth 70 30

mls qos srr-queue input threshold 1 80 90

mls qos srr-queue input priority-queue 2 bandwidth 30

mls qos srr-queue input cos-map queue 1 threshold 2 3

mls qos srr-queue input cos-map queue 1 threshold 3 6 7

mls qos srr-queue input cos-map queue 2 threshold 1 4

mls qos srr-queue input dscp-map queue 1 threshold 2 24

mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55

mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63

mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45

mls qos srr-queue input dscp-map queue 2 threshold 3 46 47

mls qos srr-queue output cos-map queue 1 threshold 3 4 5

mls qos srr-queue output cos-map queue 2 threshold 1 2

mls qos srr-queue output cos-map queue 2 threshold 2 3

mls qos srr-queue output cos-map queue 2 threshold 3 6 7

mls qos srr-queue output cos-map queue 3 threshold 3 0

mls qos srr-queue output cos-map queue 4 threshold 3 1

mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45

mls qos srr-queue output dscp-map queue 1 threshold 3 46 47

mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23

mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35

mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39

mls qos srr-queue output dscp-map queue 2 threshold 2 24

mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55

mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63

mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7

mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15

mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14

mls qos queue-set output 1 threshold 1 100 100 50 200

mls qos queue-set output 1 threshold 2 125 125 100 400

mls qos queue-set output 1 threshold 3 100 100 100 400

mls qos queue-set output 1 threshold 4 60 150 50 200

mls qos queue-set output 1 buffers 15 25 40 20

mls qos

!

crypto pki trustpoint TP-self-signed-1561692544

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1561692544

revocation-check none

rsakeypair TP-self-signed-1561692544

!

crypto pki certificate chain TP-self-signed-1561692544

certificate self-signed 01

*****

quit

auto qos srnd4

!

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree vlan 1-6,8-10 priority 8192

!

vlan internal allocation policy ascending

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

srr-queue bandwidth share 1 30 35 5

priority-queue out

mls qos trust cos

auto qos trust

macro description cisco-switch

spanning-tree link-type point-to-point

!

interface GigabitEthernet0/2

no switchport

ip address 172.25.5.125 255.255.255.252

no ip redirects

no ip proxy-arp

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/3

switchport trunk encapsulation dot1q

switchport mode trunk

srr-queue bandwidth share 1 30 35 5

priority-queue out

mls qos trust cos

auto qos trust

macro description cisco-switch

spanning-tree link-type point-to-point

!

interface GigabitEthernet0/4

switchport trunk encapsulation dot1q

switchport mode trunk

srr-queue bandwidth share 1 30 35 5

priority-queue out

mls qos trust cos

auto qos trust

macro description cisco-switch

spanning-tree link-type point-to-point

!

interface GigabitEthernet0/5

logging event trunk-status

logging event spanning-tree

spanning-tree portfast

!

interface GigabitEthernet0/6

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/7

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/8

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/9

logging event trunk-status

logging event spanning-tree

spanning-tree portfast

!

interface GigabitEthernet0/10

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/11

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/12

switchport trunk encapsulation dot1q

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/13

switchport trunk encapsulation dot1q

switchport mode trunk

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/14

switchport trunk encapsulation dot1q

switchport mode trunk

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/15

switchport trunk encapsulation dot1q

switchport mode trunk

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/16

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/17

switchport trunk encapsulation dot1q

switchport mode trunk

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/18

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/19

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/20

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/21

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/22

switchport trunk encapsulation dot1q

switchport mode trunk

logging event trunk-status

logging event spanning-tree

!

interface GigabitEthernet0/23

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

!

interface GigabitEthernet0/24

no switchport

ip address 172.25.6.62 255.255.255.252

no ip redirects

no ip proxy-arp

speed 100

duplex full

!

interface GigabitEthernet0/25

!

interface GigabitEthernet0/26

!

interface GigabitEthernet0/27

!

interface GigabitEthernet0/28

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Vlan1

description OMAK-Networks

ip address 172.27.158.2 255.255.252.0 secondary

ip address 172.27.156.1 255.255.252.0 secondary

ip address 172.27.158.1 255.255.252.0

ip helper-address 172.27.158.23

!

interface Vlan2

description Server Segment

ip address 172.28.176.1 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan3

description BioMedical Device Segment

ip address 172.28.176.65 255.255.255.192

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan4

description Radiology Segment

ip address 172.28.176.129 255.255.255.192

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan5

description Printers

ip address 172.28.176.193 255.255.255.192

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan6

description Meditech Only Segment

ip address 172.28.177.1 255.255.255.128

ip access-group NOWEB in

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan7

no ip address

ip helper-address 172.27.158.23

!

interface Vlan8

description Admin segment

ip address 172.28.178.1 255.255.255.128

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan9

description Web Only Segment

ip address 172.28.178.129 255.255.255.128

ip access-group WEBONLY in

ip helper-address 172.28.178.129

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

interface Vlan10

description Wireless Segment - unrestricted

ip address 172.28.179.1 255.255.255.192

ip helper-address 172.27.158.23

no ip redirects

no ip unreachables

no ip proxy-arp

arp timeout 300

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.25.5.126

ip route 10.100.0.0 255.255.0.0 172.25.6.61 name *****

ip route 10.105.0.0 255.255.0.0 172.25.6.61 name *****

ip route 10.253.250.0 255.255.255.0 172.25.6.61 name *****

ip route 126.10.10.0 255.255.255.0 172.25.6.61 name *****

ip route 126.11.10.1 255.255.255.255 172.25.6.61 name *****

ip route 126.11.10.3 255.255.255.255 172.25.6.61 name *****

ip route 172.27.46.32 255.255.255.240 172.25.6.61 name *****

ip route 172.27.46.48 255.255.255.240 172.25.6.61 name *****

ip route 172.27.46.64 255.255.255.240 172.25.6.61 name *****

ip route 172.27.46.192 255.255.255.192 172.25.6.61 name *****

ip route 172.27.181.10 255.255.255.255 172.25.6.61 name *****

ip route 172.30.0.0 255.255.0.0 172.25.6.61 name *****

ip route 198.185.133.0 255.255.255.0 172.25.6.61 name *****

ip route 198.185.136.0 255.255.254.0 172.25.6.61 name *****

!

ip access-list extended BIOMED

permit tcp any host 172.27.156.23 eq domain

permit tcp any host 172.27.156.23 eq smtp

permit udp any host 172.27.156.23 eq bootps

deny ip any any

ip access-list extended MTONLY

deny tcp any any eq www

deny tcp any any eq 443

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any packet-too-big

permit ip any 198.185.136.64 0.0.0.63

permit ip any host 172.27.158.11

permit ip any host 172.27.158.12

permit udp any any eq bootps

permit udp any any eq bootpc

deny ip any any

deny ip any any log-input

ip access-list extended NOWEB

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any packet-too-big

permit ip any host 50.19.248.195

permit ip any host 65.74.18.8

permit ip any 10.100.8.0 0.0.0.255

permit ip any 10.100.9.0 0.0.0.255

permit ip any host 66.119.222.6

permit ip any host 209.3.41.156

permit udp any any eq bootps

permit ip any 172.27.156.0 0.0.3.255

permit ip any 172.28.176.0 0.0.3.255

permit ip any 198.185.136.64 0.0.0.63

deny tcp any any eq www

deny tcp any any eq 443

deny ip any any

ip access-list extended WEBONLY

permit tcp any any eq www

permit tcp any any eq 443

permit udp any any eq bootps

permit udp any any eq bootpc

deny ip any 172.27.156.0 0.0.3.255

deny ip any 172.27.172.0 0.0.0.255

deny ip any 172.28.176.0 0.0.3.255

permit ip any any

!

logging esm config

!

snmp-server community Public RO

snmp-server community ***** RO

snmp-server location Server Room

snmp-server contact IS *****

radius-server host 172.27.158.23 auth-port 1812 acct-port 1813 key 7 *****

!

line con 0

line vty 0 4

password 7 *****

length 0

transport input ssh

line vty 5 15

!

end

allen.hecker · ‎12-19-2011

add this command:

line vty 5 15

transport input ssh

midvalleyhospital810 · ‎12-19-2011

That was it, thanks.

allen.hecker · ‎12-19-2011

awesome! you're welcome.