12-19-2011 01:57 PM - edited 03-07-2019 03:58 AM
I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
12-19-2011 04:29 PM
Can you post "sh run" from one of your 3560s?
12-19-2011 05:01 PM
3560G_CORE_24#sho run
Building configuration...
Current configuration : 14214 bytes
!
! Last configuration change at 19:00:10 pst Sun Feb 28 1993
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname 3560G_CORE_24
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51020
enable secret 5 ******
!
username admin privilege 15 password 7 *****
username mvhadmin privilege 15 password 7 *****
username cisco password 7 *****
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius
!
!
!
!
!
aaa session-id common
clock timezone pst -8 0
clock summer-time PDT recurring
system mtu routing 1500
ip routing
ip domain-name *****
ip name-server 172.27.158.23
!
ip dhcp excluded-address 172.28.178.129
!
ip dhcp pool Netscope
network 172.28.178.128 255.255.255.128
dns-server 126.11.10.1 208.67.222.222
default-router 172.28.178.129
domain-name *****
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-1561692544
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1561692544
revocation-check none
rsakeypair TP-self-signed-1561692544
!
!
crypto pki certificate chain TP-self-signed-1561692544
certificate self-signed 01
*****
quit
auto qos srnd4
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-6,8-10 priority 8192
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
no switchport
ip address 172.25.5.125 255.255.255.252
no ip redirects
no ip proxy-arp
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/5
logging event trunk-status
logging event spanning-tree
spanning-tree portfast
!
interface GigabitEthernet0/6
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/8
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/9
logging event trunk-status
logging event spanning-tree
spanning-tree portfast
!
interface GigabitEthernet0/10
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/12
switchport trunk encapsulation dot1q
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/16
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/17
switchport trunk encapsulation dot1q
switchport mode trunk
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/18
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/19
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/20
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
logging event trunk-status
logging event spanning-tree
!
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/24
no switchport
ip address 172.25.6.62 255.255.255.252
no ip redirects
no ip proxy-arp
speed 100
duplex full
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
description OMAK-Networks
ip address 172.27.158.2 255.255.252.0 secondary
ip address 172.27.156.1 255.255.252.0 secondary
ip address 172.27.158.1 255.255.252.0
ip helper-address 172.27.158.23
!
interface Vlan2
description Server Segment
ip address 172.28.176.1 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan3
description BioMedical Device Segment
ip address 172.28.176.65 255.255.255.192
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan4
description Radiology Segment
ip address 172.28.176.129 255.255.255.192
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan5
description Printers
ip address 172.28.176.193 255.255.255.192
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan6
description Meditech Only Segment
ip address 172.28.177.1 255.255.255.128
ip access-group NOWEB in
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan7
no ip address
ip helper-address 172.27.158.23
!
interface Vlan8
description Admin segment
ip address 172.28.178.1 255.255.255.128
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan9
description Web Only Segment
ip address 172.28.178.129 255.255.255.128
ip access-group WEBONLY in
ip helper-address 172.28.178.129
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
interface Vlan10
description Wireless Segment - unrestricted
ip address 172.28.179.1 255.255.255.192
ip helper-address 172.27.158.23
no ip redirects
no ip unreachables
no ip proxy-arp
arp timeout 300
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 172.25.5.126
ip route 10.100.0.0 255.255.0.0 172.25.6.61 name *****
ip route 10.105.0.0 255.255.0.0 172.25.6.61 name *****
ip route 10.253.250.0 255.255.255.0 172.25.6.61 name *****
ip route 126.10.10.0 255.255.255.0 172.25.6.61 name *****
ip route 126.11.10.1 255.255.255.255 172.25.6.61 name *****
ip route 126.11.10.3 255.255.255.255 172.25.6.61 name *****
ip route 172.27.46.32 255.255.255.240 172.25.6.61 name *****
ip route 172.27.46.48 255.255.255.240 172.25.6.61 name *****
ip route 172.27.46.64 255.255.255.240 172.25.6.61 name *****
ip route 172.27.46.192 255.255.255.192 172.25.6.61 name *****
ip route 172.27.181.10 255.255.255.255 172.25.6.61 name *****
ip route 172.30.0.0 255.255.0.0 172.25.6.61 name *****
ip route 198.185.133.0 255.255.255.0 172.25.6.61 name *****
ip route 198.185.136.0 255.255.254.0 172.25.6.61 name *****
!
ip access-list extended BIOMED
permit tcp any host 172.27.156.23 eq domain
permit tcp any host 172.27.156.23 eq smtp
permit udp any host 172.27.156.23 eq bootps
deny ip any any
ip access-list extended MTONLY
deny tcp any any eq www
deny tcp any any eq 443
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit ip any 198.185.136.64 0.0.0.63
permit ip any host 172.27.158.11
permit ip any host 172.27.158.12
permit udp any any eq bootps
permit udp any any eq bootpc
deny ip any any
deny ip any any log-input
ip access-list extended NOWEB
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit ip any host 50.19.248.195
permit ip any host 65.74.18.8
permit ip any 10.100.8.0 0.0.0.255
permit ip any 10.100.9.0 0.0.0.255
permit ip any host 66.119.222.6
permit ip any host 209.3.41.156
permit udp any any eq bootps
permit ip any 172.27.156.0 0.0.3.255
permit ip any 172.28.176.0 0.0.3.255
permit ip any 198.185.136.64 0.0.0.63
deny tcp any any eq www
deny tcp any any eq 443
deny ip any any
ip access-list extended WEBONLY
permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq bootps
permit udp any any eq bootpc
deny ip any 172.27.156.0 0.0.3.255
deny ip any 172.27.172.0 0.0.0.255
deny ip any 172.28.176.0 0.0.3.255
permit ip any any
!
logging esm config
!
snmp-server community Public RO
snmp-server community ***** RO
snmp-server location Server Room
snmp-server contact IS *****
radius-server host 172.27.158.23 auth-port 1812 acct-port 1813 key 7 *****
!
!
!
!
line con 0
line vty 0 4
password 7 *****
length 0
transport input ssh
line vty 5 15
!
end
12-19-2011 05:27 PM
Add this command:
line vty 5 15
transport input ssh
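The root cause in the posted config is that `transport input ssh` was applied only to `line vty 0 4`; `line vty 5 15` carries no `transport input` line at all, and `show run` does not print the default, so the untouched range kept accepting telnet. The following is an added example, not code from this thread or from Cisco: a small audit script that parses the `line vty` section of a running-config, works out the effective input transports per vty range, and lists any range that still takes telnet. The `BEFORE` and `AFTER` configs are constructed to mirror the posted line section before and after the accepted answer, and `DEFAULT_TRANSPORTS` is an assumption about what an unconfigured vty accepts (the thread shows telnet reaching vty 5-15, so telnet is in that set).

```python
"""Audit the 'line vty' section of a Cisco IOS running-config for telnet exposure.

Added example (not code from the thread or from Cisco). Given 'show run' text
it computes, per vty range, which input transports are accepted and lists the
ranges that still take telnet. Assumption: a vty stanza with no explicit
'transport input' accepts telnet, which 'show run' never prints; that silent
default on 'line vty 5 15' is exactly what the thread ran into.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed default input transports for a vty line with no 'transport input'
# command (the thread shows telnet reaching the untouched vty 5-15 range).
DEFAULT_TRANSPORTS: Set[str] = {"telnet", "ssh"}

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
TRANSPORT_RE = re.compile(r"^transport input (.+?)\s*$")


def parse_vty_stanzas(config: str) -> Dict[Tuple[int, int], List[str]]:
    """Return {(first, last): [sub-commands]} for every 'line vty' stanza.

    Sub-commands are collected until the next top-level 'line', '!' or 'end',
    so the parser works whether or not the one-space IOS indentation survived
    copy-paste (the config posted in the thread lost it).
    """
    stanzas: Dict[Tuple[int, int], List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        m = VTY_RE.match(text)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last)
            stanzas[current] = []
            continue
        if text.startswith("line ") or text in ("!", "end", ""):
            current = None  # stanza is over
            continue
        if current is not None:
            stanzas[current].append(text)
    return stanzas


def effective_transports(subcommands: List[str]) -> Set[str]:
    """Transports a line accepts after applying its explicit settings, if any."""
    transports = set(DEFAULT_TRANSPORTS)
    for cmd in subcommands:
        m = TRANSPORT_RE.match(cmd)
        if not m:
            continue
        words = m.group(1).split()
        if words == ["none"]:
            transports = set()
        elif words == ["all"]:
            transports = set(DEFAULT_TRANSPORTS)
        else:
            transports = set(words)  # 'transport input ssh' -> {'ssh'}
    return transports


def telnet_exposed_ranges(config: str) -> List[Tuple[int, int]]:
    """vty ranges that still accept telnet, in vty order."""
    return sorted(
        rng for rng, subs in parse_vty_stanzas(config).items()
        if "telnet" in effective_transports(subs)
    )


# Constructed sample mirroring the line section of the posted config:
# 'transport input ssh' on vty 0-4 only, vty 5-15 left at the default.
BEFORE = """\
line con 0
line vty 0 4
 password 7 *****
 length 0
 transport input ssh
line vty 5 15
!
end
"""

# The same section after applying the accepted answer.
AFTER = """\
line con 0
line vty 0 4
 password 7 *****
 length 0
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def report(config: str) -> str:
    """One line per vty range: accepted transports and a telnet warning."""
    lines = []
    for rng, subs in sorted(parse_vty_stanzas(config).items()):
        t = effective_transports(subs)
        flag = "  <-- telnet accepted" if "telnet" in t else ""
        lines.append(f"line vty {rng[0]} {rng[1]}: {sorted(t) or ['none']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before:\n" + report(BEFORE))
    print("after:\n" + report(AFTER))
```

On the switch itself, `show line vty 5` (or any other vty) prints the allowed input transports for that line and is the quickest way to confirm the change took effect on every range, not just vty 0-4; from a management host, a telnet connection to the switch should then be refused while ssh still works. The script only checks vty transports: the posted config also has `ip http server` and an SNMP v2c community enabled, which are separate plaintext management paths that this thread does not address.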
12-19-2011 05:38 PM
That was it, thanks.
12-19-2011 06:18 PM
Awesome! You're welcome.