01-18-2012 10:35 AM
I have a FESX448 and FESX424 switch in my network. I have enabled SSH on these devices and wish to access them using SSH. When I SSH to the devices via putty I get a login prompt but when I add my user account and password it does not work. The account is local to the device not AAA. I also have a super-user password set up on the devices, so when I telnet to the device, I am logged right in. We have to disable telnet but before we do that, I need to make sure SSH is working. It seems it is not looking at the usernames I have created on the switch. Can someone help?
01-18-2012 11:35 AM
You must tell the switch you want to use the local database.
from config term level 'aaa authentication login default local'
Also may want to setup these too;
'aaa authentication snmp-server default local'
'aaa authentication web-server default local'
If you want a time out on the ssh session then use
'ip ssh idle-time 10'
idle-time is in minutes.
01-18-2012 12:30 PM
Thanks! I did perform those commands earlier and it worked. One thing though, when I access the device via the web, it lets me straight into the device without asking for a username and password. Is this because I still have the enable super-user password configured in the CLI? If I delete that command, will the device use the local usernames and passwords?
01-18-2012 12:42 PM
Can you confirm that you entered the 'aaa authentication web-server default local' command? The default is to use the SNMP read community; with this command it should now ask for a username and password.
Also you may want to lock it down a bit better with;
web-management enable vlan xx
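The two replies above list the FastIron settings that make SSH, web and SNMP logins consult the local user database, plus the idle timeout and the VLAN restriction for web management. As an added example (not part of the thread or of any Brocade/Foundry tool), the script below audits a running-config text for exactly those lines, so a defender can check a batch of switches before telnet is disabled. The config snippets are constructed samples; the command strings are the ones quoted in the thread.

```python
"""Audit a FastIron-style running-config for the local-auth settings
recommended in the thread (added example; sample configs are constructed)."""
import re

# Lines the thread says are needed so logins use the local user database.
REQUIRED = {
    "login_local": re.compile(r"^aaa authentication login default local$"),
    "web_local": re.compile(r"^aaa authentication web-server default local$"),
    "snmp_local": re.compile(r"^aaa authentication snmp-server default local$"),
}

# Hardening the thread recommends in addition; the captured number is kept.
RECOMMENDED = {
    "ssh_idle_time": re.compile(r"^ip ssh idle-time (\d+)$"),
    "web_mgmt_vlan": re.compile(r"^web-management enable vlan (\d+)$"),
}


def audit_config(config_text):
    """Return a dict describing which recommended settings are present.

    missing_required / missing_recommended list the keys not found;
    values holds the captured idle-time (minutes) and management VLAN id.
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    report = {"missing_required": [], "missing_recommended": [], "values": {}}

    for key, pattern in REQUIRED.items():
        if not any(pattern.match(ln) for ln in lines):
            report["missing_required"].append(key)

    for key, pattern in RECOMMENDED.items():
        match = next((pattern.match(ln) for ln in lines if pattern.match(ln)), None)
        if match is None:
            report["missing_recommended"].append(key)
        else:
            report["values"][key] = int(match.group(1))

    # Web login falls back to the SNMP read community when the web-server
    # line is absent, which is the "walks straight in" symptom in the thread.
    report["web_uses_snmp_community"] = "web_local" in report["missing_required"]
    return report


# Constructed sample: the poster's first state, only SSH login fixed.
PARTIAL_CONFIG = """
hostname FESX448-constructed
aaa authentication login default local
username netadmin password .....
ip ssh idle-time 10
"""

# Constructed sample: all settings from the thread applied.
HARDENED_CONFIG = """
hostname FESX448-constructed
aaa authentication login default local
aaa authentication web-server default local
aaa authentication snmp-server default local
ip ssh idle-time 10
web-management enable vlan 99
username netadmin password .....
"""


def summarize(config_text):
    """One-line verdict for a config: OK only if nothing required is missing."""
    report = audit_config(config_text)
    if report["missing_required"]:
        return "FAIL: missing " + ", ".join(report["missing_required"])
    return "OK"


if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, summarize(cfg), audit_config(cfg))
```

Run it against the text of `show running-config` captured from each switch; any device reporting `web_uses_snmp_community` as true will still let a browser in without a password, which is the behaviour described in the thread.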
01-19-2012 04:43 AM
Yes, I did apply that command, but when I access the switch via IE, it takes me right in with no prompting for a password. Do I have to take out the "enable super-user password" command so that it will use only the local accounts that I created?
01-20-2012 06:43 PM
No, there is no need to remove the enable super-user password (this is only used when you type enable when SSH/telneting or on the console of the box); in fact I would recommend that every switch should have the enable password set.
Can you post the config of the switch (hide what you need to hide)?
01-23-2012 09:43 AM
I got it to work! Thanks for your help, but now I have another problem. We are trying to gain access to our devices via SSH. I have created the keys (crypto key generate rsa), configured our domain name and created local user accounts on the switches. When I telnet to these devices, I get in with no problem using the local accounts. When I SSH to the devices via PuTTY, I get the login prompt, type the username and password, and get a PuTTY fatal error: "Server sent disconnect message type 11 (by application): "To many password authentication attempts from user"". I know the username and password are good because I can get in using telnet. Once we get SSH to work we will be disabling telnet altogether.
01-23-2012 11:26 AM
Please try the following;
'crypto key zeroize' -- this will wipe the key you have generated
'crypto key generate' (dropping the RSA keyword) -- this should get you a key pair that works with PuTTY
I have not used the RSA keyword in years (and it has disappeared in newer releases of code for the FastIrons)
01-23-2012 11:43 AM
Ok, looking at it further, I see you have the following code.
FESX448 SW: 03.0.01cT3e3 SSH2 only
FESX424 SW: 02.2.00Te1 SSH1/1.5 only
FES9604 SW: 03.6.00aTc1 SSH2 only - I think
I would recommend that you get the FESX boxes to the same level of code, at least 03.0.01c. SSH version 1 and 1.5 used RSA; SSHv2 used AES.
SSHv1/1.5 has a well-known security issue (like Telnet).