Ethernet Switches & Routers

Occasional Contributor
Posts: 10
Registered: ‎01-20-2014
Accepted Solution

Logging in SSH only to Mgmt for Turbo Iron switch

Hello, I'm new to Brocade as we run a lot of Cisco, but I am liking that it's very similar to Cisco.  The one thing I am hung up on is how to make it so I can manage a Turbo Iron 24x switch with SSH only.  I don't want telnet at all, just SSH.  It seems that with telnet I can log in with a password I set, but with SSH it just keeps re-asking for the password, like I'm entering it in wrong.

So, two things..

1.  SSH is currently not accepting my password

2.  Telnet is still open and I want to disable it without taking down SSH.  Last time I tried disabling it, it also appeared that SSH shut down as well.

Here is the config.  I want to use the username admin and then my password via PuTTY on SSH to manage the switch.

 

Current configuration:
!
ver 08.0.01aT201
!
!
!
!
!
!
!
enable telnet authentication
enable telnet password .....
enable super-user-password .....
enable port-config-password .....
hostname 10gbe-du1
ip address 10.1.0.101 255.255.0.0
ip default-gateway 10.1.0.254
username admin password .....
snmp-server contact IT Department
snmp-server location PA HQ
sntp server 10.1.1.1 4

!
!
!
!
ip ssh key-authentication no
!
!
end

Broadcom
Posts: 2
Registered: ‎02-28-2014

Re: Logging in SSH only to Mgmt for Turbo Iron switch

Hi,

1) For SSH to accept your password, a local AAA login policy needs to be set.

In config mode, please use the following command:

aaa authentication login default local

[use "aaa authentication login default local none" so that you will not lose access when the local username and password get deleted by mistake]

2) Please issue the following command when in config mode:

"no telnet server" and it will disable telnet access

Occasional Contributor
Posts: 10
Registered: ‎01-20-2014

Re: Logging in SSH only to Mgmt for Turbo Iron switch

Hello,

We did this and while that seems to only allow SSH, in a vulnerability scan these came up with high risk.

successfully logged in with username: root, password: calvin
successfully logged in with username: cisco, password: domain
successfully logged in with username: admin, password: admin

Sure enough, I SSHed to one and tried the first one above, root / calvin.

Got right in to the > prompt.  Can show the config.  Now if I go to "enable" and try those usernames and passwords, I do get an error - incorrect password.

How can I prevent those random / common username and password combinations from logging in at all?  I don't even see them in my config.

aaa authentication login default local none
jumbo
enable telnet password .....
enable super-user-password .....
enable port-config-password .....

no telnet server

ip ssh key-authentication no

Contributor
Posts: 28
Registered: ‎07-25-2013

Re: Logging in SSH only to Mgmt for Turbo Iron switch

have you tried 'aaa authentication enable default local' ?

Contributor
Posts: 69
Registered: ‎10-14-2011

Re: Logging in SSH only to Mgmt for Turbo Iron switch

You may also want to restrict inbound SSH connections via "ip ssh client x.x.x.x.x". Good luck!

Occasional Contributor
Posts: 10
Registered: ‎01-20-2014

Re: Logging in SSH only to Mgmt for Turbo Iron switch


tmasuda1 wrote:

have you tried 'aaa authentication enable default local' ?

I tried that and it says

Warning - no local username, please configure

How do you configure it?

Occasional Contributor
Posts: 10
Registered: ‎01-20-2014

Re: Logging in SSH only to Mgmt for Turbo Iron switch

[ Edited ]

It just NEVER accepts the password.  I even copy and paste it.

(config)# username admin password something-something!4!

end

Ok, so I go into another session and I copy and paste that, and in SSH it keeps saying access denied.

I even tried making a second username, brocade.  Nothing....  SSH says access denied.  Even with copy and paste.  I know I'm putting the password in right with copy and paste.

Username Password Encrypt Priv Status Expire Time
======================================================================================================================

brocade $1$q/5..Y75$h5LombnzlXuP/n6/ZNJS3/ enabled 0 enabled Never

Frequent Contributor
Posts: 105
Registered: ‎07-12-2011

Re: Logging in SSH only to Mgmt for Turbo Iron switch

For the random login, those passwords aren't stored; you need to add this line in your config:

enable telnet authentication

That will force a Telnet session to authenticate to be able to do anything at all.

For your SSH issues, that's odd.

Let's start at the beginning.

From a console connection, erase all usernames and passwords or authentication settings.

Next, have you generated a key for SSH?

Command should be

crypto key generate rsa

Then create a local user

username kjstech password letmein

Then create the aaa policy

aaa authentication login default local

That should get SSH working.

Then you can add security such as super-user and port-level, ACLs or different passwords/users.

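As an added example that is not part of this thread or of Brocade's own documentation: the management-access configuration the thread converges on, with the policy the original poster had when the scanner's default-credential logins succeeded shown beside the corrected one. Only commands quoted in the thread are used; the password placeholder and the "!" comment lines are mine, and the exact syntax is an assumption that should be checked against the FastIron release on the switch (the poster's runs ver 08.0.01aT201).

```text
! Added example, not from the thread. Management-plane settings for a
! FastIron-based switch such as the Turbo Iron 24x, built only from commands
! quoted above. Verify syntax against your firmware before applying.
!
! --- Weak: what the poster had during the vulnerability scan ---
! A trailing "none" method means a login can succeed with no credential
! check at all. The scanner's root/calvin and admin/admin logins were
! observed with this line present and stopped once the policy was rebuilt
! with "local" alone.
aaa authentication login default local none
ip ssh key-authentication no
!
! --- Hardened: SSH only, every login and enable checked against local users ---
! Do this from the console so a mistake cannot lock you out.
crypto key generate rsa
username admin password <strong-password-placeholder>
aaa authentication login default local
aaa authentication enable default local
no telnet server
!
! Check from a second SSH session before closing the console:
!   show users   -> the local account is listed
!   a wrong password or an unknown username must be refused at the ">" prompt
```

The two points a defender should take from the pair: the login policy, not the enable policy, is what protects the ">" prompt (the scanner never needed "enable" to read the running config), and a "none" fallback trades lock-out safety for exactly the weakness the scan reported. If lock-out protection is wanted, keeping console access available is the safer way to get it.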
Occasional Contributor
Posts: 10
Registered: ‎01-20-2014

Re: Logging in SSH only to Mgmt for Turbo Iron switch

Thank you.  This fixed my problem.  I did those steps except I did not do enable telnet authentication.  We only allow SSH (encrypted) traffic across our network for managing devices where possible.

SSH now correctly denies invalid usernames and passwords while allowing correct ones.
