GEMCC

asked on

Cisco 2950 Switch SSH

Hello,

I am trying to set up SSH on a 2950 switch.  Here is my config:

en
!
config t
en password Pa55word
!
line con 0
password Pa550rd
login
!
line vty 0 4
password Pa550rd
login
!
hostname SWITCH0001
ip domain-name domain.local
ntp server 192.168.217.10
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
crypto key generate rsa
2048
username gemin priv 15 secret Pa550rd
aaa new-model
transport input ssh
!
service password-encryption
!
exit



When I do this two things occur:

1. When I reload the switch, it does not prompt me for a password.  It automatically goes to SWITCH0001>
2. Telnet is still enabled even though I ran "transport input ssh"

What am I doing wrong?

Have a great day,

Don
Don Johnston:

In the config, make these changes:


line con 0
 login local
line vty 0 4
 login local
 transport input ssh
GEMCC (ASKER):

Along with "transport input ssh", to stop Telnet, I had to also "no transport input telnet" even though it is supposedly not needed.

Still having the issue of when I console in I am getting the SWITCH0001> prompt and not being prompted to login until I go into enable mode.

Please advise.
Don Johnston:

Okay.  One thing at a time.

Are we trying to make the console or the VTY line work?  

Pick one and we'll get that working then we'll deal with the other.
GEMCC (ASKER):

I can SSH in fine, no problem.

Actually, I enter "no transport input telnet" and I get an "invalid input detected" at telnet
Don Johnston:

On which line?
GEMCC (ASKER):

line vty 0 4
Don Johnston:

Well I'm confused then. You just said "SSH works fine".

So what are we trying to do (or fix)?
GEMCC (ASKER):

1. SSH works

2. Telnet still works even though I have "transport input ssh"

3. When I add "no transport input telnet" at line vty 0 4, I get an "invalid input detected" at the "t" in telnet

4. When I have SSH working and I start a serial connection, it immediately goes to the SWITCH0001> prompt.  I do not get asked for a username or password until I go into enable mode then I am asked for a password.  When I do not have SSH configured at all, I then get prompted for a username and password.

5. Another issue that has arisen is when I enter ip ssh port 12345, I get an error
Don Johnston:

1) That's a start.
2) Telnet should not work if there is no "telnet" anywhere on the VTY line that begins with "transport input..."
3) That's because you don't remove telnet from the VTY line, you simply define ssh only.
4) That would indicate that local login is not enabled.
5) I wouldn't worry about that until you have SSH working correctly.

Please post the current running config of the switch.
GEMCC (ASKER):

I think I see what part of the problem is, we are going back and forth between this question and https://www.experts-exchange.com/questions/28691627/Cisco-2950-prompting-for-username-and-password.html

My config:

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
aaa new-model
enable secret 5 $1$fKwc$g2mYa/JlEATWJveO8nPQc0
!
username gem-admin privilege 15 secret 5 $1$BSZ3$.NINsGCRXKk2IudXOMb3n1
ip subnet-zero
!
ip domain-name gem-domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 123D550E535859107939
line vty 0 4
 password 7 123D550E535859107939
 transport input ssh
line vty 5 15
!
ntp server 192.168.217.10
!
end


Don Johnston:

If it's for the same problem then you should close one of the questions.

You are missing the "login local" on the VTY lines.
GEMCC (ASKER):

OK, I am going to try to make this clear.  When I use:

en
!
config t
username admin secret Pa55w0rd
en secret Pa55w0rd
!
line con 0
password Pa55w0rd
login local
!
line vty 0 4
password Pa55w0rd
transport input ssh
login local
!
hostname GEMSWI0001
ip domain-name domain.local
ntp server 192.168.217.10
!
service password-encryption
!
ip http server
ip http port 65410
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
end
!
wr mem



Show Run displays:

Current configuration : 2568 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
enable secret 5 $1$ZEjN$yvniAxDkes6gA1f9ZjPCr0
!
username admin secret 5 $1$pkXE$EXQ/cC9.mE6GtHazZU39P.
ip subnet-zero
!
ip domain-name domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 112D491C56415E185738
 login local
line vty 0 4
 password 7 112D491C56415E185738
 login local
 transport input ssh
line vty 5 15
 login
!
ntp server 192.168.217.10
!
end



In this scenario, logging in to console works fine, but I do not have SSH configured/enabled.

When  I use:

en
!
config t
username admin secret Pa55w0rd
en secret Pa55w0rd
!
line con 0
password Pa55w0rd
login local
!
line vty 0 4
password Pa55w0rd
transport input ssh
login local
!
hostname GEMSWI0001
ip domain-name domain.local
ntp server 192.168.217.10
!
crypto key generate rsa
2048
username admin priv 15 secret Pa55w0rd
aaa new-model
!
service password-encryption
!
ip http server
ip http port 65410
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
end
!
wr mem



Show Run displays

Current configuration : 2562 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
aaa new-model
enable secret 5 $1$Iym8$qEebD34IXzor79EK6Xs590
!
username admin privilege 15 secret 5 $1$j4An$cY0GnmV4bS6/dUmztVcdD1
ip subnet-zero
!
ip domain-name domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 052F5616601F1B1D4A17
line vty 0 4
 password 7 052F5616601F1B1D4A17
 transport input ssh
line vty 5 15
!
ntp server 192.168.217.10
!
end



In this scenario, when I make a console connection, I do not get prompted for a username and password, I immediately get the prompt GEMSWI0001>

The difference between the 2 is:

crypto key generate rsa
2048
username admin priv 15 secret Pa55w0rd
aaa new-model

Please advise.
Don Johnston:

Don't enable AAA.  It is accomplishing nothing and will only confuse the issue.

If you do not have "login local" configured on the line, the switch will not authenticate against the local database.

If you only have "login" configured on the line, the switch will prompt for the password configured on the line. In your case "Pa55w0rd"

If there is no login configured on the line, the switch will not prompt for anything.  You will be allowed in without any prompt.

So to fix the lower config you posted issue the commands:

no aaa new-model
line con 0
 login local

Here's what I have:

enable secret 5 $1$6LbK$Y34hsdfUm7asdCL8iHbvz51
!
username ccna secret 5 $1$t1i1$rlJIcLMsldkjfdkpfFl1wx9.
no aaa new-model
!
...
!
line con 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh

P1SW#logout


P1SW con0 is now available





Press RETURN to get started.


User Access Verification

Username: ccna
Password:
P1SW>
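The rules Don lays out above (no login statement means no prompt at all, "login" without "local" means the line password only, and telnet stays reachable unless "transport input" excludes it) are easy to check mechanically before a switch goes into service. The following audit script is an added example, not code from this thread or from Cisco; the sample config is constructed to mirror the asker's "after SSH" posting, with the password hashes replaced by placeholders.

```python
import re

# Constructed sample (hashes replaced by placeholders) mirroring the asker's config:
# console line has no login statement, VTYs are SSH-only, and aaa new-model is on.
BEFORE = """\
aaa new-model
username admin privilege 15 secret 5 <hash-placeholder>
line con 0
 password 7 <hash-placeholder>
line vty 0 4
 password 7 <hash-placeholder>
 transport input ssh
line vty 5 15
"""
LINE_HEADER = re.compile(r"^line (con|vty|aux) (\d+)(?: (\d+))?$")

def parse_lines(config):
    """Map each 'line ...' stanza name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = LINE_HEADER.match(raw)
        if m:
            current = " ".join(p for p in m.groups() if p)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the stanza
    return blocks

def audit(config):
    """Return sorted (scope, finding) pairs for the mistakes discussed in the thread."""
    findings = []
    if re.search(r"^aaa new-model$", config, re.M):
        findings.append(("global", "aaa-new-model"))  # changes how per-line login applies
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        findings.append(("global", "priv15-user:" + m.group(1)))  # login lands in enable mode
    for name, cmds in parse_lines(config).items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append((name, "no-login"))  # no prompt: straight to user EXEC
        elif "login local" not in cmds:
            findings.append((name, "line-password-only"))  # local usernames are not used
        if name.startswith("vty"):
            # The asker saw telnet accepted with no 'transport input' set, so a missing
            # statement is treated as permissive, as is an explicit telnet or all.
            allowed = [w for c in cmds if c.startswith("transport input") for w in c.split()[2:]]
            if not allowed or any(w in ("telnet", "all") for w in allowed):
                findings.append((name, "telnet-allowed"))
    return sorted(findings)
```

Running audit() on the "after" config Don describes (no aaa new-model, login local on con 0 and vty 0 4, transport input ssh) returns an empty list.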


GEMCC (ASKER):

I regret to say I do not think you are looking at everything.  I clearly have the following:

line vty 0 4
password Pa55w0rd
transport input ssh
login local

You keep mentioning having "login local" which I entered both times.

When I take out "aaa new-model", now I get prompted for a username and password when I start a console connection, but once I login, I immediately go into enable mode (the prompt is GEMSWI0001#)
Don Johnston:

> I regret to say I do not think you are looking at everything.  I clearly have the following:
>
> line vty 0 4
> password Pa55w0rd
> transport input ssh
> login local
>
> You keep mentioning having "login local" which I entered both times.

Except I did not state to apply "login local" to your VTY lines.

If you read my previous post you will see:
> So to fix the lower config you posted issue the commands:
>
> no aaa new-model
> line con 0
>  login local

The reason you're going straight to privileged mode is because your username statement contains:
username admin privilege 15 secret 5 $1$j4An$cY0GnmV4bS6/dUmztVcdD1

If you don't want go directly to privileged mode, delete that statement and replace it with:

username admin secret whatever-password-you-want
GEMCC (ASKER):

And if you read my previous posts I have:

line con 0
password Pa55w0rd
login local
Don Johnston:

> And if you read my previous posts I have:

You have posted many many configs and made many statements.  All I can do is respond to your most recent configs and statements.

At 2015-06-28 at 09:59, you posted a config with:

> !
> line con 0
>  password 7 052F5616601F1B1D4A17
> line vty 0 4
>  password 7 052F5616601F1B1D4A17
>  transport input ssh
> line vty 5 15
> !

and stated:
> In this scenario, when I make a console connection, I do not get prompted for a username and password, I immediately get the prompt GEMSWI0001>

I responded 58 minutes later by explaining:

> If you do not have "login local" configured on the line, the switch will not authenticate against the local database.
>
> If there is no login configured on the line, the switch will not prompt for anything.  You will be allowed in without any prompt.

So once again: If there is no login statement on the console line, there will be no authentication.  You will immediately go to user mode without being prompted for a username or a password.
GEMCC (ASKER):

OK, that's enough.  We are both getting frustrated.  How do I close this question out?

Thank you.
Don Johnston:

Ask a mod to delete it.