Cisco 2950 Switch SSH

Hello,

I am trying to set up SSH on a 2950 switch. Here is my config:

en
!
config t
en password Pa55word
!
line con 0
password Pa550rd
login
!
line vty 0 4
password Pa550rd
login
!
hostname SWITCH0001
ip domain-name domain.local
ntp server 192.168.217.10
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
crypto key generate rsa
2048
username gemin priv 15 secret Pa550rd
aaa new-model
transport input ssh
!
service password-encryption
!
exit



When I do this two things occur:

1. When I reload the switch, it does not prompt me for a password.  It automatically goes to SWITCH0001>
2. Telnet is still enabled even though I ran "transport input ssh"

What am I doing wrong?

Have a great day,

Don
GEMCC asked:

Don Johnston (Instructor) commented:
In the config, make these changes:


line con0
 login local
line vty 0 4
 login local
 transport input ssh
GEMCC (Author) commented:
Along with "transport input ssh", to stop Telnet I had to also enter "no transport input telnet", even though it is supposedly not needed.

Still having the issue of when I console in am getting the SWITCH0001> prompt and not being prompted to login until I go into enable mode.

Please advise.
Don Johnston (Instructor) commented:
Okay.  One thing at a time.

Are we trying to make the console or the VTY line work?  

Pick one and we'll get that working, then we'll deal with the other.
GEMCC (Author) commented:
I can SSH in fine, no problem.

Actually, I enter "no transport input telnet" and I get an "invalid input detected" at telnet
Don Johnston (Instructor) commented:
On which line?
GEMCC (Author) commented:
line vty 0 4
Don Johnston (Instructor) commented:
Well I'm confused then. You just said "SSH works fine".

So what are we trying to do (or fix)?
GEMCC (Author) commented:
1. SSH works

2. Telnet still works even though I have "transport input ssh"

3. When I add "no transport input telnet" at line vty 0 4, I get an "invalid input detected" at the "t" in telnet

4. When I have SSH working and I start a serial connection, it immediately goes to the SWITCH0001> prompt.  I do not get asked for a username or password until I go into enable mode, and then I am asked for a password.  When I do not have SSH configured at all, I get prompted for a username and password.

5. Another issue that has arisen is when I enter ip ssh port 12345, I get an error
Don Johnston (Instructor) commented:
1) That's a start.
2) Telnet should not work if there is no "telnet" anywhere on the VTY line that begins with "transport input...".
3) That's because you don't remove telnet from the VTY line, you simply define ssh only.
4) That would indicate that local login is not enabled.
5) I wouldn't worry about that until you have SSH working correctly.

Please post the current running config of the switch.
GEMCC (Author) commented:
I think I see what part of the problem is; we are going back and forth between this question and http://www.experts-exchange.com/questions/28691627/Cisco-2950-prompting-for-username-and-password.html

My config:

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
aaa new-model
enable secret 5 $1$fKwc$g2mYa/JlEATWJveO8nPQc0
!
username gem-admin privilege 15 secret 5 $1$BSZ3$.NINsGCRXKk2IudXOMb3n1
ip subnet-zero
!
ip domain-name gem-domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 123D550E535859107939
line vty 0 4
 password 7 123D550E535859107939
 transport input ssh
line vty 5 15
!
ntp server 192.168.217.10
!
end


Don Johnston (Instructor) commented:
If it's for the same problem then you should close one of the questions.

You are missing the "login local" on the VTY lines.
GEMCC (Author) commented:
OK, I am going to try to make this clear.  When I use:

en
!
config t
username admin secret Pa55w0rd
en secret Pa55w0rd
!
line con 0
password Pa55w0rd
login local
!
line vty 0 4
password Pa55w0rd
transport input ssh
login local
!
hostname GEMSWI0001
ip domain-name domain.local
ntp server 192.168.217.10
!
service password-encryption
!
ip http server
ip http port 65410
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
end
!
wr mem

Show Run displays:

Current configuration : 2568 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
enable secret 5 $1$ZEjN$yvniAxDkes6gA1f9ZjPCr0
!
username admin secret 5 $1$pkXE$EXQ/cC9.mE6GtHazZU39P.
ip subnet-zero
!
ip domain-name domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 112D491C56415E185738
 login local
line vty 0 4
 password 7 112D491C56415E185738
 login local
 transport input ssh
line vty 5 15
 login
!
ntp server 192.168.217.10
!
end

In this scenario, logging in to the console works fine, but I do not have SSH configured/enabled.

When I use:

en
!
config t
username admin secret Pa55w0rd
en secret Pa55w0rd
!
line con 0
password Pa55w0rd
login local
!
line vty 0 4
password Pa55w0rd
transport input ssh
login local
!
hostname GEMSWI0001
ip domain-name domain.local
ntp server 192.168.217.10
!
crypto key generate rsa
2048
username admin priv 15 secret Pa55w0rd
aaa new-model
!
service password-encryption
!
ip http server
ip http port 65410
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switch access vlan 999
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
!
end
!
wr mem

Show Run displays

Current configuration : 2562 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GEMSWI0001
!
aaa new-model
enable secret 5 $1$Iym8$qEebD34IXzor79EK6Xs590
!
username admin privilege 15 secret 5 $1$j4An$cY0GnmV4bS6/dUmztVcdD1
ip subnet-zero
!
ip domain-name domain.local
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface FastEthernet0/47
 description GEMCON0000-1
 switchport access vlan 999
 switchport mode access
 switchport port-security maximum 4
 switchport port-security mac-address sticky
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan128
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan217
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan999
 ip address 192.168.255.251 255.255.255.248
 no ip route-cache
!
ip http server
ip http port 65410
!
line con 0
 password 7 052F5616601F1B1D4A17
line vty 0 4
 password 7 052F5616601F1B1D4A17
 transport input ssh
line vty 5 15
!
ntp server 192.168.217.10
!
end

In this scenario, when I make a console connection, I do not get prompted for a username and password; I immediately get the prompt GEMSWI0001>

The difference between the 2 is:

crypto key generate rsa
2048
username admin priv 15 secret Pa55w0rd
aaa new-model

Please advise.
Don Johnston (Instructor) commented:
Don't enable AAA.  It is accomplishing nothing and will only confuse the issue.

If you do not have "login local" configured on the line, the switch will not authenticate against the local database.

If you only have "login" configured on the line, the switch will prompt for the password configured on the line. In your case "Pa55w0rd"

If there is no login configured on the line, the switch will not prompt for anything.  You will be allowed in without any prompt.

So to fix the lower config you posted issue the commands:

no aaa new-model
line con 0
 login local

Here's what I have:

enable secret 5 $1$6LbK$Y34hsdfUm7asdCL8iHbvz51
!
username ccna secret 5 $1$t1i1$rlJIcLMsldkjfdkpfFl1wx9.
no aaa new-model
!
...
!
line con 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 login local
  transport input ssh

P1SW#logout


P1SW con0 is now available





Press RETURN to get started.


User Access Verification

Username: ccna
Password:
P1SW>

GEMCC (Author) commented:
I regret to say I do not think you are looking at everything.  I clearly have the following:

line vty 0 4
password Pa55w0rd
transport input ssh
login local

You keep mentioning having "login local" which I entered both times.

When I take out "aaa new-model", I now get prompted for a username and password when I start a console connection, but once I log in, I immediately go into enable mode (the prompt is GEMSWI0001#).
Don Johnston (Instructor) commented:
I regret to say I do not think you are looking at everything.  I clearly have the following:

line vty 0 4
password Pa55w0rd
transport input ssh
login local

You keep mentioning having "login local" which I entered both times.

Except I did not state to apply "login local" to your VTY lines.

If you read my previous post you will see:
So to fix the lower config you posted issue the commands:

no aaa new-model
line con 0
 login local

The reason you're going straight to privileged mode is because your username statement contains:
username admin privilege 15 secret 5 $1$j4An$cY0GnmV4bS6/dUmztVcdD1

If you don't want to go directly to privileged mode, delete that statement and replace it with:

username admin secret whatever-password-you-want
GEMCC (Author) commented:
And if you read my previous posts I have:

line con 0
password Pa55w0rd
login local
Don Johnston (Instructor) commented:
And if you read my previous posts I have:

You have posted many many configs and made many statements.  All I can do is respond to your most recent configs and statements.

At 2015-06-28 at 09:59, you posted a config with:

!
line con 0
 password 7 052F5616601F1B1D4A17
line vty 0 4
 password 7 052F5616601F1B1D4A17
 transport input ssh
line vty 5 15
!

and stated:
In this scenario, when I make a console connection, I do not get prompted for a username and password, I immediately get the prompt GEMSWI0001>

I responded 58 minutes later by explaining:

If you do not have "login local" configured on the line, the switch will not authenticate against the local database.

If there is no login configured on the line, the switch will not prompt for anything.  You will be allowed in without any prompt.

So once again: If there is no login statement on the console line, there will be no authentication.  You will immediately go to user mode without being prompted for a username or a password.
GEMCC (Author) commented:
OK, that's enough.  We are both getting frustrated.  How do I close this question out?

Thank you.
Don Johnston (Instructor) commented:
Ask a mod to delete it.
GEMCC (Author) commented:
Found the solution at Spiceworks.  Needed to get rid of the password under line vty 0 4.

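The login semantics Don Johnston lays out above (no login statement means no prompt at all, "login" alone checks the line password, "login local" checks the username database, and "aaa new-model" takes the line-level login commands out of play) and the closing remark about the password left under "line vty 0 4" are straightforward to check mechanically. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from Experts Exchange. It parses the text of a running-config and reports, per line section, which authentication mode is in effect and which hardening points are missing (Telnet still accepted, Type 7 line passwords, privilege-15 usernames, the HTTP server). The embedded sample configuration is constructed, modelled on the show run output posted above, with placeholder hashes and Type 7 strings instead of the real ones.

```python
"""Audit a Cisco IOS running-config for the line-authentication and
management-plane issues discussed in the thread.
Added example; not code from the thread, from Cisco, or from Experts Exchange."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the show run posted in the thread; the
# hashes and the Type 7 string are placeholders, not real secrets.
SAMPLE_CONFIG = """\
version 12.1
service password-encryption
hostname GEMSWI0001
enable secret 5 $1$EXAMPLE$placeholder-hash
username admin privilege 15 secret 5 $1$EXAMPLE$placeholder-hash
ip domain-name domain.local
ip http server
line con 0
 password 7 0000PLACEHOLDER
line vty 0 4
 password 7 0000PLACEHOLDER
 login local
 transport input ssh
line vty 5 15
 login
end
"""


@dataclass(frozen=True)
class Finding:
    scope: str     # "global" or a section header such as "line vty 0 4"
    severity: str  # "high", "medium" or "info"
    message: str


def parse_config(text):
    """Split an IOS config into top-level commands and per-section sub-commands.
    Returns (globals_, sections): globals_ lists the top-level commands, sections
    maps each 'line ...' / 'interface ...' header to its indented commands."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith(("line ", "interface ")) else None
        if current is None:
            globals_.append(cmd)
        else:
            sections.setdefault(current, [])
    return globals_, sections


def audit_config(text):
    """Return the Findings for one running-config, in a stable order."""
    globals_, sections = parse_config(text)
    out = []
    aaa = "aaa new-model" in globals_
    has_usernames = any(g.startswith("username ") for g in globals_)

    if aaa and not any(g.startswith("aaa authentication login") for g in globals_):
        out.append(Finding("global", "medium", "aaa new-model without an 'aaa authentication "
                           "login' method list: line-level 'login'/'login local' no longer apply"))
    if any(g.startswith("enable password") for g in globals_):
        out.append(Finding("global", "high", "'enable password' is reversible; use 'enable secret'"))
    for g in globals_:
        if g.startswith("username ") and re.search(r"\bprivilege 15\b", g):
            out.append(Finding("global", "info", f"user '{g.split()[1]}' lands in privileged EXEC at login"))
    if "ip http server" in globals_:
        out.append(Finding("global", "medium", "HTTP management server enabled (cleartext)"))

    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        logins = [c for c in cmds if c == "login" or c.startswith("login ")]
        has_pw = any(c.startswith("password ") for c in cmds)
        if any(c.startswith("password 7 ") for c in cmds):
            out.append(Finding(name, "medium", "Type 7 line password is reversibly encoded"))
        if not aaa:  # under aaa new-model the line 'login' commands are replaced by method lists
            if not logins:
                out.append(Finding(name, "high", "no 'login' statement: EXEC is granted without any prompt"))
            elif logins == ["login"] and not has_pw:
                out.append(Finding(name, "high", "'login' with no line password: sessions are refused "
                                   "('Password required, but none set')"))
            elif "login local" in logins:
                if not has_usernames:
                    out.append(Finding(name, "high", "'login local' with no username configured: lockout"))
                if has_pw:
                    out.append(Finding(name, "info", "line password is unused under 'login local'"))
        if name.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports:
                out.append(Finding(name, "medium", "no 'transport input' restriction; platform default applies"))
            elif any(re.search(r"\b(telnet|all)\b", t) for t in transports):
                out.append(Finding(name, "high", "Telnet (cleartext) is an accepted transport"))
    return out


def by_scope(findings, scope):
    """(severity, message) pairs for one scope, handy for inspection and tests."""
    return [(f.severity, f.message) for f in findings if f.scope == scope]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:>6}] {f.scope}: {f.message}")
```

Run it as-is to see the findings for the sample, or feed it the text of "show running-config" from a real device. The "aaa new-model" branch deserves a note: once AAA is enabled, the line-level "login" and "login local" commands are replaced by "login authentication" method lists, which is why the show run posted under "aaa new-model" contains no "login" lines at all; the script therefore stops judging lines by those commands in that state and flags the missing method list globally instead.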