
CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide (2015)

Part IV. Troubleshooting Management

Chapter 20. Troubleshooting Management Access

This chapter covers the following topics:

- Console and vty Access Troubleshooting: This section explains how to identify and troubleshoot issues relating to console and vty access, including Telnet and SSH.

- Cisco IOS AAA Troubleshooting: This section examines the AAA authentication process and the issues that you might face when using local AAA to authenticate remote access.

- Management Access Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

To troubleshoot issues with Cisco routers and switches, you need access to them. You can access them physically using the console port or remotely with the vty lines. If you attempt to access a device for management purposes, and access fails, you will need to troubleshoot why this failure is occurring before you can troubleshoot the other issues.

This chapter covers the different reasons why access to the console and vty lines might fail and how you can identify those reasons. In addition, you will learn the issues that may arise when using Cisco IOS AAA (authentication, authorization, and accounting) authentication.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 20-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”


Table 20-1 “Do I Know This Already?” Section-to-Question Mapping


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Which of the following are the default serial terminal settings for a Cisco router or switch? (Choose two answers.)

a. 9600 baud

b. 16 data bits

c. 1 stop bit

d. Parity

2. What type of cable is used to connect to the console port?

a. Straight-through

b. Crossover

c. Rollover

d. Coaxial

3. Which command enables you to define which protocols will be used for remote access to the Cisco device via the vty lines?

a. transport input

b. login

c. login local

d. exec

4. Which command enables you to specify that SSH access will be authenticated using the local database?

a. login

b. login local

c. login authentication default

d. transport input ssh

5. Which command enables you to filter the users that are allowed to remotely access the device via the vty lines?

a. access-class {acl_name | acl_number} in

b. access-class {acl_name | acl_number} out

c. ip access-group {acl_name | acl_number} in

d. ip access-group {acl_name | acl_number} out

6. Which port is used by SSH?

a. 21

b. 22

c. 23

d. 25

7. What does an SSH version of 1.99 represent?

a. SSHv1 is only enabled.

b. SSHv1.99 is only enabled.

c. SSHv2 is only enabled.

d. SSHv1 and v2 are enabled.

8. Which encryption level uses SHA-256?

a. 0

b. 4

c. 5

d. 7

9. Which command successfully configures a user-defined method list on a Cisco IOS device that uses the database on the device if the external server is not available for authentication?

a. aaa authentication login default local group radius

b. aaa authentication login default group radius local

c. aaa authentication login REMOTE_ACCESS local group radius

d. aaa authentication login MANAGEMENT_ACCESS group radius local

10. Your Cisco router is configured with the following command: aaa authentication login default group radius local

What will occur during login if the local database does not contain any username and password when it is checked?

a. The RADIUS server will be used for authentication.

b. Authentication will fail.

c. The user will be granted access.

d. The line password will be used.

Foundation Topics

Console and vty Access Troubleshooting

You can access a Cisco IOS router or switch for management purposes in various ways. There is the console line, which is used when you have physical access to the device, or when you are using an access server. There are the vty lines, which provide remote connectivity using Telnet or Secure Shell (SSH), so device management can be done from a remote location. Regardless of the method you use for management purposes, at some point you will likely end up having to troubleshoot why you are not able to connect to a device so that you can troubleshoot another issue that has been presented to you. Therefore, you potentially have to solve one issue to get to the next issue.

This section explains the reasons why management access to a Cisco IOS router or switch may fail, how you can troubleshoot why it is occurring, and how you can fix it. You will also learn how to troubleshoot issues related to Cisco IOS AAA authentication, which can be used during the authentication process for validating management access.

Console Access Troubleshooting

The default out-of-the-box method of accessing Cisco routers and switches is via the console port. Here are some things you should look out for when troubleshooting console access:


- Has the correct COM port been selected in the terminal program? Often, multiple COM ports are displayed in the terminal program; the last one listed is usually the correct one to use. If it is not, try a different one. This is a trial-and-error process.

- Are the terminal program's settings configured correctly? Cisco devices use the following default values: 9600 baud, 8 data bits, 1 stop bit, no parity.

- Is a line password used to authenticate to the console? If a line password is being used, the login command needs to be configured as well. The login command and a line password are not configured by default on the console line.

- Is a local username and password used to authenticate to the console? If local authentication is being used, a username and password need to exist in the local database, and the login local command is required.

- Is an AAA server used to authenticate to the console? If AAA authentication is being used, a method list needs to be defined and applied with the login authentication {default | list_name} command in line console configuration mode.

- Are the correct cable and drivers being used to connect to the console port? Check your device's documentation to see what is needed. Newer devices use a mini USB port as the console port (drivers are required on the PC), whereas older devices use the serial-to-RJ-45 console (rollover) cable.

vty Access Troubleshooting

Most devices will be administered remotely via the vty lines, which support protocols such as Telnet and SSH for remote access. Telnet is not recommended because all traffic between the management station and the router/switch is sent in plain text. If a malicious user is able to capture the packets, that user will be able to see all the data that was transmitted back and forth. If you use SSH, the packets will be encrypted, ensuring that if they are captured, they will not be readable.

Telnet

Consider the following while troubleshooting Telnet access to a device:


- Is the IP address of the remote router/switch reachable? You can test this with the ping command.

- Are the correct transport protocols defined for the line? By default with IOS 15.0 and later, Telnet and SSH are allowed, and if other protocols are supported, they are typically allowed as well; however, with the transport input command, you can change which transport protocols are allowed. You can verify the allowed protocols with the command show line vty line_number | include Allowed, as shown in Example 20-1. In this example, Telnet and SSH are allowed for inbound and outbound connections.

- Is the line configured to ask the user for credentials? By default, it is. The login command tells the line to prompt the user for a password, as shown in Example 20-2. However, if you need to authenticate the user via the local database, the login local command is required, and if you need to authenticate the user via AAA, the login authentication {default | list_name} command is required.

- Is a password specified? Because the login command is enabled by default, a password is required. If it is not set, the error message Password required, but none set will appear. If you are using the login local command or AAA, you will be prompted for a username and password instead. However, if no matching entry is stored in the local database or on the AAA server, your login will be invalid and fail.

- Is there an ACL defining which management stations, based on IP address, can access the router/switch? Example 20-3 shows ACL 1 applied to the vty lines. It only allows access from the IP address 192.168.1.11. Notice the explicit deny that was added so that we could keep track of the number of denied remote access attempts that have occurred (7 in this case). To receive a log message indicating which IP address was denied, you need to add the log keyword to the end of the explicit deny entry in the ACL. A log message appears as follows if the log keyword is added: %SEC-6-IPACCESSLOGS: list 1 denied 10.1.12.2 1 packet.

- Are all vty lines busy? By default, there are five vty lines on Cisco routers and switches, numbered 0 to 4. Some devices have more. However, regardless of the number, if all the lines have established connections, a new connection will not be made, as shown in Example 20-4. In this case, the show users command on SW1 indicates there is one console connection and five vty connections on lines 0 to 4. The next device that tries to telnet will be refused and receive the message Password required, but none set, even though that is not technically the issue. If you need to manually clear the lines, use the clear line command followed by the line number listed before vty in the show users output, as shown in Example 20-4, not the vty number listed after vty.

- Is there an ACL in the path between the client and the device blocking port 23? Telnet uses TCP port 23. If there is an ACL configured on a router or firewall blocking port 23, you will be unable to make a successful Telnet connection.

Example 20-1 Verifying Transport Protocols for a Line


SW1#show line vty 0 | include Allowed
Allowed input transports are telnet ssh.
Allowed output transports are telnet ssh.


Example 20-2 Verifying the vty login Command


SW1#show run | section line vty
line vty 0 4
login


Example 20-3 Verifying ACLs Used to Secure Management Access


SW1#show run | section line vty
line vty 0 4
access-class 1 in
password cisco
login
DSW1#show ip access-lists 1
Standard IP access list 1
10 permit 192.168.1.11 (4 matches)
20 deny any (7 matches)


Example 20-4 Verifying Which Lines Are Being Used


SW1#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
     1 vty 0              idle                 00:00:42 10.1.1.2
     2 vty 1              idle                 00:00:48 10.1.10.1
     3 vty 2              idle                 00:00:55 10.1.20.1
     4 vty 3              idle                 00:00:47 10.1.23.3
     5 vty 4              idle                 00:00:41 10.1.43.4


SSH

With Secure Shell (SSH), you will experience the same issues as described with Telnet, in addition to the following:


- Is the correct version of SSH specified? By default, both version 1 and version 2 are enabled. However, with the ip ssh version {1 | 2} command, it can be changed to just 1 or just 2. If clients are connecting with v2 and the device is configured for v1 only, the SSH connection will fail, and the same is true if clients are using v1 and the device is configured for v2 only. To check the version of SSH running, use the show ip ssh command, as shown in Example 20-5. If it states version 1.99, both version 1 and version 2 are running. If it states version 1, only SSHv1 is running, and if it states version 2, only SSHv2 is running.

- Has the correct login command been specified? SSH uses a username and password for authentication. Therefore, the login command will not work in this case because it only requests a password. You need to use the login local command to authenticate with the local database or the login authentication {default | list_name} command to authenticate with an AAA server. As shown in Example 20-6, the login local command has been specified.

- Has the correct size key been specified? SSHv2 requires an RSA key size of 768 bits or greater. If you were using a smaller key size with SSHv1 and then switched to SSHv2, you would need to create a new key with the correct size; otherwise, SSHv2 would not work. If you are using SSHv2 but accidentally specify a key size less than 768 bits, SSHv2 connections will not be allowed.

- Is there an ACL in the path between the client and the device blocking port 22? SSH uses TCP port 22. If an ACL blocking port 22 is configured on a router or firewall, you will be unable to make a successful SSH connection.

Example 20-5 Verifying the SSH Version


SW1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDtRqwdcEI+aGEXYmklh4G6pSJW1th6/Ivg4BCp19tO
BmdoW6NZahL2SxdzjKW8VIBjO1lVeaMfdmvKlpLjUlx7JDAkPs4Q39kzdPHY74MzD1/u+Fwvir8O5AQO
rUMkc5vuVEHFVc4WxQsxH4Q4Df10a6Q3UAOtnL4E0a7ez/imHw==


Example 20-6 Verifying the vty Line Configuration


SW1#show run | s line vty
line vty 0 4
password cisco
login local


To verify the current SSH connections, use the show ssh command. In Example 20-7, there is an SSHv2 inbound and outbound connection with the username cisco. The session is using aes128-cbc encryption and the hashed message authentication code (HMAC) hmac-sha1.

Example 20-7 Verifying SSH Connections


SW1#show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes128-cbc  hmac-sha1    Session started       cisco
0          2.0     OUT  aes128-cbc  hmac-sha1    Session started       cisco
%No SSHv1 server connections running.


Password Encryption Levels


By default, all passwords are stored in clear text within the IOS configuration. It is recommended that passwords either be encrypted or hashed in the configuration for security reasons. Example 20-8 displays sample output of the passwords stored in the running configuration. A level of 0 indicates no encryption. A level of 4 indicates that SHA-256 was used. A level of 5 indicates that message digest 5 (MD5) was used. A level of 7 indicates that Type-7 encryption was used. The levels from strongest to weakest are 4, 5, 7, and then 0. To implement Type-7 encryption, you issue the service password-encryption command. To implement level 4 encryption, you use the secret keyword when specifying a password. In IOS 15.0 and later, level 4 is the default for the secret keyword. If you need to use level 5 (the default on 12.4 and earlier), you will have to use the secret 5 keyword and specify the actual MD5 hash rather than the clear-text password.

Example 20-8 Verifying Password Security Levels


SW1#show run | section username
username admin password 0 letmein
username administrator password 7 082D495A041C0C19
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username Raymond secret 5 $1$sHu.$sIjLazYcNOkRrgAjhyhxn0
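
Both the vty checklist earlier in this section and the password-level discussion above come down to reading the running configuration carefully. The following Python script is an added example (not code from this book and not an IOS feature) that takes a show run excerpt modeled on Examples 20-3 and 20-8, reports each local account's password storage level, flags the vty-line conditions the checklist names (no transport input ssh, login without local or AAA, no access-class, a clear-text line password), and tallies %SEC-6-IPACCESSLOGS denies per source address. The sample configuration and log lines are constructed; the finding codes and function names are the example's own.

```python
import re

# Constructed running-config excerpt modeled on Examples 20-3 and 20-8 (not a real device).
# The username lines reuse the ones printed in Example 20-8; the vty stanza is the
# "login plus line password, no transport input" shape that Example 20-3 shows.
SAMPLE_RUN = """\
username admin password 0 letmein
username administrator password 7 082D495A041C0C19
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username Raymond secret 5 $1$sHu.$sIjLazYcNOkRrgAjhyhxn0
line vty 0 4
 access-class 1 in
 password cisco
 login
"""

# The same stanza after the fixes the chapter recommends: SSH only, local database.
HARDENED_VTY = """\
line vty 0 4
 access-class 1 in
 transport input ssh
 login local
"""

# Password storage levels, strongest to weakest, in the order the chapter ranks them.
LEVEL_ORDER = [4, 5, 7, 0]
LEVEL_NAME = {4: "SHA-256", 5: "MD5", 7: "Type-7 reversible", 0: "clear text"}

USERNAME_RE = re.compile(r"^username (\S+) (?:password|secret) (\d) \S+", re.M)


def password_levels(config):
    """Return {username: level} for every 'username ... password|secret <level> ...' line."""
    return {m.group(1): int(m.group(2)) for m in USERNAME_RE.finditer(config)}


def weak_accounts(config):
    """Accounts whose credential can be read back from the configuration (level 0 or 7)."""
    return sorted(u for u, level in password_levels(config).items() if level in (0, 7))


def rank_accounts(config):
    """Usernames ordered strongest storage level first (4, 5, 7, 0)."""
    levels = password_levels(config)
    return sorted(levels, key=lambda u: LEVEL_ORDER.index(levels[u]))


def vty_stanza(config):
    """Collect the sub-commands of the first 'line vty' stanza (the indented lines under it)."""
    commands, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            inside = True
            continue
        if inside:
            if raw and not raw[0].isspace():   # next top-level stanza ends the block
                break
            if raw.strip():
                commands.append(raw.strip())
    return commands


def audit_vty(config):
    """Flag the vty-line conditions from the chapter's checklist; [] means nothing to report."""
    cmds = vty_stanza(config)
    findings = []
    transport = next((c for c in cmds if c.startswith("transport input")), None)
    if transport is None:
        findings.append("TRANSPORT_NOT_RESTRICTED")   # IOS 15 default: telnet and ssh both allowed
    elif transport.split()[2:] != ["ssh"]:
        findings.append("TRANSPORT_ALLOWS_NON_SSH")
    login = next((c for c in cmds if c.startswith("login")), "login")  # plain 'login' is the default
    if login == "login":
        findings.append("LOGIN_PASSWORD_ONLY")         # SSH needs a username: login local or AAA
    if not any(c.startswith("access-class") for c in cmds):
        findings.append("NO_ACCESS_CLASS")             # any source address may attempt a connection
    if any(c.startswith("password ") and not c.startswith("password 7 ") for c in cmds):
        findings.append("LINE_PASSWORD_CLEAR")
    return findings


# Log line format shown in the chapter, produced when the ACL's deny entry carries 'log'.
DENY_LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGS: list (\S+) denied (\S+) (\d+) packets?")


def denied_sources(log_lines):
    """Total denied packets per source address, to spot repeated attempts against the vty lines."""
    totals = {}
    for line in log_lines:
        m = DENY_LOG_RE.search(line)
        if m:
            totals[m.group(2)] = totals.get(m.group(2), 0) + int(m.group(3))
    return totals


# Constructed syslog lines in the chapter's format (the addresses are made up).
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGS: list 1 denied 10.1.12.2 1 packet",
    "%SEC-6-IPACCESSLOGS: list 1 denied 10.1.12.2 6 packets",
    "%SEC-6-IPACCESSLOGS: list 1 denied 10.1.43.4 1 packet",
]

if __name__ == "__main__":
    for user, level in password_levels(SAMPLE_RUN).items():
        print(f"{user:14} level {level} ({LEVEL_NAME[level]})")
    print("vty findings:", audit_vty(SAMPLE_RUN))
    print("hardened    :", audit_vty(HARDENED_VTY))
    print("denied      :", denied_sources(SAMPLE_LOGS))
```

The stanza parser relies on the one-space indentation that show run uses for line sub-commands, which the book's extracted examples lost; feed it real show run output or the constructed sample above.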


Cisco IOS AAA Troubleshooting

AAA is a framework that provides authentication, authorization, and accounting to secure the management plane. The 300-135 TSHOOT exam objectives focus on AAA authentication using the local database; therefore, in this section, the troubleshooting focus centers on this. However, because most organizations use AAA servers, we include a RADIUS server in our example so that you can see what occurs when the RADIUS server is not accessible and the router or switch falls back to local authentication.

Example 20-9 provides a sample Cisco IOS AAA configuration for management access to the console and vty lines. As you review the output, consider the following items you should keep in mind while troubleshooting Cisco IOS AAA authentication:


- AAA needs to be enabled: AAA is disabled by default on Cisco routers and switches. To enable AAA, use the aaa new-model command. Once you do this, local authentication is immediately applied to all lines except the console line. Therefore, you will not be able to access the device remotely if no username and password exist in the local database. Console access is still possible with no username or password.

- AAA relies on the local username and password database or an AAA server such as RADIUS or TACACS+: By default, AAA uses the local username and password database for authentication. If no username and password exist that can be used for remote access, authentication will fail. Therefore, if you are using local authentication, a username and password need to exist on the local device. However, if you are using an AAA server, you should still configure at least one username and password in the local database that can be used for fallback purposes in case the AAA server is not available. In Example 20-9, the username admin with a password of letmein exists.

- A method list defines the authentication methods: When no method list exists, the vty lines use the local username and password database by default. However, with a method list, you can define which methods of authentication will be used and in what order. In Example 20-9, a user-defined method list for login authentication called MANAGEMENT_ACCESS will use RADIUS servers first, and if they are not accessible, local authentication will be used. If there is no matching username or password in the local database, authentication fails.

- AAA method lists are applied to the lines: The method list that defines how authentication will occur for the vty lines or console line needs to be applied with the login authentication {default | list_name} command. In Example 20-9, the MANAGEMENT_ACCESS method list is attached to the vty lines.

Example 20-9 Verifying Cisco IOS AAA Configuration


R1#show run | section username|aaa|line vty
username admin password 0 letmein
aaa new-model
aaa authentication login MANAGEMENT_ACCESS group radius local
line vty 0 4
password cisco
login authentication MANAGEMENT_ACCESS


You can use the debug aaa authentication command to verify the authentication process in real time. You can use the debug radius authentication command to view the RADIUS authentication processes in real time. You can use the debug aaa protocol local command to view local authentication processes in real time.

In Example 20-10, all three debug commands have been enabled on R1. When a user attempts to telnet from SW1 to R1, R1 invokes the method list MANAGEMENT_ACCESS, which, based on the configuration in Example 20-9, will use RADIUS first and then local authentication if the RADIUS server is not accessible. R1 asks the user for his credentials, and then sends a RADIUS packet to the address 10.1.100.100 on port 1645. Notice how the request to the RADIUS server fails because there is no response from the RADIUS server in this example. Therefore, R1 resorts to local authentication and checks the username and password against the local database. However, the user provided the wrong username/password combination, and the process starts over again by choosing the method list MANAGEMENT_ACCESS and asking the user for his credentials again.

Example 20-10 Debugging Cisco IOS AAA Configuration


R1#debug aaa authentication
AAA Authentication debugging is on
R1#debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
R1#debug aaa protocol local
AAA Local debugs debugging is on
R1#
AAA/LOCAL: exec
AAA/BIND(0000004D): Bind i/f
AAA/LOCAL: new_ascii_login: tty 76EA4F4 idb 0
AAA/AUTHEN/LOGIN (0000004D): Pick method list 'MANAGEMENT_ACCESS'
RADIUS/ENCODE(0000004D): ask "Username: "
RADIUS/ENCODE(0000004D): send packet; GET_USER
R1#
RADIUS/ENCODE(0000004D): ask "Password: "
RADIUS/ENCODE(0000004D): send packet; GET_PASSWORD
...output omitted...
RADIUS(0000004D): Sending a IPv4 Radius Packet
RADIUS(0000004D): Send Access-Request to 10.1.100.100:1645 id 1645/11, len 69
RADIUS: authenticator 09 9E 3E A4 D9 F9 03 87 - 85 02 41 47 BD 72 8F ED
RADIUS: User-Name [1] 7 "admin"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 6 "tty1"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-IP-Address [4] 6 10.1.100.1
R1#
RADIUS(0000004D): Started 5 sec timeout
R1#
RADIUS(0000004D): Request timed out
RADIUS: Retransmit to (10.1.100.100:1645,1646) for id 1645/11
RADIUS(0000004D): Started 5 sec timeout
R1#
RADIUS(0000004D): Request timed out
RADIUS: Retransmit to (10.1.100.100:1645,1646) for id 1645/11
RADIUS(0000004D): Started 5 sec timeout
R1#
RADIUS(0000004D): Request timed out
RADIUS: Retransmit to (10.1.100.100:1645,1646) for id 1645/11
RADIUS(0000004D): Started 5 sec timeout
R1#
RADIUS(0000004D): Request timed out
RADIUS: No response from (10.1.100.100:1645,1646) for id 1645/11
RADIUS/DECODE: No response from radius-server; parse response; FAIL
RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
AAA/LOCAL/LOGIN(0000004D): check username/password
AAA/LOCAL/LOGIN(0000004D): invalid username/password
R1#
AAA/AUTHEN/LOGIN (0000004D): Pick method list 'MANAGEMENT_ACCESS'
RADIUS/ENCODE(0000004D): ask "Username: "
RADIUS/ENCODE(0000004D): send packet; GET_USER
R1#


By default, many Cisco IOS devices use ports 1645 and 1646 for RADIUS and port 49 for TACACS+. In Example 20-10, you can see that R1 is attempting to communicate with the RADIUS server at 10.1.100.100 using ports 1645 and 1646. However, the RADIUS ports were later changed, and the current standard is to use ports 1812 and 1813. Therefore, you need to be aware of which ports are being used on the server and configure your IOS device appropriately. Also, if RADIUS or TACACS+ communication between the authenticator (Cisco IOS device) and the authentication server (RADIUS or TACACS+ server) is not successful, you should verify that any ACLs between these devices are permitting traffic for the RADIUS or TACACS+ ports being used.
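
The method-list behavior described above (try RADIUS, fall back to the local database only when the server does not answer) and the timeout-and-retransmit rhythm visible in Example 20-10 can be modeled in a few lines. The following Python simulation is an added example, not IOS code and not the book's: MockRadius, login, and prompts_for are invented names, the 5-second timeout and three retransmits are taken from the debug output above, and the trace strings only imitate the debug lines. One caveat the model makes visible: a reachable RADIUS server that rejects the credentials is a final failure, and the next method is consulted only when the current one cannot produce a decision (no response), which is why a local fallback account does not help while the server is up and answering "no".

```python
# IOS behavior visible in Example 20-10: a 5-second wait, then three retransmits, before the
# RADIUS method gives up ("No response from radius-server") and the next method is consulted.
RADIUS_TIMEOUT_SECS = 5
RADIUS_RETRANSMITS = 3


class MockRadius:
    """Stand-in for a RADIUS server: either never answers, or answers from a user table."""

    def __init__(self, reachable, users):
        self.reachable = reachable
        self.users = users
        self.requests = 0          # how many Access-Requests the device sent

    def access_request(self, username, password):
        self.requests += 1
        if not self.reachable:
            return None            # packet lost / server down: no reply at all
        return "Access-Accept" if self.users.get(username) == password else "Access-Reject"


def prompts_for(method_list):
    """What the line asks for: 'line' wants only a password; local and RADIUS need a username too."""
    return ("Password:",) if method_list[0] == "line" else ("Username:", "Password:")


def _radius_method(server, username, password, trace):
    """PASS/FAIL when the server answers; None (error) when it never does."""
    for attempt in range(1 + RADIUS_RETRANSMITS):
        reply = server.access_request(username, password)
        if reply is not None:
            trace.append(f"RADIUS: {reply} for '{username}'")
            return reply == "Access-Accept"   # accept or reject: both are final decisions
        trace.append(f"RADIUS: Request timed out ({RADIUS_TIMEOUT_SECS} sec, attempt {attempt + 1})")
    trace.append("RADIUS/DECODE: No response from radius-server; FAIL")
    return None                               # server unavailable: move on to the next method


def login(list_name, method_list, username, password, radius, local_users, line_password=None):
    """Evaluate an 'aaa authentication login' method list in order; returns (granted, trace)."""
    trace = [f"AAA/AUTHEN/LOGIN: Pick method list '{list_name}'"]
    for method in method_list:
        if method == "group radius":
            decision = _radius_method(radius, username, password, trace)
            if decision is None:
                continue                      # only an unavailable server falls through
            return decision, trace
        if method == "local":
            trace.append("AAA/LOCAL/LOGIN: check username/password")
            ok = username in local_users and local_users[username] == password
            trace.append("AAA/LOCAL/LOGIN: " + ("accepted" if ok else "invalid username/password"))
            return ok, trace                  # as the chapter states: no match means failure
        if method == "line":
            ok = line_password is not None and password == line_password
            trace.append("AAA/LINE: " + ("accepted" if ok else "line password mismatch"))
            return ok, trace
        trace.append(f"method '{method}' is not modeled here")
    trace.append("AAA: no method produced a decision; access denied")
    return False, trace


if __name__ == "__main__":
    # The Example 20-10 scenario: RADIUS never answers, local database holds admin/letmein.
    down = MockRadius(reachable=False, users={})
    granted, trace = login("MANAGEMENT_ACCESS", ["group radius", "local"],
                           "admin", "letmein", down, {"admin": "letmein"})
    print("\n".join(trace))
    print("granted:", granted, "| Access-Requests sent:", down.requests)
```

Swap the user table or the reachable flag to replay the other cases: a wrong local password after the RADIUS timeouts reproduces the "invalid username/password" line of Example 20-10, and a reachable server that rejects the user ends the attempt without the local database ever being checked.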

Management Access Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 20-1.


Figure 20-1 Management Access Trouble Tickets Topology

Trouble Ticket 20-1

Problem: A security audit has been done, and the report shows that R4 is accessible via Telnet and SSH when it should only be accessible via SSH.

You commence troubleshooting by verifying the problem. In Example 20-11, you telnet to R4’s IP address 192.0.2.1, and it is successful. You then use SSHv2, and it is successful as well.

Example 20-11 Verifying the Problem


SW2#telnet 192.0.2.1
Trying 192.0.2.1 ... Open


User Access Verification

Username: TSHOOT
Password:
R4>exit

[Connection to 192.0.2.1 closed by foreign host]
SW2#ssh -v 2 -l TSHOOT 192.0.2.1
Password:
R4>exit

[Connection to 192.0.2.1 closed by foreign host]
SW2#


You access R4 and issue the command show line vty 0 | i Allowed input transports to verify which protocols can be used to establish a remote connection with R4. According to the output in Example 20-12, LAT, PAD, Telnet, rlogin, mop, v120, SSH, and NASI are all allowed.

Example 20-12 Identifying Allowed Protocols


R4#show line vty 0 | i Allowed input transports
Allowed input transports are lat pad telnet rlogin mop v120 ssh nasi.


Next you issue the command show run | section line vty, as shown in Example 20-13, and notice that there is no transport input command controlling which protocols are permitted.

Example 20-13 Verifying the vty Configuration


R4#show run | section line vty
line vty 0 4
password cisco
login local


Because you only need to allow SSHv2, you issue the command transport input ssh in line vty configuration mode, as shown in Example 20-14, to prevent Telnet access.

Example 20-14 Modifying the vty Configuration


R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#line vty 0 4
R4(config-line)#transport input ssh


To verify that the problem is solved, you attempt to telnet from SW2 to R4 again, but this time the connection is refused by R4. However, SSHv2 still works as expected. The problem is solved, as shown in Example 20-15.

Example 20-15 Verifying That the Problem Is Solved


SW2#telnet 192.0.2.1
Trying 192.0.2.1 ...
% Connection refused by remote host

DSW2#ssh -v 2 -l TSHOOT 192.0.2.1
Password:
R4>exit

[Connection to 192.0.2.1 closed by foreign host]
SW2#


Trouble Ticket 20-2

Problem: For security reasons, when accessing R2 via Telnet, the user should be prompted for a username and password. However, users are only being prompted for a password.

You commence the troubleshooting process by verifying the problem. You attempt to Telnet from SW2 to R2 at the IP address 203.0.113.1. As you can see in the output of Example 20-16, you are only being asked for a password. You have a feeling that the login local command is missing.

Example 20-16 Verifying the Problem


SW2#telnet 203.0.113.1
Trying 203.0.113.1 ... Open


User Access Verification

Password:
R2>


On R2, you issue the command show run | section line vty, as shown in Example 20-17, to verify that the login local command is missing. According to the output, it is.

Example 20-17 Verifying the vty Configuration on R2


R2#show run | section line vty
line vty 0 4
password cisco


You enter line vty configuration mode, as shown in Example 20-18, and issue the login local command, but it fails to execute. The error message indicates that local is not a valid option. You then use syntax help, and it indicates that authentication is the only valid option. This means that AAA is in use.

Example 20-18 Configuring Local Authentication on R2


R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#line vty 0 4
R2(config-line)#login local
^
% Invalid input detected at '^' marker.

R2(config-line)#
R2(config-line)#login ?
authentication Authentication parameters.


On R2, you issue the command show run | section aaa to verify the AAA configuration, as shown in Example 20-19. It appears that the AAA authentication method list was configured incorrectly. It is only using the line password for authentication. If you want to use a username and password, you need to use the local database or an AAA server. In this case, you are using the local database; therefore, you need to specify local as the method instead of line.

Example 20-19 Verifying AAA Configuration


R2#show run | section aaa
aaa new-model
aaa authentication login default line


In Example 20-20, you enter the command no aaa authentication login default line and issue the command aaa authentication login default local.

Example 20-20 Modifying AAA Configuration


R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no aaa authentication login default line
R2(config)#aaa authentication login default local
R2(config)#end


You then attempt to telnet again, and this time, as shown in Example 20-21, you are prompted for a username and password.

Example 20-21 Verifying Issue Is Solved


SW2#telnet 203.0.113.1
Trying 203.0.113.1 ... Open

User Access Verification

Username: TSHOOT
Password:

R2>


Trouble Ticket 20-3

Problem: A user is trying to manage R4 via an SSHv2 connection, but the connection fails.

You begin by verifying the problem with an attempt to establish an SSHv2 connection to R4 from SW2. It fails, as shown in Example 20-22, confirming the problem. However, you are happy that you verified the problem because the error message is giving you more information. This error usually means that the remote device does not support SSHv2. However, you know without a doubt that R4 does support SSHv2. Therefore, you hypothesize that something is misconfigured on R4.

Example 20-22 Verifying the Problem


SW2#ssh -v 2 -l TSHOOT 192.0.2.1
[Connection to 192.0.2.1 aborted: error status 0]


You access R4 and issue the command show ip ssh and confirm that version 1.5 is being used, as shown in Example 20-23. You have a feeling that the SSH RSA key is not large enough for SSHv2. However, it does not list the key size. Therefore, you decide to spot the difference with R2. On R2, as shown in Example 20-24, you issue the show ip ssh command and notice that v2 is enabled and that the SSH RSA key is significantly larger.

Example 20-23 Verifying SSH Configuration on R4


R4#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAATADIEIKgD03hu48qw9Wy/K5JRB/Gf4YQ8mi0iEo/EKzT
VyR33bQSYBhIsgxo8AAOuU0m3wPlBSwPIdtVV1WHvN9EUDx6xlU6tL/+qEs=


Example 20-24 Verifying SSH Configuration on R2


R2#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtMAHQGeZaB/uWXiqF17KOWL+LvjsGOsJOCLFEkg7X
carueOLHbfsxhADkThmwFOKsN9Sq9jFbd5YVpiRoP4nM8He/yRJszNDmCQAbV47IjhTYVISoznsRFh0P
/rxN/bf5ZsEdk4LVdA1nGnBjLsWTPTMO64PGOf/eVllrCMVYcw==


You access your documentation, and it states that all SSHv2 sessions should use a key of 1024 bits. Therefore, on R4 you issue the crypto key generate rsa modulus 1024 command to generate new cryptographic keys. As you can see in Example 20-25, the old keys are replaced with the new ones, and SSH 1.99 is enabled, which supports v1 and v2. As a result, you issue the ip ssh version 2 command to enable just SSHv2.

Example 20-25 Creating a Local Cryptographic Key


R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#crypto key generate rsa modulus 1024
% You already have RSA keys defined named R4.TSHOOT.local.
% They will be replaced.

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R4(config)#
%SSH-5-DISABLED: SSH 1.5 has been disabled
R4(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R4(config)#ip ssh version 2


You examine the output of show ip ssh on R4 again, as shown in Example 20-26. It shows that SSHv2 is now enabled, and if you compare the new SSH RSA key with the old one, it is much larger.

Example 20-26 Verifying That SSHv2 Is Enabled


R4#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCT6oQo7Ge64ky61+BPOJHOQwnaiUeJCPSbuDSjt610
DB6lRa0nhCjEMRG2W1OznJNtV5kHBdL7E/880ZOoQcSe3DEyh9TD88/CZI/Tr80OrLJYaN+5Y/7ZaZkp
5AUZCBVibtbkuC/z8FokE417607dI1KgP7VsjOgKIur8FkciNQ==
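
The ticket above works around the fact that show ip ssh does not print the RSA key size by comparing the two keys by eye. The SECSH blob it does print is a standard ssh-rsa public key, so the modulus length can simply be decoded. The following Python script is an added example (not code from this book and not an IOS command) that parses the show ip ssh outputs reproduced in Examples 20-23 and 20-26 above, reassembles the line-wrapped key, decodes the modulus bit length, and combines it with the version field (1.5 means v1 only, 1.99 means both, 2.0 means v2 only, as explained earlier in the chapter) to say whether an SSHv2 session is possible. The 768-bit threshold is the chapter's own rule; the function names are the example's own.

```python
import base64
import struct

# Outputs copied from Example 20-23 (R4 before the fix) and Example 20-26 (R4 after
# 'crypto key generate rsa modulus 1024'); the key blobs are the ones printed there.
R4_BEFORE = """\
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAATADIEIKgD03hu48qw9Wy/K5JRB/Gf4YQ8mi0iEo/EKzT
VyR33bQSYBhIsgxo8AAOuU0m3wPlBSwPIdtVV1WHvN9EUDx6xlU6tL/+qEs=
"""

R4_AFTER = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCT6oQo7Ge64ky61+BPOJHOQwnaiUeJCPSbuDSjt610
DB6lRa0nhCjEMRG2W1OznJNtV5kHBdL7E/880ZOoQcSe3DEyh9TD88/CZI/Tr80OrLJYaN+5Y/7ZaZkp
5AUZCBVibtbkuC/z8FokE417607dI1KgP7VsjOgKIur8FkciNQ==
"""

SSHV2_MIN_MODULUS_BITS = 768   # the chapter's rule: SSHv2 needs an RSA key of 768 bits or more

# 'show ip ssh' version field -> protocol versions actually enabled (per the chapter).
VERSIONS_BY_FIELD = {"1.5": {1}, "1.99": {1, 2}, "2.0": {2}}


def _read_string(blob, offset):
    """One SSH wire-format 'string': 4-byte big-endian length followed by that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(ssh_rsa_b64):
    """Bit length of the RSA modulus inside a base64 'ssh-rsa' public-key blob."""
    blob = base64.b64decode(ssh_rsa_b64)
    key_type, offset = _read_string(blob, 0)        # b"ssh-rsa"
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    _exponent, offset = _read_string(blob, offset)  # usually 65537
    modulus, _ = _read_string(blob, offset)         # mpint: may carry a leading 0x00 sign byte
    return int.from_bytes(modulus, "big").bit_length()


def enabled_versions(version_field):
    """Protocol versions implied by the version string; unknown strings are rejected."""
    if version_field not in VERSIONS_BY_FIELD:
        raise ValueError(f"unrecognized SSH version field: {version_field}")
    return set(VERSIONS_BY_FIELD[version_field])


def parse_show_ip_ssh(output):
    """Return (version field, reassembled base64 key) from 'show ip ssh' output."""
    version, key_parts = None, []
    for line in output.splitlines():
        if line.startswith("SSH Enabled - version "):
            version = line.split()[-1]
        elif line.startswith("ssh-rsa "):
            key_parts.append(line.split()[1])
        elif key_parts and line.strip():               # continuation lines of the wrapped key
            key_parts.append(line.strip())
    return version, "".join(key_parts)


def sshv2_ready(output):
    """Both conditions for an SSHv2 session: v2 enabled and a large enough RSA modulus."""
    version, key_b64 = parse_show_ip_ssh(output)
    versions = enabled_versions(version)
    bits = rsa_modulus_bits(key_b64)
    return {
        "version": version,
        "versions_enabled": versions,
        "modulus_bits": bits,
        "sshv2_ok": 2 in versions and bits >= SSHV2_MIN_MODULUS_BITS,
    }


if __name__ == "__main__":
    for label, text in (("R4 before", R4_BEFORE), ("R4 after", R4_AFTER)):
        print(label, sshv2_ready(text))
```

Run against the two outputs from the ticket, the pre-fix key decodes to a modulus well under the 768-bit threshold and the post-fix key to 1024 bits, which is the difference the ticket had to infer from the length of the base64 text.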


Back on SW2, you try to establish an SSHv2 session to R4, and it is successful, as shown in Example 20-27.

Example 20-27 Verify That the Issue Is Solved


SW2#ssh -v 2 -l TSHOOT 192.0.2.1
Password:
R4>


Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here; Chapter 22, “Final Preparation”; and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 20-2 lists a reference of these key topics and the page numbers on which each is found.


Table 20-2 Key Topics for Chapter 20

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

login

login local

AAA

method list

rollover cable

Telnet

SSH

line

console

port 23

port 22

level 4 encryption

level 5 encryption

level 7 encryption

RADIUS

TACACS+

Command Reference to Check Your Memory

This section includes the most important show and debug commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 20-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.


Table 20-3 show and debug Commands

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully troubleshoot the topics and concepts covered in this chapter.