An application that the company I work for uses relies on SSH to poll configurations; it's essentially an added feature of this app. It hadn't been polling configs in about a month, so I thought there might be something wrong with the SSH creds it uses. So here's what I did:
First off, we use AAA RADIUS set up on a Windows box.
- I tried to log in from a local jump box using PuTTY with those creds, to no avail, so I thought I'd re-enter the exact same SSH creds into the configuration: username: example secret example2
- I'm an idiot, so I generated a new RSA key pair as well
- I could no longer SSH into this device
- It's a core switch in production (3850)
The problem here (I think) is that we use AAA and a RADIUS server, so I'm thinking I may have broken a trust between the switch and the RADIUS server (Windows box), but I'm not really sure. I raced down to the data center to try and console in, but could not. If you look at the configs below, it appears even console access is tied into AAA.
If I didn't save the configuration, would a reboot help at all? I've read that generated crypto keys are stored in the private NVRAM section immediately, but I'm unsure whether that is a hard save. I'm a relatively new/young professional and this is probably my first big screw-up. I could really use some suggestions/advice here.
Here are some notable configurations from the last running config before I screwed around:
aaa new-model
aaa group server radius RADIUS_SERVER3
 server name X.X.X.X
 server name Y.Y.Y.Y
 ip radius source-interface VlanXX
aaa authentication login VTY_AAA group RADIUS_SERVER local
aaa authentication login CONSOLE_AAA group RADIUS_SERVER local
aaa authentication enable default group RADIUS_SERVER enable
aaa authorization exec default local if-authenticated
aaa authorization network default local
ip domain name XXXX.ca
crypto pki trustpoint TP-self-signed-3017148022
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3017148022
 revocation-check none
 rsakeypair TP-self-signed-3017148022
crypto pki certificate chain TP-self-signed-3017148022
 certificate self-signed 01
username XXX privilege 15 password 7
username XXX privilege 15 secret 5
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh rsa keypair-name 3850.companydomain.ca
ip ssh version 2
radius server Y.Y.Y.Y
 address ipv4 Y.Y.Y.Y auth-port 1645 acct-port 1646
 key 7
radius server X.X.X.X
 address ipv4 X.X.X.X auth-port 1645 acct-port 1646
 key 7
line con 0
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication CONSOLE_AAA
 exec prompt timestamp
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication VTY_AAA
 exec prompt timestamp
 transport preferred none
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login authentication VTY_AAA
 transport preferred none
 transport input ssh
Thanks in advance, all.
EDIT: Password recovery is disabled on this device...*le sigh*
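An added example, not the poster's own tooling and not anything from Cisco: a small Python linter that reads an IOS running-config in the shape posted above and flags the AAA combinations that can lock an administrator out. The sample config it embeds is constructed to mirror the posted one, placeholders included; the mismatch between the defined group `RADIUS_SERVER3` and the `RADIUS_SERVER` referenced by every method list is checked exactly as written, whether it is real or an anonymization artifact. The checks encode standard IOS method-list behaviour: the next method in a list is tried only when the server does not answer, not when it returns a reject, so `local` after `group` is only a safety net for an unreachable RADIUS server, and `enable` as the enable-authentication fallback is worthless without an `enable secret`. The `ip ssh rsa keypair-name` note is informational: regenerating a key under a different label does not move SSH off the pinned one, and zeroizing the pinned label disables SSH.

```python
"""Lint a Cisco IOS running-config for AAA settings that can lock an
administrator out when the RADIUS servers stop answering.

Added example for the post above; the rules below are common IOS behaviour
written down by hand, not a vendor-supplied rule set.
"""

# Constructed sample that mirrors the shape of the config in the post
# (placeholders such as X.X.X.X and XXX are kept as they appear there).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUS_SERVER3
 server name X.X.X.X
 server name Y.Y.Y.Y
aaa authentication login VTY_AAA group RADIUS_SERVER local
aaa authentication login CONSOLE_AAA group RADIUS_SERVER local
aaa authentication enable default group RADIUS_SERVER enable
username XXX privilege 15 secret 5
ip ssh rsa keypair-name 3850.companydomain.ca
ip ssh version 2
line con 0
 login authentication CONSOLE_AAA
line vty 0 4
 login authentication VTY_AAA
 transport input ssh
line vty 5 15
 login authentication VTY_AAA
 transport input ssh
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}  # usable without an 'aaa group server'
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}  # need no server


def parse_config(text):
    """Pull the AAA-relevant statements out of an IOS config."""
    cfg = {"groups": set(), "login": {}, "enable": {}, "usernames": set(),
           "enable_secret": False, "ssh_keypair": None, "line_lists": {}}
    current_line = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tok = raw.split()
        if raw.startswith(" "):
            # Sub-command: only 'login authentication' under a line block matters here.
            if current_line and tok[:2] == ["login", "authentication"] and len(tok) > 2:
                cfg["line_lists"][current_line] = tok[2]
            continue
        current_line = None
        if tok[:3] == ["aaa", "group", "server"] and len(tok) > 4:
            cfg["groups"].add(tok[4])
        elif tok[:3] == ["aaa", "authentication", "login"] and len(tok) > 4:
            cfg["login"][tok[3]] = tok[4:]
        elif tok[:3] == ["aaa", "authentication", "enable"] and len(tok) > 4:
            cfg["enable"][tok[3]] = tok[4:]
        elif tok[0] == "username" and len(tok) > 1:
            cfg["usernames"].add(tok[1])
        elif tok[0] == "enable" and len(tok) > 1 and tok[1] in ("secret", "password"):
            cfg["enable_secret"] = True
        elif tok[:4] == ["ip", "ssh", "rsa", "keypair-name"] and len(tok) > 4:
            cfg["ssh_keypair"] = tok[4]
        elif tok[0] == "line" and len(tok) > 1:
            current_line = " ".join(tok[1:])
            cfg["line_lists"].setdefault(current_line, "default")  # IOS default list
    return cfg


def methods(tokens):
    """Turn ['group', 'NAME', 'local'] into [('group', 'NAME'), ('local', None)]."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(("group", tokens[i + 1]))
            i += 2
        else:
            out.append((tokens[i], None))
            i += 1
    return out


def lint(text):
    """Return human-readable findings; only the 'info:' line means nothing is wrong."""
    cfg = parse_config(text)
    findings = []
    for kind, lists in (("login", cfg["login"]), ("enable", cfg["enable"])):
        for name, toks in lists.items():
            ms = methods(toks)
            for m, grp in ms:
                if m == "group" and grp not in cfg["groups"] | BUILTIN_GROUPS:
                    findings.append(f"{kind} list {name}: server group '{grp}' is not defined")
            if not any(m in LOCAL_METHODS for m, _ in ms):
                findings.append(f"{kind} list {name}: no local fallback, a RADIUS outage locks every line")
            if any(m in ("local", "local-case") for m, _ in ms) and not cfg["usernames"]:
                findings.append(f"{kind} list {name}: falls back to local but no 'username' is configured")
            if any(m == "enable" for m, _ in ms) and not cfg["enable_secret"]:
                findings.append(f"{kind} list {name}: falls back to enable but no 'enable secret' is configured")
    for line, lst in cfg["line_lists"].items():
        if not line.startswith("con"):
            continue
        if any(m == "group" for m, _ in methods(cfg["login"].get(lst, []))):
            findings.append(f"line {line}: console login uses list {lst}; the fallback is tried only when "
                            "no RADIUS server answers, not when RADIUS rejects the credentials")
    if cfg["ssh_keypair"]:
        findings.append(f"info: SSH is pinned to RSA key label '{cfg['ssh_keypair']}'; regenerating a key "
                        "under any other label leaves SSH on this one, and zeroizing it disables SSH")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show running-config` output saved to a file instead of the embedded sample to check a real device; run against the posted shape it reports the undefined group three times, the missing `enable secret`, and the console dependency on RADIUS.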