Wireless Access

Hello,

We are implementing AOS8.4.0.2 and I am configuring the new MDs. If I want to look at the config from the CLI I believe I need to cd to the actual node, and then type 'mdconnect', but when I do that I get an error:

(master-8a) [00:1a:1e:xx:xx:xx] (config) #mdconnect

Redirecting to Managed Device Shell
Permission denied: wrong username or password

Exiting Managed Device Shell

Is there something else I need to configure to make this work?

Thanks

Can you SSH directly to the MD's with the same username and password?

I can SSH to all of the controllers. But when I issue the 'mdconnect' command it doesn't actually ask me for a password, it just instantly comes up with the error message, which makes me wonder if I am supposed to have activated/configured mdconnect somewhere?

You don't have to configure anything for mdconnect to work, not explicitly anyways.

Do your MDs show up on the MM? I think the mdconnect command uses locally configured mgmt-users and SSH keys. I have this configured on all of my MDs and MM:

mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon read-only node  
mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon-w standard node

(mmisbaruba1) *[00:1a:1e:02:39:d8] #show mgmt-user ssh-pubkey 

SSH Public Key Management User Table
------------------------------------
CLIENT-CERT           USER               ROLE        STATUS   REVOCATION CHECKPOINT  Max-concurrent-sessions
-----------           ----               ----        ------   ---------------------  -----------------------
master-ssh-pub-cert   seamless-logon     read-only   ACTIVE   none                   N/A
master-ssh-pub-cert   seamless-logon-w   standard    ACTIVE   none                   N/A

If that's missing I'm not sure how to configure it.

Thanks for looking. Hmmm, yes those are already configured

Did you ever get this working? I'm having the same issue.

It is working, but I'm afraid (unhelpfully) I don't remember what got it working. I'm not sure I (knowingly) did anything to fix it. What version of AOS are you running?

8.5.0.2

Is your cluster properly L2 connected?

---

@tmcclintic wrote:

8.5.0.2

---

Okay.  Just to see if this is your issue, please SSH into the MD and type this:

show running-config | include master-ssh-pub-cert

I don't have a cluster, I'm using L3 Redundancy for the MM. 

From a MD here is the output:

Building Configuration...
crypto-local pki PublicCert master-ssh-pub-cert
mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon read-only node
mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon-w standard node

I should note that the MDs are actually running 8.4.0.4 still.

That does not match a bug fixed in 8.3.x.

What are your symptoms?

If I do mdconnect from MM then I get the following:

Redirecting to Managed Device Shell
Permission denied: wrong username or password

Exiting Managed Device Shell

On the MD, what is the output of:

show mgmt-user ssh-pubkey

SSH Public Key Management User Table
------------------------------------
CLIENT-CERT USER ROLE STATUS REVOCATION CHECKPOINT Max-concurrent-sessions PATH
----------- ---- ---- ------ --------------------- ----------------------- ----
master-ssh-pub-cert seamless-logon read-only ACTIVE none N/A
master-ssh-pub-cert seamless-logon-w standard ACTIVE none N/A

When you type "show switches" on the MM, is this MD listed there?

Yes, we have 20 MDs on the MM all show up and all have the same issue. 

Okay, on the MD, type this:

show log all | include cert_dwnld

See if there are any cert_dwnld errors.

This is all that shows on the MD

Sep 29 13:11:45 cert_dwnld[4290]: PAPI_Send: To: 7f000001:8212 Type:0x4 Timed out.

I opened a TAC case and they were able to resolve the issue by changing SSH Authentication from User credentials to Both. 

This is found on the MD>Configuration>System - Admin Authentication Options.

Thanks everyone for your help!