Support User Manuals

Blade ICE G8124 Personal Computer User Manual

Open as PDF

of 388

BLADEOS 6.5.2 Application Guide

BMD00220, October 2010 Chapter 3: Securing Administration  61

SSH/SCP Integration with TACACS+ Authentication

SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on

the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+

servers for authentication. The redirection is transparent to the SSH clients.

SecurID Support

SSH/SCP can also work with SecurID, a token card-based authentication method. The use of

SecurID requires the interactive mode during login, which is not provided by the SSH connection.

Note – There is no SNMP or Browser-Based Interface (BBI) support for SecurID because the

SecurID server, ACE, is a one-time password authentication and requires an interactive session.

Using SecurID with SSH

Using SecurID with SSH involves the following tasks.

 To log in using SSH, use a special username, “ace,” to bypass the SSH authentication.

 After an SSH connection is established, you are prompted to enter the username and password

(the SecurID authentication is being performed now).

 Provide your username and the token in your SecurID card as a regular Telnet user.

Using SecurID with SCP

Using SecurID with SCP can be accomplished in two ways:

 Using a RADIUS server to store an administrator password.

You can configure a regular administrator with a fixed password in the RADIUS server if it can

be supported. A regular administrator with a fixed password in the RADIUS server can

perform both SSH and SCP with no additional authentication required.

 Using an SCP-only administrator password.

Set the SCP-only administrator password (

ssh scp-password) to bypass checking SecurID.

An SCP-only administrator’s password is typically used when SecurID is not used. For

example, it can be used in an automation program (in which the tokens of SecurID are not

available) to back up (download) the switch configurations each day.

Note – The SCP-only administrator’s password must be different from the regular administrator’s

password. If the two passwords are the same, the administrator using that password will not be

allowed to log in as an SSH user because the switch will recognize him as the SCP-only

administrator. The switch will only allow the administrator access to SCP commands.

previous next