Blade ICE G8124 Personal Computer User Manual


 
BLADEOS 6.5.2 Application Guide
BMD00220, October 2010 Chapter 3: Securing Administration 61
SSH/SCP Integration with TACACS+ Authentication
SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on
the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+
servers for authentication. The redirection is transparent to the SSH clients.
SecurID Support
SSH/SCP can also work with SecurID, a token card-based authentication method. The use of
SecurID requires the interactive mode during login, which is not provided by the SSH connection.
Note – There is no SNMP or Browser-Based Interface (BBI) support for SecurID because the
SecurID server, ACE, is a one-time password authentication and requires an interactive session.
Using SecurID with SSH
Using SecurID with SSH involves the following tasks.
To log in using SSH, use a special username, “ace,” to bypass the SSH authentication.
After an SSH connection is established, you are prompted to enter the username and password
(the SecurID authentication is being performed now).
Provide your username and the token in your SecurID card as a regular Telnet user.
Using SecurID with SCP
Using SecurID with SCP can be accomplished in two ways:
Using a RADIUS server to store an administrator password.
You can configure a regular administrator with a fixed password in the RADIUS server if it can
be supported. A regular administrator with a fixed password in the RADIUS server can
perform both SSH and SCP with no additional authentication required.
Using an SCP-only administrator password.
Set the SCP-only administrator password (
ssh scp-password) to bypass checking SecurID.
An SCP-only administrator’s password is typically used when SecurID is not used. For
example, it can be used in an automation program (in which the tokens of SecurID are not
available) to back up (download) the switch configurations each day.
Note – The SCP-only administrator’s password must be different from the regular administrator’s
password. If the two passwords are the same, the administrator using that password will not be
allowed to log in as an SSH user because the switch will recognize him as the SCP-only
administrator. The switch will only allow the administrator access to SCP commands.