Support User Manuals

Cisco Systems 2955 Switch User Manual

Open as PDF

of 674

8-34

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

OL-10101-02

Chapter 8 Configuring Switch-Based Authentication

Configuring the Switch for Secure Shell

• TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on

page 8-10)

• RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on

page 8-17)

• Local authentication and authorization (for more information, see the “Configuring the Switch for

Local Authentication and Authorization” section on page 8-32)

Note This software release does not support IP Security (IPSec).

Limitations

These limitations apply to SSH:

• The switch supports Rivest, Shamir, and Adelman (RSA) authentication.

• SSH supports only the execution-shell application.

• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data

encryption software.

• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption

algorithm.

Configuring SSH

This section has this configuration information:

• Configuration Guidelines, page 8-34

• Cryptographic Software Image Guidelines, page 8-35

• Setting Up the Switch to Run SSH, page 8-35 (required)

• Configuring the SSH Server, page 8-36 (required only if you are configuring the switch as an SSH

server)

Configuration Guidelines

Follow these guidelines when configuring the switch as an SSH server or SSH client:

• An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.

• If you get CLI error messages after entering the crypto key generate rsa global configuration

command, an RSA key pair has not been generated. Reconfigure the host name and domain, and then

enter the crypto key generate rsa command. For more information, see the

“Setting Up the Switch

to Run SSH” section on page 8-35.

• When generating the RSA key pair, the message “No host name specified” might appear. If it does,

you must configure a host name by using the hostname global configuration command.

• When generating the RSA key pair, the message “No domain specified” might appear. If it does, you

must configure an IP domain name by using the ip domain-name global configuration command.

• When configuring the local authentication and authorization authentication method, make sure that

AAA is disabled on the console.

previous next