Configure SSH Access

Cisco Documents:
Security>AAA>Secure Shell Configuration Guide
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-4t/sec-cfg-secure-shell.html

The first step is to make sure that all the devices within your network SUPPORT Secure Shell (ideally SSH version 2, since SSHv1 has known protocol weaknesses). Then decide HOW you want to implement it, as there are 2 options:
1. Configuring a Router for SSH Version 2 Using a Hostname and Domain Name
2. Configuring a Router for SSH Version 2 Using RSA Key Pairs

In the first configuration type, these are the steps to follow:

Step 1: Be sure to have the Hostname and the IP Domain Name configured:
(config)#ip domain name SNArchs

Step 2: Decide the key size (in bits; on this IOS release the default is 512) and generate the RSA key pair. This ENABLES SSH on the router. Note that a 512-bit RSA key is far too weak for anything but a lab: SSH version 2 requires a modulus of at least 768 bits, and current guidance is 2048 bits or more (for example "crypto key generate rsa modulus 2048"). Once the key exists, pin the version with "ip ssh version 2" so the router never falls back to SSHv1:
(config)#crypto key generate rsa usage-keys
The name for the keys will be: ES-MAT-AES-SR04.SNArchs
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*Dec  5 12:58:48.123: %SSH-5-ENABLED: SSH 2.0 has been enabled

Then configure the VTY lines for the user database to use (TACACS+ or LOCAL), and restrict them to SSH (this also drops Telnet, which sends the password in the clear):
(config)#line vty 0 4
(config-line)#login local <-NOT AVAILABLE once "aaa new-model" is configured; AAA replaces it with "login authentication" (see below)
(config-line)#transport input ssh
*"login local" needs at least one user in the local database ("username ... secret ..."); verify that from a second session before leaving the console, otherwise you lock yourself out of the VTYs.
*When testing the access via SSH from another IOS device, don't forget to use "-l" to pass the username:
#ssh -l mat 10.1.12.2

You can also use AAA to define an AUTHENTICATION method list (here AAA_AUTH) that can later be applied to ALL VTY lines. Keep in mind that "aaa new-model" takes effect immediately on every line, so make sure a local user exists before typing it:
(config)#aaa new-model
(config)#aaa authentication login AAA_AUTH local

Now apply it to the VTY port:
(config)#line vty 0 4
(config-line)#transport input ssh
(config-line)#login authentication AAA_AUTH
*"rotary" command under the VTY changes the telnet port to that line. "rotary 5" sets the port on that line to 3005

AAA Authentication

Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html

This is pretty straightforward, because on the CCIE R&S exam you won't have to configure an actual ACS server. For starters be sure that "aaa new-model" is configured (and that a local user exists before you enable it, since AAA takes over every line at once).

Turn TACACS+ authentication ON, with the LOCAL DB and then the enable password as fallbacks:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is the name of the method list. IOS only moves on to the next method when the previous one returned an ERROR (no TACACS+ server reachable), never when the server REJECTED the credentials, so a wrong password is not retried against the local database. If you name the list "default" instead of MYTACACS, there is no need to assign it to the VTY lines later: it is the default policy on the device, from wherever you try to authenticate. In that case you should ALSO define a separate list (e.g. NO_AUTH with the method "none", or one that uses "local") for the places where you don't want TACACS+, like the AUX and CONSOLE ports.

Define the TACACS+ server and set the shared secret (use a strong secret, "cisco" is for the lab only; "service password-encryption" keeps it from showing in clear text in the running config):
(config)#tacacs-server host 10.1.1.10 key cisco

Define the source interface from which you will authenticate:
(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:
(config-line)#login authentication MYTACACS

Test a USERNAME/PASSWORD against the TACACS+ server without opening a VTY session (the "legacy" keyword selects the older test method; "new-code" is the alternative):
#test aaa group tacacs+ USERNAME PASSWORD legacy
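The AAA steps above, collected into one added example of a complete TACACS+ configuration with local fallback (this is not the page's configuration nor Cisco's). Once "aaa new-model" is on, the "login local" from the SSH section is replaced by "login authentication". The server 10.1.1.10, Loopback0 and the user "mat" come from this page; the list names, both secrets, the timeout value and the console policy are assumptions:

```cisco
! Added example (not from the page): TACACS+ with local fallback on IOS 12.4T.
! Server 10.1.1.10, Loopback0 and user "mat" come from the page; the list
! names, secrets, timeout and the console policy are assumptions.
!
! Local fallback user: create it BEFORE "aaa new-model" on a live device.
service password-encryption
username mat privilege 15 secret Str0ngLabSecret!
!
aaa new-model
!
! Authentication: TACACS+ first, local DB only if NO server answers.
! A server REJECT ends the attempt; it does not fall through to "local".
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
!
! Authorization and accounting: the exec shell and level-15 commands go
! through TACACS+; "if-authenticated" keeps exec usable when servers are down.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Server definition (12.4T syntax; 15.x prefers "tacacs server NAME").
tacacs-server host 10.1.1.10 single-connection key Sh4redT4c4csSecret
tacacs-server timeout 5
ip tacacs source-interface Loopback0
!
! Console keeps working from the local DB; VTYs use the default list.
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
 login authentication default
!
! Verify from exec mode (with a TACACS+ account) before logging out of the console:
!   test aaa group tacacs+ mat Str0ngLabSecret! legacy
```

If the test returns "User rejected", the server answered and the credentials are wrong; only a timeout (no server reachable) makes the method list move on to "local".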
