
Access To router via ssh authenticating through tacacs

griffith2009
Level 1

I have a server ACS 3.3, and I authenticate via TACACS through telnet. This is the configuration that I have in the routers:

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host s.s.s.s
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxxx
line vty 0 4
 password 7 ppppppppppppppppp

What should I do to connect to all routers via SSH, and continue authenticating through TACACS?


7 Replies

Richard Burts
Hall of Fame

Maria

The configuration that you have shown us should process for SSH just as well as it does for telnet. No changes in authentication processing are required in the aaa configuration to allow SSH as well as telnet.

You have not shown us the configuration of the vty lines, so we do not know what is there. If you have not changed the configuration of the vty lines (especially the transport input parameter) then SSH should be processed similarly to the processing of telnet.

To enable SSH you do need to do a few things in the configuration:

- you must be running an image (and feature set) that supports SSH (look for k9 in the image file name as an indicator that SSH is supported).

- you must generate encryption keys to enable SSH. Use the crypto key generate command to do this. For this command to work you must have configured a non-default hostname for the device and you must have configured a non-default domain name.

HTH

Rick

Hi Rick,

Thank you for responding.

According to what you wrote, I must implement the following commands in all the routers:

cry key generate rsa
hostname maria
ip domain-name forum.cisco.com
line vty 0 4
 transport input SSH

If I use "putty" to connect to the different routers through SSH, do I only need to put in the IP and select SSH in the application? Does the application automatically obtain the key generated by each router?

Hi,

Any answer?

Thanks

Maria,

The hostname and IP domain name information will need to be configured before the SSH key can be generated on the router.

Yes, your statement about using putty is correct. The first time you connect to a router using putty, it will import the SSH key.

Here is a guide that has some detailed information about using SSH on your router.

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

HTH,

Mark

Maria

As Mark has said, your commands are correct, and the hostname and domain name must be configured before the crypto key generate command can be used.

By default the router will accept both telnet and SSH for remote access. If you configure this:

line vty 0 4

transport input SSH

it will disable telnet and will restrict remote access to only SSH. If that is what you intend then go ahead with these commands.

HTH

Rick
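As an added example (not part of this thread, and not Cisco's code), a small Python audit of a running-config for the prerequisites Rick lists (non-default hostname, domain name, transport input on the vty lines) together with the TACACS+ login method Maria wants to keep and SSH version 2; both sample configurations are constructed for the example, not taken from any device in the thread.

```python
"""Audit an IOS running-config for the SSH prerequisites raised in this thread:
non-default hostname, ip domain-name, TACACS+ login still the default method,
vty lines limited to SSH, SSH version 2. Sample configs are constructed."""
import re
DEFAULT_HOSTNAMES = {"router", "switch"}  # factory names; key generation needs a real one

# Constructed "before" config: default hostname, no domain name, telnet still allowed.
BEFORE_CONFIG = """\
hostname Router
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
line vty 0 4
 password 7 PLACEHOLDER
 transport input telnet ssh
"""
# Constructed "after" config with the fixes from the replies applied.
AFTER_CONFIG = """\
hostname edge-rtr-01
ip domain-name example.net
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
ip ssh version 2
line vty 0 4
 transport input ssh
"""

def parse_vty_blocks(config):
    """Return [(header, [sub-commands])] per 'line vty' block (IOS indents sub-commands by one space)."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:   # sub-command of the open block
            current[1].append(raw.strip())
        elif not raw.startswith(" "):                      # any top-level line closes the block
            current = None
            if re.match(r"line vty \d+( \d+)?$", raw.strip()):
                current = (raw.strip(), [])
                blocks.append(current)
    return blocks

def audit_ssh_config(config):
    """Map each check name to True (pass) or False (fail)."""
    host = re.search(r"^hostname (\S+)$", config, re.M)
    vty = parse_vty_blocks(config)
    return {
        "hostname_non_default": bool(host) and host.group(1).lower() not in DEFAULT_HOSTNAMES,
        "domain_name_set": re.search(r"^ip domain[- ]name \S+", config, re.M) is not None,
        "tacacs_login_auth": re.search(r"^aaa authentication login default group tacacs\+", config, re.M) is not None,
        # 'transport input ssh' must be in every vty block, or telnet stays open somewhere
        "vty_ssh_only": bool(vty) and all("transport input ssh" in [c.lower() for c in cmds] for _, cmds in vty),
        "ssh_version_2": re.search(r"^ip ssh version 2$", config, re.M) is not None,
    }
```

The k9 image requirement Rick mentions cannot be read from the configuration text, so it is not checked here.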

Maria

I am glad that our responses were helpful to you. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that there were responses which did resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick