Enabling SSH on Router and at the same time enabling Authentication via lin

jkbnetwork
Level 1

I want to enable SSH on the virtual terminal lines (line vty) and at the same time keep the option of authentication via the line password. Is there some way out?

12 Replies

Manish Prasad
Level 5

Yes, you can enable SSH and Telnet on the same router using the command "transport input telnet ssh".

Thanks

Prasad

glen.grant
VIP Alumni

Yes, you can allow both Telnet and SSH coming into the box. It kind of defeats the purpose of SSH if Telnet is left on, though.

Hi Glen

What I want is that when I enable SSH on my routers, the steps involved are like:

hostname

domain name

crypto key generate

ip ssh time-out / authentication-retries

and when the TACACS server goes down, is there some way to authenticate using the line password? Otherwise I have to hard-code a local username and password on each router, which I don't want.

If you have the line password and the enable secret passwords defined, it will fail over to those if authentication like TACACS or RADIUS is not available. That's how our whole account is set up.

I believe that the issue is that SSH wants a user name and password to authenticate. I am not aware of a way to get SSH to authenticate with just a password.

HTH

Rick


Rick, if you have TACACS authentication as the primary login, you don't need a username and password if you have the normal line and enable secret passwords defined. If you don't have a TACACS or RADIUS setup, then yes, I believe you do need a username and password set up to authenticate against.

Glen

I am surprised at this statement: "if you have tacacs authentication as the primary login you don't need a username and password".

If you have TACACS set up, how do you authenticate without a user name? When I look at the debug for TACACS, I find that TACACS prompts for the username before it prompts for the password. The whole point of TACACS is that you get individual passwords, not a shared password.

Also, this statement in one of Muneer's posts is clear that the concern is how to authenticate when TACACS is not available: "and when the TACACS server goes down, is there some way to authenticate using the line password? Otherwise I have to hard-code a local username and password on each router, which I don't want."

And I do not know how to do the local authentication without a user name.

HTH

Rick


Edison

Very interesting :)

I was not aware of this. (and learning this kind of thing is one of the reasons I keep active in the forum)

Thanks

Rick


Out of curiosity, what were you not aware of? Thanks.

Wil

I was not aware that, while you must enter a user name to authenticate an SSH connection, IOS does not check the name if the device is configured to authenticate using the line password.

HTH

Rick


wil_amaya
Level 1

aaa authentication login default group tacacs local

By adding "local" to the end of that line you are saying: try TACACS first, and if that's down, then use the locally set up username and password. That's assuming you have AAA enabled on your router/switch and that you are using TACACS. If you were using RADIUS you can just substitute with

aaa authentication login default group radius local

This also assumes that you've already enabled SSH on the router. Otherwise Telnet will work unless you've disabled it for some reason. SSH is safer to use than Telnet as well.

I hope I've understood your question correctly.
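Pulling the thread together as one added IOS configuration example (not posted by anyone in this thread): the SSH prerequisites listed earlier (hostname, domain name, RSA key, ip ssh time-out and authentication-retries), an enable secret and a vty line password as Glen describes, and a default login method list in the style of wil_amaya's post. The hostname, domain name, TACACS+ server address and every secret shown are placeholders chosen for illustration, not values from the thread. The method list uses the IOS "line" keyword so that the vty line password is the fallback the original poster asked about; swap "line" for "local" to get the per-device username/password fallback from wil_amaya's post instead.

```ios
! Added example, not from any poster in this thread. Hostname, domain name,
! server address and all secrets are placeholders chosen for illustration.
hostname R1
ip domain-name example.net
!
! RSA key pair used by the SSH server; hostname and domain name must exist
! before this command is run.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Needed to reach privileged EXEC after login, whichever method answered.
enable secret <strong-enable-secret>
!
aaa new-model
tacacs-server host 192.0.2.10 key <tacacs-shared-key>
!
! Method list: ask the TACACS+ servers first; only if every server is
! unreachable does IOS fall through to the vty line password ("line").
! Replace "line" with "local" to fall back to local username accounts.
aaa authentication login default group tacacs+ line
!
line vty 0 4
 password <vty-line-password>
 login authentication default
 transport input ssh
```

Two caveats a practitioner should check before relying on this. First, AAA only moves to the next method when the preceding one returns an error (all TACACS+ servers unreachable); a TACACS+ reject is final and does not fall through to the line password, so a locked-out user cannot bypass TACACS+ by guessing the shared password while the server is up. Second, the SSH client still sends a username, and, as Rick notes above, IOS does not check it when the "line" method answers, so every SSH login during an outage lands as "whatever name the client typed" with a single shared secret; "transport input ssh" here leaves Telnet off, per Glen's point. You can confirm the server path with "test aaa group tacacs+ <user> <password> legacy" and the SSH settings with "show ip ssh".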
