Cisco Support Community
New Member

[ACS 5.2] Switch administration using SSH

Hi,

I want to use LDAP accounts to administrate switches.

It works fine when I use telnet.

I just need to push the RADIUS attribute Login-Service (ID 15) with the Telnet value (ID 0).

Now, I want to use SSH (for security reasons).

RADIUS has to push the RADIUS attribute Login-Service (ID 15) with the SSH value (ID 50).

(For example, with Steel-Belted RADIUS: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=4174801&prodTypeId=12883&objectID=c02602225 )

The SSH value doesn't exist in the RADIUS IETF dictionary for the Login-Service attribute.

I can't create the SSH value because this dictionary is protected...

Is there a workaround?

Thanks,

Patrick

1 ACCEPTED SOLUTION
Silver

[ACS 5.2] Switch administration using SSH

Hello Patrick,

The ACS 5.x will not allow us to edit/remove/add Attribute Values to the RADIUS IETF dictionary as it is standard and reserved.

If you check the RADIUS RFC at http://www.ietf.org/rfc/rfc2865.txt under the Login-Service description, the SSH service is not listed there:

5.15.  Login-Service

   Value

      The Value field is four octets.

       0   Telnet
       1   Rlogin
       2   TCP Clear
       3   PortMaster (proprietary)
       4   LAT
       5   X25-PAD
       6   X25-T3POS
       8   TCP Clear Quiet (suppresses any NAS-generated connect string)

The Access Control System 5.x will not allow us to modify such dictionaries as RADIUS IETF in order to comply with the documented standards.

The best approach at this point would be to contact the switch vendor in order to determine how to enable SSH on those devices.

Hope this helps. Regards.
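
As an added illustration (not code from the thread, from Cisco ACS or from any RADIUS vendor), the following Python encodes and decodes the Login-Service attribute exactly as RFC 2865 lays it out (type 15, length 6, four-octet value) and checks a received value against the RFC table, so the wire bytes make clear why 50 is a vendor extension outside the IETF dictionary. The sample Access-Accept attribute bytes are constructed for the example.

```python
import struct

# RFC 2865 section 5.15: Login-Service is attribute type 15; its value is four octets.
LOGIN_SERVICE_TYPE = 15
# Names as listed in RFC 2865 (value 7 is not assigned there).
IETF_LOGIN_SERVICE = {
    0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster (proprietary)",
    4: "LAT", 5: "X25-PAD", 6: "X25-T3POS", 8: "TCP Clear Quiet",
}
# Value 50 is the SSH code the thread attributes to Steel-Belted RADIUS; it is a
# vendor extension, not an IETF-dictionary value, which is why ACS 5.x refuses it.
EXTENSION_LOGIN_SERVICE = {50: "SSH (Steel-Belted RADIUS extension, not in RFC 2865)"}
# Constructed sample: Service-Type(6)=Login(1) followed by Login-Service(15)=Telnet(0).
SAMPLE_TELNET_ACCEPT = bytes.fromhex("060600000001" "0f0600000000")


def encode_login_service(value: int) -> bytes:
    """Build one Login-Service AVP: Type (1 octet) | Length (1 octet) | Value (4 octets)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Login-Service value must fit in four octets")
    return struct.pack("!BBI", LOGIN_SERVICE_TYPE, 6, value)


def decode_attributes(payload: bytes):
    """Walk a RADIUS attribute list and return (type, value_bytes) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def classify_login_service(payload: bytes) -> str:
    """Say which login service the NAS is told to use and whether the code is IETF-standard."""
    for atype, raw in decode_attributes(payload):
        if atype != LOGIN_SERVICE_TYPE:
            continue
        if len(raw) != 4:
            raise ValueError("Login-Service value must be exactly four octets")
        (value,) = struct.unpack("!I", raw)
        if value in IETF_LOGIN_SERVICE:
            return "ietf:" + IETF_LOGIN_SERVICE[value]
        if value in EXTENSION_LOGIN_SERVICE:
            return "extension:" + EXTENSION_LOGIN_SERVICE[value]
        return "unknown:%d" % value
    return "absent"
```

Running `classify_login_service` over what a NAS actually receives is a quick way to audit whether a server is handing out the Telnet code (0) where SSH was intended.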

2 REPLIES

New Member

[ACS 5.2] Switch administration using SSH

Hello Carlos,

Thanks for your answer!

I will contact the switch vendor, but I don't think they have other solutions.

Other RADIUS solutions allow us to modify RADIUS IETF dictionaries.

Best regards,

Patrick
