Cisco Support Community
Community Member

TACACS and SSH

Can I use SSH with TACACS? I would like the authentication to be fully encrypted, and I believe TACACS sends clear text, as opposed to SSH. If someone can point me to a doc or a sample config for Cisco routers and switches, I would appreciate it.

Thanks.

4 REPLIES
Hall of Fame Super Gold

Re: TACACS and SSH

Nawaz

You certainly can use TACACS to authenticate sessions with SSH. It works just exactly the same as authenticating sessions with telnet. There is no configuration difference in aaa configuration to authenticate sessions on the vty ports with either telnet or ssh.

And I believe that you have it backwards about sending in clear text. TACACS does encrypt the message while RADIUS sends clear text.

HTH

Rick

Bronze

Re: TACACS and SSH

Hi, you can of course use SSH. More networks should use it, but not all can upgrade their IOS to IPSEC 3DES.

And like he said, TACACS+ uses TCP for its transport and with the shared key the packet body is encrypted.

To do a SSH config on a router:

1. Your IOS must have IPSec DES or 3DES encryption, typically the flash file will look something like this: c2600-ik9o3s3-mz.122-15.T9.bin.

2. Configure the router's Hostname

3. Configure a domain name, like this: ip domain-name Tech.com

4. Create an RSA encryption key pair like this:

a. TEST(config)# crypto key generate rsa

b. How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]

5. Enable ssh on your VTY Lines

Lastly, if you manually telnet to a router, remember it uses port 22.

Cheers

P
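An added example, not part of the original posts: a small Python check that reads an IOS running-config and reports whether the hostname and domain name are set, whether every vty accepts only SSH, and whether vty logins go through a TACACS+ method list. The sample config is constructed; the server address, shared key and the `aaa`/`tacacs-server` lines are assumptions that do not appear in the thread.

```python
import re

# Constructed sample running-config; address, key and names are placeholders.
SAMPLE_CONFIG = """\
hostname TEST
ip domain-name Tech.com
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
line vty 0 4
 transport input ssh
 login authentication default
"""

def vty_blocks(config):
    """Return {header: [sub-commands]} for each 'line vty' section."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("hostname not set (needed to name the RSA key)")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("ip domain-name not set (needed to name the RSA key)")
    methods = re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M)
    tacacs_lists = {name for name, rest in methods if "group tacacs+" in rest}
    if not tacacs_lists:
        findings.append("no login method list uses 'group tacacs+'")
    for header, cmds in vty_blocks(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: not restricted to SSH (want 'transport input ssh')")
        used = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        # With aaa new-model, a vty with no explicit list uses 'default'.
        if (used[0] if used else "default") not in tacacs_lists:
            findings.append(f"{header}: login does not use a TACACS+ method list")
    return findings
```

The RSA key pair from step 4 is not stored in the running-config, so this check cannot confirm it.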

Community Member

Re: TACACS and SSH

Thanks guys, I appreciate all your help.

Bronze

Re: TACACS and SSH

You're welcome. Thanks for the vote.

:)
