Cisco Support Community
New Member

Enabling SSH on Router and at the same time enabling Authentication via lin

I want to enable SSH on the virtual terminal line (line vty) and at the same time keep the option of authentication via the line password. Is there some way out?

12 REPLIES

Re: Enabling SSH on Router and at the same time enabling Authent

Yes, you can enable SSH and Telnet on the same router using the command "transport input telnet ssh".

Thanks

Prasad

Purple

Re: Enabling SSH on Router and at the same time enabling Authent

Yes, you can allow both Telnet and SSH coming into the box. Kind of defeats the purpose of SSH if Telnet is left on, though.

New Member

Re: Enabling SSH on Router and at the same time enabling Authent

Hi Glen

What I want is that when I enable SSH on my routers, steps involved like

hostname

domain name

crypto key generate

ip ssh time out /authentication retries

and when the TACACS server goes down, is there some way to authenticate using the line password, as otherwise I have to make a local username and password hardcoded on each router, which I don't want.

Purple

Re: Enabling SSH on Router and at the same time enabling Authent

If you have the line password and the enable secret passwords defined, it will fail over to those if authentication like TACACS or RADIUS is not available. That's how our whole account is set up.

Hall of Fame Super Silver

Re: Enabling SSH on Router and at the same time enabling Authent

I believe that the issue is that SSH wants a user name and password to authenticate. I am not aware of a way to get SSH to authenticate with just a password.

HTH

Rick

Purple

Re: Enabling SSH on Router and at the same time enabling Authent

Rick, if you have TACACS authentication as the primary login you don't need a username and password if you have the normal line and enable secret passwords defined. If you don't have a TACACS or RADIUS setup then yes, I believe you do need a username and password set up to authenticate against.

Hall of Fame Super Silver

Re: Enabling SSH on Router and at the same time enabling Authent

Glen

I am surprised at this statement: "if you have tacacs authentication as the primary login you don't need a username and password"

If you have TACACS set up, how do you authenticate without a user name? When I look at debug for TACACS I find that the TACACS prompts for the username before it prompts for the password. The whole point of TACACS is that you get individual passwords, not a shared password.

Also this statement in one of Muneer's posts is clear that the concern is how to authenticate when TACACS is not available: "and when the TACACS server goes down, is there some way to authenticate using the line password, as otherwise I have to make a local username and password hardcoded on each router, which I don't want".

And I do not know how to do the local authentication without a user name.

HTH

Rick

Hall of Fame Super Bronze

Re: Enabling SSH on Router and at the same time enabling Authent

Hall of Fame Super Silver

Re: Enabling SSH on Router and at the same time enabling Authent

Edison

Very interesting :)

I was not aware of this. (And learning this kind of thing is one of the reasons I keep active in the forum.)

Thanks

Rick

New Member

Re: Enabling SSH on Router and at the same time enabling Authent

Out of curiosity, what were you not aware of? Thanks.

Hall of Fame Super Silver

Re: Enabling SSH on Router and at the same time enabling Authent

Wil

I was not aware that, while you must enter a user name to authenticate an SSH connection, the IOS does not check the name if the device is configured to authenticate using the line password.

HTH

Rick

New Member

Re: Enabling SSH on Router and at the same time enabling Authent

aaa authentication login default group tacacs+ local

By adding the local to the end of that line you are saying: try TACACS first, and if that's down, then use the locally set up username and password. That's assuming you have AAA enabled on your router/switch and that you are using TACACS. If you were using RADIUS you can just substitute with

aaa authentication login default group radius local

This also assumes that you've already enabled SSH to the router. Otherwise Telnet will work unless you've disabled it for some reason. SSH is safer to use than Telnet also.

I hope I've understood your question correctly.
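
The points raised across this thread (a fallback method after the AAA server, a line password to back a `line` fallback, and Telnet left enabled beside SSH) can be checked offline against a saved running-config. The script below is an added example, not code from any poster or from Cisco; the sample configuration is constructed, the password is a placeholder, and the function names `vty_blocks` and `audit` are hypothetical. It only recognises the built-in `tacacs+` and `radius` groups, not named server groups.

```python
import re
# Constructed sample running-config (not from the thread); password is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
aaa new-model
aaa authentication login default group tacacs+ line
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 password PLACEHOLDER-LINE-PASSWORD
 transport input telnet ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' section."""
    header, body = None, []
    for line in config.splitlines():
        if header and line.startswith(" "):
            body.append(line.strip())   # indented line belongs to the open section
            continue
        if header:
            yield header, body          # a non-indented line closes the section
        header, body = (line, []) if line.startswith("line vty") else (None, [])
    if header:
        yield header, body

def audit(config):
    """Return findings about the default login method list and the vty lines."""
    findings = []
    m = re.search(r"^aaa authentication login default (.+)$", config, re.M)
    methods = m.group(1).split() if m else []
    servers = [x for x in methods if x in ("tacacs+", "radius")]
    fallback = [x for x in methods if x in ("local", "line", "enable")]
    if servers and not fallback:
        findings.append("no fallback method if the AAA server is unreachable")
    if "local" in fallback and not re.search(r"^username \S+", config, re.M):
        findings.append("'local' fallback but no username configured")
    for header, body in vty_blocks(config):
        if "line" in fallback and not any(c.startswith("password ") for c in body):
            findings.append(f"{header}: 'line' fallback but no line password")
        transport = next((c.split()[2:] for c in body if c.startswith("transport input")), [])
        if "telnet" in transport or "all" in transport:
            findings.append(f"{header}: telnet accepted alongside SSH")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
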
