I want to enable SSH on the virtual terminal line (line vty) and at the same time keep the option of authentication via the line password. Is there some way out?
Yes, you can enable SSH and Telnet on the same router using the command "transport input telnet ssh".
Yes, you can allow both Telnet and SSH coming into the box. Kind of defeats the purpose of SSH if Telnet is left on, though.
What I want is that when I enable SSH on my routers, the steps involved are like:
crypto key generate
ip ssh time-out / authentication-retries
And when the TACACS server goes down, is there some way to authenticate using the line password? Otherwise I have to hard-code a local username and password on each router, which I don't want.
If you have the line password and the enable secret passwords defined, it will fail over to those if authentication like TACACS or RADIUS is not available. That's how our whole account is set up.
I believe that the issue is that SSH wants a user name and password to authenticate. I am not aware of a way to get SSH to authenticate with just a password.
Rick, if you have TACACS authentication as the primary login you don't need a username and password if you have the normal line and enable secret passwords defined. If you don't have a TACACS or RADIUS setup then yes, I believe you do need a username and password set up to authenticate against.
I am surprised at this statement: "if you have tacacs authentication as the primary login you don't need a username and password"
If you have TACACS set up, how do you authenticate without a user name? When I look at debug for TACACS I find that the TACACS prompts for the username before it prompts for the password. The whole point of TACACS is that you get individual passwords not a shared password.
Also, this statement in one of Muneer's posts is clear that the concern is how to authenticate when TACACS is not available: "and when TACACS server goes down, is there some way to authenticate using line password as otherwise I have to make local username and password hardcoded on each router which I don't want".
And I do not know how to do the local authentication without a user name.
Very interesting :)
I was not aware of this. (and learning this kind of thing is one of the reasons I keep active in the forum)
I was not aware that, while you must enter a user name to authenticate an SSH connection, the IOS does not check the name if the device is configured to authenticate using the line password.
aaa authentication login default group tacacs+ local
By adding "local" to the end of that line you are saying: try TACACS first, and if that's down, then use the locally set up username and password. That's assuming you have AAA enabled on your router/switch and that you are using TACACS. If you were using RADIUS you can just substitute with
aaa authentication login default group radius local
This also assumes that you've already enabled SSH to the router. Otherwise Telnet will work unless you've disabled it for some reason. SSH is safer to use than Telnet also.
I hope I've understood your question correctly.
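Putting the pieces from this thread together, here is an added example IOS configuration (not posted by anyone in the thread) showing SSH-only vty access with TACACS+ as the primary login method and a fallback for when no TACACS+ server answers. The hostname, domain name, server address and the placeholder secrets are assumptions; replace them for your own devices.

```cisco
! Added example, not from the thread. Placeholders in <...> must be replaced.
hostname R1
! A domain name is required before "crypto key generate rsa" will run (assumed value).
ip domain-name example.test
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key <TACACS-KEY-PLACEHOLDER>
!
aaa group server tacacs+ TAC-GROUP
 server name ACS1
!
! Method list order matters: "local" is consulted only when every TACACS+ server
! fails to respond (transport error), NOT when the server rejects the credentials.
aaa authentication login default group TAC-GROUP local
!
! Alternative discussed in the thread: fall back to the vty line password instead
! of a local user. SSH still prompts for a username, but IOS does not check it
! when the "line" method is the one that authenticates the session.
! aaa authentication login default group TAC-GROUP line
!
aaa authentication enable default group TAC-GROUP enable
!
username admin privilege 15 secret <LOCAL-SECRET-PLACEHOLDER>
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! Run once from privileged EXEC (not a config-mode line), after ip domain-name:
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login authentication default
 ! SSH only. "transport input telnet ssh" would also accept cleartext Telnet.
 transport input ssh
 ! Only used if the "line" fallback method above is chosen.
 password <LINE-PASSWORD-PLACEHOLDER>
```

Test the fallback before relying on it: block the TACACS+ server temporarily and confirm the local (or line) credentials are accepted, then confirm that a wrong password with the server reachable is rejected rather than silently falling through.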