01-03-2009 05:07 PM - edited 03-04-2019 03:19 AM
I have an ACS 3.3 server, and authenticate via TACACS, through telnet. This is the configuration that I have in the routers:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs
tacacs-server host s.s.s.s
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxxx
line vty 0 4
password 7 ppppppppppppppppp
What should I do to connect to all routers via SSH and continue authenticating through TACACS?
01-03-2009 06:45 PM
Maria
The configuration that you have shown us should process for SSH just as well as it does for telnet. No changes in authentication processing are required in the aaa configuration to allow SSH as well as telnet.
You have not shown us the configuration of the vty lines, so we do not know what is there. If you have not changed the configuration of the vty lines (especially the transport input parameter) then SSH should be processed similar to the processing of telnet.
To enable SSH you do need to do a few things in the configuration:
- you must be running an image (and feature set) that supports SSH (look for k9 in the image file name as an indicator that SSH is supported).
- you must generate encryption keys to enable SSH. Use the crypto key generate command to do this. For this command to work you must have configured a non-default hostname for the device and you must have configured a non-default domain name.
HTH
Rick
01-03-2009 07:28 PM
Hi Rick,
Thank you for responding.
According to what you wrote I must implement the following commands in all the routers:
cry key generate rsa
hostname maria
ip domain-name forum.cisco.com
line vty 0 4
transport input SSH
If I use "putty" to connect to the different routers through SSH, do I only need to put in the IP and select SSH in the application? Does the application automatically obtain the key generated by each router?
01-04-2009 05:42 AM
Hi,
Any answer?
thanks
01-04-2009 02:41 PM
Maria,
The hostname, and IP domain name information will need to be configured before the SSH key can be generated on the router.
Yes, your statement about using putty is correct. The first time you connect to a router using putty, it will import the SSH key.
Here is a guide that has some detailed information about using SSH on your router.
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
HTH,
Mark
01-04-2009 02:55 PM
Maria
As Mark has said, your commands are correct, and the hostname and domain name must be configured before the crypto key generate command can be used.
By default the router will accept both telnet and SSH for remote access. If you configure this:
line vty 0 4
transport input SSH
it will disable telnet and will restrict remote access to only SSH. If that is what you intend then go ahead with these commands.
HTH
Rick
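As an added example (not from any of the posters above), a small Python audit that checks a saved IOS configuration for the points raised in this thread: a non-default hostname and an ip domain-name (prerequisites for crypto key generate rsa), a TACACS+ login method, and vty lines whose transport input is restricted to ssh only so that telnet is no longer accepted. The sample configuration embedded in it is constructed for the example.

```python
# Constructed sample config: the second vty range still accepts telnet.
SAMPLE_CONFIG = """\
hostname maria
ip domain-name forum.cisco.com
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_ios_blocks(config):
    """Split an IOS config into (header, [sub-lines]) blocks: a line at
    column 0 starts a block, indented lines belong to it (e.g. 'line vty 0 4')."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(line)
        else:
            current = (line, [])
            blocks.append(current)
    return blocks

def audit_ssh_config(config):
    """Return findings for a config meant to be SSH-only with TACACS+ login.
    An empty list means every check passed."""
    blocks = parse_ios_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    # crypto key generate rsa needs a non-default hostname and a domain name
    host = next((h[len("hostname "):].strip() for h in headers if h.startswith("hostname ")), "")
    if host in ("", "router"):
        findings.append("hostname missing or default; needed before crypto key generate rsa")
    if not any(h.startswith("ip domain-name ") for h in headers):
        findings.append("ip domain-name missing; needed before crypto key generate rsa")
    if not any(h.startswith("aaa authentication login default ") and "tacacs+" in h for h in headers):
        findings.append("no 'aaa authentication login default ... group tacacs+' line")
    # with no transport input set, the router accepts both telnet and SSH
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input', telnet still accepted by default")
        elif transports[-1] != ["ssh"]:
            findings.append(f"{header}: transport input allows {' '.join(transports[-1])}, not ssh only")
    return findings
```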
01-05-2009 03:54 AM
This is a good recommendation.
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
01-05-2009 05:08 AM
Maria
I am glad that our responses were helpful to you. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that there were responses which did resolve the question.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick