162
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
The switch supports an SSHv1 client.
SSH supports the Data Encryption Standard (DES) encryption algorithm, the Triple DES (3DES) encryption algorithm, and
password-based user authentication.
SSH also supports these user authentication methods:
TACACS+ (for more information, see Configuring TACACS+, page 169)
RADIUS (for more information, see Configuring Radius Server Communication, page 172)
Local authentication and authorization (for more information, see Configuring the Switch for Local Authentication and
Authorization, page 178)
Note: This software release does not support IP Security (IPSec).
Limitations
These limitations apply to SSH:
The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
SSH supports only the execution-shell application.
The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
The switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key,
or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
SSH Configuration Guidelines
Follow these guidelines when configuring the switch as an SSH server or SSH client:
An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key
pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa
command. For more information, see Setting Up the Switch to Run SSH, page 179.
When generating the RSA key pair, the message
No host name specified might appear. If it does, you must
configure a hostname by using the hostname global configuration command.
When generating the RSA key pair, the message
No domain specified might appear. If it does, you must configure
an IP domain name by using the ip domain-name global configuration command.
When configuring the local authentication and authorization authentication method, make sure that AAA is disabled
on the console.
Switch for Secure Socket Layer HTTP
Secure Socket Layer (SSL) version 3.0 supports the HTTP 1.1 server and client. SSL provides server authentication,
encryption, and message integrity, as well as HTTP client authentication, to allow secure HTTP communications. To use
this feature, the cryptographic (encrypted) software image must be installed on your switch. You must obtain
authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information
about the crypto image, see the release notes for this release.
To Next Page
Loading...
Need help?
General