8-34
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Configuring the Switch for Secure Shell
SSH supports the Data Encryption Standard (DES) encryption algorithm, the Triple DES (3DES)
encryption algorithm, and password-based user authentication.
SSH also supports these user authentication methods:
•
(for more information, see the
“Controlling Switch Access with ” section on
•
RADIUS (for more information, see the
“Controlling Switch Access with RADIUS” section on
•
Local authentication and authorization (for more information, see the
Local Authentication and Authorization” section on page 8-32
Note
This software release does not support IP Security (IPSec).
Limitations
•
The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
•
SSH supports only the execution-shell application.
•
The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data
encryption software.
•
The switch does not support the Advanced Encryption Standard (AES) symmetric encryption
algorithm.
Configuring SSH
•
Configuration Guidelines, page 8-34
•
Setting Up the Switch to Run SSH, page 8-35
(required)
•
Configuring the SSH Server, page 8-36
(required only if you are configuring the switch as an SSH
server)
Configuration Guidelines
Follow these guidelines when configuring the switch as an SSH server or SSH client:
•
An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
•
If you get CLI error messages after entering the
crypto key generate rsa
global configuration
command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then
enter the
crypto key generate rsa
command. For more information, see the
to Run SSH” section on page 8-35
•
When generating the RSA key pair, the message
No host name specified
might appear. If it does,
you must configure a hostname by using the
hostname
global configuration command.
•
When generating the RSA key pair, the message
No domain specified
might appear. If it does, you
must configure an IP domain name by using the
ip domain-name
global configuration command.
•
When configuring the local authentication and authorization authentication method, make sure that
AAA is disabled on the console.