aaa authentication to a router/switch

cisco_kid2008

I would like to turn on AAA for all of my switches/routers. I am planning on using radius through IAS. All of the guides i have read state for authentication on the IAS side use pap which is clear text. Obviously if I use telnet it will be clear text anyways. What happens if i want to use ssh will that still be clear text.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

CCIEWANNABE

um, no. ssh will be encrypted and the key encryption is 1024 i think by default on cisco routers unless otherwise specified. to enable ssh you must:

1) configure router with hostname
2) configure router with domain name
3) configure router with crypto key generate-rsa (at this time you will be able to specify size of key encryption)
4) enable the specified vty ports on your router to use ssh with the command: transport input ssh.
NOW TO ADD AAA AUTHENTICATION WITH SSH YOU MUST:
5) enable aaa with aaa new-model command (at this time forward all other authentication methods will not work, only those specified by aaa)
6) figure out what kind of aaa authentication you would like to perform (i.e. radius, tacacs, or local) and enable aaa authentication default group radius/tacacs/local
7) then set the appropriate aaa authentication command under the vty line configuration.

hope this helps :]
anybody want to help me out as well. i may have missed something, i am kinda buzzed.

cisco_kid2008

Problem using putty and SSH. I have my AAA setup as radius then local. if i disable radius server and try to login i will get the initial logon as and i would enter my windows username and password and authentication will fail. Now how do i get putty to change username so i can use local credentials.

Also why is cisco network assistant really slow if my radius is down and i have to use local authentication. It takes like 10 minutes to load. If i logon when radius is up it goes through fine

cisco_trooper

kzeitler1 wrote:

Problem using putty and SSH. I have my AAA setup as radius then local. if i disable radius server and try to login i will get the initial logon as and i would enter my windows username and password and authentication will fail. Now how do i get putty to change username so i can use local credentials.

Also why is cisco network assistant really slow if my radius is down and i have to use local authentication. It takes like 10 minutes to load. If i logon when radius is up it goes through fine

I recommend you disable the auto-login username in Putty..... It is under the connection settings...

ilcram19-2

example of simple ias authentication, this configuration will use the radius authen first, the only time that it would use the local database is when the radius server is down otherwhise if wrong password and username access will be denied

*** enable AAA ***

aaa new-model

*** AAA using RADIUS first if not RADIUS up LOCAL router's database***

aaa authentication login IAS group radius local

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key **********************

line vty 0 4
privilege level 15
login authentication IAS

which is the name of the radius group