11-22-2006 07:20 AM - last edited on 03-25-2019 05:23 PM by ciscomoderator
Can I use ssh with TACACS? I would like the authentication to be fully encrypted and I believe Tacacs sends the clear text as opposed to ssh. If someone can point me to a doc or a sample config for Cisco routers and switches I would appreciate it.
Thanks.
11-22-2006 08:36 AM
Nawaz
You certainly can use TACACS to authenticate sessions with SSH. It works just exactly the same as authenticating sessions with telnet. There is no configuration difference in aaa configuration to authenticate sessions on the vty ports with either telnet or ssh.
And I believe that you have it backwards about sending in clear text. TACACS does encrypt the message while radius sends clear text.
HTH
Rick
11-23-2006 07:06 AM
Hi, you can of course use SSH. More networks should use it, but not all can upgrade their IOS to IPSEC 3DES.
And like he said, TACACS+ uses TCP for its transport and with the shared key the packet body is encrypted.
To do a SSH config on a router:
1. Your IOS must have IPSec DES or 3DES encryption, typically the flash file will look something like this: c2600-ik9o3s3-mz.122-15.T9.bin.
2. Configure the router's Hostname
3. Configure a domain name, like this: ip domain-name Tech.com
4. Create an RSA encryption key pair like this:
a. TEST(config)# crypto key generate rsa
b. How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]
5. Enable ssh on your VTY Lines
Lastly, if you manually telnet to a router, remember it uses port 22.
Cheers
P
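The steps in the post above, collected into one IOS configuration as an added example; this is not the poster's config or a Cisco document. The hostname and domain name reuse the values from the post, while the TACACS+ server address 10.0.0.5, the shared key, and the local fallback account are constructed placeholders. A 2048-bit modulus is used instead of the 768 bits shown in the post, and the older `tacacs-server host` syntax is assumed to match the IOS releases of that era.

```cisco
! Added example (not from the thread): SSH on the vty lines with TACACS+ login.
! 10.0.0.5 and the two secrets are constructed placeholders.
!
! Steps 2 and 3: hostname and domain name must exist before the key pair is generated
hostname TEST
ip domain-name Tech.com
!
! Step 4: RSA key pair; 2048 bits is a stronger choice than the 768 shown in the post
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! TACACS+ over TCP with a shared key, so the packet body is encrypted as noted above
aaa new-model
tacacs-server host 10.0.0.5 key TACACS-KEY-PLACEHOLDER
aaa authentication login VTY-AUTH group tacacs+ local
aaa authorization exec VTY-AUTHZ group tacacs+ local
!
! Local fallback account, consulted only when every TACACS+ server is unreachable
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! Step 5: vty lines accept SSH only and authenticate through the TACACS+ method list
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Because the same method list is applied to the vty lines whether the client arrives over telnet or SSH, the AAA section is unchanged from a telnet setup; only `transport input ssh` differs, and it refuses telnet entirely. After applying it, `show ip ssh` should report SSH version 2 enabled and `show tacacs` should show the server as reachable; keep a second console or vty session open until a TACACS+ login has succeeded, since a typo in the shared key locks out every SSH user at once.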
11-24-2006 08:06 AM
Thanks guys, I appreciate all your help.
11-28-2006 02:26 AM
You're welcome. Thanks for the vote.
:)