
TACACS and SSH

nawas
Level 4

Can I use SSH with TACACS? I would like the authentication to be fully encrypted, and I believe TACACS sends clear text, as opposed to SSH. If someone can point me to a doc or a sample config for Cisco routers and switches, I would appreciate it.

Thanks.

4 Replies

Richard Burts
Hall of Fame

Nawaz

You certainly can use TACACS to authenticate sessions with SSH. It works exactly the same as authenticating sessions with telnet. There is no difference in the aaa configuration for authenticating sessions on the vty ports with either telnet or SSH.

And I believe that you have it backwards about sending in clear text. TACACS does encrypt the message, while RADIUS sends clear text.

HTH

Rick

pvanvuuren
Level 3

Hi, you can of course use SSH. More networks should use it, but not all can upgrade their IOS to IPSec 3DES.

And like he said, TACACS+ uses TCP for its transport, and with the shared key the packet body is encrypted.

To do an SSH config on a router:

1. Your IOS must have IPSec DES or 3DES encryption; typically the flash file will look something like this: c2600-ik9o3s3-mz.122-15.T9.bin.

2. Configure the router's hostname.

3. Configure a domain name, like this: ip domain-name Tech.com

4. Create an RSA encryption key pair like this:

   a. TEST(config)# crypto key generate rsa

   b. How many bits in the modulus [512]: 768 % Generating 768 bit RSA keys ...[OK]

5. Enable SSH on your VTY lines.

Lastly, if you manually telnet to a router, remember it uses port 22.

Cheers

P
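Putting the two answers together, here is an added IOS configuration example that is not from this thread or any of its posters: the aaa login method is the same one telnet would use, and the vty lines are restricted to SSH so that only the encrypted transport reaches it. The hostname, domain name, TACACS+ server address (192.0.2.10, a documentation range) and shared key are placeholders; the local user is a fallback for when the TACACS+ server is unreachable.

```cisco
! --- prerequisites for SSH (steps 2-4 above) ---
hostname R1
ip domain-name example.com            ! placeholder domain; required before key generation
crypto key generate rsa modulus 2048  ! larger modulus than the 768 shown above
ip ssh version 2                      ! disable SSHv1
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- TACACS+ authentication, shared by telnet and SSH sessions ---
aaa new-model
tacacs-server host 192.0.2.10         ! placeholder server address
tacacs-server key EXAMPLE-SHARED-KEY  ! placeholder; must match the server
! TACACS+ first, local database only if the server cannot be reached
aaa authentication login default group tacacs+ local
username admin privilege 15 secret EXAMPLE-FALLBACK-PASSWORD
!
! --- VTY lines: SSH only, using the AAA method above (step 5) ---
line vty 0 4
 transport input ssh
 login authentication default
```

Check the result with "show ip ssh" (version and key status) and "show tacacs" (server reachability) before removing any existing telnet access.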

Thanks guys, I appreciate all your help.

You're welcome. Thanks for the vote.

:)