2260 Views, 5 Helpful, 5 Replies

How to configure RSA Based User Authentication on XR?

Hello,

I have been reading Cisco docs about how to configure RSA Based User Authentication on an ASR9K.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.pdf

I have problems importing the public key to the router. No matter how I try, I always get this output:

RP/0/RSP1/CPU0:XXX#crypto key import authentication rsa  tftp://10.232.201.180/id_rsa.pub
Wed Jul 16 14:00:15.558
Cannot execute the command : Invalid argument

I have tried copying the file to Disk0: and using this path but get the same error.

Could anyone help me by explaining step by step how to configure RSA Based User Authentication?

 

Thanks

Accepted Solution

Alexei Kiritchenko (Cisco Employee)

Hi

1. Generate a key on your station
 ssh-keygen -t rsa -b 1024

2. Remove the key type and host, leaving only key and decrypt it using base64:
 # field 2 of id_rsa.pub is the base64 key blob; the delimiter is an escaped space
 cut -f2 -d\  id_rsa.pub | base64 -d > id_rsa2.pub

3. Import the key to the device
 (admin)#crypto key import authentication rsa username USERTEST ftp://xxxr/ak/id_rsa2.pub

4. Create a username on the device matching the imported key
!
username USERTEST
 group root-system
!

 

Regards,

/A
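The step that caused the original "Invalid argument" is step 2: the router is given the raw, base64-decoded key blob, not the one-line id_rsa.pub text. The script below is an added example (not Alexei's or Cisco's code) that does the same job as the cut/base64 one-liner but validates the result first: it checks that the key type really is ssh-rsa, that the base64 is intact, and that the decoded bytes parse as the SSH wire format (RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n), and it reports the modulus size. It assumes the router consumes the decoded blob exactly as `base64 -d` produces it, which is what the accepted answer relies on. All function names are mine, and the key material is constructed in-process (a synthetic 2048-bit odd integer stands in for a real modulus) so the script runs offline; with a real key, pass the contents of id_rsa.pub instead.

```python
"""Validate and convert an OpenSSH id_rsa.pub line into the raw ssh-rsa blob
that 'crypto key import authentication rsa' is fed (the base64 -d step above).

Added example; function names and the test key are constructed, not from the
original post or from Cisco.
"""
import base64
import struct

# Decoded blob layout (RFC 4253 section 6.6):
#   string "ssh-rsa", mpint e, mpint n
# string = uint32 big-endian length + bytes; mpint = big-endian two's complement,
# minimal length, with a 0x00 lead byte when the top bit of the value is set.


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    if value < 0:
        raise ValueError("RSA parameters are positive")
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the number positive
    return _ssh_string(raw)


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("field runs past end of blob at offset %d" % off)
    return buf[off:off + length], off + length


def build_ssh_rsa_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an ssh-rsa public key blob (used here to build test input)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def make_openssh_line(e: int, n: int, comment: str) -> str:
    """Produce the one-line id_rsa.pub format: '<type> <base64> <comment>'."""
    b64 = base64.b64encode(build_ssh_rsa_blob(e, n)).decode("ascii")
    return "ssh-rsa %s %s" % (b64, comment)


def parse_ssh_rsa_blob(blob: bytes):
    """Return (e, n) from an ssh-rsa blob; raise ValueError on anything else."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("blob is %r, not ssh-rsa" % ktype)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing bytes after modulus" % (len(blob) - off))
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def openssh_pubkey_to_blob(line: str) -> bytes:
    """Equivalent of  cut -f2 -d' ' id_rsa.pub | base64 -d  with validation.

    Only ssh-rsa is accepted because the router command is '... authentication rsa';
    the blob is parsed once so garbled or truncated base64 fails here, not on the box.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if fields[0] != "ssh-rsa":
        raise ValueError("key type %s is not ssh-rsa" % fields[0])
    blob = base64.b64decode(fields[1], validate=True)  # rejects stray characters
    parse_ssh_rsa_blob(blob)
    return blob


def modulus_bits(line: str) -> int:
    """Key size of the RSA public key in an id_rsa.pub line."""
    _e, n = parse_ssh_rsa_blob(openssh_pubkey_to_blob(line))
    return n.bit_length()


# Constructed test key: e = 65537 and a synthetic 2048-bit odd integer.
# It exercises the format handling only; it is not a real RSA modulus.
E_TEST = 65537
N_TEST = (1 << 2047) | 0x1234567890ABCDEF1
PUBKEY_LINE = make_openssh_line(E_TEST, N_TEST, "user@station")

if __name__ == "__main__":
    blob = openssh_pubkey_to_blob(PUBKEY_LINE)
    with open("id_rsa2.pub", "wb") as f:  # the file step 3 fetches from the FTP/TFTP server
        f.write(blob)
    print("wrote %d bytes, RSA-%d" % (len(blob), modulus_bits(PUBKEY_LINE)))
```

Run it against a real id_rsa.pub by replacing PUBKEY_LINE with the file's contents; a ValueError means the file would not have imported anyway. Note that `ssh-keygen -t rsa -b 1024` in step 1 produces a 1024-bit key, which is below the 2048-bit minimum in current guidance; `modulus_bits()` lets you confirm what you are about to import, and a larger `-b` value is preferable subject to what the platform accepts.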


5 Replies

Hello akiritch,

When I tried step 3 (import key to the device), I had the following output after executing the command:

"Cannot execute the command : Operation not permitted"

What could be the cause, and how could I solve it?

Regards,

Forget it, I got the output because I was trying the FTP with the username and password in the link (ftp://username:password@xxxr/ak/id_rsa2.pub).

Thank you very much. It works following your steps.

Regards

Michael, Alexei,

One follow-up question:

How does the XR know where the FTP server is? You have not provided the FTP server IP in Step 3.

In my test, I configured the SSH server on the XR and am trying to SSH from a Linux box connected to the Gig interface. The keys generated in Step 1 and Step 2 are on the Linux box.

How does XR know the id_rsa2.pub is on the Linux machine (which is the SSH client in this case)?

-Anil.

In Alexei's example xxxr was the FTP server (i.e. xxxr.cisco.com).
