Wednesday, 22 June 2016

Setup AAA and SSH on a Cisco 2960

Firstly create a local user for use with AAA:

conf t
username test privilage 15 secret $tr0ngPa$$w0rd!

Proceed by enabling AAA by issuing the following:

aaa new-model

If you wish to use remote TACACS+ servers - we can define them as follows:

tacacs-server host 10.99.99.253 key YourSecureKey
tacacs-server host 10.99.99.252 key YourSecureKey

and then creating a login authentication method list:

aaa authentication login default group tacacs+ local

or if you do have have any remote tacacs+ servers:

aaa authentication login default local

and then apply the login list to the relevent methods, for example:

line console 0
login authentication default

line vty 0
login authentication default

Define a domain for SSH:

ip domain-name yourdomain.local

and then generate the RSA key:

crypto key generate rsa modulus 2048

We can now proceed to setup SSH by enabling SSH v2:

ip ssh version 2

enable the line:

line vty 0
transport input ssh

We should also lock down the SSH access by creating an appropraite ACL:

ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log

and then apply it to a vty line:

line vty 0
access-class mgmt-ssh in

0 comments:

Post a comment