Firstly, create a local user for use with AAA. Do this before enabling AAA: once aaa new-model is on, the lines fall back to local authentication, and without a local account you can lock yourself out of the vty lines. Use secret rather than password so the credential is stored as a hash instead of reversibly encrypted:
conf t
username test privilege 15 secret $tr0ngPa$$w0rd!
Proceed by enabling AAA:
aaa new-model
If you wish to use remote TACACS+ servers, define them as follows (this is the legacy tacacs-server host syntax; newer IOS releases also accept the tacacs server <name> form with address ipv4 and key sub-commands):
tacacs-server host 10.99.99.253 key YourSecureKey
tacacs-server host 10.99.99.252 key YourSecureKey
and then create a login authentication method list. The servers are tried first; the local database is only used if none of them respond, so a wrong password on TACACS+ does not fall through to the local account:
aaa authentication login default group tacacs+ local
or, if you do not have any remote TACACS+ servers:
aaa authentication login default local
For the privilege level on the username to take effect at login under aaa new-model (rather than landing in user EXEC mode), also configure aaa authorization exec default group tacacs+ local, or aaa authorization exec default local if there are no servers.
and then apply the login list to the relevant lines. Under aaa new-model the default list is applied to every line automatically, but being explicit does no harm; use the full vty range (0 4, or 0 15 on platforms with sixteen vty lines) rather than vty 0 alone, otherwise the remaining vty lines keep whatever they had before:
line console 0
login authentication default
line vty 0 4
login authentication default
Define a domain name for SSH (the RSA key is named after the hostname and domain, so set hostname first if you have not already):
ip domain-name yourdomain.local
and then generate the RSA key:
crypto key generate rsa modulus 2048
We can now proceed to set up SSH by allowing SSH v2 only:
ip ssh version 2
and restricting the vty lines to SSH, which also disables Telnet on them:
line vty 0 4
transport input ssh
We should also lock down SSH access by creating an appropriate ACL. The explicit deny with log records rejected connection attempts, which the implicit deny at the end of the ACL would not:
ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log
and then apply it inbound to all of the vty lines (applying it to vty 0 alone leaves vty 1 onwards reachable from anywhere):
line vty 0 4
access-class mgmt-ssh in
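As an added example, not part of the original post, the following Python script audits a saved running-config for the steps above: aaa new-model, a default login method list, ip ssh version 2, and, per vty line, transport input ssh plus an inbound access-class that refers to an existing ACL ending in deny any log. It expands line vty ranges per line, which is what catches the "line vty 0 only" mistake. It assumes five vty lines (pass vty_count=16 for 0-15 platforms) and standard named ACLs; the two sample configs are constructed for the example, not captured from a device.

```python
"""Added example (not part of the original post): audit a Cisco IOS
running-config for the vty/SSH hardening described above.

Assumptions: the device has five vty lines (0-4; pass vty_count=16 for
platforms with 0-15), ACLs are standard named ACLs, and the sample
configs below are constructed, not captured from a real device."""
import re

REQUIRED_GLOBALS = ("aaa new-model", "ip ssh version 2")
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_sections(config):
    """Split a running-config into top-level commands and their indented
    sub-commands. Returns (list of top-level lines, {header: [sub-lines]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # blank lines and '!' end a section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def vty_settings(sections, vty_count):
    """Expand 'line vty A [B]' ranges so each vty number maps to the set of
    sub-commands that apply to it. A split range ('line vty 0' plus
    'line vty 1 4') is resolved per line, which is where mistakes hide."""
    per_line = {n: set() for n in range(vty_count)}
    for header, body in sections.items():
        m = VTY_RE.match(header)
        if not m:
            continue
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        for n in range(first, last + 1):
            if n in per_line:
                per_line[n].update(body)
    return per_line


def audit(config, vty_count=5):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    top, sections = parse_sections(config)
    for req in REQUIRED_GLOBALS:
        if req not in top:
            findings.append(f"missing global: {req}")
    if not any(t.startswith("aaa authentication login default ") for t in top):
        findings.append("missing: aaa authentication login default ...")
    acls = {h.split()[-1]: body for h, body in sections.items()
            if h.startswith("ip access-list standard ")}
    referenced = set()
    for n, settings in sorted(vty_settings(sections, vty_count).items()):
        if "transport input ssh" not in settings:
            findings.append(f"vty {n}: transport input not restricted to ssh")
        acl = next((s.split()[1] for s in settings
                    if s.startswith("access-class ") and s.endswith(" in")), None)
        if acl is None:
            findings.append(f"vty {n}: no inbound access-class")
        else:
            referenced.add(acl)
    for acl in sorted(referenced):
        entries = acls.get(acl)
        if entries is None:
            findings.append(f"access-class {acl} refers to an undefined ACL")
        elif not any({"deny", "any", "log"} <= set(e.split()) for e in entries):
            findings.append(f"ACL {acl} has no explicit 'deny any log' entry")
    return findings


# Constructed sample: the commands typed literally against 'line vty 0',
# which on a 0-4 device splits the range and leaves vty 1-4 as they were.
WEAK_CONFIG = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip ssh version 2
!
ip access-list standard mgmt-ssh
 10 permit 10.99.99.0 0.0.0.255
 20 deny   any log
!
line vty 0
 access-class mgmt-ssh in
 transport input ssh
line vty 1 4
 transport input telnet ssh
"""

# Constructed sample: the same settings applied to the whole vty range.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "line vty 0\n", "line vty 0 4\n").replace(
    "line vty 1 4\n transport input telnet ssh\n", "")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against the output of show running-config saved to a file; the weak sample reports eight findings (no SSH-only transport and no access-class on vty 1 through 4) while the hardened sample reports none.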