Ssh/Scp Integration With Radius Authentication; Ssh/Scp Integration With Tacacs+ Authentication; Securid Support - IBM RackSwitch G8000 Application Manual

SSH/SCP Integration with Radius Authentication

SSH/SCP Integration with TACACS+ Authentication

SecurID Support

© Copyright IBM Corp. 2011
SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified RADIUS servers for authentication. The redirection is
transparent to the SSH clients.
SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified TACACS+ servers for authentication. The redirection is
transparent to the SSH clients.
SSH/SCP can also work with SecurID, a token card-based authentication method.
The use of SecurID requires the interactive mode during login, which is not provided
by the SSH connection.
Note: There is no SNMP or Browser-Based Interface (BBI) support for SecurID
because the SecurID server, ACE, is a one-time password authentication
and requires an interactive session.
Using SecurID with SSH
Using SecurID with SSH involves the following tasks.
• To log in using SSH, use a special username, "ace," to bypass the SSH
authentication.
• After an SSH connection is established, you are prompted to enter the username
and password (the SecurID authentication is being performed now).
• Provide your username and the token in your SecurID card as a regular Telnet
user.
Using SecurID with SCP
Using SecurID with SCP can be accomplished in two ways:
• Using a RADIUS server to store an administrator password.
You can configure a regular administrator with a fixed password in the RADIUS
server if it can be supported. A regular administrator with a fixed password in the
RADIUS server can perform both SSH and SCP with no additional
authentication required.
• Using an SCP-only administrator password.
Set the SCP-only administrator password (
checking SecurID.
An SCP-only administrator's password is typically used when SecurID is not
used. For example, it can be used in an automation program (in which the tokens
of SecurID are not available) to back up (download) the switch configurations
each day.
Note: The SCP-only administrator's password must be different from the regular
administrator's password. If the two passwords are the same, the
administrator using that password will not be allowed to log in as an SSH
user because the switch will recognize him as the SCP-only administrator.
The switch will only allow the administrator access to SCP commands.
) to bypass
ssh scp-password
Chapter 4. Securing Administration
59