[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service to the local user.
[Router-luser-manage-ssh] service-type ssh
# Set a password for the local user to 123456TESTplat&! in plain text. In FIPS mode, you must set the password in interactive mode.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create ISP domain bbb and configure the domain to use local authentication and authorization for login users.
[Router] domain bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit
Verifying the configuration
# Initiate an SSH connection to the router, and enter the username ssh@bbb and the correct password. (Details not shown.) The user logs in to the router.
# Verify that the user can use the commands permitted by the network-admin user role. (Details not shown.)
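The verification step above is done interactively on the device. As an added, offline counterpart (example code, not from the configuration guide or its vendor), the script below parses a saved-configuration snippet constructed from the commands in this procedure and checks the same points a reviewer would confirm before trusting the login path: SSH server enabled, VTY lines using scheme authentication, the management user carrying the ssh service type, a password and the expected user role, and the ISP domain using local authentication and authorization. It also splits a login of the form user@domain the way the ssh@bbb username is entered. The view-grouping logic, the function names and the sample configuration text are assumptions made for this example.

```python
"""Offline audit of a Comware-style configuration for the SSH local-AAA
procedure above (added example; not from the configuration guide or its vendor).
The parser and checks are assumptions about how the saved configuration
groups commands; the sample text is constructed from the page's commands."""
from typing import Dict, List, Optional, Tuple

# Constructed sample, built from the commands in the procedure above as they
# would appear in a saved configuration ('#' separates views).
SAMPLE_CONFIG = """\
 ssh server enable
#
line vty 0 63
 authentication-mode scheme
#
local-user ssh class manage
 password simple 123456TESTplat&!
 service-type ssh
 authorization-attribute user-role network-admin
#
domain bbb
 authentication login local
 authorization login local
#
"""


def parse_views(config: str) -> Dict[str, List[str]]:
    """Group indented command lines under the view that opened them.

    Non-indented lines open a view (e.g. 'domain bbb'); a bare '#' ends it.
    Indented lines before any view are treated as system-view commands.
    """
    views: Dict[str, List[str]] = {"system-view": []}
    current = "system-view"
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = "system-view"
            continue
        if raw[0] in " \t":
            views.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            views.setdefault(current, [])
    return views


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' as entered at the SSH prompt into its two parts.

    A login without '@' returns domain None (the device then applies its
    default domain; which one is a device setting this example does not model).
    """
    user, sep, domain = login.partition("@")
    return user, (domain if sep else None)


def audit_ssh_local_aaa(config: str, user: str, domain: str, role: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    views = parse_views(config)
    findings: List[str] = []

    if "ssh server enable" not in views["system-view"]:
        findings.append("SSH server is not enabled")

    vty_views = [v for v in views if v.startswith("line vty")]
    if not vty_views:
        findings.append("no VTY line configuration found")
    for v in vty_views:
        if "authentication-mode scheme" not in views[v]:
            findings.append(f"{v}: authentication-mode is not 'scheme'")

    user_cmds = views.get(f"local-user {user} class manage")
    if user_cmds is None:
        findings.append(f"management user '{user}' not found")
    else:
        if "service-type ssh" not in user_cmds:
            findings.append(f"user '{user}': service-type ssh not assigned")
        if not any(c.startswith("password ") for c in user_cmds):
            findings.append(f"user '{user}': no password configured")
        if f"authorization-attribute user-role {role}" not in user_cmds:
            findings.append(f"user '{user}': user-role {role} not assigned")

    domain_cmds = views.get(f"domain {domain}")
    if domain_cmds is None:
        findings.append(f"ISP domain '{domain}' not found")
    else:
        for method in ("authentication login local", "authorization login local"):
            if method not in domain_cmds:
                findings.append(f"domain '{domain}': missing '{method}'")
    return findings


if __name__ == "__main__":
    login_user, login_domain = split_login("ssh@bbb")
    assert login_domain is not None
    for finding in audit_ssh_local_aaa(SAMPLE_CONFIG, login_user, login_domain, "network-admin") or ["OK"]:
        print(finding)
```

Running the script against the constructed sample prints OK; changing the VTY line to authentication-mode none, or asking for a role the user was never given, produces a finding for exactly that check, which is the behaviour to expect when the script is pointed at a real saved configuration.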
AAA for SSH users by an HWTACACS server
Network requirements
As shown in Figure 15, configure the router to meet the following requirements:
• Use the HWTACACS server for SSH user authentication, authorization, and accounting.
• Assign the default user role network-operator to SSH users after they pass authentication.
• Send usernames without domain names to the HWTACACS server.
• Use expert as the shared keys for secure HWTACACS communication.