Steps for configuring and using SSH for switch and client authentication

The switch supports client public-key authentication only at the login (operator) level. For two-way authentication, in which the switch proves its identity to the client with its host key and the client proves its identity to the switch with a client public key, you must therefore configure client public-key authentication for the login (operator) level.

Procedure

A. Client preparation

  1. Install an SSH client application on a management station to be used for access to the switch. (See the documentation provided with your SSH client application.)
  2. Optional–If you want the switch to authenticate the client by its public key:
    1. Either generate a public/private key pair on the client computer (if your client application allows) or import a client key pair generated with another SSH application.

    2. Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public-key file to the switch. The client public-key file can hold up to 10 client keys. This topic is covered under Creating a client public-key text file.

B. Switch preparation

  1. Assign a login (operator) and enable (manager) password on the switch, see Configuring the switch for SSH operation for details.
  2. Generate a public/private key pair on the switch, see Configuring the switch for SSH operation for details.

    You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. You can remove or replace this key pair, if necessary.

  3. Copy the switch public key to each SSH client that you want to use to access the switch, so the client can verify the switch's identity instead of accepting an unknown host key on the first connection (see the related topic for more details).
  4. Enable SSH on the switch, see Configuring the switch for SSH operation for more details.
  5. Configure the primary and secondary authentication methods for the switch to use. In all cases, the switch uses its host public key to authenticate itself to the client when the client opens an SSH session; the authentication methods below govern how the switch authenticates the client.
    • SSH Login (operator) options:

      NOTE:

      If you want the switch to perform client public-key authentication, you must configure the switch with Option B.

      • Option A:

        Primary: Local, TACACS+, or RADIUS password

        Secondary: Local password or none. If the primary option is local, the secondary option must be none.

      • Option B:

        Primary: Client public-key authentication (SSH client public-key authentication notes)

        Secondary: none

    • SSH Enable (manager) options:

      Primary: Local, TACACS+, or RADIUS

      Secondary: Local password or none. If the primary option is local, the secondary option must be none.

  6. Use your SSH client to access the switch using the switch IP address or DNS name (if allowed by your SSH client application). See the documentation provided with the client application.
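The client-side part of this procedure (steps A.2, B.3 and B.6) as an added shell example; this is not from the switch documentation and not the switch's own software. It generates a client key pair with OpenSSH, assembles the ASCII client public-key file for the TFTP server (enforcing the page's limit of 10 keys), pins the switch host key in the client's known_hosts so step B.6 does not rely on trust-on-first-use, and connects. The file and host names, the user name and the sample key lines are constructed placeholders; the switch CLI commands quoted in comments are taken from the ProCurve/ArubaOS-Switch CLI reference and are an assumption to confirm against your switch's own documentation.

```shell
#!/bin/sh
# Added example (not from the switch documentation): client-side preparation
# for SSH with switch host-key and client public-key authentication.
# Assumptions: client public keys are in OpenSSH one-line format
# ("ssh-rsa AAAA... comment"); the 10-key limit per file is from the page.

MAX_KEYS=10

# Step A.2.1: generate a client key pair if none exists (needs OpenSSH ssh-keygen).
generate_client_key() {
    keyfile="$1"
    [ -f "$keyfile" ] && return 0
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$keyfile" -C "switch-admin@$(hostname)"
}

# Accept one OpenSSH public-key line: key type, base64 blob, optional comment.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ssh-ed25519) [A-Za-z0-9+/]+=*( .*)?$'
}

# Number of keys (non-blank lines) in a client public-key file.
count_keys() {
    grep -c -v '^[[:space:]]*$' "$1"
}

# Step A.2.2: build the ASCII file the switch downloads, one key per line.
# Blank lines and '#' comments in the input files are skipped.
# Returns 1 on a malformed key line, 2 if more than MAX_KEYS keys would be written.
build_client_keyfile() {
    out="$1"; shift
    : > "$out"
    n=0
    for pub in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            is_pubkey_line "$line" || { echo "malformed key in $pub" >&2; return 1; }
            n=$((n + 1))
            [ "$n" -le "$MAX_KEYS" ] || { echo "more than $MAX_KEYS keys" >&2; return 2; }
            printf '%s\n' "$line" >> "$out"
        done < "$pub"
    done
    return 0
}

# Step B.3: pin the switch host key on the client. The key line is what the
# switch shows for its host public key; compare its fingerprint out of band
# (ssh-keygen -lf) before pinning. Returns 1 if the line is not a public key.
pin_switch_hostkey() {
    switch="$1"; hostkey_line="$2"; known="$3"
    is_pubkey_line "$hostkey_line" || return 1
    printf '%s %s\n' "$switch" "$hostkey_line" >> "$known"
}

# Step B.6: connect with the pinned host key and the client private key.
# "operator" is a placeholder user name; the switch authenticates the key, not the name.
connect_to_switch() {
    switch="$1"; keyfile="$2"; known="$3"
    ssh -i "$keyfile" -o UserKnownHostsFile="$known" -o StrictHostKeyChecking=yes \
        "operator@$switch"
}

# Switch-side commands (ProCurve/ArubaOS-Switch CLI; confirm against your reference):
#   crypto key generate ssh                      (step B.2)
#   ip ssh                                       (step B.4)
#   copy tftp pub-key-file <tftp-ip> clients.txt (step A.2.2)
#   aaa authentication ssh login public-key none (Option B)
#   aaa authentication ssh enable local          (enable level)
#   show crypto client-public-key                (verify the download)

# Usage: sh ssh_client_prep.sh demo 192.0.2.10 'ssh-rsa AAAA... switch'
if [ "${1:-}" = "demo" ]; then
    generate_client_key "$HOME/.ssh/switch_key"
    build_client_keyfile ./clients.txt "$HOME/.ssh/switch_key.pub" || exit $?
    pin_switch_hostkey "$2" "$3" "$HOME/.ssh/known_hosts_switch" || exit 1
    connect_to_switch "$2" "$HOME/.ssh/switch_key" "$HOME/.ssh/known_hosts_switch"
fi
```

The 10-key limit is enforced before the file is written rather than left for the switch to reject, and host-key pinning is done from a key obtained through the switch's own interface rather than from the first SSH connection, which is the difference between step B.3 and simply answering "yes" to an unknown-host prompt.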