Steps for configuring and using SSH for switch and client authentication

For two-way authentication between the switch and an SSH client, you must use the login (operator) level.

SSH options

| Switch access level | Primary SSH authentication | Authenticate switch public key to SSH clients? | Authenticate client public key to the switch? | Primary switch password authentication | Secondary switch password authentication |
|---|---|---|---|---|---|
| operator (login) level | ssh login rsa | Yes | Yes[a] | No[a] | local or none |
| operator (login) level | ssh login Local | Yes | No | Yes | none |
| operator (login) level | ssh login TACACS | Yes | No | Yes | local or none |
| operator (login) level | ssh login RADIUS | Yes | No | Yes | local or none |
| manager (enable) level | ssh enable local | Yes | No | Yes | none |
| manager (enable) level | ssh enable tacacs | Yes | No | Yes | local or none |
| manager (enable) level | ssh enable radius | Yes | No | Yes | local or none |

[a] For ssh login public key, the switch uses client public-key authentication instead of the switch password options for primary authentication.

To configure SSH:

A. Client preparation

  1. Install an SSH client application on a management station to be used for access to the switch. (See the documentation provided with your SSH client application.)

  2. Optional: if you want the switch to authenticate the client by its public key:

    1. Either generate a public/private key pair on the client computer (if your client application allows) or import a client key pair generated using another SSH application.

    2. Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public-key file to the switch. The client public-key file can hold up to 10 client keys. This topic is covered under Creating a client public-key text file.
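As an added example (not from the switch documentation or vendor code), the following Python checks a set of client public keys before they are placed in the ASCII file for TFTP upload: each line must be an OpenSSH-style `<type> <base64 blob> [comment]` entry whose blob really begins with the declared type, and the file may hold no more than the 10 keys the page allows. The one-key-per-line layout and the RSA-only restriction are assumptions; the sample keys are constructed and not usable for login.

```python
import base64
import hashlib
import struct

MAX_CLIENT_KEYS = 10          # limit stated in the switch documentation
ALLOWED_TYPES = {"ssh-rsa"}   # assumption: only RSA client keys are accepted


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_key_line(line: str) -> dict:
    """Validate one public-key line; raise ValueError for anything that should not go in the file."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(blob64, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("key blob is not valid base64")
    # The first wire-format field inside the blob must repeat the declared type;
    # a mismatch usually means a mis-pasted or truncated key.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != ktype.encode():
        raise ValueError("blob does not start with the declared key type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"type": ktype, "comment": comment, "fingerprint": "SHA256:" + digest}


def build_client_key_file(lines: list) -> str:
    """Return the ASCII file text (one key per line) or raise if any key or the count is bad."""
    keys = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    if len(keys) > MAX_CLIENT_KEYS:
        raise ValueError(f"{len(keys)} keys exceed the {MAX_CLIENT_KEYS}-key limit")
    for key in keys:
        parse_key_line(key)            # fail before anything is written for upload
    return "\n".join(keys) + "\n"


def make_sample_key(comment: str) -> str:
    """Constructed stand-in for ssh-keygen output with the right wire layout (not a real key)."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + comment.encode()))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

The fingerprint returned by `parse_key_line` lets an operator compare each entry against what the client reports for its own key before the file is downloaded to the switch.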

B. Switch preparation

  1. Assign a login (operator) and an enable (manager) password on the switch; see Assign a local login (operator) and enable (manager) password for details.

  2. Generate a public/private key pair on the switch; see Generate the switch public and private key pair for details.

    You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. You can remove or replace this key pair, if necessary.

  3. Copy the switch public key to the SSH clients that you want to access the switch; see Provide the switch public key to clients for details.

  4. Enable SSH on the switch; see Enable SSH on the switch and anticipate SSH client contact behavior for details.

  5. Configure the primary and secondary authentication methods for the switch to use. In all cases, the switch will use its host public key to authenticate itself when initiating an SSH session with a client.

    • SSH Login (operator) options:

      • Option A:

        Primary: Local, TACACS+, or RADIUS password

        Secondary: Local password or none.

        If the primary option is local, the secondary option must be none.

      • Option B:

        Primary: Client public-key authentication (see SSH client public-key authentication notes)

        Secondary: none


        NOTE: If you want the switch to perform client public-key authentication, you must configure the switch with Option B.

    • SSH Enable (manager) options:

      Primary: Local, TACACS+, or RADIUS

      Secondary: Local password or none. If the primary option is local, the secondary option must be none.

  6. Use your SSH client to access the switch using the switch IP address or DNS name (if allowed by your SSH client application). See the documentation provided with the client application.