For two-way authentication between the switch and an SSH client, you must use the login (operator) level.
SSH options

| Switch access level | Primary SSH authentication | Authenticate switch public key to SSH clients? | Authenticate client public key to the switch? | Primary switch password authentication | Secondary switch password authentication |
|---|---|---|---|---|---|
| operator (login) level | ssh login rsa | Yes | Yes[a] | No[a] | local or none |
| operator (login) level | ssh login Local | Yes | No | Yes | none |
| operator (login) level | ssh login TACACS | Yes | No | Yes | local or none |
| operator (login) level | ssh login RADIUS | Yes | No | Yes | local or none |
| manager (enable) level | ssh enable local | Yes | No | Yes | none |
| manager (enable) level | ssh enable tacacs | Yes | No | Yes | local or none |
| manager (enable) level | ssh enable radius | Yes | No | Yes | local or none |

[a] For
- Install an SSH client application on a management station to be used for access to the switch. (See the documentation provided with your SSH client application.)
- Optional: If you want the switch to authenticate a client public key on the client:
  - Either generate a public/private key pair on the client computer (if your client application allows) or import a client key pair generated using another SSH application.
  - Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public-key file to the switch. The client public-key file can hold up to 10 client keys. This topic is covered under Creating a client public-key text file.
- Assign a login (operator) and enable (manager) password on the switch (see Assign a local login (operator) and enable (manager) password for details).
- Generate a public/private key pair on the switch (see Generate the switch public and private key pair for details). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. You can remove or replace this key pair, if necessary.
- Copy the switch public key to the SSH clients you want to access the switch (see Provide the switch public key to clients for more details).
- Enable SSH on the switch (see Enable SSH on the switch and anticipate SSH client contact behavior for more details).
- Configure the primary and secondary authentication methods for the switch to use. In all cases, the switch will use its host public key to authenticate itself when initiating an SSH session with a client.
  - Option A:
    Primary: Local, TACACS+, or RADIUS password
    Secondary: Local password or none.
    If the primary option is local, the secondary option must be none.
  - Option B:
    Primary: Client public-key authentication (SSH client public-key authentication notes)
    Secondary: none
  NOTE: If you want the switch to perform client public-key authentication, you must configure the switch with Option B.
- Use your SSH client to access the switch using the switch IP address or DNS name (if allowed by your SSH client application). See the documentation provided with the client application.
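The optional client public-key step above is the one most often done by hand on the management station, so here is an added example (not code from the switch documentation) of assembling and sanity-checking the ASCII client public-key file before it is placed on the TFTP server. It assumes the file is a plain list of OpenSSH-format public keys, one per line, and enforces the documented limit of 10 client keys; the function names and the key material are constructed for the example, and the blobs are placeholders rather than real keys.

```shell
#!/bin/sh
# Added example, not part of the switch documentation: build and check the
# client public-key file that is later copied to a TFTP server and downloaded
# to the switch. The documentation states the file holds at most 10 client keys.
# All key material below is constructed placeholder text, not a real key.

MAX_CLIENT_KEYS=10   # limit stated by the switch documentation

# Return 0 if one line looks like an OpenSSH public key:
# "<key-type> <base64-blob> [comment]"; otherwise return 1.
is_openssh_pubkey_line() {
  line=$1
  ktype=${line%% *}
  rest=${line#* }
  [ "$rest" != "$line" ] || return 1        # no space at all: blob is missing
  case "$ktype" in
    ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;                           # unknown key type
  esac
  blob=${rest%% *}
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  return 0
}

# Validate a candidate client public-key file. Every non-blank line must be a
# public key and the key count must not exceed MAX_CLIENT_KEYS.
# Exit status: 0 ok, 1 malformed line, 2 too many keys.
check_client_pubkey_file() {
  file=$1
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue               # skip blank lines
    is_openssh_pubkey_line "$line" || { echo "bad key line: $line" >&2; return 1; }
    count=$((count + 1))
  done < "$file"
  if [ "$count" -gt "$MAX_CLIENT_KEYS" ]; then
    echo "too many keys: $count (limit $MAX_CLIENT_KEYS)" >&2
    return 2
  fi
  echo "$count key(s) ok"
  return 0
}

# Write N constructed ssh-rsa lines (placeholder blobs) to a demo file.
make_demo_file() {
  out=$1
  n=$2
  : > "$out"
  i=1
  while [ "$i" -le "$n" ]; do
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC%02d== operator%d@mgmt-station\n' "$i" "$i" >> "$out"
    i=$((i + 1))
  done
}

# Demonstration: a 3-key file passes, an 11-key file is rejected.
demo_dir=${TMPDIR:-/tmp}/pubkey-demo.$$
mkdir -p "$demo_dir"
make_demo_file "$demo_dir/ok.txt" 3
check_client_pubkey_file "$demo_dir/ok.txt"
make_demo_file "$demo_dir/toomany.txt" 11
check_client_pubkey_file "$demo_dir/toomany.txt" || echo "rejected as expected (rc=$?)"
rm -rf "$demo_dir"
```

Run the check against the file you intend to upload; a non-zero exit status means the switch would either reject the file or silently hold fewer keys than you expect, so fix the file before copying it to the TFTP server.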