Blog

Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback

  • Post category:Blog
  • Post comments:0 Comments
  • Reading time:6 mins read

Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback

In this tutorial, we will guide you through the process of configuring SSH v2 on a Cisco router using a Radius server for authentication. This setup is crucial for secure remote management and ensures that only authenticated users can access the router.

Network Topology

Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback Topology
Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback Topology
Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback _ Server Configuration
Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback _ Server Configuration

 

Before diving into the configuration, let’s understand the network topology:

  • Server:
    • IP: 192.168.20.10
    • Subnet Mask: 255.255.255.0
    • Gateway: 192.168.20.1
    • AAA Configuration:
      • Username: jame
      • Password: pwd123
  • Router R1:
    • Interface Gig0/0/0 connected to Server:
      • IP: 192.168.20.1
      • Subnet Mask: 255.255.255.0
    • Interface Gig0/0/1 connected to PC1:
      • IP: 192.168.10.1
      • Subnet Mask: 255.255.255.0
  • PC1:
    • IP: 192.168.10.10
    • Subnet Mask: 255.255.255.0
    • Gateway: 192.168.10.1

Type of SSH v2

  1. Configure SSH v2 on Cisco Switch
  2. Configure SSH v2 on Cisco Router
  3. Configure SSH v2 on a Cisco Router with Radius Server and Local as Fallback

Step-by-Step Configuration

  1. Configure the Router Hostname 
    Router#configure terminal
Router(config)#hostname R1

    Explanation: Setting the router’s hostname to easily identify it within the network.

  2. Configure Interfaces
    • Gig0/0/0 (Connected to Server): 
      R1(config)#interface gigabitEthernet 0/0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#exit

      Explanation: Configures the IP address for the interface connected to the server and ensures the interface is active.

    • Gig0/0/1 (Connected to PC1): 
      R1(config)#interface gigabitEthernet 0/0/1
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#exit

      Explanation: Configures the IP address for the interface connected to PC1 and ensures the interface is active.

  3. Enable SSH and Configure User Authentication 
    R1(config)#aaa new-model
R1(config)#aaa authentication login default group radius local

    Explanation: Enables AAA (Authentication, Authorization, and Accounting) on the router and sets the default authentication method to use a Radius server, with local authentication as a fallback.

  4. Configure SSH on the Router 
    R1(config)#ip domain-name dragonict.com
R1(config)#crypto key generate rsa general-keys modulus 1024
R1(config)#ip ssh version 2

    Explanation: Sets up SSH version 2 on the router, generates RSA keys, and configures a domain name required for SSH key generation.

  5. Create a Local User for Backup Authentication 
    R1(config)#username admin privilege 15 secret myPassword

    Explanation: Creates a local user named admin with a privileged level of 15, which is used as a backup in case the Radius server is unreachable.

  6. Configure VTY Lines for SSH Access 
    R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#login authentication default
R1(config-line)#privilege level 15
R1(config-line)#exit

    Explanation:

    • Configures all VTY lines to accept SSH connections only, using the AAA authentication method.
    • The command privilege level 15 is significant as it assigns the highest level of privileges to the user logging in through these lines. Privilege levels on Cisco devices range from 0 to 15, with level 15 being the most privileged, typically granting full access to all commands. By assigning this level, you ensure that users who authenticate successfully through these VTY lines have complete control over the router, allowing them to perform any necessary administrative tasks.
  7. Configure Radius Server on the Router 
    R1(config)#radius server RadiusServer
R1(config-radius-server)#address ipv4 192.168.20.10
R1(config-radius-server)#key KeyPwd
R1(config-radius-server)#exit

    Explanation: Defines the Radius server on the router, specifying the IP address and the shared key that matches the one configured on the Radius server.

  8. Save Configuration 
    R1(config)#do write

    Explanation: Saves the current configuration to the startup configuration file, ensuring it persists after a reboot.

Verification Steps

  • Primary/Active Authentication: 
    C:\>ssh -l jame 192.168.10.1

    Expected Outcome: The SSH connection should prompt for the username and password configured in the Radius server.

  • Secondary/Backup Authentication: 
    C:\>ssh -l admin 192.168.10.1

    Expected Outcome: The SSH connection should fall back to local authentication using the credentials jame/pwd123.

Use Case

This configuration is particularly useful in environments where centralized authentication is required for security and management purposes. By integrating the router with a Radius server, network administrators can ensure consistent authentication policies across multiple devices. The local authentication serves as a fail-safe, ensuring access is maintained even if the Radius server becomes unreachable.

5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments