8-34
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 8 Configuring Switch-Based Authentication
Configuring the Switch for Secure Shell
TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on
page 8-10)
RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on
page 8-17)
Local authentication and authorization (for more information, see the “Configuring the Switch for
Local Authentication and Authorization” section on page 8-32)
Note This software release does not support IP Security (IPSec).

Limitations

These limitations apply to SSH:
The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
SSH supports only the execution-shell application.
The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data
encryption software.
The switch does not support the Advanced Encryption Standard (AES) symmetric encryption
algorithm.
Configuring SSH
This section has this configuration information:
Configuration Guidelines, page 8-34
Cryptographic Software Image Guidelines, page 8-35
Setting Up the Switch to Run SSH, page 8-35 (required)
Configuring the SSH Server, page 8-36 (required only if you are configuring the switch as an SSH
server)

Configuration Guidelines

Follow these guidelines when configuring the switch as an SSH server or SSH client:
An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
If you get CLI error messages after entering the crypto key generate rsa global configuration
command, an RSA key pair has not been generated. Reconfigure the host name and domain, and then
enter the crypto key generate rsa command. For more information, see the “Setting Up the Switch
to Run SSH” section on page 8-35.
When generating the RSA key pair, the message “No host name specified” might appear. If it does,
you must configure a host name by using the hostname global configuration command.
When generating the RSA key pair, the message “No domain specified” might appear. If it does, you
must configure an IP domain name by using the ip domain-name global configuration command.
When configuring the local authentication and authorization authentication method, make sure that
AAA is disabled on the console.