12-22
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication

Limitations

These limitations apply to SSH:
The switch supports Rivest, Shamir, and Adelman (RSA) authentication.
SSH supports only the execution-shell application.
The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data
encryption software.
The switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit
key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not
supported.

SSH Configuration Guidelines

Follow these guidelines when configuring the switch as an SSH server or SSH client:
An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
If you get CLI error messages after entering the crypto key generate rsa global configuration
command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then
enter the crypto key generate rsa command. For more information, see the “Setting Up the Switch
to Run SSH” section on page 12-40.
When generating the RSA key pair, the message No host name specified might appear. If it does,
you must configure a hostname by using the hostname global configuration command.
When generating the RSA key pair, the message No domain specified might appear. If it does, you
must configure an IP domain name by using the ip domain- name global configuration command.
When configuring the local authentication and authorization authentication method, make sure that
AAA is disabled on the console.
Switch for Secure Socket Layer HTTP
Secure Socket Layer (SSL) version 3.0 supports the HTTP 1.1 server and client. SSL provides server
authentication, encryption, and message integrity, as well as HTTP client authentication, to allow secure
HTTP communications. To use this feature, the cryptographic (encrypted) software image must be
installed on your switch. You must obtain authorization to use this feature and to download the
cryptographic software files from Cisco.com. For more information about the crypto image, see the
release notes for this release.

Secure HTTP Servers and Clients

On a secure HTTP connection, data to and from an HTTP server is encrypted bef ore being sent over the
Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring
a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client
uses an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is
abbreviated as HTTPS; the URL of a secure connection begins with https:// instead of http://.
The primary role of the HTTP secure server (the switch) is to listen for HTTPS re quests on a designated
port (the default HTTPS port is 443) and pass the request to the H TTP 1.1 Web server. The HTTP 1.1
server processes requests and passes responses (pages) back to the HTTP secure server, which responds
to the original request.