Tuesday, May 15, 2012

Configuring SSH on Cisco Aironet


Configure Secure Shell (SSH) on an Access Point

CLI Configuration
In this section, you are presented with the information to configure the features described in this document
with the use of CLI.
Step-by-Step Instructions
In order to enable SSH-based access on the AP, you first must configure the AP as an SSH server. Follow
these steps in order to configure an SSH server on the AP from CLI:
1. Configure a host name and domain name for the AP.

AP#configure terminal
!--- Enter global configuration mode on the AP.

AP(config)#hostname Test
!--- This example uses "Test" as the AP host name.

Test(config)#ip domain name abc.com
!--- This command configures the AP with the domain name "abc.com".
2. Generate a Rivest, Shamir, and Adleman (RSA) key for your AP.
Generation of an RSA key enables SSH on the AP. Issue this command in global configuration mode:

Test(config)#crypto key generate rsa rsa_key_size
!--- This generates an RSA key and enables the SSH server.

Note: The recommended minimum RSA key size is 1024.
3. Configure user authentication on the AP.
On the AP, you can configure user authentication to use either the local list or an external
authentication, authorization, and accounting (AAA) server. This example uses a locally generated list
in order to authenticate the users:

Test(config)#aaa new-model
!--- Enable AAA authentication.

Test(config)#aaa authentication login default local none
!--- Use the local database in order to authenticate users.

Test(config)#username Test password Test123
!--- Configure a user with the name "Test".

Test(config)#username ABC password xyz123
!--- Configure a second user with the name "ABC".

This configuration configures the AP to perform user-based authentication with the use of a local
database that is configured on the AP. The example configures two users in the local database, "Test"
and "ABC".
4. Configure the SSH parameters.

Test(config)#ip ssh {[timeout seconds] | [authentication-retries integer]}
!--- Configure the SSH control variables on the AP.

Note: You can specify the timeout in seconds, but do not exceed 120 seconds. The default is 120.
This setting applies to the SSH negotiation phase. You can also specify the number of authentication
retries, but do not exceed five authentication retries. The default is three.
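
The following Python check is an added example, not part of the original Cisco document. It audits a saved AP configuration against the four CLI steps above and flags the "none" login fallback and users stored with "password". The sample configuration is constructed from this page's commands; the function name audit_ssh_config is hypothetical, and the parser accepts both "timeout" and "time-out" as the spelling of the SSH timeout keyword as an assumption about how the setting is saved.

```python
import re

# Constructed sample: the commands from the CLI steps above as they would
# appear in a saved configuration (not captured from a real AP).
SAMPLE_CONFIG = """\
hostname Test
ip domain name abc.com
aaa new-model
aaa authentication login default local none
username Test password Test123
username ABC password xyz123
ip ssh time-out 120
ip ssh authentication-retries 3
"""

def audit_ssh_config(config_text):
    """Return (severity, message) findings for an AP configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    def first(pattern):
        return next((m for ln in lines if (m := re.match(pattern, ln))), None)

    # Step 1: RSA key generation needs a host name and a domain name.
    if not first(r"hostname \S+"):
        findings.append(("error", "no hostname configured"))
    if not first(r"ip domain[ -]name \S+"):
        findings.append(("error", "no domain name configured"))
    # Step 3: the login method list only applies once AAA is enabled.
    if not first(r"aaa new-model$"):
        findings.append(("error", "aaa new-model missing"))
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if m and "none" in m.group(2).split():
            findings.append(("warn", f"login list '{m.group(1)}' can fall back to 'none' (no authentication)"))
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", ln)
        if m:
            findings.append(("warn", f"user '{m.group(1)}' is stored with 'password', not hashed 'secret'"))
    # Step 4: limits from the note above (timeout <= 120 s, retries <= 5).
    for pattern, limit, name in ((r"ip ssh time-?out (\d+)", 120, "timeout"),
                                 (r"ip ssh authentication-retries (\d+)", 5, "retries")):
        m = first(pattern)
        if m and int(m.group(1)) > limit:
            findings.append(("error", f"ssh {name} {m.group(1)} exceeds {limit}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_ssh_config(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```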
GUI Configuration
You can also use the GUI in order to enable SSH-based access on the AP.
Step-by-Step Instructions
Complete these steps:
1. Log in to the AP through the browser.
The Summary Status window displays.
2. Click Services in the menu on the left.
The Services Summary window displays.
3. Click Telnet/SSH in order to enable and configure the Telnet/SSH parameters.
The Services: Telnet/SSH window displays. Scroll down to the Secure Shell Configuration area. Click
Enable beside Secure Shell, and enter the SSH parameters as this example shows:
This example uses these parameters:
♦ System Name: Test
♦ Domain Name: abc.com
♦ RSA Key Size: 1024
♦ Authentication Timeout: 120
♦ Authentication Retries: 3
4. Click Apply in order to save the changes.
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
• show ip ssh - Verifies if SSH is enabled on the AP and enables you to check the version of SSH that
runs on the AP. This output provides an example:

• show ssh - Enables you to view the status of your SSH server connections. This output provides an
example:

Now, initiate a connection through a PC that runs third-party SSH software and then make an attempt to log
in to the AP. This verification uses the AP IP address, 10.0.0.2. Because you have configured the user name
Test, use this name in order to access the AP through SSH:

Troubleshoot
Use this section to troubleshoot your configuration.
If your SSH configuration commands are rejected as illegal commands, you have not successfully generated
an RSA key pair for your AP. Refer to the Troubleshooting Tips section of the document Configuring Secure
Shell for a list of possible reasons for this problem.

Disable SSH
In order to disable SSH on an AP, you must delete the RSA pair that is generated on the AP. In order to delete
the RSA pair, issue the crypto key zeroize rsa command in global configuration mode. When you delete the
RSA key pair, you automatically disable the SSH server. This output provides an example:
Related Information
• Configuring Secure Shell
• Configuring the Access Point for the First Time
• Secure Shell (SSH) Support Page
• Wireless Support Page
• Technical Support & Documentation - Cisco Systems
© 2009 - 2010 Cisco Systems, Inc. All rights reserved.
Updated: Nov 05, 2008 Document ID: 68789
