esr(config)# username admin
esr(config-user)# privilege 1
esr(config-user)# exit
Configure the connection to the two RADIUS servers, the primary 192.168.1.11 and the backup 192.168.2.12:
esr(config)# radius-server host 192.168.1.11
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# priority 100
esr(config-radius-server)# exit
esr(config)# radius-server host 192.168.2.12
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# priority 150
esr(config-radius-server)# exit
Configure AAA policy:
esr(config)# aaa authentication login CONSOLE radius local
esr(config)# aaa authentication login SSH radius
esr(config)# aaa authentication enable default radius enable
esr(config)# aaa authentication mode break
esr(config)# line console
esr(config-line-console)# login authentication CONSOLE
esr(config-line-console)# exit
esr(config)# line ssh
esr(config-line-ssh)# login authentication SSH
esr(config-line-ssh)# exit
Configure logging:
esr(config)# logging userinfo
esr(config)# logging aaa
esr(config)# syslog cli-commands
7.5 Remote management configuration
For more information on remote access configuration commands, see SSH, Telnet access configuration in the
CLI command reference.
7.5.1 Recommendations
It is recommended to disable remote management via Telnet.
It is recommended to generate new cryptographic keys.
It is recommended to use the cryptographically strong authentication algorithms sha2-256 and sha2-512 and to disable all others.
It is recommended to use the cryptographically strong encryption algorithms aes256 and aes256ctr and to disable all others.
It is recommended to use the cryptographically strong key exchange algorithm dh-group-exchange-sha256 and to disable all others.
It is recommended to allow remote management access to the device only from specific IP addresses.
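One way to check the algorithm recommendations above from the network side, as an added example that is not part of the original manual: parse the SSH_MSG_KEXINIT payload a server sends during the handshake and list every offered algorithm outside the recommended set. The mapping of the manual's names to SSH wire names, the function names and the sample payload are assumptions made for this example.

```python
import struct

# Assumed mapping of the manual's names to SSH wire names (RFC 4253/4344/4419/6668).
ALLOWED = {
    "kex": {"diffie-hellman-group-exchange-sha256"},
    "encryption": {"aes256-cbc", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}
# Order of the ten KEXINIT name-lists (RFC 4253, 7.1); None = not covered above.
FIELDS = ["kex", None, "encryption", "encryption", "mac", "mac", None, None, None, None]
# Signalling markers that can appear in the kex list; they are not key exchanges.
MARKERS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}
SSH_MSG_KEXINIT = 20

def parse_name_lists(payload: bytes) -> list[list[str]]:
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []  # skip message type (1 byte) and cookie (16 bytes)
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        pos += 4 + n
    return lists

def audit_kexinit(payload: bytes) -> dict[str, list[str]]:
    """Map each category to the offered algorithms outside the allow-list."""
    extra = {k: set() for k in ALLOWED}
    for field, names in zip(FIELDS, parse_name_lists(payload)):
        if field:
            extra[field] |= set(names) - ALLOWED[field] - MARKERS
    return {k: sorted(v) for k, v in extra.items()}

def build_kexinit(lists: list[str]) -> bytes:
    """Build a constructed sample payload (zero cookie) from ten name-lists."""
    body = b"".join(struct.pack(">I", len(s)) + s.encode() for s in lists)
    # trailing 5 bytes: first_kex_packet_follows = false, reserved uint32 = 0
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + bytes(5)

# Constructed sample: a server that still offers legacy algorithms.
SAMPLE = build_kexinit([
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1", "ssh-rsa",
    "aes256-ctr,aes128-cbc", "aes256-ctr,aes128-cbc",
    "hmac-sha2-256,hmac-sha1", "hmac-sha2-256,hmac-sha1", "none", "none", "", "",
])
```

An empty list in every category of the `audit_kexinit` result means the server offers only the recommended algorithms; the constructed sample reports one leftover legacy algorithm per category.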
7.5.2 Configuration example
Objective: