Juniper EX2500 Configuration Guide

Juniper EX2500
102 pages
EX2500 Ethernet Switch Configuration Guide
18 Securing Access to the Switch
When the SSH server is first enabled and applied, the switch automatically
generates the RSA host and server keys, which are stored in flash memory. To
generate the RSA host and server keys manually, enter the following
commands:
ex2500(config)# ssh generate-host-key
ex2500(config)# ssh generate-server-key
When the switch reboots, it retrieves the host and server keys from flash
memory. If these two keys are not available in flash memory and the SSH server
feature is enabled, the switch automatically generates them during the system
reboot. This process might take several minutes to complete.
The switch can automatically regenerate the RSA server key. To set the interval of
RSA server key autogeneration, use the following command:
ex2500(config)# ssh interval <number of hours (0-24)>
A value of 0 (zero) denotes that RSA server key autogeneration is disabled. When
the interval value is greater than 0, the switch autogenerates the RSA server key
each time the specified interval elapses. However, RSA server key generation is
skipped if the switch is busy doing other key or cipher generation when the timer
expires.
SSH Integration with RADIUS and TACACS+ Authentication
SSH is integrated with RADIUS authentication. After the RADIUS server is enabled
on the switch, all subsequent SSH authentication requests will be redirected to the
specified RADIUS servers for authentication. The redirection is transparent to the
SSH clients.
SSH is integrated with TACACS+ authentication. After the TACACS+ server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified TACACS+ servers for authentication. The redirection is
transparent to the SSH clients.
End User Access Control
The EX2500 switch allows an administrator to define end user accounts that permit
end users to perform operation tasks via the switch CLI commands. Once end user
accounts are configured and enabled, the switch requires username-password
authentication.
For example, an administrator can assign a user, who can then log in to the switch
and perform operational commands (effective only until the next switch reboot).
NOTE: The switch can perform only one session of key or cipher generation at a
time. Thus, an SSH client will not be able to log in if the switch is performing key
generation at that time, or if another client has logged in immediately prior. Also,
key generation will fail if an SSH client is logging in at that time.
