Configuring User Authentication
The router supports RADIUS for user authentication.
RADIUS authentication is enabled by default. You must have previously
configured a RADIUS server on a host machine and the RADIUS client
on your system.
You can specify timeout and retry limits to control
the SSH connection process. The limits apply only from the time the
user first tries to connect until the user has been successfully authenticated.
The timeout limits are independent of any limits configured for virtual
terminals (vtys). The following limits are supported:
- SSH timeout—Maximum time allowed for a user to be
authenticated, starting from the receipt of the first SSH protocol
packet.
- Authentication retry—Number of times a user can
try to correct incorrect information—such as a bad password—in
a given connection attempt.
- Sleep—Prevents a user that has exceeded the authentication
retry limit from connecting from the same host within the specified
period.
ip ssh authentication-retries
- Use to set the number of times that a user can retry a
failed authentication, such as trying to correct a wrong password.
The SSH server terminates the connection when the limit is exceeded.
- Specify an integer from 0–20.
- Example
- host1(config)#ip ssh authentication-retries 3
- Use the no version to restore
the default value, 20 retry attempts.
- See ip ssh authentication-retries.
ip ssh disable-user-authentication
- Use to disable RADIUS password authentication. If you
disable RADIUS authentication, all SSH clients that pass protocol
negotiation are accepted.
- RADIUS authentication is enabled by default.
- Example
- host1(config)#ip ssh disable-user-authentication
- Use the no version to restore
RADIUS authentication.
- See ip ssh disable-user-authentication.
ip ssh sleep
- Use to set a sleep period in seconds for users that have
exceeded the authentication retry limit. Connection attempts from
the user at the same host are denied until this period expires.
- Specify any nonnegative integer.
- Example
- host1(config)#ip ssh sleep 300
- Use the no version to restore
the default value, 600 seconds.
- See ip ssh sleep.
ip ssh timeout
- Use to set a timeout period in seconds. The SSH server
terminates the connection if protocol negotiation—including
user authentication—is not completed within this timeout.
- Specify an integer from 10–600.
- Example
- host1(config)#ip ssh timeout 480
- Use the no version to restore
the default value, 600 seconds.
- See ip ssh timeout.
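The following audit script is an added example, not part of the original documentation or the vendor's tooling. It replays a list of `ip ssh` commands in order, applies the defaults and ranges stated above, and reports the effective settings that weaken SSH authentication. The function names, the `MAX_RETRIES` and `MIN_SLEEP` policy thresholds, and the sample input are assumptions; the input is assumed to be commands in the form shown on this page.

```python
import re
# Defaults and valid ranges as stated on this page.
DEFAULTS = {"authentication-retries": 20, "sleep": 600, "timeout": 600}
RANGES = {"authentication-retries": (0, 20), "sleep": (0, None), "timeout": (10, 600)}
# Hypothetical site policy thresholds (assumptions, not vendor guidance).
MAX_RETRIES, MIN_SLEEP = 5, 60
# Optional "host(config)#" prompt, optional "no", then "ip ssh <keyword> [value]".
LINE = re.compile(r"^(?:\S+\(config\)#)?\s*(no\s+)?ip ssh (\S+)(?:\s+(\d+))?$")

def effective_settings(config_text):
    """Replay the commands in order; return (settings, range_errors)."""
    state, errors = dict(DEFAULTS, radius_auth=True), []
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        negated, key, value = bool(m.group(1)), m.group(2), m.group(3)
        if key == "disable-user-authentication":
            state["radius_auth"] = negated  # the "no" version restores RADIUS
        elif key in DEFAULTS and negated:
            state[key] = DEFAULTS[key]      # the "no" version restores the default
        elif key in DEFAULTS and value is not None:
            lo, hi = RANGES[key]
            if int(value) < lo or (hi is not None and int(value) > hi):
                errors.append(f"{key} {value}: outside the allowed range")
            else:
                state[key] = int(value)
    return state, errors

def audit(config_text):
    state, findings = effective_settings(config_text)
    if not state["radius_auth"]:
        findings.append("RADIUS authentication disabled: all SSH clients that "
                        "pass protocol negotiation are accepted")
    if state["authentication-retries"] > MAX_RETRIES:
        findings.append(f"authentication-retries {state['authentication-retries']}"
                        f" exceeds policy maximum {MAX_RETRIES}")
    if state["sleep"] < MIN_SLEEP:
        findings.append(f"sleep {state['sleep']}s is below policy minimum {MIN_SLEEP}s")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
host1(config)#ip ssh timeout 480
host1(config)#ip ssh sleep 300
host1(config)#ip ssh disable-user-authentication
host1(config)#ip ssh authentication-retries 25
"""
```

Calling `audit(SAMPLE)` returns three findings: the out-of-range retry value, the disabled RADIUS authentication, and the retry limit left at its default of 20.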