All right. So in the next task, we want to configure the switch for manager authentication for SSH. Essentially, we want to authenticate managers to an external TACACS server when they're logging in on the 6300 or the 3810. Instead of using a local admin login or manager login, we want to forward those requests to ClearPass, so ClearPass can authenticate them, just as it would with our regular users. Instead of authenticating the port with RADIUS and going to ClearPass, we're going to authenticate an admin logging in with SSH and forward that using TACACS, just for better change management and a stronger protocol over RADIUS altogether. So to do this, we'll go ahead and we'll just jump back to the 3800. We can jump over. We could use another PuTTY session. We'll just jump over to the other switch. There we go, and we are prompted for a password here. So we'll go ahead and put in that password, which I think you just press Enter, because we didn't put a local password on yet, and we're now logged in. I'm going to go ahead and enable the configuration for a TACACS server to 10.254.1.23, and this is the address of ClearPass in our labs. So what I'm doing is I'm using this connection from my wired machine to these, technically the 3810, then the SSH server on the command line of the 6300, saying authenticate against ClearPass. So from that configuration, we're going to say go to ClearPass for any TACACS: tacacs-server host, use the key as a shared key, so the 6300 can act as a TACACS supplicant and then validate. If I do a show tacacs-server detail, I should see that it's got the address in there, the correct port, a shared secret, and it's set up for TACACS. So everything looks pretty good. We can enable authentication for login attempts using SSH to first try the default TACACS group, which includes that host, and if that fails with the group tacacs, try the local login. Now I do a show
ssh server, should see the SSH server is in place. I've already gone in and enabled the certified algorithms only. So if I do, like, ssh certified-algorithms-only, that restricted this to just the more certified options that we are going to use. And this will include this ecdh-sha2-nistp256/384 that we're going to be using here in just a second. So let's rewrite or recreate the keys: ssh host-key rsa bits 4096. Overwrite what we've got. ssh host-key, oops, ecdsa-sha2-nistp384. All right, so with that MAC and cipher in place, the keys are overwritten. We can now show the SSH host key. There it is. So here is the actual host key. I'm going to copy that, and another option, instead of just connecting with a client and getting the prompt to visually match this, what you can do is literally copy the public key out and apply it as kind of a trusted key in your environment here. So let's see. I've got my tools folder. Let's delete the old key; we'll put in a new key in Notepad. Machines are a little bit slow, so there is the key. And then what I want to do is put in the address 10.1.140.6, which should be the IP address of my switch that I'm connecting to. Looking pretty good. We'll save this as whatever SSH file that we want to save it as, and I think open the new file. Save it as SSH host key. I think this all needs to be without spaces. Here we go, just to my tools folder on my desktop there, so you can save it as whatever name you want, but I don't think it accepts spaces when you're importing this. And the way that you import this into your desktop to be able to use on any client machine, for example with Tera Term, is you want to indicate that you're going to look at this as your known hosts for SSH, and Tera Term, they have a way to do this. Going to read-only here, just point to that host key file and hit OK. So theoretically, now, when I go to create a new connection and I point to my 6300,
okay, it should just prompt me without a secondary prompt asking you for the key. And this time it looks like it's working just fine, because I excluded those spaces. So at this end, I can now log in as network admin, whatever. Instead of just regular admin with no password, I could use the secure login, secure password. This should then authenticate from my machine. And look, we're in, and previously saw where I was failing to log in. Now it's working. I'm logging in from the wired machine to my 6300 with Tera Term, and it's bouncing that against ClearPass. And we could validate that with ClearPass by checking our Access Tracker and seeing that, yes, indeed, we are getting an authentication request that just came in from the .6 address using SSH. Very good.
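
The host-key pinning step in the walkthrough (copying the switch's public key and saving it against 10.1.140.6 as a known-hosts file) can be sanity-checked before the file is imported into a client. The following is an added example, not part of the recorded session: the function names and the sample key are constructed for illustration, and it assumes the key was copied in OpenSSH's one-line `<key-type> <base64>` form.

```python
import base64
import hashlib
import struct


def embedded_key_type(blob: bytes) -> str:
    """Walk the length-prefixed fields of an SSH public key blob and
    return the algorithm name stored in the first field."""
    offset, fields = 0, []
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated key blob (length header)")
        (size,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + size > len(blob):
            raise ValueError("truncated key blob (field body)")
        fields.append(blob[offset:offset + size])
        offset += size
    if not fields:
        raise ValueError("empty key blob")
    return fields[0].decode("ascii", "replace")


def known_hosts_entry(host: str, pasted_key: str) -> tuple[str, str]:
    """Return (known_hosts line, SHA256 fingerprint) for a pasted public key."""
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("host must be a single token without spaces")
    parts = pasted_key.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # bad base64 raises ValueError
    if embedded_key_type(blob) != key_type:
        raise ValueError("key type label does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return f"{host} {key_type} {b64}", fingerprint


def constructed_sample_key() -> str:
    """Constructed ecdsa-sha2-nistp384 blob with filler bytes, not a real key."""
    fields = [b"ecdsa-sha2-nistp384", b"nistp384", b"\x04" + bytes(range(96))]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ecdsa-sha2-nistp384 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line, fp = known_hosts_entry("10.1.140.6", constructed_sample_key())
    print(line)  # one line of the known-hosts file
    print(fp)    # compare with the fingerprint your SSH client reports
```

A key that lost characters during copy and paste, or that carries the wrong type label, is rejected here instead of silently producing a known-hosts entry that never matches the switch.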