Question
Is there a way to configure multiple authentication mechanisms for SSH logins on an HPE switch? Either I did not find that in the manuals yet, or there is no information on that topic.
This is what I want to do:
1. Authenticate users in normal operation
Users should be authenticated using a RADIUS server. This can be configured easily by specifying the RADIUS server details and then enabling the login:
sw1(config)# aaa authentication ssh login peap-mschapv2
sw1(config)# aaa authentication ssh enable peap-mschapv2
This is working fine. I can also add local as an additional option, just in case the RADIUS server is not available.
2. Authenticate users in case of emergency
This can be done by specifying the extra argument local to the RADIUS authentication:
sw1(config)# aaa authentication ssh login peap-mschapv2 local
sw1(config)# aaa authentication ssh enable peap-mschapv2 local
3. Authenticate users by their public SSH key
I know that this can be configured using the same command as above, just with different options:
sw1(config)# aaa authentication ssh login public-key
sw1(config)# aaa authentication ssh enable public-key
All three options totally make sense.
But I would like not to choose between some of them but to use all of them.
This is my usage scenario:
a) Administrators should only be able to log on with their user names using RADIUS as the authentication service. They should not be able to log in using a local user.
b) If the RADIUS server is not available, there should still be a way to get access to the switch using a secret local user name which is locked away during normal operation.
c) In order to periodically pull the switch's configuration, we would like to be able to log in and pull the running configuration using SFTP and a public-key based login.
Is there a way to configure all three authentication methods for the tasks mentioned above?