This symbol is intended to alert the user to the presence of important operating and
maintenance (servicing) instructions in the literature accompanying the appliance.
DANGEROUS VOLTAGE
This symbol is intended to alert the user to the presence of uninsulated
dangerous voltage within the product’s enclosure that may be of sufficient
magnitude to constitute a risk of electric shock to persons.
POWER ON
This symbol indicates the principal on/off switch is in the on position.
POWER OFF
This symbol indicates the principal on/off switch is in the off position.
PROTECTIVE GROUNDING TERMINAL
This symbol indicates a terminal which must be connected to earth ground
prior to making any other connections to the equipment.
This document is written for use with the CCM840/1640 application version 2.0.
CCM840/1640
Installer/User Guide
Avocent, Equinox and AVWorks are trademarks or registered
trademarks of Avocent Corporation or its affiliates. All other
marks are the property of their respective owners.
Warning: Changes or modifications to this unit not expressly approved by the party
responsible for compliance could void the user's authority to operate the equipment.
Note: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated
in a commercial environment. This equipment generates, uses and can radiate radio
frequency energy and, if not installed and used in accordance with the instruction
manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the
user will be required to correct the interference at his own expense.
This digital apparatus does not exceed the Class A limits for radio noise emissions
from digital apparatus set out in the Radio Interference Regulations of the Canadian
Department of Communications.
This digital apparatus does not emit radio noise exceeding the limits applicable
to Class A digital apparatus prescribed in the Radio Interference Regulations
issued by the Canadian Department of Communications.
FCC P 15 Class A, EN55022, EN61000-3-2, EN61000-3-3, EN60950, EN55024, ETL
(UL 1950), CSA 22.2 No. 950
The CCM840 and CCM1640 serial over IP network appliances provide nonblocked access and control for serial devices such as routers, power management
devices and firewalls.
You may connect up to 8 serial devices to a CCM840, and up to 16 serial
devices to a CCM1640. A single 10/100 Ethernet port provides network
connectivity on each CCM. Two CCM appliances may be mounted in 1U of
vertical space in a standard 19 inch rack.
Serial device access options
You may choose from among several available Telnet options to access the
CCM and its attached serial devices:
• The AVWorks™ multiplatform graphic management interface that offers a
built-in enhanced Telnet client and a Secure Shell (SSH) client
• Third-party Telnet clients
• Third-party SSH clients
Access to attached serial devices is also possible via a serial Command Line
Interface (CLI) connection, a PPP (Point to Point Protocol) dial-in connection to
a serial CLI modem or from a third-party SSH client.
User authentication and data security
The CCM user database supports up to 64 user accounts, which include
usernames, passwords and/or keys, plus specifications of access rights to CCM
ports and commands. User definitions may be changed at any time. You may
choose to have user access authenticated locally at the CCM user database or
at one or more RADIUS (Remote Access Dial-In User Service) servers. Data
security may be enhanced via industry-standard SSH encryption.
Extensive command set
The CCM offers a wide range of commands that allow administrators to
easily configure, control and display information about the CCM operating
environment, including its ports, user accounts and active sessions. The user
interface also offers descriptive error message data and built-in command help
information. On-board Trivial File Transfer Protocol (TFTP) support allows
administrators to upload new functionality to CCM units in the field.
Port history
Each CCM port has a buffer that holds the most recent 64K bytes of online and
offline serial data. A separate history command mode lets you navigate within
a port’s current history file and conduct tailored searches.
Safety Precautions
To avoid potential device problems, if the building has 3-phase AC power, ensure
that a computer and its monitor (if used) are on the same phase. For best results,
they should be on the same circuit.
To avoid potentially fatal shock hazard and possible damage to equipment,
please observe the following precautions:
• Do not use a 2-wire extension cord in any product configuration.
• Test AC outlets at the computer and monitor (if used) for proper polarity
and grounding.
• Use only with grounded outlets at both the computer and monitor. When
using a backup Uninterruptible Power Supply (UPS), power the computer,
the monitor and the CCM unit off the supply.
NOTE: The AC inlet is the main disconnect.
Rack mount safety considerations
• Elevated Ambient Temperature: If installed in a closed rack assembly, the
operation temperature of the rack environment may be greater than room
ambient. Use care not to exceed the rated maximum ambient temperature
of the unit.
• Reduced Airflow: Installation of the equipment in a rack should be such
that the amount of airflow required for safe operation of the equipment is
not compromised.
• Mechanical Loading: Mounting of the equipment in the rack should be
such that a hazardous condition is not achieved due to uneven
mechanical loading.
• Circuit Overloading: Consideration should be given to the connection
of the equipment to the supply circuit and the effect that overloading of
circuits might have on overcurrent protection and supply wiring. Consider
equipment nameplate ratings for maximum current.
• Reliable Earthing: Reliable earthing of rack mounted equipment should
be maintained. Pay particular attention to supply connections other than
direct connections to the branch circuit (for example, use of power strips).
Using AVWorks
The AVWorks graphical management interface may be used to manage
CCM840/1640 appliances and access attached devices. Using AVWorks, you may
perform most of the operations that are described in this manual. This manual
describes how to manage a CCM840/1640 by entering commands using the CLI.
The AVWorks Installer/User Guide describes how to manage a CCM840/1640
using the graphical interface.
The lower left area of the front panel contains the following LEDs and buttons:
• The POWER LED illuminates when the CCM is connected to a power source.
• The ONLINE LED illuminates steadily (not blinking) when the CCM
self-test and initialization procedures complete successfully.
• The LINK LED illuminates when the CCM establishes a connection to
the network.
• The TRAFFIC LED blinks when there is network traffic.
• The 100MBps LED illuminates when the CCM is connected to a 100
MBps LAN.
• The RESET button, when pressed, reboots the CCM.
• The INIT button, when pressed, restores the CCM to factory defaults. See
Reinitializing the CCM in this chapter.
Figure 2.2 shows the back panel of a CCM1640.
Figure 2.2: CCM1640 Back Panel
The back panel contains:
• 8 (CCM840) or 16 (CCM1640) RJ-45 connectors for serial cabling
• A LAN connector for a 10BaseT or 100BaseT interface cable
• The AC line cord connector
Installing the CCM
WARNING: The power outlet should be installed near the equipment and should be
easily accessible.
To install the CCM hardware:
1. Locate the CCM where you can connect cables between the serial devices
and the CCM serial ports, and where you can connect a LAN interface
cable between the Ethernet hub or switch and the CCM LAN connector.
If you are using a rack mount kit, follow the instructions included with
the kit.
2. Connect serial devices to the CCM serial ports; see Appendix B for
cabling information. Connect each serial device to its appropriate power
source, following the device’s documentation.
3. Attach a 10BaseT or 100BaseT LAN interface cable to the LAN connector on
the back of the CCM. A CAT 5 cable is required for 100BaseT operation.
4. Insert the power cord into the back of the CCM. Insert the other end of the
power cord into a grounded electrical receptacle.
5. Check that the POWER LED on the front of the CCM is illuminated. If not,
check the power cable to ensure that it is inserted snugly into the back of
the unit. The ONLINE LED will illuminate within one minute to indicate
that the unit self-test is complete. If the ONLINE LED blinks, contact
Equinox Technical Support for assistance.
6. Check that the LINK LED is illuminated. If not, check the Ethernet cable
to ensure that both ends are correctly inserted into their jacks. If the unit is
connected to a 100 MB Ethernet hub, the 100MBps LED will be illuminated.
7. Once the POWER, ONLINE and LINK LEDs are illuminated, remove
power from the CCM and proceed with the configuration process.
WARNING: The CCM840/1640 and all attached devices should be powered down before
servicing the unit. Always disconnect the power cord from the wall outlet.
Configuring the CCM
To configure the CCM840/1640, you must enter a unique IP address and
the network’s subnet mask. This information will be stored in the unit’s
configuration database. During initial login, you will specify a password for the
Admin user.
Configuring the IP address and subnet mask
You may use any of four methods to configure the CCM IP address and subnet
mask: AVWorks, BootP, Telnet Command Line Interface (CLI) or the serial
CLI on port 1.
These methods work as documented on most Windows® and UNIX® systems;
however, the actual implementation on your system may differ from the
instructions provided. Refer to your system administrator guide, or use
AVWorks to simplify CCM configuration.
To configure the IP address and subnet mask using AVWorks:
Using the AVWorks installation wizard is the easiest method to configure the
CCM IP address and subnet mask. See the AVWorks Installer/User Guide for
instructions. After the IP address and subnet mask are configured, see Initial CCM login in this chapter.
To configure the IP address and subnet mask using BootP:
1. Ensure that there is a BootP server on your network that is configured to
correctly respond to a BootP request from the CCM. BootP servers require
the Ethernet MAC address of network devices. The CCM Ethernet MAC
address is located on the back of the unit. See your BootP server’s system
administrator guide for information about configuring the BootP server.
2. After you have configured your network’s BootP server with the CCM
Ethernet MAC address, IP address and subnet mask, restore power to the
CCM and wait for the ONLINE LED to illuminate. Once this occurs, the
CCM has completed the BootP protocol, obtained its IP address and subnet
mask and stored these in FLASH.
3. You may verify that the BootP process was successful with a ping command,
which tests network connectivity. The ping command is entered as:
ping <ip_address>
For example, the following command tests the network connectivity of a
CCM with the IP address 192.168.0.5.
ping 192.168.0.5
4. If the CCM completes the BootP successfully, you will see a display similar
to the following.
Pinging 192.168.0.5 with 32 bytes of data:
Reply from 192.168.0.5: bytes=32 time<10ms TTL=128
Reply from 192.168.0.5: bytes=32 time<10ms TTL=128
Reply from 192.168.0.5: bytes=32 time<10ms TTL=128
Reply from 192.168.0.5: bytes=32 time<10ms TTL=128
If the CCM did not successfully obtain its IP address with the BootP
protocol, you will see a display similar to the following.
Pinging 192.168.0.5 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
In this case, check the MAC address and IP address provided to the BootP
server to confirm they are correct. Verify that the Ethernet LAN adaptor
cable is correctly installed on the CCM and the Ethernet hub.
After the IP address is configured successfully, launch a Telnet session to the
CCM IP address. Then, see Initial CCM login in this chapter.
To configure the IP address and subnet mask using a Telnet CLI:
1. Ensure that your server or workstation has a Telnet client and is located
on the same LAN segment as the CCM.
2. Use the arp command to update the server or workstation with the CCM
IP address and Ethernet MAC address. The CCM Ethernet MAC address is
located on the back panel above the LAN connector. The arp command is
entered as:
arp -s <ip_address> <mac_address>
For example, the following command assigns the IP address 192.168.0.5
and the Ethernet MAC address 00-80-7d-54-01-54 to the CCM.
arp -s 192.168.0.5 00-80-7d-54-01-54
On a UNIX platform, the MAC address may require colons (:) instead of
dashes (-), for example, 00:80:7d:54:01:54.
3. You may verify that you entered the information correctly by using an arp
command with the -a option.
arp -a
This command shows all arp entries for the server or workstation. See
your system administrator guide if you need additional help with the
arp command.
4. After the above arp command is entered correctly, launch a Telnet
client to the assigned IP address. Then, continue with Initial CCM login
in this chapter.
To configure the CCM using the serial CLI:
1. By factory default, port 1 of the CCM is configured for the serial CLI. To
access the serial CLI, attach a compatible device to port 1. The compatible
device types are: ASCII, VT52, VT100, VT102, VT220 and VT320.
Appendix B lists the required cables and adaptors. You may also use any
terminal emulation program that is available on your system.
2. Configure your terminal or terminal emulation program as follows.
Baud rate 9600
Bits per character 8
Parity None
Stop bits 1
Flow control None
3. Press the Return or Enter key until a prompt appears, requesting your
username. If you do not receive a prompt after pressing the key five times,
check your cable and serial settings to be sure that they are correct.
4. Proceed to Initial CCM login in this chapter.
After you complete the CCM configuration, you may reconfigure the CLI on
another port or disable it completely and use port 1 with an attached device.
For more information, see Connecting to devices from the serial CLI port in
Chapter 3.
Initial CCM login
The CCM ships with a single user defined in its user database. The first time you
connect to the CCM via Telnet or serial CLI, you are prompted for a username.
To log in to the CCM for the first time:
1. At the Username prompt, type Admin. There is no factory default
password for the Admin user. At the Password prompt, press Return.
Username: Admin
Password:
Authentication Complete
CCM configuration is required.
2. Once authentication completes, the CCM prompts for any missing
configuration values that are required for operation.
If you already provided the IP address and subnet mask, you will not be
prompted for those values again.
If you have not already provided the IP address and subnet mask, you will
be prompted for them. Enter the CCM IP address and subnet mask using
standard dot notation.
CCM configuration is required
Enter CCM IP address > 192.168.0.5
Enter CCM Subnet mask > 255.255.255.0
3. You are prompted for a new Admin password. Passwords are case
sensitive and must contain 3-16 alphanumeric characters. You must enter
the new password twice to confirm that you entered it correctly.
Enter CCM New Admin Password > *****
Confirm New Admin Password > *****
After you have provided the required configuration information, a
confirmation message appears while the CCM stores the values in its
configuration database.
You have now completed the initial login, and you may enter additional
commands at the CLI prompt (>). To configure CCM ports, see Configuring Serial Port Settings in Chapter 3.
Reinitializing the CCM
Reinitializing the CCM removes configured information. This may be useful
when reinstalling the CCM at another location in your network.
The CCM stores configuration information in FLASH databases. During
reinitialization, the FLASH erase has two phases. The first phase erases the
CCM configuration database, which contains all nonvolatile data except the IP
address. The second phase erases the IP address and restores the CCM to its
factory default settings.
To reinitialize the CCM:
1. Locate the recessed INIT button on the front of the CCM. You will need a
tool that fits inside the recess, such as an opened paper clip.
2. Insert the tool in the recess, then depress and hold the button. The
ONLINE LED will blink, indicating a CCM initialization has been
requested. You have approximately seven seconds to release the button
before any action is taken.
After seven seconds, the ONLINE LED will blink more rapidly to confirm
that the CCM configuration database has been erased. Continuing to hold
the INIT button for a few more seconds will erase the IP address as well.
The ONLINE LED will blink faster to confirm the deletion.
If any portion of FLASH is erased, the CCM reboots when the INIT button
is released.
Chapter 3: Operations
Overview
The CCM and its ports may be easily configured and managed to meet your
requirements for device connection, user authentication, access control, power
status monitoring, port history information display and SNMP compliance for
use with third-party network management products.
Configuring Serial Port Settings
By default, CCM ports are configured with the following settings.
Target device Console
Name xx-xx-xx Pn (last 3 octets of MAC address
plus the port number)
Baud rate 9600
Bits per character 8
Parity None
Stop bits 1
Flow control None
Time-out 15 minutes
CLI access character Use Server CLI setting (^D)
Power None
Most of these settings are standard serial port operating characteristics.
The CLI access character parameter specifies how you access the CLI. For
more information, see CLI mode in this chapter.
The Power parameter instructs the CCM to monitor the state of a specified
control signal. Signal transitions may be configured to trigger SNMP alerts. The
parameter value indicates an inbound control signal (CTS, DCD or DSR) and
the state of that signal (low or high). When the defined signal is true, the CCM
interprets it as a power on condition for the attached device; when the signal is
false, a power off condition for the device is assumed. The signal specified for
flow control cannot be used for power control, and vice versa.
To configure serial console port settings:
Issue a Port Set command. You may specify settings for one or all ports.
PORT [<port>|ALL] SET [NAME=<name>] [BAUD=<baud>]
For more information and descriptions of all valid parameters, see Port Set command in Chapter 5.
To display serial port settings:
Issue a Show Port command.
SHOW PORT [<port>|ALL|NAMES]
When you request information about a port, the display includes configuration
information, current power status (if power status monitoring has been
enabled), plus transmit, receive and error counts. When you request
information about a single port and a user is currently accessing that port, the
display also includes the username, access rights and other information about
the current session.
When you request information about port names, the display includes the port
numbers and names. If a port’s name has not been changed with a Port Set
command, the logical name is displayed.
For more information, see Show Port command in Chapter 5.
Connecting to Serial Devices
The CCM offers several methods for connecting to attached serial devices:
Telnet, serial CLI, PPP and SSH.
Preemption
Depending on configured access levels, a user who is connecting to a port (the
connecting user) may disconnect another user of equal or lower access (the
current user).
If the connecting user’s access level is lower than the current user’s access
level, the connecting user will receive an In Use message and the connection
will be dropped.
If the connecting user’s access level is equal to or higher than the owning
user’s access level, an In Use by owning user message will be displayed. The
connecting user may then choose to preempt the current user’s session. If the
current user’s session is preempted, an appropriate message is displayed.
For more information about access levels, see Access rights and levels in
this chapter.
Connecting to devices using Telnet
Each CCM serial port is directly addressable via a unique TCP port number
that provides a connection to the attached serial device.
Plain text (non-encrypted) Telnet connections are enabled by default. For
information about enabling both plain text Telnet and SSH connections, see
Enabling plain text Telnet and SSH connections in this chapter.
To connect to a device using Telnet:
Type telnet, followed by the CCM IP address and the appropriate TCP port
number, which by default is 3000 plus the physical port number, in decimal
format. (The TCP port number may be changed for any CCM port.)
For example, the following Telnet command connects to the serial device
attached to physical port 14 of a CCM1640.
telnet 192.168.0.5 3014
If an authentication method other than None has been configured for the
CCM, you will be prompted for credentials (username and password). Once
authentication completes, your connection is confirmed. When you successfully
connect to the serial device, you will see a display similar to the following.
If the authentication method is configured as None, you may Telnet and
connect to a serial device without entering credentials; however, credentials
are always required when connecting to the CCM CLI.
Data entered at the Telnet client is written to the attached serial device. Any
data received by the CCM from the serial device is output to your Telnet client.
You may access the CCM and its ports using Equinox-provided or third-party
Telnet client applications. A cross-platform Telnet client is bundled with the
AVWorks application. Third-party Telnet client applications may be used in
combination with AVWorks or standalone.
You may connect using either SSH (AVWorks provides built-in support for SSH2)
or plain text.
AVWorks Telnet
AVWorks is a cross-platform client application provided with each CCM.
AVWorks provides a convenient way to select a CCM or attached device and
launch a Telnet session to manage it.
AVWorks includes a built-in Serial Console Viewer Telnet application that
offers several features not found in other Telnet clients. For maximum
flexibility, AVWorks allows you to associate a unique Telnet client with each
CCM port.
You may specify the built-in Telnet client or a third-party Telnet client. For
more information, see the AVWorks Installer/User Guide.
Standalone third-party Telnet clients
You may use third-party Telnet clients to access the CCM directly without
AVWorks management software.
Connecting to devices from the serial CLI port
By factory default, port 1 of the CCM is configured with the serial CLI, which
prohibits the use of port 1 with an attached serial device. You may configure
the CLI on a different port, but only one port may be configured as the serial
CLI port at one time. For example, when you enable the CLI interface on port
n, and it is already active on port p, then the CLI will automatically be disabled
on port p.
You may connect to one serial device at a time through the serial CLI port
using a local terminal or a local PC using a terminal emulation program. If you
connect an external modem to the serial CLI port, you may also access devices
through a remote terminal or PC that can dial into the CCM external modem.
For information about modem connections, see Configuring and using dial-in connections in this chapter and Server CLI command in Chapter 5.
To configure a port for the serial CLI:
1. Issue a Server CLI command, using the Port parameter to specify the CLI
port and the Type parameter to specify the terminal type.
SERVER CLI PORT=<port> TYPE=<type>
2. To disable the CLI that was previously configured on a port, issue a Server
CLI command, indicating Type=Off.
For more information, see Server CLI command in Chapter 5.
To display CLI port information:
Issue a Show Server CLI command.
SHOW SERVER CLI
The display includes the CLI port number and terminal type, plus the CLI
access character. For more information, see Show Server CLI command in
Chapter 5.
To connect to a device from the serial CLI port:
1. Issue a Server CLI command, using the Connect parameter to enable the
use of the Connect command from the serial CLI port.
SERVER CLI CONNECT=ON
2. Issue a Connect command to the desired port.
CONNECT <port>
3. To end a device session that was initiated with a Connect command, issue
a Disconnect command.
DISCONNECT
For more information, see Server CLI command, Connect Command and
Disconnect Command in Chapter 5.
Configuring and using dial-in connections
You may attach an external modem to the serial CLI port for dial-in serial CLI
access to the CCM. This may be used as a backup connection if the unit is not
accessible from the network. It may also be used as a primary connection at
remote sites that do not have Ethernet network capability. The modem must
be Hayes compatible.
To specify a modem initialization string:
1. Issue a Show Server CLI command to ensure that the port where the
modem is connected has been defined as the serial CLI port.
SHOW SERVER CLI
2. Issue a Server CLI command, using the Modeminit parameter to specify
the modem initialization string.
SERVER CLI MODEMINIT="<string>"
The string must be enclosed in quotes and must include at least the
command settings ATV1 and S0=1, which cause the modem to issue
verbose response strings and auto-answer the phone on the first ring. For
more information, see Server CLI command in Chapter 5.
The modem initialization string is sent to the cabled modem when any of
the following conditions occur:
• CCM initialization
• Detection of a transition of DSR from low to high
• Completion of a call when DCD changes from high to low
3. Upon successful modem connection, press the Enter key until the login
prompt appears.
To display modem configuration information:
Issue a Show Server CLI command.
SHOW SERVER CLI
For more information, see Show Server CLI command in Chapter 5.
Connecting to devices using PPP
The CCM supports remote PPP access using an auto-answer modem that
answers calls. A dial-in client and the CCM establish the PPP protocol.
The PPP dial-in may be used to access a remote CCM that does not warrant a
WAN (Wide Area Network) link to the Ethernet interface. In this case, the PPP
connection allows a remote PC with Telnet capability to dial the CCM and then
establish a Telnet connection to a CCM port.
The PPP dial-in may also be used to access a subnet containing remote CCM
devices in the event of a WAN link failure. In this case, the PPP provides an
alternate path to one or more remote CCM devices.
Once the PPP connection is established, you must launch an application
that connects to the CCM or to one of its ports. The PPP connection is only a
communications interface to the CCM.
The CCM implements a PPP server that uses CHAP (Challenge Authentication
Protocol). Passwords are not accepted in the clear on PPP connections.
PPP is disabled by default.
To enable or disable a PPP server on the serial CLI port:
1. To enable a PPP server on the serial CLI port, issue a Show Server CLI
command to ensure that a serial CLI port has been defined.
SHOW SERVER CLI
2. Issue a Server PPP command with the Enable parameter.
SERVER PPP ENABLE LOCALIP=<local_ip> REMOTEIP=<rem_ip>
[MASK=<subnet>]
You must specify local and remote IP addresses to be used for the CCM
and client ends of the PPP connection respectively. You are prompted to
confirm or cancel the changes. Enter Y to confirm or N to cancel.
3. To disable a PPP server, issue a Server PPP command with the
Disable parameter.
SERVER PPP DISABLE
For more information, see Show Server CLI command and Server PPP command in Chapter 5.
To display PPP configuration information:
Issue a Show Server PPP command.
SHOW SERVER PPP
For more information, see Show Server PPP command in Chapter 5.
Connecting to devices using SSH
The CCM supports version 2 of the SSH protocol (SSH2). The CCM SSH server
operates on the standard SSH port 22. The shell for this connection provides a
CLI prompt as if you had established a Telnet connection on port 23. The shell
request for this connection is for CLI access.
Additional CCM SSH servers operate on TCP ports that are numbered with
values 100 greater than the standard 30xx Telnet ports for the CCM. For
example, if port 7 is configured for Telnet access on port 3007, then port
3107 will be a direct SSH connection for port 7. When SSH is enabled, Telnet
port 23 connections will be accepted from other clients if the Server Security
command includes Encrypt=SSH,None. Connecting to Telnet port 23 may be
tunneled via a connection to SSH port 22.
SSH server keys
When SSH is enabled for the first time, the CCM generates an SSH server key.
The key generation process may take up to ten minutes. The key is computed
at random and is stored in the CCM configuration database.
In most cases, the SSH server key should not be modified because most SSH
clients will associate the key with the IP address of the CCM. During the first
connection to a new SSH server, the client will display the fingerprint of the
SSH server key and prompt you to indicate if you wish to store it on the SSH
client. After the first connection, most SSH clients will validate the key when
connecting to the CCM. This provides an extra layer of security because the
SSH client can verify the key sent by the server each time it connects.
If you disable SSH and later reenable it, you may either use the existing server
key or compute a new one. If you are reenabling the same server at the same
IP address, it is recommended that you use the existing key, as SSH clients may
be using it for verification. If you are moving the CCM to another location and
changing the IP address, you may wish to generate a new SSH server key.
Authenticating an SSH user
SSH is enabled and disabled with the Server SSH command. When you enable
SSH, you may specify the authentication method(s) that will be used for SSH
connections. The method may be a password, an SSH key or both. A user’s
password and SSH key are specified with a User Add or User Set command. All
SSH keys must be RSA keys. DSA keys are not supported.
The following table lists and describes the valid SSH authentication methods
that may be specified with a Server SSH command.
SSH Authentication Methods
Method / Description
PW (default)
    SSH connections will be authenticated with a username/password. With
    this method, a user’s definition must include a valid password in order
    for that user to authenticate an SSH session. A password may
    authenticate to a RADIUS server or to the local user database.
KEY
    SSH connections will be authenticated with an SSH key. With this
    method, a user’s definition must include valid SSH key information in
    order for that user to authenticate an SSH session. Key authentication
    is always local; RADIUS is not supported. For more information, see
    SSH user keys in this chapter.
PW|KEY or KEY|PW
    SSH connections will be authenticated with either a username/password
    or an SSH key. If a user has only a password defined, that user must
    authenticate an SSH session with a username/password. If a user has
    only an SSH key defined, that user must authenticate an SSH session
    using the key. If a user has both a password and an SSH key defined,
    that user may use either a username/password or the SSH key to
    authenticate an SSH session. This method allows the CCM administrator
    to define how each user will authenticate an SSH session based on
    information provided in the User Add/Set command.
    PW authentication will be local or RADIUS as specified in the Auth
    parameter of the Server Security command. Key authentication is
    always local.
PW&KEY or KEY&PW
    SSH connections will be authenticated using both a username/password
    and an SSH key. With this method, a user’s definition must include a
    password and SSH key information for that user to authenticate an SSH
    session.
    PW authentication will be local or RADIUS as specified in the Auth
    parameter of the Server Security command. Key authentication is
    always local.
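The table above can be turned into a pre-change check: before switching the Server SSH authentication method, list which accounts would lose SSH access and which can still log in with a password alone. This is an added example, not code from the manual or from Avocent; the User model, the function names and the sample accounts are constructed for illustration, and only locally defined credentials are considered (passwords held on a RADIUS server are not modelled).

```python
from dataclasses import dataclass

FACTORS = frozenset({"PW", "KEY"})


@dataclass(frozen=True)
class User:
    """One entry of a local user database (constructed model, not CCM output)."""
    name: str
    has_password: bool
    has_key: bool  # an RSA key set with User Add / User Set


def parse_method(method):
    """Normalise a method string from the table to (operator, factors)."""
    text = method.strip().upper()
    for op in ("|", "&"):
        if op in text:
            parts = text.split(op)
            if len(parts) != 2 or frozenset(parts) != FACTORS:
                raise ValueError(f"not a method from the table: {method!r}")
            return op, FACTORS
    if text in FACTORS:
        return None, frozenset({text})
    raise ValueError(f"not a method from the table: {method!r}")


def accepted_credentials(method, user):
    """Credential sets that let this user open an SSH session; [] = locked out."""
    op, factors = parse_method(method)
    defined = set()
    if user.has_password:
        defined.add("PW")
    if user.has_key:
        defined.add("KEY")
    if op == "&":
        # Both factors are demanded together, so both must be defined.
        return [factors] if factors <= defined else []
    # PW, KEY and the "|" forms: any defined factor the method names is enough.
    return [frozenset({f}) for f in sorted(factors & defined)]


def audit(method, users):
    """Report accounts that cannot log in and accounts a password alone opens."""
    locked_out, password_only = [], []
    for user in users:
        options = accepted_credentials(method, user)
        if not options:
            locked_out.append(user.name)
        if frozenset({"PW"}) in options:
            password_only.append(user.name)
    return {"locked_out": locked_out, "password_only": password_only}


def migration_impact(current, proposed, users):
    """Accounts that work under `current` but would be locked out by `proposed`."""
    before = set(audit(current, users)["locked_out"])
    return [n for n in audit(proposed, users)["locked_out"] if n not in before]


# Constructed sample accounts: (name, has_password, has_key)
SAMPLE_USERS = [
    User("Admin", True, False),
    User("ops1", True, True),
    User("automation", False, True),
    User("contractor", True, False),
]

if __name__ == "__main__":
    for method in ("PW", "KEY", "PW|KEY", "PW&KEY"):
        print(method, audit(method, SAMPLE_USERS))
    print("PW -> PW&KEY newly locked out:",
          migration_impact("PW", "PW&KEY", SAMPLE_USERS))
```

Run against an export of the real user list, the locked_out result shows which accounts need a key or password added with User Add/Set before the method is changed.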
A user’s access rights are determined from the authentication method used.
SSH key authentication always uses the access rights from the local user
database. Depending on the server authentication mode specified with the