topic Re: 2FA with ISE and CAC - Is it possible for the login to fallback? in Network Access Control

2FA with ISE and CAC - Is it possible for the login to fallback?

shane.vickers — Fri, 21 Feb 2020 19:12:33 GMT

When implementing 2FA authentication to networking devices using CAC/Pin (from this guide: https://www.pragmasys.com/products/support/cisco-2-factor ) is it possible for the login attempt to fallback to a non-CAC TACACS user or a local user account?

For example: If I have a Cisco Prime or SolarWinds deployment that is configured to SSH into the switches to execute scripts/jobs, how would I go about keeping that same functionality since the network management software will not be able to provide the publickey/pin?

Re: 2FA with ISE and CAC - Is it possible for the login to fallback?

Colby LeMaire — Mon, 16 Dec 2019 21:28:29 GMT

You can use an Identity Source Sequence in your authentication policy. It can check the internal database of ISE first and if the user is not found, it can then use 2FA, AD, or whatever else you put in the list to try.

Re: 2FA with ISE and CAC - Is it possible for the login to fallback?

shane.vickers — Tue, 17 Dec 2019 17:04:11 GMT

Thanks for the reply Colby, but I'm not sure that will work, unless I'm misunderstanding something. With the following commands configured on the switch:

ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa

Won't the switch reject any SSH attempt that doesn't provide a digital certificate that can't be verified by the pki trustpoint configured on the switch? I'm not sure if the authentication request will be sent to ISE until the switch can verify the the User certificate first... I don't have a way to lab this up right now to test it out.

Re: 2FA with ISE and CAC - Is it possible for the login to fallback?

Colby LeMaire — Tue, 17 Dec 2019 17:39:25 GMT

That's a good point. My response was based on ISE being the authenticator for both the certificate and the user/password.

Re: 2FA with ISE and CAC - Is it possible for the login to fallback?

shane.vickers — Tue, 17 Dec 2019 17:44:22 GMT

I probably wasn't clear enough in my original question, sorry about that.

Re: 2FA with ISE and CAC - Is it possible for the login to fallback?

Mike.Cifelli — Tue, 17 Dec 2019 18:37:19 GMT

In order to accomplish what you are searching for you need to append 'password' as shown below:
ip ssh server algorithm authentication publickey password
This will allow cac auth and/or user/pass. It will also allow you to be able to use either a local or ISE t+ user account. HTH!