topic Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI in Network Access Control

2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

brmchenr — Wed, 12 Apr 2017 14:31:25 GMT

Hello all

Question regarding authentication using a PIV credential (smartcard) and ISE. After reading through several docs linked from here I want to ensure I have the proper processes down in order to be able to use ISE to authenticate users who want to use their PIV smartcard as credentials for IOS SSH access.

1) Customer will be required to use a client that can pass/present the smartcard credentials to IOS.

2) Configure supported IOS for PKI (and this is where I am fuzzy)

a) When configuring IOS for PKI, your trustpoint is the CA server where the certificate needs to be presented. Let's say they have their own in house CA server, which points back to their trusted root server elsewhere. It looks as if, from what I am reading, you can bring this into IOS (up to 10 total in the chain). So in essence the terminal client reads the PIV and presents the credentials to IOS; IOS relays this to the trustpoint CA server, passes or fails the authentication, then IOS resumes the authorization side of AAA with your configured AAA server such as ISE or ACS?

b) What isn't clear at all is whether the above is the only method to do this. Can you import the CA chain into ISE, have the terminal client present the PIV credentials to IOS, configure IOS trustpoint CA as ISE, then ISE checks the certficate and authenticates or not, proceeds with authorization, etc? So no need to import the CA chain into IOS in this scenario. Is this doable?

Thanks!

Brandon

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

Jason Kunst — Wed, 12 Apr 2017 15:08:42 GMT

Yes theoretically will work.

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

hslai — Wed, 12 Apr 2017 16:25:56 GMT

There is some special software to work with such use cases. However, it's PKI authentication is local to the IOS devices with ISE to handle the authorizations.

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

brmchenr — Wed, 12 Apr 2017 16:36:15 GMT

You are referring to the Terminal Clients correct? Yes I have identified one that Cisco uses in their example white paper and another that appears to be getting the functionality to read smartcards in an updated release.

The case behind this solution is the current authentication is via ACS which cannot authenticate smartcards. A move to ISE would allow that, I just wanted to be clear on the method. No sense in importing an entire CA chain into IOS if IOS itself can just relay the credentials to ISE and have ISE do the authentication.

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

Jason Kunst — Wed, 12 Apr 2017 16:40:31 GMT

The credentials are the cert right? So this would need to be authenticated on ise and we would need to trust the chain

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

hslai — Wed, 12 Apr 2017 16:41:00 GMT

Yeah. In this case, ISE works the same as ACS. No protocol support for T+ authentication (or RADIUS auth to line access) to use PKI at the moment.

Re: 2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

brmchenr — Wed, 12 Apr 2017 16:44:07 GMT

Ok thanks, that does clear it up.