topic Re: How can you setup SSH 2FA for switches and routers? in Network Security

How can you setup SSH 2FA for switches and routers?

SWtw — Sun, 13 Mar 2022 01:32:17 GMT

Helping on a project that has a simple requirement — to lock down our switches and routers to have 2FA for administrator access. But, we’re out of our element on implementing this – and could use advice.

We do not have any sort of directory right now … at all … but will shortly have everyone in the Office 365 Admin with assorted different 365 licenses. So, to an extent, Azure/AD is available if we wanted. But, there’s no on-premise directory, and we’d prefer not to have another item to manage.

We were thinking to use something simple like JumpCloud’s RADIUS in the Cloud service, but we’re open to other ideas. Was hoping to avoid a full Duo, etc… implementation as it’s only for about 50 switches/routers, and only for admins, not users in anyway.

We’ve been able to create an instance of a RADIUS server in the cloud on JumpCloud, and we see the name, secret key, and believe that we have the right Ips, but when messing around in the Cisco console, to see if we can make anything stick, we’re just not getting anywhere. We don’t see the device show up in the JumpCloud dashboard, and not sure if we’re doing the aaa setup right either (or what is necessary from it).

It just seems this shouldn’t be so hard. We seem to be missing the fundamental piece of understanding of what’s necessary to setup simple 2FA for these devices, even using a service like JumpCloud’s RADIUS.

Any ideas? Suggestions as to alternatives? Just looking for something inexpensive and not a pain in the ass for basic 2FA.

Things to note:

- Automated/scripted access doesn’t need 2FA.
- Network monitoring doesn’t have to be 2FA.
- We can have an admin user without 2FA if we lock it to physical access (e.g., console port)
- Can assume everything is Cisco.
- Most of the routers are actually ASAs.
- Most models of switches are Cisco Catalyst (3650 and 4500).

Re: How can you setup SSH 2FA for switches and routers?

Leo Laohoo — Sun, 13 Mar 2022 03:22:37 GMT

I really do not understand why anyone would want to make this process so complicated.

Get a RADIUS server and create several tiered "network" accounts and put them into a "special" group.

Only those who have the "needs" to log into are given access to log into network equipment (i.e, Finance and Shipping people do not need to have "admin" access nor a requirement to log into network equipment).

Passwords needs to be complicated and regularly changed.

If someone really wants to do 2FA/MFA, the RADIUS server is where 2FA/MFA needs to be enabled.

Re: How can you setup SSH 2FA for switches and routers?

Mike.Cifelli — Sun, 13 Mar 2022 14:20:25 GMT

Take a look at the following to see if this could be an option to meet your end goals: https://www.pragmasys.com/products/support/cisco-2-factor

NOTE: for the devices or tools that do not require 2FA you can enable both (x509 + password) via: ip ssh server algorithm authentication publickey password

HTH!