https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/5166075#M1115385 <P>any one success to do this ?&nbsp;</P><P>&nbsp;</P><P>the BlastRadius will kill us those week</P> Mon, 26 Aug 2024 18:12:41 GMT Nenday 2024-08-26T18:12:41Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4283746#M1077954 <P>Hello,</P><P>&nbsp;</P><P>Very new to Cisco IOS devices and AAA configurations. We currently have a PKI infrastructure, and are using NPS for radius authentication/authorization.</P><P>I've been tasked to change our baseline IOS configuration so that it can validate user pki certificate for authentication and then validate the user with the NPS server for authorization.</P><P>Currently we have some basic configuration like this:</P><PRE>aaa authentication login default group radius-server1 aaa authentication login console group radius-server1 aaa authorization console aaa authorization exec default group radius-server1</PRE><P>I've successfully gotten the certificate authentication to work with the following:</P><PRE>crypto pki trustpoint domain.local enrollment terminal revocation-check crl none revocation-check ocsp none authorization list CERT authorization username subjectname commonname ip ssh server certificate profile user trustpoint verify domain.local ip ssh server algorithm hostkey x509v3-ssh-rsa ip ssh server algorithm authentication publickey ip ssh server algorithm publickey x509v3-ssh-rsa aaa authorization network CERT none</PRE><P>For the life of me I cannot find a good example for SSH cert authentication/radius authorization. I've read numerous forum posts from people saying you can do cert authentication and then be prompted for username and password for radius authorization, but not concrete examples.</P><P>&nbsp;</P><P>Any help with an example would be appreciated. Thank you</P> Mon, 01 Feb 2021 17:06:01 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4283746#M1077954 pakmon1722 2021-02-01T17:06:01Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4283761#M1077955 <P>Very good question and thinking - i have not deployed and tested. but looking at the document durable.</P> <P>&nbsp;</P> <P>Authorisation example with ISE-&nbsp; you can replace with NPS configuration here - ( appologies if i misguiding you here)</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html</A></P> Mon, 01 Feb 2021 17:29:48 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4283761#M1077955 balaji.bandi 2021-02-01T17:29:48Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4290089#M1078398 <P>Hello,</P><P>&nbsp;</P><P>Thanks for providing the article, it was helpful but only if I'm using TACACS+ and ISE. Unfortunately I'm trying to use radius.&nbsp;</P><P>&nbsp;</P><P>I read here:&nbsp;</P><P><A href="https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16-11/sec-pki-xe-16-11-book/sec-cfg-auth-rev-cert.html.xml" target="_blank">Cisco Content Hub - Configuring Authorization and Revocation of Certificates in a PKI</A></P><P>&nbsp;</P><P>Under the section&nbsp;RADIUS or TACACS+ Choosing a AAA Server Protocol that if you create radius users with the default password cisco it might be possible.&nbsp;</P><P>&nbsp;</P><P>Will test and update this post.</P><P>&nbsp;</P><P>Thanks</P> Thu, 11 Feb 2021 13:42:53 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4290089#M1078398 pakmon1722 2021-02-11T13:42:53Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4290157#M1078405 <P>Thank you for the input, that give more information all members of community, feedback the results will help.</P> <P>&nbsp;</P> Thu, 11 Feb 2021 14:40:52 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4290157#M1078405 balaji.bandi 2021-02-11T14:40:52Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4550765#M1087329 <P>I am trying to accomplish this exact same procedure. Were you able to successfully authorize through your AAA server?</P> Fri, 11 Feb 2022 17:58:18 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/4550765#M1087329 hboesenberg 2022-02-11T17:58:18Z https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/5166075#M1115385 <P>any one success to do this ?&nbsp;</P><P>&nbsp;</P><P>the BlastRadius will kill us those week</P> Mon, 26 Aug 2024 18:12:41 GMT https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/m-p/5166075#M1115385 Nenday 2024-08-26T18:12:41Z