04-12-2017 07:31 AM
Hello all
Question regarding authentication using a PIV credential (smartcard) and ISE. After reading through several docs linked from here I want to ensure I have the proper processes down in order to be able to use ISE to authenticate users who want to use their PIV smartcard as credentials for IOS SSH access.
1) Customer will be required to use a client that can pass/present the smartcard credentials to IOS.
2) Configure supported IOS for PKI (and this is where I am fuzzy)
a) When configuring IOS for PKI, your trustpoint is the CA server where the certificate needs to be presented. Let's say they have their own in house CA server, which points back to their trusted root server elsewhere. It looks as if, from what I am reading, you can bring this into IOS (up to 10 total in the chain). So in essence the terminal client reads the PIV and presents the credentials to IOS; IOS relays this to the trustpoint CA server, passes or fails the authentication, then IOS resumes the authorization side of AAA with your configured AAA server such as ISE or ACS?
b) What isn't clear at all is whether the above is the only method to do this. Can you import the CA chain into ISE, have the terminal client present the PIV credentials to IOS, configure IOS trustpoint CA as ISE, then ISE checks the certificate and authenticates or not, proceeds with authorization, etc? So no need to import the CA chain into IOS in this scenario. Is this doable?
Thanks!
Brandon
04-12-2017 08:08 AM
Yes, theoretically it will work.
04-12-2017 09:25 AM
There is some special software to work with such use cases. However, its PKI authentication is local to the IOS devices, with ISE handling the authorizations.
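The split described in this reply, shown as an added IOS configuration that is not from any participant in the thread or from Cisco documentation: the device validates the PIV certificate against an imported CA chain, and ISE is only consulted for authorization. Trustpoint names, the server group name and 192.0.2.10 are assumed placeholders.

```cisco
! Added example: IOS / IOS XE configuration for SSH login with
! X.509v3 (PIV) client certificates validated on the device, with
! ISE handling authorization over TACACS+. Trustpoint names, the
! server group and 192.0.2.10 are assumed placeholders.
!
! CA chain for the user certificates: the issuing CA is imported
! and chained to the root (enrollment terminal = paste the PEM).
crypto pki trustpoint ROOT-CA
 enrollment terminal
 revocation-check crl
!
crypto pki trustpoint ISSUING-CA
 enrollment terminal
 revocation-check crl
 chain-validation continue ROOT-CA
!
! Device identity certificate used to sign the SSH host key.
crypto pki trustpoint DEVICE-CA
 enrollment terminal
 revocation-check none
 rsakeypair SSH-KEY
!
! SSH offers certificate-based public-key authentication only;
! client certificates are verified against ISSUING-CA.
ip ssh version 2
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
ip ssh server algorithm publickey x509v3-ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server certificate profile
 server
  trustpoint sign DEVICE-CA
 user
  trustpoint verify ISSUING-CA
!
! AAA: the certificate satisfies authentication on the device;
! ISE (TACACS+) decides exec and command authorization.
aaa new-model
tacacs server ISE
 address ipv4 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
aaa group server tacacs+ ISE-TACACS
 server name ISE
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
!
line vty 0 4
 transport input ssh
```

With `revocation-check crl` the device must be able to reach the CA's CRL distribution point, or logins fail closed; ISE never sees the certificate, only the username the SSH client presents, which is why the CA chain has to live on the IOS device.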
04-12-2017 09:36 AM
You are referring to the Terminal Clients correct? Yes I have identified one that Cisco uses in their example white paper and another that appears to be getting the functionality to read smartcards in an updated release.
The case behind this solution is the current authentication is via ACS which cannot authenticate smartcards. A move to ISE would allow that, I just wanted to be clear on the method. No sense in importing an entire CA chain into IOS if IOS itself can just relay the credentials to ISE and have ISE do the authentication.
04-12-2017 09:40 AM
The credentials are the cert, right? So this would need to be authenticated on ISE, and we would need to trust the chain.
04-12-2017 09:41 AM
Yeah. In this case, ISE works the same as ACS. No protocol support for T+ authentication (or RADIUS auth to line access) to use PKI at the moment.
04-12-2017 09:44 AM
Ok thanks, that does clear it up.