2FA to SSH to supported IOS devices using tacacs+, ISE, PIV card and PKI

brmchenr
Cisco Employee

Hello all

Question regarding authentication using a PIV credential (smartcard) and ISE. After reading through several docs linked from here I want to ensure I have the proper processes down in order to be able to use ISE to authenticate users who want to use their PIV smartcard as credentials for IOS SSH access.

1) Customer will be required to use a client that can pass/present the smartcard credentials to IOS.

2) Configure supported IOS for PKI  (and this is where I am fuzzy)

     a) When configuring IOS for PKI, your trustpoint is the CA server where the certificate needs to be presented. Let's say they have their own in house CA server, which points back to their trusted root server elsewhere. It looks as if, from what I am reading, you can bring this into IOS (up to 10 total in the chain). So in essence the terminal client reads the PIV and presents the credentials to IOS; IOS relays this to the trustpoint CA server, passes or fails the authentication, then IOS resumes the authorization side of AAA with your configured AAA server such as ISE or ACS?

     b) What isn't clear at all is whether the above is the only method to do this. Can you import the CA chain into ISE, have the terminal client present the PIV credentials to IOS, configure the IOS trustpoint CA as ISE, then ISE checks the certificate and authenticates or not, proceeds with authorization, etc.? So no need to import the CA chain into IOS in this scenario. Is this doable?

Thanks!

Brandon


6 Replies

Jason Kunst
Cisco Employee

Yes, theoretically it will work.

hslai
Cisco Employee

There is some special software to work with such use cases. However, its PKI authentication is local to the IOS devices, with ISE handling the authorizations.

You are referring to the Terminal Clients correct? Yes I have identified one that Cisco uses in their example white paper and another that appears to be getting the functionality to read smartcards in an updated release.

The case behind this solution is the current authentication is via ACS which cannot authenticate smartcards. A move to ISE would allow that, I just wanted to be clear on the method. No sense in importing an entire CA chain into IOS if IOS itself can just relay the credentials to ISE and have ISE do the authentication.

The credentials are the cert, right? So this would need to be authenticated on ISE and we would need to trust the chain.

Yeah. In this case, ISE works the same as ACS. No protocol support for T+ authentication (or RADIUS auth to line access) to use PKI at the moment.

Ok thanks, that does clear it up.
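Editor's note: the split the accepted answer describes (certificate validation local to IOS, authorization from ISE over TACACS+) corresponds to the IOS "X.509v3 Certificates for SSH Authentication" feature. The sketch below is added here for illustration and is not from the thread or from Cisco; the trustpoint name PIV-USER-CA, the server name ISE-TACACS, the address 192.0.2.10 and the key are placeholders, and the CA chain must be pasted at the `crypto pki authenticate` prompt.

```text
! --- Local PKI side: IOS validates the user's PIV certificate itself ---
crypto pki trustpoint PIV-USER-CA
 enrollment terminal
 revocation-check ocsp         ! prefer OCSP/CRL over "none" for revoked PIV cards
! paste the issuing CA (and intermediates, up to the chain limit) when prompted
crypto pki authenticate PIV-USER-CA

! SSH server must offer X.509 host keys and accept public-key (certificate) user auth
ip ssh server algorithm hostkey x509v3-ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server certificate profile
 user
  trustpoint verify PIV-USER-CA   ! user certs are checked against this chain
  ocsp-response required

! --- AAA side: ISE is consulted for authorization only, never for the cert ---
aaa new-model
tacacs server ISE-TACACS
 address ipv4 192.0.2.10          ! placeholder ISE PSN address
 key <placeholder-shared-secret>
aaa group server tacacs+ ISE-GROUP
 server name ISE-TACACS
aaa authentication login default local          ! cert already proved identity locally
aaa authorization exec default group ISE-GROUP local
aaa authorization commands 15 default group ISE-GROUP local
```

The username ISE sees for authorization is taken from the validated certificate, so the ISE TACACS+ policy should key on that identity rather than on a password, and an unreachable ISE falls back to the local method as written.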