12-16-2019 10:38 AM - edited 02-21-2020 11:12 AM
When implementing 2FA authentication to networking devices using CAC/Pin (from this guide: https://www.pragmasys.com/products/support/cisco-2-factor ) is it possible for the login attempt to fallback to a non-CAC TACACS user or a local user account?
For example: If I have a Cisco Prime or SolarWinds deployment that is configured to SSH into the switches to execute scripts/jobs, how would I go about keeping that same functionality since the network management software will not be able to provide the publickey/pin?
12-16-2019 01:28 PM
You can use an Identity Source Sequence in your authentication policy. It can check the internal database of ISE first and if the user is not found, it can then use 2FA, AD, or whatever else you put in the list to try.
12-17-2019 09:04 AM
Thanks for the reply Colby, but I'm not sure that will work, unless I'm misunderstanding something. With the following commands configured on the switch:
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa
Won't the switch reject any SSH attempt that doesn't provide a digital certificate that can't be verified by the pki trustpoint configured on the switch? I'm not sure if the authentication request will be sent to ISE until the switch can verify the User certificate first... I don't have a way to lab this up right now to test it out.
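One way to answer this without a lab is to ask the switch which SSH authentication methods it still offers before any credential is presented: OpenSSH reports them in its "Permission denied (...)" message when the client offers no method. The script below is an added example, not from this thread or from Cisco; it assumes an OpenSSH client, and "switch01" and "nms-svc" are placeholder names.

```shell
#!/bin/sh
# Added example (not from the thread): probe which SSH authentication methods a
# switch offers before it has seen any credential, to see whether a
# password/keyboard-interactive fallback for the NMS account still exists.
# Assumes an OpenSSH client; "switch01" and "nms-svc" are placeholder names.

# Extract the method list from an OpenSSH "Permission denied (a,b,c)." line.
# Takes the client's stderr text as $1 and prints the comma-separated list.
parse_auth_methods() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Return 0 if a non-certificate method the NMS can use (password or
# keyboard-interactive) is among the offered methods in $1, else 1.
has_password_fallback() {
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the server for its method list by offering no authentication at all.
# BatchMode suppresses prompts; the server replies with the methods it allows.
probe_auth_methods() {
    host=$1; user=${2:-nms-svc}
    out=$(ssh -o BatchMode=yes -o PreferredAuthentications=none \
              -o PubkeyAuthentication=no -o ConnectTimeout=5 \
              "$user@$host" exit 2>&1 || true)
    parse_auth_methods "$out"
}

# Constructed samples of what the client prints against a switch that only
# allows publickey (the situation described in the thread) and against one
# that still allows a password fallback.
SAMPLE_PUBKEY_ONLY='nms-svc@switch01: Permission denied (publickey).'
SAMPLE_WITH_FALLBACK='nms-svc@switch01: Permission denied (publickey,keyboard-interactive,password).'

report() {
    methods=$(parse_auth_methods "$1")
    if has_password_fallback "$methods"; then
        echo "offered: $methods -> NMS password login possible"
    else
        echo "offered: $methods -> certificate/publickey only; NMS login will fail"
    fi
}

report "$SAMPLE_PUBKEY_ONLY"
report "$SAMPLE_WITH_FALLBACK"
# Live check against a real device: probe_auth_methods switch01 nms-svc
```

If the live probe returns only "publickey", the switch is rejecting non-certificate logins itself and no ISE identity source sequence will be consulted for the NMS account.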
12-17-2019 09:39 AM
That's a good point. My response was based on ISE being the authenticator for both the certificate and the user/password.