cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1231
Views
5
Helpful
5
Replies

2FA with ISE and CAC - Is it possible for the login to fallback?

shane.vickers
Level 1
Level 1

When implementing 2FA authentication to networking devices using CAC/Pin (from this guide: https://www.pragmasys.com/products/support/cisco-2-factor ) is it possible for the login attempt to fallback to a non-CAC TACACS user or a local user account?

 

For example: If I have a Cisco Prime or SolarWinds deployment that is configured to SSH into the switches to execute scripts/jobs, how would I go about keeping that same functionality since the network management software will not be able to provide the publickey/pin? 

1 Accepted Solution

Accepted Solutions

In order to accomplish what you are searching for you need to append 'password' as shown below:
ip ssh server algorithm authentication publickey password
This will allow cac auth and/or user/pass. It will also allow you to be able to use either a local or ISE t+ user account. HTH!

View solution in original post

5 Replies 5

Colby LeMaire
VIP Alumni
VIP Alumni

You can use an Identity Source Sequence in your authentication policy.  It can check the internal database of ISE first and if the user is not found, it can then use 2FA, AD, or whatever else you put in the list to try.

Thanks for the reply Colby, but I'm not sure that will work, unless I'm misunderstanding something. With the following commands configured on the switch:

 

ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa

 

Won't the switch reject any SSH attempt that doesn't provide a digital certificate that can't be verified by the pki trustpoint configured on the switch? I'm not sure if the authentication request will be sent to ISE until the switch can verify the the User certificate first... I don't have a way to lab this up right now to test it out. 

That's a good point.  My response was based on ISE being the authenticator for both the certificate and the user/password.  

I probably wasn't clear enough in my original question, sorry about that.

In order to accomplish what you are searching for you need to append 'password' as shown below:
ip ssh server algorithm authentication publickey password
This will allow cac auth and/or user/pass. It will also allow you to be able to use either a local or ISE t+ user account. HTH!