2FA with ISE and CAC - Is it possible for the login to fallback?

shane.vickers
Level 1

When implementing 2FA authentication to networking devices using CAC/PIN (from this guide: https://www.pragmasys.com/products/support/cisco-2-factor ), is it possible for the login attempt to fall back to a non-CAC TACACS user or a local user account?

For example: if I have a Cisco Prime or SolarWinds deployment that is configured to SSH into the switches to execute scripts/jobs, how would I go about keeping that same functionality, since the network management software will not be able to provide the public key/PIN?


5 Replies

Colby LeMaire
VIP Alumni

You can use an Identity Source Sequence in your authentication policy.  It can check the internal database of ISE first and if the user is not found, it can then use 2FA, AD, or whatever else you put in the list to try.

Thanks for the reply Colby, but I'm not sure that will work, unless I'm misunderstanding something. With the following commands configured on the switch:

ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa

Won't the switch reject any SSH attempt that doesn't provide a digital certificate that can't be verified by the PKI trustpoint configured on the switch? I'm not sure if the authentication request will be sent to ISE until the switch can verify the user certificate first... I don't have a way to lab this up right now to test it out.

That's a good point.  My response was based on ISE being the authenticator for both the certificate and the user/password.  

I probably wasn't clear enough in my original question, sorry about that.

In order to accomplish what you are searching for, you need to append 'password' as shown below:

ip ssh server algorithm authentication publickey password

This will allow CAC auth and/or user/pass. It will also allow you to be able to use either a local or ISE T+ user account. HTH!
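The accepted answer turns on a fallback by adding `password` to the SSH authentication method list; the trade-off is that the switch itself then no longer enforces CAC, and the decision about which accounts may log in by password moves to the AAA server (ISE). The script below is an added example, not code from this thread, from Cisco or from the guide linked in the question. It parses the `ip ssh server algorithm authentication` line out of running-config text and reports, per device, whether the switch is CAC-only (so password-based tools such as Cisco Prime or SolarWinds will be refused) or has a password fallback that must be constrained by ISE policy. The sample configs are constructed, the `DEFAULT_METHODS` order used when the line is absent is an assumption to confirm with `show ip ssh` on your platform, and the `keyboard`/`keyboard-interactive` keyword spellings are included as assumptions so either is recognised.

```python
"""Audit the SSH user-authentication methods a Cisco IOS switch will accept.

Added example (not from the thread and not Cisco code). It finds the
`ip ssh server algorithm authentication ...` line in a running-config and
reports whether a CAC-only (public-key) policy is enforced by the switch or
whether a password fallback exists for management tools.
"""
import re

# Assumption: the method order IOS uses when the line is absent.
# Confirm on your platform with `show ip ssh` before relying on it.
DEFAULT_METHODS = ["publickey", "keyboard", "password"]

# Methods that let a client authenticate with a username and password
# (both keyword spellings included as an assumption).
PASSWORD_STYLE = {"password", "keyboard", "keyboard-interactive"}

AUTH_RE = re.compile(r"^\s*ip ssh server algorithm authentication\s+(.+?)\s*$", re.M)
PUBKEY_ALG_RE = re.compile(r"^\s*ip ssh server algorithm publickey\s+(.+?)\s*$", re.M)

# Constructed sample configs (not taken from the thread) for the scenarios discussed.
CAC_ONLY = """\
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa
"""

CAC_WITH_PASSWORD_FALLBACK = """\
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey password
ip ssh server algorithm publickey x509v3-ssh-rsa
"""

NO_AUTH_LINE = "ip ssh version 2\n"


def ssh_auth_methods(config: str) -> list[str]:
    """Ordered SSH userauth methods the switch offers; the last matching line wins."""
    matches = AUTH_RE.findall(config)
    if not matches:
        return list(DEFAULT_METHODS)
    return matches[-1].split()


def assess_ssh_auth(config: str) -> dict:
    """Summarise what the method list means for CAC enforcement and automation access."""
    methods = ssh_auth_methods(config)
    pubkey_algs = PUBKEY_ALG_RE.findall(config)
    password_fallback = any(m in PASSWORD_STYLE for m in methods)
    return {
        "methods": methods,
        # Only certificate/public-key logins are offered; password-only clients are refused.
        "cac_only": methods == ["publickey"],
        # x509v3-ssh-rsa is what lets the CAC certificate be presented as the SSH key.
        "x509_publickey": any("x509v3" in a for a in pubkey_algs),
        # True when username+password SSH sessions (Prime/SolarWinds style) can get in.
        "automation_password_login_possible": password_fallback,
        # With a fallback the switch no longer enforces CAC by itself; the AAA
        # server (ISE) policy must decide which accounts may log in by password.
        "cac_enforced_by_switch": not password_fallback,
    }


def audit(configs: dict[str, str]) -> list[str]:
    """One finding line per device, suitable for a fleet report."""
    lines = []
    for name, cfg in configs.items():
        a = assess_ssh_auth(cfg)
        if a["cac_only"]:
            verdict = "CAC-only: password-based management tools will be rejected"
        elif a["automation_password_login_possible"]:
            verdict = "password fallback present: constrain password accounts in ISE policy"
        else:
            verdict = "no password method and not CAC-only: review method list"
        lines.append(f"{name}: {' '.join(a['methods'])} -> {verdict}")
    return lines


if __name__ == "__main__":
    for line in audit({"sw-cac-only": CAC_ONLY,
                       "sw-fallback": CAC_WITH_PASSWORD_FALLBACK,
                       "sw-default": NO_AUTH_LINE}):
        print(line)
```

Run it against exported running-configs to find devices where the fallback was added for automation but no matching ISE authorization policy limits which accounts may use it; the `cac_enforced_by_switch` flag is the one to track, because once it is false the CAC requirement exists only as far as the AAA policy implements it.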