Emulate Smart Card

ryanbess
Level 1

Trying to lab some things up.  Does anyone have a recommendation for software that emulates a PIV/CAC card?  


Arne Bier
VIP

I have never heard of this - just did a Google search. But I am unclear what you're trying to emulate. I don't know how this solution is implemented, but like most MFA token-based solutions, they tend to run as a RADIUS service. If that is the case with a PIV/CAC solution, then you could spin up another ISE VM, and have that act as your PIV/CAC server. Create some network access user identities there. Then, in your main ISE, configure a remote RADIUS server that uses the other ISE as a "RADIUS Token server" for token authentication. I have done this before to simulate RSA token servers. Of course, you don't have a real token that has a dynamic password/code - but that is not what you're testing - the password would simply be a fixed password that exists in your fake PIV/CAC password. What you're testing is the ISE RADIUS functionality.

 

Hey Arne,

I'm trying to mock up what I posted on the TEAP question. I need to support PIV and username/password for user logins. Looks like the NAM module may have this functionality.

Arne Bier
VIP

Oh right - if you want to simulate EAP-TEAP (or any TEAP method) then wpa_supplicant is also an excellent option.

Have a look here at some options

Ruben Cocheno
Spotlight

@ryanbess 

I guess you want to grab the authentication from the PIV/CAC card, so AnyConnect NAM will give you that with smart cards; just look here: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure_nam.html

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Ultimately I'm trying to lab up a few scenarios in my virtual lab. One thing I want to see is what happens if I configure the Windows supplicant to do PEAP with the authentication method "Secured password (EAP-MSCHAP V2)". I get what would happen from the computer side: the computer's credentials would be sent to ISE. But what would happen if the user authenticated via PIV? I get the computer would unlock, but what would the supplicant do for the user authentication? Would it still send the cert, would it send a cached credential, or would it do nothing?