how to use smart card authentication for network devices access?

Maivakov
Level 1

How to use smart card authentication for network device access?

I searched, and SecureCRT and PuTTY CAC can do it.

But which of these programs is the most secure?

Why do most companies not apply this authentication?

Some websites say to use ISE, some use TACACS; which is the authentic way?

Which smart card and smart card reader are the most secure and comply with military standards, ISO and FIPS?

1 Reply

Arne Bier
VIP

At a high level, any Authentication (authN) method that is NOT password based will still require a AAA server to perform Authorization (authZ).

e.g. imagine you connect to a Cisco IOS device using SSH, and your authN method is

  1. Public key. You must create the user account on every device and also put the user's public key on every device. But the aaa authorization still goes to the AAA server (TACACS+ or RADIUS)
  2. Cert auth. You don't create the user accounts on the devices. But you install the CA cert chain on all devices to trust the client certs. The aaa authorization still goes to AAA server.

I have only tested method 1 so far. Why don't most companies use public key authN? Probably because it's a lot of overhead and most companies don't have the key distribution software (or skills) in place to make this easy - but in public cloud it's usually the default authN method. And cert authN makes life even more complicated, because you're dealing with entities (certs) that have an expiry date - and someone has to ensure that these things are maintained. Or you'll have a very bad day.

I would imagine that smart cards operate similarly to X.509 certs - and that each device in the network must be configured to trust that type of authentication. But the exact steps of how it's done are unclear to me.
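An added example, not part of the thread: the per-device key overhead of method 1 can be audited by comparing each device's `ip ssh pubkey-chain` block against a key inventory, and by checking that exec authorization still points at an AAA server group. It assumes running-configs that store keys as `key-hash` lines; the device names, users and hashes are constructed.

```python
import re
# Constructed sample data: running-config excerpts with placeholder key hashes.
CONFIGS = {
    "edge-rtr-1": """\
aaa authorization exec default group tacacs+ local
ip ssh pubkey-chain
  username alice
   key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
  username bob
   key-hash ssh-rsa FEDCBA9876543210FEDCBA9876543210
""",
    "core-sw-2": """\
aaa authorization exec default local
ip ssh pubkey-chain
  username alice
   key-hash ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
""",
}
EXPECTED = {"alice": "0123456789ABCDEF0123456789ABCDEF", "bob": "FEDCBA9876543210FEDCBA9876543210"}

def parse_pubkey_chain(config):
    """Return {username: {key hashes}} from the 'ip ssh pubkey-chain' block."""
    users, user, in_chain = {}, None, False
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command opens or closes the block
            in_chain, user = line.strip() == "ip ssh pubkey-chain", None
        elif in_chain and (m := re.match(r"\s+username\s+(\S+)", line)):
            user = m.group(1)
        elif in_chain and user and (m := re.match(r"\s+key-hash\s+\S+\s+([0-9A-Fa-f]+)", line)):
            users.setdefault(user, set()).add(m.group(1).upper())
    return users

def exec_authz_uses_server_group(config):
    """True if exec authorization names an AAA server group (tacacs+, radius, custom)."""
    return bool(re.search(r"^aaa authorization exec \S+ .*\bgroup\s+\S+", config, re.M))

def audit(configs, expected):
    """List (device, user, finding) tuples for key drift and local-only authorization."""
    findings = []
    for device, cfg in sorted(configs.items()):
        have = parse_pubkey_chain(cfg)
        for user, want in sorted(expected.items()):
            if want.upper() not in have.get(user, set()):
                why = "key differs from inventory" if user in have else "user/key missing"
                findings.append((device, user, why))
        if not exec_authz_uses_server_group(cfg):
            findings.append((device, "-", "exec authorization not sent to AAA server"))
    return findings

if __name__ == "__main__": print(*audit(CONFIGS, EXPECTED), sep="\n")
```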