11-07-2024 12:58 PM
I am considering using Cisco ISE for Smartcard PKI authentication to our network devices (All Cisco).
I don't know what is needed for this, and I could use some help. I tried the Cisco chat, but that was worthless.
I only have a Cisco ASA, 2 Nexus 9k, and 8 Catalyst 9300.
I would appreciate any recommendations.
11-07-2024 01:51 PM
Hi Jeff,
My high-level 2c worth.
I have only dabbled with public key authentication using putty and Cat9K devices. I started looking at cert based authentication as well but have never implemented it. I don't know how Smart Card technology works exactly, but I would assume it's certificate based. Assuming it is, then authentication is between the terminal client (e.g. putty) and the network device - ISE is not involved. Every network device must be configured to have the Root CA cert that signed your Smart Card. In addition, the aaa authentication command will need to be adapted to perform local auth.
In the case of public key auth (using public/private keys) the task was to configure and install the public key of EVERY admin user on EVERY device. Can be automated using a key distribution tool. But the point is that every admin user creates their own pub/priv key pair, and then has to deposit the public key on every device.
Authorization is then handled by ISE/TACACS+ - but the main takeaway is that authentication is between terminal app and the network device.
I would be keen to know if the smart card stuff works as I assume above - in Windows 802.1X supplicants, Microsoft also uses the term "Smart Card Authentication" when referring to Cert-based-auth/EAP-TLS. So perhaps I am not too far off.
11-18-2024 09:37 AM
I was able to get PuTTY-CAC to work for getting to the switches.
Now I have to figure out how to put a public key from a DoD CAC card on the switch so that it recognizes the key. I have tried all sorts of things but haven't been successful.
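The per-device public-key step described in the first reply, and the "how do I get the CAC key onto the switch" question in the last post, as an added example that is not part of this thread or any Cisco tool: a small Python helper that takes an OpenSSH-format public key line (the authorized_keys format PuTTY-CAC copies to the clipboard) and emits the IOS-XE `ip ssh pubkey-chain` lines with the base64 body split to the CLI paste limit, plus the MD5 key-hash the switch should display once it accepts the key. The sample key blob is constructed, not a real CAC key; the username `jeff`, the 254-character paste limit, and the MD5 key-hash correspondence are assumptions to check against `show running-config | section pubkey` on your own switch.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real CAC key: an ssh-rsa blob (e=65537, fake
# 2048-bit modulus) in the authorized_keys line format PuTTY-CAC copies.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xc5" * 256))
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " jeff@cac"

def parse_openssh_pubkey(line: str):
    """Return (key_type, base64_body, raw_blob) from an authorized_keys line."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line")
    key_type, body = parts[0], parts[1]
    blob = base64.b64decode(body, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + name_len].decode("ascii", "replace")
    if blob_type != key_type:  # prefix and blob must name the same algorithm
        raise ValueError(f"key type mismatch: {key_type} vs {blob_type}")
    return key_type, body, blob

def ios_key_hash(blob: bytes) -> str:
    """MD5 of the decoded blob. Assumption: this is what IOS-XE stores as
    'key-hash ssh-rsa <hash>'; confirm with 'show run | section pubkey'."""
    return hashlib.md5(blob).hexdigest().upper()

def ios_pubkey_chain(username: str, line: str, width: int = 254):
    """IOS-XE lines binding the key to a local username. The base64 body is
    split because the CLI rejects pasted lines over ~254 chars (assumed)."""
    _key_type, body, blob = parse_openssh_pubkey(line)
    chunks = [body[i:i + width] for i in range(0, len(body), width)]
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    lines += ["   " + chunk for chunk in chunks]
    lines += ["  exit", " exit"]
    return lines, ios_key_hash(blob)

if __name__ == "__main__":
    cfg, expected = ios_pubkey_chain("jeff", SAMPLE_PUBKEY)
    print("\n".join(cfg) + f"\n! expect: key-hash ssh-rsa {expected}")
```

Authentication still happens between the SSH client and the switch itself, so this has to be repeated on every device; ISE/TACACS+ only comes into play for authorization after the key is accepted.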