
TACACS+, Active Directory, and SmartCards (CAC)

Can someone tell me what is possible with Cisco SecureACS v4.2 and use of a SmartCard as far as logging in to a Cisco router/switch via SSH?

In our environment we log into our workstations with a CAC/SmartCard and do not have any form of username or password, just a PIN for the CAC. I know SecureACS can talk to AD, but what would happen if that was set up in this situation? I would open PuTTY and log into the device and it would still ask for a login/password, correct? Is there a 2-factor authentication solution that doesn't rely on RSA SecurID tokens?

Accepted Solution

Cisco Employee

Hi Kenneth,


Yes, ACS can talk to AD and authenticate users on the basis of user credentials defined in AD (external database) for wireless/VPN/administrative sessions. As far as I know, there is no way to use a CAC (smart card) to authenticate and authorize a user to the router/switch CLI (SSH/Telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication, so the only solution here we can rely on is RSA SecurID (which is supported by ACS).


ACS integration with RSA SecurID


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer to the document listed below:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Please rate helpful posts.

~Jatin


2 Replies

Thanks, JK!

I was afraid that was the only solution. I will give those documents a read. Your help is much appreciated!

-Ken