
TACACS+, Active Directory, and SmartCards (CAC)

kwkirchner
Level 1

Can someone tell me what is possible with Cisco SecureACS v4.2 and use of a SmartCard as far as logging in to a Cisco router/switch via SSH?

In our environment we log into our workstations with a CAC/SmartCard and do not have any form of username or password, just a PIN for the CAC. I know SecureACS can talk to AD, but what would happen if that was set up in this situation? I would open PuTTY and log into the device and it would still ask for a login/password, correct? Is there a 2-factor authentication solution that doesn't rely on RSA SecurID tokens?

Accepted Solutions

Jatin Katyal
Cisco Employee

Hi Kenneth,


Yes, ACS can talk to AD and authenticate a user on the basis of user credentials defined in AD (external database) for wireless/VPN/administrative sessions. As far as I know, there is no way to use a CAC (smart card) to authenticate and authorize a user to the router/switch CLI (SSH/Telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication, so the only solution here we can rely on is RSA SecurID (which is supported by ACS).


ACS integration with RSA SecurID


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer to the document listed below:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Plz rate helpful posts-
       

~Jatin


3 Replies

Thanks, JK!

I was afraid that was the only solution. I will give those documents a read. Your help is much appreciated!

-Ken

cnorborg
Level 1

Maybe it's changed since this? This article shows how to use CAC with TACACS using SecureCRT:

 

https://www.mathewjbray.com/2020/01/27/cisco-ise-device-administration-two-factor-authentication-2fa-with-common-access-card-cac-using-securecrt/