
4678 Views | 0 Helpful | 2 Replies
kwkirchner
Beginner

TACACS+, Active Directory, and SmartCards (CAC)

Can someone tell me what is possible with Cisco SecureACS v4.2 and use of a SmartCard as far as logging in to a Cisco router/switch via SSH?

In our environment we log into our workstations with a CAC/SmartCard and do not have any form of username or password, just a PIN for the CAC.  I know SecureACS can talk to AD, but what would happen if that was set up in this situation?  I would open PuTTY and log into the device and it would still ask for a login/password, correct?  Is there a 2-factor authentication solution that doesn't rely on RSA SecurID tokens?

1 ACCEPTED SOLUTION

Accepted Solutions
Jatin Katyal
Cisco Employee

Hi Kenneth,


Yes, ACS can talk to AD and authenticate users on the basis of user credentials defined on the AD (external database) for wireless/VPN/administrative sessions. As far as I know, there is no way to use CAC (smart card) to authenticate and authorize a user to the router/switch CLI (SSH/Telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication, so the only solution here we can rely on is RSA SecurID (which is supported by ACS).


ACS integration with RSA SecurID


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer to the document listed below:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Plz rate helpful posts-

~Jatin


2 REPLIES 2

Thanks, JK!

I was afraid that was the only solution.  I will give those documents a read.  Your help is much appreciated!

-Ken
