cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5409
Views
0
Helpful
3
Replies

TACACS+, Active Directory, and SmartCards (CAC)

kwkirchner
Beginner
Beginner

Can someone tell me what is possible with Cisco SecureACS v4.2 and use of a SmartCard as far as logging in to a Cisco router/switch via SSH?

In our environment we log into our workstations with a CAC/SmartCard and do not have any form of username or password, just a PIN for the CAC.  I know SecureACS can talk to AD, but what would happen if that was setup in this situation?  I would open putty and log into the device and it would still ask for a login/password, correct?  Is there a 2-factor authentication solution that doesn't rely on RSA SecureID tokens?

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

Hi Kenneth,


Yes, ACS can talk to AD and authenticate user on the basis of user credentials defined on the AD (external database) for wireless/VPN/administrative sessions. AS far as I know, there is no way to use CAC (Smart card) to authenticate and authorize a user to the router/switch CLI (ssh/telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication so only solution here we can rely on is RSA secure ID (Does support by ACS).


ACS integration with RSA secureID


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer the below listed document:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Plz rate helpful posts-
       

~Jatin

View solution in original post

3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

Hi Kenneth,


Yes, ACS can talk to AD and authenticate user on the basis of user credentials defined on the AD (external database) for wireless/VPN/administrative sessions. AS far as I know, there is no way to use CAC (Smart card) to authenticate and authorize a user to the router/switch CLI (ssh/telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication so only solution here we can rely on is RSA secure ID (Does support by ACS).


ACS integration with RSA secureID


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer the below listed document:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Plz rate helpful posts-
       

~Jatin

Thanks, JK!

  I was afraid that was the only solution.  I will give those documents a read.  Your help is much appreciated!

-Ken

cnorborg
Beginner
Beginner

Maybe its changed since this?   This article shows how to use CAC with TACACS using SecureCRT

 

https://www.mathewjbray.com/2020/01/27/cisco-ise-device-administration-two-factor-authentication-2fa-with-common-access-card-cac-using-securecrt/

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers