01-18-2019 07:12 AM - edited 03-11-2019 01:54 AM
Does ISE support TACACS authentication of network devices using public keys? Public key config would be on the network devices. This would be helpful for workflows where automation is being utilized. If so, any documentation out there?
01-20-2019 01:48 PM
As far as I know the TACACS authentication is always interactive. As far as the allowable passwords are concerned, these can be supplied using ASCII/PAP/CHAP/MSCHAPv1 - in public key crypto there needs to be a way to negotiate the key exchange (e.g. Diffie-Hellman) - I don't see any provision for this in the TACACS protocol. The best it can do is to support symmetric key exchange, which is no different to what exists today when both parties have to know the same password and then supply that via ASCII/PAP/CHAP etc.
02-17-2019 08:54 AM
I would suggest you try authentication locally and pass only the authorizations to the T+ server(s).
https://www.pragmasys.com/products/support/cisco-2-factor is similar to your ask, although PragmaSys's solution is geared to be more secure than for automation convenience.
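The split suggested above (authenticate the automation account locally with an SSH public key, send exec and command authorization to the TACACS+ server) can be expressed as a Cisco IOS AAA configuration. The following is an added illustration, not configuration from the thread, Cisco or ISE documentation; the server address, shared key, account name, list name "AUTOMATION" and the key-string are constructed placeholders, and the assumption is that the same username exists in ISE's identity store so the authorization requests it receives can be matched to a device-admin policy.

```cisco
! Added example: local SSH public-key authentication, TACACS+ (ISE) authorization.
! All addresses, keys and names below are constructed placeholders.
aaa new-model
!
! TACACS+ server definition (ISE PSN); the shared key is the only secret the
! protocol itself protects traffic with, so treat it like a password.
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-KEY
!
aaa group server tacacs+ ISE
 server name ISE-PSN-1
!
! Local account used by the automation tooling. Some platforms also require a
! secret on this entry even when only key-based login is intended (assumption,
! verify on your release); if so, set a long random one that is never used.
username automation privilege 15
!
! Public key that the automation host presents; IOS compares it to this entry.
! The key-string is entered in chunks of at most 254 characters per line.
ip ssh pubkey-chain
 username automation
  key-string
   REPLACE-WITH-BASE64-PUBLIC-KEY-LINE-1
   REPLACE-WITH-BASE64-PUBLIC-KEY-LINE-2
  exit
 exit
!
! Authentication is local (the key above); authorization goes to ISE first
! and falls back to local only if every TACACS+ server is unreachable.
aaa authentication login AUTOMATION local
aaa authorization exec AUTOMATION group ISE local
aaa authorization commands 15 AUTOMATION group ISE local
!
line vty 0 4
 transport input ssh
 login authentication AUTOMATION
 authorization exec AUTOMATION
 authorization commands 15 AUTOMATION
```

With this arrangement ISE never sees an authentication request for the automation account, so its device-admin policy must be written against the authorization requests alone (username, device group, command set); command accounting can be added to the same line with `accounting commands 15` if an audit trail of what the tooling executed is required.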
02-18-2019 07:48 AM