Cisco IOS MFA - SSH Certificate Authentication/RADIUS Authorization

pakmon1722
Level 1

Hello,

Very new to Cisco IOS devices and AAA configurations. We currently have a PKI infrastructure, and are using NPS for RADIUS authentication/authorization.

I've been tasked to change our baseline IOS configuration so that it can validate the user's PKI certificate for authentication and then validate the user with the NPS server for authorization.

Currently we have some basic configuration like this:

aaa authentication login default group radius-server1
aaa authentication login console group radius-server1
aaa authorization console
aaa authorization exec default group radius-server1

I've successfully gotten the certificate authentication to work with the following:

crypto pki trustpoint domain.local
 enrollment terminal
 revocation-check crl none
 revocation-check ocsp none
 authorization list CERT
 authorization username subjectname commonname

ip ssh server certificate profile
   user
      trustpoint verify domain.local

ip ssh server algorithm hostkey x509v3-ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa

aaa authorization network CERT none

For the life of me I cannot find a good example for SSH cert authentication/RADIUS authorization. I've read numerous forum posts from people saying you can do cert authentication and then be prompted for a username and password for RADIUS authorization, but no concrete examples.

Any help with an example would be appreciated. Thank you
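The following is an added configuration example, not the poster's own config and not taken from any Cisco document. It builds on the trustpoint and SSH x509 settings shown in the question and assumes a RADIUS server group named radius-server1 that points at NPS already exists. It changes two things: the CERT authorization list is sent to the RADIUS group instead of being answered locally with "none", and revocation checking no longer falls back to "none" (the posted config has two revocation-check lines; only the last one takes effect, and its "none" fallback means a revoked certificate is still accepted whenever the responder is unreachable). The `ocsp url` line is an assumption; if no OCSP responder exists, use `revocation-check crl` alone.

```cisco
! Added example - assumes group radius-server1 is already defined and
! reachable, e.g.:
!   radius server nps1
!    address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   (constructed address)
!    key <shared-secret-placeholder>
!   aaa group server radius radius-server1
!    server name nps1
!
! 1. Authorize the certificate subject against RADIUS instead of "none".
!    The router itself queries the server with the certificate CN as the
!    username; the SSH user is not prompted for a second password here.
aaa authorization network CERT group radius-server1
!
! 2. Fail closed on revocation: OCSP first, then CRL, no "none" fallback.
crypto pki trustpoint domain.local
 enrollment terminal
 ocsp url http://ocsp.domain.local/ocsp
 revocation-check ocsp crl
 authorization list CERT
 authorization username subjectname commonname
!
! 3. Exec authorization stays on RADIUS so the privilege level and any
!    shell attributes come from NPS for the certificate-derived username.
aaa authorization exec default group radius-server1
!
! SSH x509 settings unchanged from the question.
ip ssh server certificate profile
   user
      trustpoint verify domain.local
ip ssh server algorithm hostkey x509v3-ssh-rsa
ip ssh server algorithm authentication publickey
ip ssh server algorithm publickey x509v3-ssh-rsa
```

Two things to check before relying on this. First, the Cisco PKI AAA document cited later in this thread describes the router using a fixed password of cisco for the certificate-authorization query, so the NPS policy for these users must allow that flow (and nothing else) rather than treating it as an interactive logon. Second, verify the fail-closed behaviour deliberately: with the OCSP responder blocked, a login with a known-revoked test certificate should be refused, and `debug crypto pki transactions` together with `debug aaa authorization` on the router shows which step rejected it.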

4 Replies

balaji.bandi
Hall of Fame

Very good question and thinking - I have not deployed and tested it, but looking at the document it looks doable.

Authorisation example with ISE - you can replace it with the NPS configuration here (apologies if I am misguiding you here):

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Thanks for providing the article. It was helpful, but only if I'm using TACACS+ and ISE. Unfortunately I'm trying to use RADIUS.

I read here: 

Cisco Content Hub - Configuring Authorization and Revocation of Certificates in a PKI

Under the section "RADIUS or TACACS+: Choosing a AAA Server Protocol" it says that if you create RADIUS users with the default password cisco it might be possible.

Will test and update this post.

Thanks

I am trying to accomplish this exact same procedure. Were you able to successfully authorize through your AAA server?

balaji.bandi
Hall of Fame

Thank you for the input; that gives more information to all members of the community. Feedback on the results will help.

BB
