Hello, we have configured our edge devices with 802.1x and modified the AAA settings to allow access to the CLI using PKI/CAC cards rather than Username/Password. This is done using ISE 2.4 as the AAA server.
The configuration required setting up radius and tacacs+ groups, modifying the aaa authentication and authorization settings to include these new groups, and creating a trustpoint.
Creating the trustpoint is done in this manner:
!#create trustpoint
config t
crypto pki trustpoint "trustpoint-name"
enrollment terminal
revocation-check none
authorization username alt-subjectname userprinciplename
exit
crypto pki authenticate "trustpoint-name"
"-----BEGIN CERTIFICATE-----
key data~
-----END CERTIFICATE-----"
!#We then regenerate the rsa key
crypto key generate rsa modulus 2048 label "labelname" usage-keys
!#Now setup ip ssh settings
default ip ssh server authenticate user
ip ssh server algorithm authentication publickey keyboard
ip ssh server algorithm publickey x509v3-ssh-rsa
Is there a way to create this in the ASA from CLI or ASDM?
I've been googling around but not much luck in finding out if this can even be done on an ASA.
ej