Common Access Card use when connecting to Cisco devices

Eric R. Jones
Level 4

I have been tasked with setting up Common Access Card (CAC) authentication to our Core, Distribution, Edge and Appliance devices, e.g. 3850s, 6500s, TACACS.

I have read about a product from Pragma Systems, http://www.pragmasys.com/, but I'm unable to find anything concrete with a "How to" attached.

Has anyone out there been able to deploy this solution professionally and not in a kludge of connections through various pieces and parts?

ej

6 Replies

Philip D'Ath
VIP Alumni

No one else has come up with an answer, so I will give you some of my thoughts.

First, I found this article on their web site using Google, which seems pretty detailed:
http://www.pragmasys.com/products/support/cisco-2-factor
You will need modern Cisco devices for this to work.

I think another workable solution would be the use of one-time passwords.  Basically you have a system that authenticates a user with a CAC card and that creates a TACACS+/RADIUS account that can be used once and then is disabled/removed (or it could reset the password every time it is used).  Every time you need to access a system you would have to present the CAC card to get another login.  This would work with every Cisco device, old and new.  This would scale to support a lot of users.

Another option that would only work with SSH would be to configure SSH to only allow keys to login (this requires a modern IOS).  Then you store your private keys on a CAC SmartCard style device that offers secure storage.  It would not use RADIUS or TACACS+.  This probably won't scale well.

The link you put in is what I experimented with, and though it is a solution, it isn't practical for us. With over 100 switches we don't fancy having to put certificates on each device and then keep up with them come renewal or replacement time. You also need to upgrade each switch to Denali 16.3.X so you can complete part of the configuration. A command or two aren't in 3.7.5E. That upgrade also adds some new ACLs for Auto-QoS and Control Plane, which is nice; however, it did kill one of my mgt ACLs, keeping me from accessing the device after reboot. Took a while to figure out what happened there.

I would have to discuss the other options you posted with the group and see what they think. We are trying to get away from the password issue and we are working towards a transition to ISE from ACS, but that could be a bit off in the future.

Unfortunately we need to do more research and find a different method.

ej

How about this: you change to using SSH with keys only (no usernames and passwords).  You then configure the devices to only allow access from a very limited number of machines (you could specifically use jump hosts for this purpose), and configure the jump hosts to only allow CAC access.

A 4096-bit SSH key is the equivalent of a 512-character password.  So pretty good in my book.

It is not quite what you want; but does ultimately achieve your end game - access to the devices can only be done using a CAC.  It is also simple - and when it comes to maintaining devices simple can be pretty valuable.
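To illustrate the jump-host approach described in this reply, here is an added IOS/IOS-XE configuration sketch (not from the original thread or from Pragma's documentation). The username, jump-host addresses and key hash are placeholders, and the exact commands available (in particular the `ip ssh server algorithm authentication` line) depend on the software release, as the thread notes for 3.7.5E versus 16.3.X.

```cisco
! --- Added example: SSH keys only, reachable only from CAC-gated jump hosts ---
! Assumptions: netadmin is a placeholder account; 10.0.100.10/11 are the
! hypothetical jump hosts; the key hash is a placeholder, not a real key.
hostname core-sw1
ip domain-name example.internal
crypto key generate rsa modulus 4096 label SSH-KEY
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2

! Accept only public-key authentication over SSH (release-dependent command;
! verify with "ip ssh server algorithm authentication ?" on your platform).
ip ssh server algorithm authentication publickey

! Bind the admin's public key (held on the smart card) to the local account.
username netadmin privilege 15
ip ssh pubkey-chain
 username netadmin
  key-hash ssh-rsa 00112233445566778899AABBCCDDEEFF
 exit
exit

! Management ACL: only the two jump hosts may open SSH sessions.
ip access-list standard MGMT-JUMPHOSTS
 permit host 10.0.100.10
 permit host 10.0.100.11
 deny   any log

line vty 0 15
 access-class MGMT-JUMPHOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

Check the result with `show ip ssh` and `show ip access-lists MGMT-JUMPHOSTS`; the ACL's `log` keyword records any attempt from outside the jump hosts, which is the event you want your monitoring to alert on.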

Well it seems like the long way round the barn for us. Here's our layout Admins > ACS > Edge/distro/core devices. We use ACS for AAA that allows us access to the edge devices based on tiers in the department. When we access the network devices they then check to see if our Uname/Pwd is valid and what rights we have. Then we are allowed in the device with our privileges. So I don't see how we get around that part. We can hit a jump box to get to the device but the device goes to the ACS to get permission.

Like asking Dad for a cookie because he's a softy but he just says talk to Mom, keeper of the cookie jar. :^) That never ended well for me. :^(

I'm still looking but keep returning to the realization we may just have to wait on ISE to resolve this issue.

I'm by no means an expert, still working on passing my route exam so any suggestions are helpful.

ej

Well that makes it easy.  That rules out all options I know of.  So perhaps it may be that there is no solution that addresses everything that you need.

Yes, I think it may work if we begin using Active Directory again with our ACS.

Thanks for the suggestions though.

ej
