TACACS with public cert for AuthC

gjw_csco
Cisco Employee

Does ISE support TACACS authentication of network devices using public keys? Public key config would be on the network devices. This would be helpful for workflows where automation is being utilized. If so, any documentation out there? 

 

3 Replies

Arne Bier
VIP

As far as I know, TACACS authentication is always interactive. As far as the allowable passwords are concerned, these can be supplied using ASCII/PAP/CHAP/MSCHAPv1. In public key crypto there needs to be a way to negotiate the key exchange (e.g. Diffie-Hellman); I don't see any provision for this in the TACACS protocol. The best it can do is to support symmetric key exchange, which is no different to what exists today when both parties have to know the same password and then supply that via ASCII/PAP/CHAP etc.
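As an added illustration of the point above (example code written for this page, not part of the original thread and not Cisco's or ISE's code): the only "cryptography" in the TACACS+ protocol itself is the body obfuscation of RFC 8907 section 4.5, an MD5-derived pseudo-pad XORed over the packet body. Both ends must already hold the same shared secret, so the password inside an authentication START packet is protected only by that pre-shared key; there is no key exchange and no place to present an asymmetric credential. The session ID, shared secret, username and password below are constructed sample values.

```python
"""TACACS+ packet framing and body obfuscation per RFC 8907 (added example).

Demonstrates that the protocol's body protection is a symmetric pre-shared
key operation: the same pseudo-pad both obfuscates and recovers the body.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC             # header version nibble
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in clear

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. Symmetric: applying it twice yields the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       authen_type: int = TAC_PLUS_AUTHEN_TYPE_PAP, priv_lvl: int = 15) -> bytes:
    """Authentication START body. For PAP the `data` field carries the password itself."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1, minor_ver: int = 0) -> bytes:
    """12-byte header + body. An empty key means the unencrypted flag is set (clear text)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_ver
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body. The receiver needs the same shared secret; nothing in the
    header or body lets it derive or negotiate one."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"SharedSecret1"
    start = build_authen_start(b"netadmin", b"tty0", b"10.0.0.1", b"correct horse")
    pkt = build_packet(start, 0x12345678, secret)
    print("password visible on the wire:", b"correct horse" in pkt)        # False
    print("recovered with shared secret:", parse_packet(pkt, secret) == start)  # True
    print("recovered with wrong secret: ", parse_packet(pkt, b"WrongKey") == start)  # False
```

The same `obfuscate` call runs on both the device and the server, which is exactly the "both parties have to know the same password" situation described above. RFC 8907 itself labels this mechanism obfuscation rather than encryption and recommends deploying TACACS+ only over a protected transport; a public-key login for automation would have to be solved outside the TACACS+ protocol (for example at the SSH layer on the device) rather than inside it.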

hslai
Cisco Employee

I would suggest you try authenticating locally and passing only the authorizations to the T+ server(s).

https://www.pragmasys.com/products/support/cisco-2-factor is similar to your ask, although PragmaSys's solution is geared more toward security than toward automation convenience.

Mike.Cifelli
VIP Alumni
Hslai's post is definitely helpful and provides a legitimate solution.

See this too:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/sec-usr-ssh-xe-3s-book/sec-secure-shell-auth-digi-certificate.pdf
There is a way to store a user's public key locally on the device under their profile. You will need third-party software like Pragma. I have used Pragma for legit 2FA using TACACS+, as stated in the article posted below, and to support local public keys on devices. I am certain that if you are running IOS version 15.2.4 or higher, your devices can support the Pragma solution provided by Hslai. If running anything lower, look into other options.

HTH!