09-06-2019 07:10 AM
I would like to use multi-factor authentication for admin access to my switches and routers. Currently TACACS and an ISE (2.4) are being used. My first question is the switch commands. Does anything in the switch or router configuration need to change to support multi-factor authentication? I am used to entering a username and being prompted for a password. I am assuming the ISE configuration will trigger the switch/router to prompt me (the admin) for additional info (a token). The multi-factor solution selected (Centrify) allows for multiple methods for the second authentication: text message, email or a phone call. For example, when I log into a server, I get an option to select the 2nd authentication method. I might select text message, then enter the received code. Does a switch or router support this?
Below are my aaa commands, as originally asked... Do I need something else? I will address ISE at a later point.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo periodic 1440
aaa accounting identity default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 2 default stop-only group tacacs+
aaa accounting commands 3 default stop-only group tacacs+
aaa accounting commands 4 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 6 default stop-only group tacacs+
aaa accounting commands 7 default stop-only group tacacs+
aaa accounting commands 8 default stop-only group tacacs+
aaa accounting commands 9 default stop-only group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 11 default stop-only group tacacs+
aaa accounting commands 12 default stop-only group tacacs+
aaa accounting commands 13 default stop-only group tacacs+
aaa accounting commands 14 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group radius
09-06-2019 07:21 AM