Smart card authentication to a Cisco switch?

5,807

Configure the Cisco network devices to point to your Certificate Authority and enable authentication using PKI.

On the client side you need to replace PuTTY's pageant.exe with a version that will accept a smart card as an authentication type, found here: Secure Shell with Smart Card Authentication

For more information you should look at: Cisco IOS Security Configuration Guide
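The answer above and Thomas G's comment further down both point at the same mechanism: from IOS 15.0M the SSH server can authenticate a user against an RSA public key, and with a smart-card-aware SSH agent the matching private key stays on the card. The fragment below is an added example, not taken from the answer or from Cisco's documentation; the hostname, domain name, username and key material are placeholders, and the method list on the VTY lines assumes RADIUS is already configured as the question describes.

```cisco
! Added example (not from the original answer): SSH public-key login on
! IOS 15.0M-class switches. All names and key material are placeholders.
hostname switch01
ip domain-name example.internal
! The switch needs its own RSA host key before SSH v2 can be enabled.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Bind the RSA public key from the administrator's smart-card certificate
! to a local SSH username. The public half is exported by the smart-card
! enabled agent (Pageant variant or an OpenSC build) in OpenSSH format and
! pasted as key-string lines; IOS stores it as an MD5 key-hash afterwards.
ip ssh pubkey-chain
 username netadmin
  key-string
   <base64 body of the user's ssh-rsa public key, split across lines>
  exit
 exit
!
! Password logins keep using the RADIUS method list already in place; only
! sessions that present the matching key are accepted via the pubkey-chain.
line vty 0 15
 login authentication default
 transport input ssh
```

Two points worth checking in a deployment like this: the username under `ip ssh pubkey-chain` is local to the switch, so it has to be kept in step with the domain account name the RADIUS server expects, and the private key is never copied anywhere, since the agent asks for the card PIN and performs the signature on the card. Verify with `show ip ssh` that version 2 is active and with `show running-config | section pubkey-chain` that the stored key-hash matches the fingerprint of the key the agent reports.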


Author: murisonc

Jack of all trades in IT. Sysadmin, Network admin, developer and just about everything else in between and outside of those.

Updated on September 18, 2022

Comments

  • murisonc
    murisonc almost 2 years

    We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH when configuring the devices.

    We are now in the beginning stages of deploying smart cards for logins. Does anyone know of a way to login to a Cisco switch using a smart card instead of a domain username and password?

    The SSH client we are using is Putty. Workstations are Windows 7. RADIUS is running on Windows 2008R2. We are running our own certificate authority on Windows 2008; network is not connected to the Internet.

    We prefer to not have to purchase additional proprietary devices for this functionality.

    • Aleksandr Makhov
      Aleksandr Makhov almost 13 years
      Using Cisco VPN Client, you can bring up a VPN tunnel with authorization through a smart card to your device and then use PuTTY. But it is rather an alternative.
    • Aaron
      Aaron almost 13 years
      By using a smart card, do you mean something like an RSA ID that generates numbers, and not a physical card you have to insert into a slot?
    • murisonc
      murisonc almost 13 years
      Not the RSA device. A physical smart card that you insert into a reader and has PKI certificates.
    • Aaron
      Aaron almost 13 years
      I'm not sure what you mean when you say you don't want to buy additional devices. Are these smart card readers already attached to the computers? So, you want to put the smart card into a computer and then be able to log into a router without passing any more "manual" credentials?
    • murisonc
      murisonc almost 13 years
      Correct, we have smart card readers on the workstations and use these to log on to the domain by entering a PIN. I'd like to open an SSH session to the router using PuTTY and then just get prompted for the smart card PIN. Currently I have to enter my domain username and password, which is passed to the NPS server for authentication.
    • Aaron
      Aaron over 12 years
      I'm definitely not an expert on smart cards, but I don't think what you're looking for can be done without custom coding. Basically, using RADIUS (or TACACS) all authentication is done by the server, and it just sends a 'yes' or 'no' to the router. So you'd need an app on the computer to initiate that request (since that's the only place that knows what smartcards are) and then pass through to the router.
    • Thomas G
      Thomas G over 12 years
      What model and IOS version are on the switches? IOS 15.0M added public key SSH authentication support, which, with an appropriate SSH client to read the smart card for PKI credentials, should work; older IOS will not.
    • murisonc
      murisonc over 12 years
      We have 2960, 3750, 3560 switches and 3800 series routers plus a lone 2611xm router. I'll have to look into IOS 15.0M.
    • fmysky
      fmysky almost 12 years
      Not an expert here but I think OpenSC project provided some extensions for Putty which worked with smartcard bundles. opensc-project.org/scb
  • murisonc
    murisonc almost 13 years
    This application appears to be for authenticating the user/device to the network using 802.1x. It does not appear to support authenticating the user logging into the network device using a smart card over SSH.
  • slm
    slm almost 11 years
    Welcome to Server Fault! Generally we like answers on the site to be able to stand on their own - Links are great, but if that link ever breaks the answer should have enough information to still be helpful. Please consider editing your answer to include more detail. See the FAQ for more info.
  • Daniël W. Crompton
    Daniël W. Crompton almost 11 years
    @slm Thanks for the note; sadly, to describe how to set up the PKI infrastructure and configure the switches/routers Cisco uses ~1500 pages. I'm unsure how to condense that into this answer; if you have any tips I would be very grateful.