Configuring two-factor authentication

Two-factor authentication is available for added security. In two-factor authentication, X.509 certificate-based authentication is combined with RADIUS authentication. When a user establishes an SSH connection to the switch, two-factor authentication occurs as follows:
  • The username in the user's X.509 certificate is validated against the local user accounts on the switch.

  • The username and password are validated against the accounts on the RADIUS server and the configured trust anchors.

Prerequisites
  • The switch SSH server is enabled.

  • Your switch management computer, through its SSH client, is connected to the switch.

  • A remote RADIUS server is available to authenticate switch users and is configured on the switch.

  • Every user that will use two-factor authentication is configured both on the RADIUS server and locally on the switch using identical usernames. Users are added locally on the switch with the user command. These usernames must precisely match the usernames identified by the X.509 user certificates.

  • The X.509 CA certificate is both installed on your switch management computer and is also visible to your computer's SSH client. The X.509 CA certificate is the root of trust for the client certificate being used.

  • One X.509 certificate per user is available on your switch management computer and is visible to your computer's SSH client. The usernames identified by these user certificates must be the same as the usernames already defined on the RADIUS server and locally on the switch.

Procedure
  1. Create a TA profile with the command crypto pki ta-profile. This command switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that is used to validate the certificates of clients communicating with the SSH server.
  2. Although optional, it is recommended that you enable certificate revocation checking with the command revocation-check ocsp.
  3. Import the root certificate of the CA with the command ta-certificate.
  4. Exit the TA configuration context with the command exit.
  5. For each user that will be using two-factor authentication, import the public key from the individual X.509 user certificate with the command user authorized-key. Each such user must exist locally on the switch and on the RADIUS authentication server.
  6. Enable two-factor authentication with the command ssh two-factor-authentication.

Example

This example installs the root certificate root-cert and enables two-factor authentication for user admin:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBq
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDV
...
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2MDL8
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5E8DH73nW/
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYoCD/TMsAW0nG7yY
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=site.com/emailAddress=test.ca@site.com
Subject: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=8400/emailAddress=test.ca@site.com
Serial Number: 12121221634631568498 (0xaea51217d5945772)
Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-root-cert)# exit
switch(config)#
switch(config)# user admin authorized-key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6krLTrFTnzg3YjLiZKTZEYnh4cUiuOK+cjduxFnZUa ... iAfcGvqvWtWWBSoWd011DeEZNKnOO8uEKeTEcAjfrnRHeOk2QJmw== "sv1@site.net"
switch(config)#
switch(config)# ssh two-factor-authentication
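The prerequisites require that each user certificate chain to the CA held in the TA profile and that the username it carries match a local switch account exactly. The following added Python example (not from the switch documentation; it uses the cryptography library) performs both checks on the management computer and produces the user authorized-key line of step 5. The CA, the user certificate and the local account list are constructed inside the block as stand-ins for real PKI material.

```python
# Added example, not from the switch documentation: produce the "user <name> authorized-key"
# line of step 5 from an X.509 user certificate after checking the procedure's prerequisites.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

LOCAL_USERS = {"admin", "operator"}  # constructed: accounts created with the 'user' command


def _issue(subject_cn, issuer_cn, key, signing_key):
    """Constructed PKI material: a certificate for subject_cn signed by signing_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(signing_key, hashes.SHA256()))

def authorized_key_command(user_cert_pem, ca_cert_pem, local_users=LOCAL_USERS):
    """Return the CLI line for this user, or raise if a prerequisite is not met."""
    user_cert = x509.load_pem_x509_certificate(user_cert_pem)
    ca_cert = x509.load_pem_x509_certificate(ca_cert_pem)
    # The CA in the TA profile is the root of trust: the user cert must be issued by it
    # (issuer name match plus a signature check; InvalidSignature is raised on failure).
    if user_cert.issuer != ca_cert.subject:
        raise ValueError("user certificate was not issued by the TA profile CA")
    ca_cert.public_key().verify(user_cert.signature, user_cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), user_cert.signature_hash_algorithm)
    # The username in the certificate must match a local switch account exactly.
    username = user_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if username not in local_users:
        raise ValueError(f"no local switch account named {username!r}")
    # Same RSA key as in the certificate, re-encoded in the OpenSSH form the CLI expects.
    ssh_key = user_cert.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH).decode()
    return f"user {username} authorized-key {ssh_key}"

def build_sample(user_cn="admin"):
    """Constructed CA and user certificate PEMs standing in for real PKI material."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = serialization.Encoding.PEM
    return (_issue(user_cn, "Site CA", user_key, ca_key).public_bytes(pem),
            _issue("Site CA", "Site CA", ca_key, ca_key).public_bytes(pem))

if __name__ == "__main__":
    print(authorized_key_command(*build_sample()))
```

The printed line is what you paste at the switch(config)# prompt for that user; a certificate issued by a different CA or carrying a CN with no matching local account is rejected before anything reaches the switch.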