
We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH when configuring the devices.

We are now in the beginning stages of deploying smart cards for logins. Does anyone know of a way to log in to a Cisco switch using a smart card instead of a domain username and password?

The SSH client we are using is Putty. Workstations are Windows 7. RADIUS is running on Windows 2008R2. We are running our own certificate authority on Windows 2008; network is not connected to the Internet.

We prefer to not have to purchase additional proprietary devices for this functionality.

murisonc

  • Using Cisco VPN Client, you can raise a VPN tunnel with the authorization through a smart card to your device and then use PuTTY. But it is rather an alternative. – Aleksandr Makhov Jun 28 '11 at 18:29
  • By using a smart card, do you mean like a RSA ID that generates numbers, and not a physical card you have to insert into a slot? – Aaron Aug 04 '11 at 10:56
  • Not the RSA device. A physical smart card that you insert into a reader and has PKI certificates. – murisonc Aug 08 '11 at 14:15
  • I'm not sure what you mean when you say you don't want to buy additional devices. Are these smart card readers already attached to the computers? So, you want to put the smart card into a computer and then be able to log into a router without passing any more "manual" credentials? – Aaron Sep 22 '11 at 20:34
  • Correct, we have smart card readers on the workstations and use these to logon to the domain by entering a PIN. I'd like to open an SSH session to the router using Putty and then just get prompted for the smart card PIN. Currently I have to enter my domain username and password which is passed to the NPS server for authentication. – murisonc Sep 22 '11 at 22:05
  • I'm definitely not an expert on smart cards, but I don't think what you're looking for can be done without custom coding. Basically, using RADIUS (or TACACS) all authentication is done by the server, and it just sends a 'yes' or 'no' to the router. So you'd need an app on the computer to initiate that request (since that's the only place that knows what smart cards are) and then pass through to the router. – Aaron Sep 27 '11 at 03:16
  • What model and IOS version are on the switches. IOS 15.0M added public key SSH authentication support which with an appropriate SSH client to read the smart card for PKI credentials should work but older IOS will not. – Thomas G Mar 26 '12 at 20:20
  • We have 2960, 3750, 3560 switches and 3800 series routers plus a lone 2611xm router. I'll have to look into IOS 15.0M. – murisonc Mar 26 '12 at 20:37
  • Not an expert here but I think OpenSC project provided some extensions for Putty which worked with smartcard bundles. http://www.opensc-project.org/scb/ – fmysky Sep 15 '12 at 05:00

2 Answers


Configure the Cisco network devices to point to your Certificate Authority and enable authentication using PKI.

On the client side you need to replace PuTTY's pageant.exe with a version which will accept a smart card as authentication type, found here: Secure Shell with Smart Card Authentication

For more information you should look at: Cisco IOS Security Configuration Guide

  • Welcome to Server Fault! Generally we like answers on the site to be able to stand on their own - Links are great, but if that link ever breaks the answer should have enough information to still be helpful. Please consider editing your answer to include more detail. See the [FAQ](http://www.serverfault.com/faq) for more info. – slm Aug 14 '13 at 00:28
  • @sim Thanks for the note, sadly to describe how to setup the PKI infrastructure and configure the switches/routers Cisco uses ~ 1500 pages. I'm unsure on how to condense that into this answer, if you have any tips I would be very grateful. – Daniël W. Crompton Aug 14 '13 at 00:31
  • If there is a section in the doc you could just refer to them. Anything to bolster your answer. Link only answers are discouraged. – slm Aug 14 '13 at 00:33
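Added example, not part of the answer above and not Cisco's or PuTTY's code. The part of this answer that actually matches what IOS can do is SSH public-key authentication (IOS 15.0(1)M and later, per Thomas G's comment): the switch does not talk to the CA for SSH logins, it matches the RSA public key the client presents against an entry under `ip ssh pubkey-chain`. So the workflow is: export the RSA public key from the card's certificate in OpenSSH form (PuTTY-CAC or `ssh-keygen -D <pkcs11 module>` will print it), load it on each device, and keep a local `username` for authorization. Two caveats a practitioner should know: the entry is per device and is not revoked when the certificate is revoked or expires, so removing a leaver means touching every switch; and what IOS stores in running-config is an MD5 hash of the key blob (`key-hash ssh-rsa ...`), which the script below computes so you can verify the right key landed after pasting. The key material in the block is a constructed placeholder, not a real card key; the username is the asker's handle and is an assumption.

```python
"""Turn a smart card's RSA public key (as an OpenSSH 'ssh-rsa' line) into the
IOS 'ip ssh pubkey-chain' configuration, and compute the MD5 key-hash IOS
shows in running-config so the entry can be verified after pasting."""
import base64
import hashlib
import struct

# Constructed sample key material: NOT a real card key, just a valid-looking
# 2048-bit odd modulus so the encoding paths (including the leading-zero
# byte an mpint needs when the top bit is set) are exercised.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: two's-complement big-endian,
    so a leading 0x00 is added when the high bit of the first byte is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def openssh_line(blob: bytes, comment: str = "") -> str:
    """The one-line form ssh-keygen / PuTTY-CAC export: 'ssh-rsa <base64> <comment>'."""
    return ("ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment).rstrip()


def parse_rsa_blob(blob: bytes) -> tuple:
    """Return (e, n) from an ssh-rsa blob, checking every length field."""
    fields, offset = [], 0
    for _ in range(3):
        if offset + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if offset != len(blob):
        raise ValueError("trailing bytes after key blob")
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def parse_openssh_pubkey(line: str) -> bytes:
    """Decode the blob from an OpenSSH ssh-rsa line; rejects other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH 'ssh-rsa <base64>' line")
    blob = base64.b64decode(parts[1], validate=True)
    parse_rsa_blob(blob)  # raises if the blob is malformed
    return blob


def ios_key_hash(blob: bytes) -> str:
    """Value for 'key-hash ssh-rsa <hash>': MD5 over the raw blob, the same
    digest 'ssh-keygen -E md5 -lf key.pub' prints, upper-cased, no colons."""
    return hashlib.md5(blob).hexdigest().upper()


def ios_key_string_lines(blob: bytes, width: int = 72) -> list:
    """Split the base64 for pasting under 'key-string'; IOS rejects lines
    longer than 254 characters, 72 keeps it readable and well under that."""
    b64 = base64.b64encode(blob).decode("ascii")
    return [b64[i:i + width] for i in range(0, len(b64), width)]


def render_pubkey_chain(username: str, blob: bytes, use_hash: bool = False) -> str:
    """IOS configuration for one administrator. With use_hash=False the key is
    pasted in full; with use_hash=True only the MD5 hash is entered, which is
    also how IOS stores a pasted key in running-config."""
    lines = ["ip ssh pubkey-chain", f" username {username}"]
    if use_hash:
        lines.append(f"  key-hash ssh-rsa {ios_key_hash(blob)}")
    else:
        lines.append("  key-string")
        lines += ["   " + chunk for chunk in ios_key_string_lines(blob)]
        lines.append("  exit")
    lines += [" exit", "exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Round trip: export line -> blob -> IOS config, then the hash to check against.
    blob = parse_openssh_pubkey(openssh_line(build_rsa_blob(SAMPLE_E, SAMPLE_N), "card"))
    print(render_pubkey_chain("murisonc", blob))
    print("expect in running-config: key-hash ssh-rsa", ios_key_hash(blob))
```

Paste the generated block into configuration mode on a device that has `ip ssh version 2` and a local `username <name> privilege 15` (or AAA authorization for that name); after `exit`, `show running-config | section pubkey-chain` should show the `key-hash ssh-rsa` value the script printed. If it differs, the paste was mangled and the wrong key is trusted. The old username/password path through NPS keeps working alongside this unless you explicitly restrict SSH authentication to public keys on a release that supports it.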

You can use the Cisco Secure Services Client. It works well but can be very difficult to set up. Here is Cisco's datasheet for the product. The client works with both Cisco Secure ACS and Microsoft IAS RADIUS services.

Fergus

  • This application appears to be for authenticating the user/device to the network using 802.1x. It does not appear to support authenticating the user logging into the network device using a smart card over SSH. – murisonc Jul 25 '11 at 22:52