Configuring two-factor authentication
The username in the user's X.509 certificate is validated against the local user accounts on the switch.
The username and password are validated against the accounts on the RADIUS server and the configured trust anchors.
Prerequisites
- The switch SSH server is enabled.
- Your switch management computer, through its SSH client, is connected to the switch.
- A remote RADIUS server is available to authenticate switch users and is configured on the switch.
- Every user that will use two-factor authentication is configured both on the RADIUS server and locally on the switch using identical usernames. Users are added locally on the switch with the user command. These usernames must precisely match the usernames identified by the X.509 user certificates.
- The X.509 CA certificate is installed on your switch management computer and is visible to your computer's SSH client. The X.509 CA certificate is the root of trust for the client certificate being used.
- One X.509 certificate per user is available on your switch management computer and is visible to your computer's SSH client. The usernames identified by these user certificates must be the same as the usernames already defined on the RADIUS server and locally on the switch.
Procedure
- Create a TA profile with the command crypto pki ta-profile <TA-PROFILE-NAME>. This command switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that is used to validate the certificates of clients communicating with the SSH server.
- Although optional, it is recommended that you enable certificate revocation checking with the command revocation-check ocsp.
- Import the root certificate of the CA with the command ta-certificate.
- Exit the TA configuration context with the command exit.
- For each user that will be using two-factor authentication, import the public key from the individual X.509 user certificate with the command user <USERNAME> authorized-key <PUBKEY>. Each user identified by <USERNAME> must exist locally on the switch and on the RADIUS authentication server.
- Enable two-factor authentication with the command ssh two-factor-authentication.
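The last two steps depend on two things being right before anything is pasted into the switch: the CN in the user certificate must exist, spelled identically, both locally and on the RADIUS server, and the key line must be a well-formed OpenSSH ssh-rsa blob. The following added example (not from the original documentation or the switch vendor) performs that check with the Python standard library; the toy key values, user sets and subject string are constructed for illustration, and the subject format assumed is the OpenSSL one-line form the switch prints when importing a certificate.

```python
import base64
import struct

def subject_cn(subject):
    """CN from an OpenSSL one-line subject, e.g. 'C=US, ..., CN=8400/emailAddress=a@b'
    (OpenSSL glues the email address on with '/', so split it off)."""
    for rdn in subject.split(", "):
        key, _, value = rdn.partition("=")
        if key.strip() == "CN":
            return value.split("/")[0]
    raise ValueError("no CN in subject")

def mpint(x):
    """SSH mpint: big-endian, plus a leading 0x00 byte when the high bit is set."""
    b = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b

def build_ssh_rsa(e, n, comment):
    """Encode (e, n) as an OpenSSH 'ssh-rsa <base64> <comment>' line (used for the sample)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_ssh_rsa(pubkey_line):
    """Decode an authorized-key line into (e, n); reject non-RSA keys and inconsistent blobs."""
    keytype, b64 = pubkey_line.split()[:2]
    blob, fields, pos = base64.b64decode(b64, validate=True), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if keytype != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed or non-RSA key blob")
    return tuple(int.from_bytes(f, "big") for f in fields[1:])

def authorized_key_command(subject, pubkey_line, local_users, radius_users):
    """Return the 'user <USERNAME> authorized-key <PUBKEY>' line, but only if the CN
    is defined with identical spelling on the switch and on RADIUS."""
    user = subject_cn(subject)
    missing = [where for where, users in (("switch", local_users), ("RADIUS", radius_users))
               if user not in users]
    if missing:
        raise LookupError(f"{user!r} is not defined on: {', '.join(missing)}")
    parse_ssh_rsa(pubkey_line)  # fail here rather than after a bad paste
    return f"user {user} authorized-key {pubkey_line}"

if __name__ == "__main__":
    # Constructed sample: a toy exponent/modulus, not a real key, and made-up user stores.
    key = build_ssh_rsa(65537, 0xC0FFEE123456789ABCDEF0, "admin@example.net")
    subj = "C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite, CN=admin/emailAddress=test.ca@mysite.com"
    print(authorized_key_command(subj, key, {"admin", "ops"}, {"admin", "Ops"}))
```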
Example
This example installs the root certificate my-root-cert and enables two-factor authentication for user admin:
switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBq
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDV
switch(config-ta-cert)# OTQucm9zZS5yZGxhYnMuaHBlY29ycC5uZXQxJDAiBgkqhkiG9
switch(config-ta-cert)# YW4uaHVhbmdAaHBlLmNvbTAeFw0xODAxMTIxODMwNDZaFw0yM
switch(config-ta-cert)# MIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pY
switch(config-ta-cert)# Um9ja2xpbjEMMAoGA1UECgwDSFBOMRYwFAYDVQQLDA1IUE4gU
switch(config-ta-cert)# DAYDVQQDDAU4NDAwWDEkMCIGCSqGSIb3DQEJARYVZnJlZW1hb
switch(config-ta-cert)# Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy
switch(config-ta-cert)# U2tr7EBWczMspmdWxVpr4oNMeezY8afNU3nD8Jv6kXtM6zBID
switch(config-ta-cert)# 9LgnJ25VMo8qe00h10J55ZkKu7DYEB1aCmAvhOzhzsh3efP2E
switch(config-ta-cert)# i5vM4iulcA5y2fo5sQZoQezFkKMjyZ/u8ffqS3w5BdrFbIyD0
switch(config-ta-cert)# 67W4o+sLC5i1ZXKO6CC4MEcD3c7qrrcp6W9/0ub3oJsbGDPtR
switch(config-ta-cert)# 6OLAYduce4/iEm7yVMN901bG2wMJMDRNSySwk+8EC/oHguAGH
switch(config-ta-cert)# LdGpLwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXrW/nxQmAN
switch(config-ta-cert)# yS2JaP2xg2xqG/Gn3NYn1F52iqdpbxaACOnbF3y1FFpw3zEPV
switch(config-ta-cert)# BoSMPULi+DlDeT/3xzzrA2LiiF4MrXhOMdEzpTIxXYdFOmoOA
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2MDL8
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5E8DH73nW/
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYoCD/TMsAW0nG7yY
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer: C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite, CN=mysite.com/emailAddress=test.ca@mysite.com
Subject: C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite, CN=8400/emailAddress=test.ca@mysite.com
Serial Number: 12183621634631568498 (0xaea41787d5945772)
Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-my-root-cert)# exit
switch(config)#
switch(config)# user admin authorized-key ssh-rsa <BASE64-KEY-BLOB> "xxxx@yyy.zzz.net"
switch(config)#
switch(config)# ssh two-factor-authentication