Two-factor authentication configuration commands
aaa authentication ssh
Syntax
aaa authentication ssh [enable | login]
Description
Configure the authentication mechanism used to control SSH access to the switch.
NOTE: This command must be used before using any of the two-factor forms of the
Options
Option | Description |
---|---|
enable | Configure access to the privileged mode commands. |
login | Configure login access to the switch. |
aaa authentication ssh two-factor
Syntax
aaa authentication ssh [enable | login] two-factor [local | none | authorized | server-group <server-group> | two-factor-type]
Description
Set two-factor authentication as the primary authentication method.
Options
Option | Description |
---|---|
local | Use the local switch user/password database. |
none | Do not use backup authentication methods. |
authorized | Allow access without authentication. |
server-group | Specify the server group to use. |
two-factor-type | Use the certificate or public key for the first authentication method and username/password for the second authentication method. |
aaa authentication ssh two-factor two-factor-type
Syntax
aaa authentication ssh [enable | login] two-factor two-factor-type [publickey-password | certificate-password]
Description
Use the certificate or public key for the first authentication method and username/password for the second authentication method.
Options
Option | Description |
---|---|
publickey-password | Use the public key for the first authentication method and username/password for the second authentication method. |
certificate-password | Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method. |
aaa authentication ssh two-factor two-factor-type publickey-password
Syntax
aaa authentication ssh [enable | login] two-factor two-factor-type publickey-password [local | tacacs | radius]
Description
Use the public key for the first authentication method and username/password for the second authentication method.
Options
Option | Description |
---|---|
local | Use the local switch user/password database. |
tacacs | Use a TACACS+ server. |
radius | Use a RADIUS server. |
aaa authentication ssh two-factor two-factor-type certificate-password
Syntax
aaa authentication ssh [enable | login] two-factor two-factor-type certificate-password [local | tacacs | radius]
Description
Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method.
Options
Option | Description |
---|---|
local | Use the local switch user/password database. |
tacacs | Use a TACACS+ server. |
radius | Use a RADIUS server. |
Two-factor authentication restrictions
When an SSH client establishes a connection by choosing the user authentication method password, or public-key and password, the switch terminates the connection if two-factor authentication or password configuration-control is enabled.
For successful authentication when two-factor authentication is enabled, the user authentication method must be public-key and keyboard-interactive.
When password configuration-control alone is enabled, the user authentication method must include keyboard-interactive.
Two-factor authentication validation rules
Validation | Error/Warning/Prompt |
---|---|
If the authentication method is being set to two-factor authentication and both the public key and username/password are not configured, a message displays. | Public key and username/password should be configured for a successful two-factor authentication. |
If the authentication method is being set to two-factor authentication, the public key is configured and the username is not configured, a message displays. | Username and password should be configured for a successful two-factor authentication. |
If the authentication method is being set to two-factor authentication, the username is configured and the public key is not configured, a message displays. | Public key should be configured for a successful two-factor authentication. |
If the “ssh-server” certificate is not installed at the time of enabling certificate-password authentication, a message displays. | The “ssh-server” certificate should be installed for a successful two-factor authentication. |
If the authentication method is set to two-factor while installing the public key, a message displays. | The client public keys without username will not be considered for the two-factor authentication for the SSH session. |
If the username and the key installation user for that privilege do not match, a message displays and installation is not allowed. This also happens when the authentication method is set to two-factor. | The username in the key being installed does not match the username configured on the switch. |
If the secondary authentication type chosen for two-factor authentication is not none, a message displays. | Not legal combination of authentication methods. |
If the authentication method is anything other than two-factor and the two-factor authentication method options are set, a message displays. | Not legal combination of authentication methods. |
If two-factor authentication is set and the user tries to SSH into another system using | SSH client is not supported when the two-factor authentication is enabled. |
Two-factor authentication event log messages
Event | Message |
---|---|
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS | W 01/01/15 18:24:03 03397: auth: %s. |
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS (example) | W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication. |
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS (example) | W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication. |
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS (example) | W 01/01/15 18:24:03 03397: auth: Public key should be configured for the successful two-factor authentication. |
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS (example) | I 01/01/15 18:24:03 03397: auth: The validation of certificate of SSH user (user1) is successful. |
RMON_SSH_KEY_TWO_FACTOR_EN | W 01/01/15 18:24:03 03399: ssh: %s. |
RMON_SSH_KEY_TWO_FACTOR_EN (example) | W 01/01/15 18:24:03 03399: ssh: The client public keys without username will not be considered for the two-factor authentication for SSH session. |
RMON_SSH_KEY_TWO_FACTOR_EN (example) | W 01/01/15 18:24:03 03399: ssh: The privilege level for the user with the SSH key conflicts with the user configured. |
RMON_SSH_TWO_FACTOR_AUTH_FAIL | W 01/01/15 18:24:03 03398: ssh: %s. |
RMON_SSH_TWO_FACTOR_AUTH_FAIL (example) | W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication. |
RMON_SSH_TWO_FACTOR_AUTH_FAIL (example) | W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication. |
RMON_SSH_TWO_FACTOR_AUTH_FAIL (example) | W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in validating the client certificate. |
RMON_SSH_TWO_FACTOR_AUTH_FAIL (example) | W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as “ssh-server” certificate is not installed. |
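The event log lines above are what a monitoring pipeline sees when two-factor SSH authentication is misconfigured or a login fails. The following parser is an added example, not switch code or vendor tooling: it reads lines in the format shown in the table, maps the event ids 03397/03398/03399 to the event names listed above, and counts RMON_SSH_TWO_FACTOR_AUTH_FAIL events by the failure reason named in the message text. The sample log is constructed from the messages on this page.

```python
import re
from collections import Counter

# Log format shown in the event log table on this page:
# "<severity> <mm/dd/yy> <hh:mm:ss> <event id>: <facility>: <text>"
LOG_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\d{5}): (?P<facility>\w+): (?P<text>.+)$"
)

# Event ids and names taken from the table above.
EVENT_NAMES = {
    "03397": "RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS",
    "03398": "RMON_SSH_TWO_FACTOR_AUTH_FAIL",
    "03399": "RMON_SSH_KEY_TWO_FACTOR_EN",
}

# Distinguishing phrase in each 03398 failure message -> short reason tag.
FAIL_REASONS = [
    ("public key authentication", "publickey"),
    ("username/password authentication", "password"),
    ("validating the client certificate", "client-certificate"),
    ("certificate is not installed", "ssh-server-cert-missing"),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = EVENT_NAMES.get(rec["event"], "UNKNOWN")
    rec["reason"] = None
    if rec["event"] == "03398":
        rec["reason"] = next(
            (tag for phrase, tag in FAIL_REASONS if phrase in rec["text"]), "other")
    return rec


def summarize_failures(lines):
    """Count RMON_SSH_TWO_FACTOR_AUTH_FAIL events by reason; unparsable lines are skipped."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["event"] == "03398":
            counts[rec["reason"]] += 1
    return counts


# Constructed sample log using the message texts documented on this page.
SAMPLE_LOG = [
    "W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.",
    "W 01/01/15 18:24:05 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.",
    "W 01/01/15 18:24:09 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication.",
    "W 01/01/15 18:25:11 03398: ssh: The two-factor authentication for SSH session failed as \u201cssh-server\u201d certificate is not installed.",
    "I 01/01/15 18:26:00 03397: auth: The validation of certificate of SSH user (user1) is successful.",
    "not a switch log line",
]
```

Repeated `publickey` failures from one source are the signal to look at first; a standing `ssh-server-cert-missing` count means the certificate-password form was enabled without the validation rule above being satisfied.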