Two-factor authentication configuration commands

aaa authentication ssh

Syntax

aaa authentication ssh [enable | login]

Description

Configure the authentication mechanism used to control SSH access to the switch.


NOTE: This command must be used before using any of the two-factor forms of the aaa authentication ssh command,

Options

enable

Configure access to the privileged mode commands.

login

Configure login access to the switch.

aaa authentication ssh two-factor

Syntax

aaa authentication ssh [enable | login] two-factor [local | none | authorized | server-group <server-group> | two-factor-type]

Description

Set two-factor authentication as the primary authentication method.

Options

local

Use local switch user/password database.

none

Do not use backup authentication methods.

authorized

Allow access without authentication.

server-group

Specify the server group to use.

two-factor-type

Use the certificate or public key for the first authentication method and username/password for the second authentication method.

aaa authentication ssh two-factor two-factor-type

Syntax

aaa authentication ssh [enable | login] two-factor two-factor-type [publickey-password | certificate-password]

Description

Use the certificate or public key for the first authentication method and username/password for the second authentication method.

Options

publickey-password

Use the public key for the first authentication method and username/password for the second authentication method.

certificate-password

Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method.

aaa authentication ssh two-factor two-factor-type publickey-password

Syntax

aaa authentication ssh [enable | login] two-factor two-factor-type publickey-password [local | tacacs | radius]

Description

Use the public key for the first authentication method and username/password for the second authentication method.

Options

local

Use local switch user/password database.

tacacs

Use TACACS+ server.

radius

Use RADIUS server.

aaa authentication ssh two-factor two-factor-type certificate-password

Syntax

aaa authentication ssh [enable | login] two-factor two-factor-type certificate-password [local | tacacs | radius]

Description

Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method.

Options

local

Use local switch user/password database.

tacacs

Use TACACS+ server.

radius

Use RADIUS server.

Two-factor authentication restrictions

  • When an SSH client establishes a connection by choosing the user authentication method password or public-key and password, the switch will terminate the connection if two-factor authentication or password configuration-control is enabled.

  • For successful authentication when two-factor authentication is enabled, the user authentication method must be public-key and keyboard interactive.

  • When password configuration-control alone is enabled, the user authentication method must include keyboard interactive.

Two-factor authentication validation rules

Validation: If the authentication method is being set to two-factor authentication, various messages display, depending on what is already configured.
Error/Warning/Prompt:
  If both the public key and username/password are not configured:
    Public key and username/password should be configured for a successful two-factor authentication.
  If the public key is configured and the username is not configured:
    Username and password should be configured for a successful two-factor authentication.
  If the username is configured and the public key is not configured:
    Public key should be configured for a successful two-factor authentication.
  If the “ssh-server” certificate is not installed at the time of enabling certificate-password authentication:
    The “ssh-server” certificate should be installed for a successful two-factor authentication.

Validation: If the authentication method is set to two-factor while installing the public key, a message displays.
Error/Warning/Prompt: The client public keys without username will not be considered for the two-factor authentication for the SSH session.

Validation: If the username and the key installation user for that privilege do not match, a message displays and installation is not allowed. This also happens when the authentication method is set to two-factor.
Error/Warning/Prompt: The username in the key being installed does not match the username configured on the switch.

Validation: If the secondary authentication type chosen for two-factor authentication is not none, a message displays.
Error/Warning/Prompt: Not legal combination of authentication methods.

Validation: If the authentication method is anything other than two-factor and the two-factor authentication method options are set, a message displays.
Error/Warning/Prompt: Not legal combination of authentication methods.

Validation: If two-factor authentication is set and the user tries to SSH into another system using the ssh <IP | HOSTNAME> command, a message displays.
Error/Warning/Prompt: SSH client is not supported when the two-factor authentication is enabled.

Two-factor authentication event log messages

Event: RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS

Message: W 01/01/15 18:24:03 03397: auth: %s.

Examples:

W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Public key should be configured for the successful two-factor authentication.

I 01/01/15 18:24:03 03397: auth: The validation of certificate of SSH user (user1) is successful.

Event: RMON_SSH_KEY_TWO_FACTOR_EN

Message: W 01/01/15 18:24:03 03399: ssh: %s.

Examples:

W 01/01/15 18:24:03 03399: ssh: The client public keys without username will not be considered for the two-factor authentication for SSH session.

W 01/01/15 18:24:03 03399: ssh: The privilege level for the user with the SSH key conflicts with the user configured.

Event: RMON_SSH_TWO_FACTOR_AUTH_FAIL

Message: W 01/01/15 18:24:03 03398: ssh: %s.

Examples:

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in validating the client certificate.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as “ssh-server” certificate is not installed.
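As an added example (not part of the original command reference), a small Python parser for the event-log format shown above that classifies RMON_SSH_TWO_FACTOR_AUTH_FAIL entries by which factor failed and collects the warning-level configuration messages; the mapping from event id to RMON event name is inferred from the example lines on this page, and the sample log is constructed from those same lines.

```python
import re
from collections import Counter

# Switch event-log line format as shown in the examples on this page:
#   <severity> <MM/DD/YY> <HH:MM:SS> <event-id>: <module>: <text>
LOG_RE = re.compile(r"^(?P<sev>[A-Z])\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
                    r"(?P<event_id>\d{5}):\s+(?P<module>\w+):\s+(?P<text>.*)$")

# Event ids taken from this page's examples, mapped to the RMON names listed above (assumed).
EVENT_NAMES = {"03397": "RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS",
               "03398": "RMON_SSH_TWO_FACTOR_AUTH_FAIL",
               "03399": "RMON_SSH_KEY_TWO_FACTOR_EN"}

# Substrings that distinguish the RMON_SSH_TWO_FACTOR_AUTH_FAIL variants on this page.
FAIL_REASONS = [("public key authentication", "publickey"),
                ("username/password authentication", "password"),
                ("validating the client certificate", "client-certificate"),
                ("certificate is not installed", "ssh-server-cert-missing")]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = EVENT_NAMES.get(rec["event_id"], "UNKNOWN")
    return rec

def classify_failure(text):
    """Map a RMON_SSH_TWO_FACTOR_AUTH_FAIL message to the factor that failed."""
    return next((label for needle, label in FAIL_REASONS if needle in text), "other")

def summarize(lines):
    """Count two-factor SSH failures by failed factor; collect W-level config warnings."""
    failures, warnings = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "RMON_SSH_TWO_FACTOR_AUTH_FAIL":
            failures[classify_failure(rec["text"])] += 1
        elif rec["sev"] == "W":
            warnings.append((rec["event"], rec["text"]))
    return failures, warnings

# Constructed sample, copied from the example lines on this page.
SAMPLE = [
    "W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.",
    "W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication.",
    "W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as \u201cssh-server\u201d certificate is not installed.",
    "W 01/01/15 18:24:03 03397: auth: Public key should be configured for the successful two-factor authentication.",
    "I 01/01/15 18:24:03 03397: auth: The validation of certificate of SSH user (user1) is successful.",
]
```

A burst of `publickey` failures from one source is worth alerting on separately from `ssh-server-cert-missing`, which points at switch configuration rather than client behaviour.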