To make sure I understand properly, you want to authenticate your admins that are attempting to log in to your network appliances via SSH and to enforce 2FA on the login?
I don't know Cisco really well (actually at all), but from an authentication standpoint here is what I do know:
- Some appliances allow for web-based authentication. This MIGHT be something that could be used with SSO.
- RADIUS will allow you to authenticate to the network, but I haven't heard of this being used to gain access to an appliance.
- LDAP is usually the best way here. This will allow you to map JC users to the appliances they need/have access to. The only problem at the moment is that we do not have MFA on LDAP. BUT, that will be available by the end of the quarter.
Sorry I couldn't be more help. I am in the same boat with limited experience with Cisco. So hopefully someone with more extensive knowledge of those panels might see this and decide to pay it forward 🙂