How can you setup SSH 2FA for switches and routers?
03-11-2022 11:41 PM
- Automated/scripted access doesn’t need 2FA.
- Network monitoring doesn’t have to be 2FA.
- We can have an admin user without 2FA if we lock it to physical access (e.g., console port).
- Can assume everything is Cisco.
- Most of the routers are actually ASAs.
- Most models of switches are Cisco Catalyst (3650 and 4500).
03-14-2022 09:58 AM
To make sure I understand properly, you want to authenticate your admins that are attempting to log in to your network appliances via SSH and to enforce 2FA on the login?
I don't know Cisco really well (actually at all), but from an authentication standpoint here is what I do know:
- Some appliances allow for a web based authentication. This MIGHT be something that could be used with SSO.
- RADIUS will allow you to authenticate to the network, but I haven't heard of this to gain access to an appliance.
- LDAP is usually the best way here. This will allow you to map JC users to the appliances they need/have access to. The only problem at the moment is that we do not have MFA on LDAP. BUT, that will be available by end of the quarter.
Sorry, I couldn't be more help. I am in the same boat with limited experience with Cisco. So hopefully someone with an extended knowledge of those panels might see this and decide to pay it forward 🙂
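Added example (not from this thread, nor Cisco's or JumpCloud's own documentation): a Cisco IOS AAA configuration for a Catalyst switch that sends SSH logins to a RADIUS server which enforces the second factor, while keeping a local-only admin account on the console port, as the question's constraints allow. The server address, list and group names, and secrets are placeholders; exempting monitoring and scripted accounts from 2FA is policy on the RADIUS server and is not shown here.

```cisco
! Constructed example: Cisco IOS (Catalyst) AAA, SSH via RADIUS, console local-only.
aaa new-model

! RADIUS server that performs both factors (address, secret and timeout are assumptions).
! A longer timeout gives push- or OTP-style second factors time to complete.
radius server MFA-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 timeout 30
 retransmit 1

aaa group server radius MFA-GROUP
 server name MFA-RADIUS

! SSH logins: RADIUS only. No "local" fallback, so the second factor cannot be
! bypassed with a locally stored password.
aaa authentication login SSH-MFA group MFA-GROUP
! Console logins: local account only (the physically gated admin from the question).
aaa authentication login CONSOLE-LOCAL local
! Apply the privilege level returned by RADIUS; fall back to local for console users.
aaa authorization exec default group MFA-GROUP local

! Break-glass local admin, reachable only through the console line below.
username console-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET

! Assumes hostname, ip domain-name and an RSA key pair already exist for SSH.
ip ssh version 2

line con 0
 login authentication CONSOLE-LOCAL
 exec-timeout 10 0
line vty 0 15
 login authentication SSH-MFA
 transport input ssh
 exec-timeout 10 0
```

With no local fallback on the SSH list, a RADIUS outage locks out SSH until the server recovers, which is the intended trade-off; the console account remains the recovery path. Before saving, confirm the RADIUS path from a console session with `test aaa group MFA-GROUP <user> <password> new-code`.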