How can you setup SSH 2FA for switches and routers?

Novitiate I
Helping on a project that has a simple requirement — to lock down our switches and routers to have 2FA for administrator access.  But, we’re out of our element on implementing this – and could use advice. 
We do not have any sort of directory right now … at all … but will shortly have everyone in the Office 365 Admin with assorted different 365 licenses. So, to an extent, Azure/AD is available if we wanted. But, there’s no on-premise directory, and we’d prefer not to have another item to manage.
We were thinking to use something simple like JumpCloud’s RADIUS in the Cloud service, but we’re open to other ideas.  Was hoping to avoid a full Duo, etc… implementation as it’s only for about 50 switches/routers, and only for admins, not users in anyway.
We’ve been able to create an instance of a RADIUS server in the cloud on JumpCloud, and we see the name, secret key, and believe that we have the right IPs, but when messing around in the Cisco console, to see if we can make anything stick, we’re just not getting anywhere.  We don’t see the device show up in the JumpCloud dashboard, and we're not sure if we’re doing the aaa setup right either (or what is necessary from it).
It just seems this shouldn’t be so hard.  We seem to be missing the fundamental piece of understanding of what’s necessary to setup simple 2FA for these devices, even using a service like JumpCloud’s RADIUS.  
Any ideas?  Suggestions as to alternatives?  Just looking for something inexpensive and not a pain in the ass for basic 2FA.
Things to note:
- Automated/scripted access doesn’t need 2FA.
- Network monitoring doesn’t have to be 2FA.
- We can have an admin user without 2FA if we lock it to physical access (e.g., console port).
- Can assume everything is Cisco.
- Most of the routers are actually ASAs.
- Most models of switches are Cisco Catalyst (3650 and 4500).
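The following is an added example, not configuration from the original post or from JumpCloud: the minimum AAA setup that makes a Catalyst (IOS/IOS-XE) and an ASA send SSH logins to a RADIUS server, with the console kept on a local break-glass account as the post describes. The RADIUS host 203.0.113.10, shared secret S3cr3t, management interface Vlan10/inside, and the group and method-list names are all assumed placeholders. The second factor itself comes from the RADIUS server (typically a push approval or a one-time code appended to the password); the device only needs a timeout long enough for that round trip and a single transmit so a retry does not trigger a duplicate prompt. Two checks worth knowing: a RADIUS server only "sees" a device once an Access-Request arrives from the exact source IP registered for it (a mismatch or an intermediate NAT makes the request silently dropped, which is the usual reason a device never appears), and the `local` method in a method list is only consulted when the server does not answer, not when it rejects the credentials.

```cisco
! ---- Cisco IOS / IOS-XE (Catalyst 3650 / 4500) ----
! Assumed values: RADIUS host 203.0.113.10, secret S3cr3t, management SVI Vlan10.
aaa new-model
!
radius server JUMPCLOUD
 address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
 key S3cr3t
 timeout 60
 retransmit 1
!
aaa group server radius JC-MFA
 server name JUMPCLOUD
!
! Requests must leave from the IP the RADIUS server has registered as the client.
ip radius source-interface Vlan10
!
! SSH admins: RADIUS (password plus second factor) first; local only if no server answers.
aaa authentication login SSH-ADMIN group JC-MFA local
! Console: local only, the physical-access exception from the post.
aaa authentication login CONSOLE local
! Exec authorization so an accepted user actually gets a shell.
! The privilege level comes from the RADIUS reply (Cisco-AVPair "shell:priv-lvl=15");
! without it the admin lands at level 1 and uses enable with the local enable secret.
aaa authorization exec default group JC-MFA local if-authenticated
!
! Break-glass account: console, or SSH only while RADIUS is unreachable.
username breakglass privilege 15 secret <strong-passphrase>
enable secret <strong-passphrase>
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication SSH-ADMIN
 transport input ssh
!
! Verification from enable mode, before trusting the change from a second session:
!   test aaa group JC-MFA <user> <password+OTP> new-code
!   show aaa servers
!   debug radius authentication
!
! ---- Cisco ASA ----
! Assumed values as above; the RADIUS host is reached through the "inside" interface.
aaa-server JC-MFA protocol radius
aaa-server JC-MFA (inside) host 203.0.113.10
 key S3cr3t
 authentication-port 1812
 accounting-port 1813
 timeout 60
!
! SSH uses RADIUS, falling back to LOCAL only when the server is unreachable.
aaa authentication ssh console JC-MFA LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
username breakglass password <strong-passphrase> privilege 15
!
! Verification:
!   test aaa-server authentication JC-MFA host 203.0.113.10 username <user> password <password+OTP>
```

Apply the change from one session while keeping a second, already-authenticated session open, and confirm the `test aaa` commands return an accept before closing it. If the server returns a reject rather than no answer, the device will not fall back to the local account, so the break-glass credentials only help from the console or when the RADIUS server is down.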

JumpCloud Alumni

To make sure I understand properly, you want to authenticate your admins that are attempting to log in to your network appliances via SSH and to enforce 2FA on the login?

I don't know Cisco really well (actually at all), but from an authentication standpoint here is what I do know:
- Some appliances allow for a web-based authentication. This MIGHT be something that could be used with SSO.
- RADIUS will allow you to authenticate to the network, but I haven't heard of this to gain access to an appliance.
- LDAP is usually the best way here. This will allow you to map JC users to the appliances they need/have access to. The only problem at the moment is that we do not have MFA on LDAP. BUT, that will be available by end of the quarter.

Sorry I couldn't be more help. I am in the same boat with limited experience with Cisco. So hopefully someone with extended knowledge of those panels might see this and decide to pay it forward 🙂
