Configuring two-factor authentication

Two-factor authentication is available for added security. In two-factor authentication, X.509 certificate-based authentication is combined with RADIUS authentication. When a user establishes an SSH connection to the switch, two factor-authentication occurs as follows:
  • The username in the user's X.509 certificate is validated against the local user accounts on the switch.

  • The username and password are validated against the accounts on the RADIUS server and the configured trust anchors.

  • The switch SSH server is enabled.

  • Your switch management computer, though its SSH client, is connected to the switch.

  • A remote RADIUS server is available to authenticate switch users and is configured on the switch.

  • Every user that will use two-factor authentication is configured both on the RADIUS server and locally on the switch using identical usernames. Users are added locally on the switch with the user command. These usernames must precisely match the usernames identified by the X.509 user certificates.

  • The X.509 CA certificate is both installed on your switch management computer and is also visible to your computer's SSH client. The X.509 CA certificate is the root of trust for the client certificate being used.

  • One X.509 certificate per user is available on your switch management computer and is visible to your computer's SSH client. The usernames identified by these user certificates must be the same as the usernames already defined on the RADIUS server and locally on the switch.

  1. Create a TA profile with the command crypto pki ta-profile. This command switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that is used to validate the certificates of clients communicating with the SSH server.
  2. Although optional, it is recommended that you enable certificate revocation checking with the command revocation-check ocsp.
  3. Import the root certificate of the CA with the command ta-certificate.
  4. Exit the TA configuration context with the command exit.
  5. For each user that will be using two-factor authentication, import the public key from the individual X.509 user certificate with the command user <USERNAME> authorized-key <PUBKEY>. Each user identified by <USERNAME> must exist locally on the switch and on the RADIUS authentication server.
  6. Enable two-factor authentication with the command ssh two-factor-authentication.


This example installs the root certificate root-cert and enables two-factor authentication for user admin:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBq
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDV
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2MDL8
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5E8DH73nW/
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYoCD/TMsAW0nG7yY
switch(config-ta-cert)# -----END CERTIFICATE-----
The certificate you are importing has the following attributes:
Issuer:  C=US, ST=CA, L=Rocklin, O=Company, OU=Site,
Subject: C=US, ST=CA, L=Rocklin, O=Company, OU=Site,
Serial Number: 12121221634631568498 (0xaea51217d5945772)

Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-root-cert)# exit
switch(config)# user admin authorized-key ssh-rsa 
iAfcGvqvWtWWBSoWd011DeEZNKnOO8uEKeTEcAjfrnRHeOk2QJmw== ""
switch(config)# ssh two-factor-authentication