Guide: Configuring Cisco devices to use Centrify Identity Platform as a back end RADIUS server

Didn't find a guide for configuring SSH access to Cisco devices in particular, so here it is.

Testing env is simple:

test_env.JPG

Configure Centrify Identity Service according to the guide here:

1. Make a connector a RADIUS server:

1.JPG

2. Configure authorized RADIUS clients (Cisco network devices):

2.JPG

3. Configure Policy and Authentication profile (make sure it is set to 'active'):

3.JPG

4. Done!

Now go to the Cisco device and configure it.

Official Cisco guide

Basic config:

#sh run
Building configuration...

!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
!
!
ip domain-name ht.local
!

interface FastEthernet0/16
 description radius test

 authentication event fail action authorize vlan 111
 authentication event server dead action authorize vlan 111
 authentication event no-response action authorize vlan 111
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5


ip radius source-interface Loopback0
!
radius-server host 192.168.50.11 auth-port 1812 acct-port 1813 timeout 3
radius-server key secret
!
!
end

Result:

Multifactor Authentication during SSH to Cisco switch:

cisco_ssh_mfa_cut.jpg

cisco_ssh_mfa_sh_users.JPG

As an option, a push notification to a Centrify-enrolled mobile device:

S70905-160922.jpg
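
An added example, not part of the original post and not Cisco or Centrify tooling: a small Python check that reads a running-config like the one above and reports the AAA method lists, the RADIUS servers, whether the shared key is stored in cleartext, and which VLAN 802.1X ports fall back to. The sample config is constructed from lines shown in the post; the function name audit and the report keys are hypothetical.

```python
import re

# Constructed sample: the AAA/RADIUS lines of the running-config shown in the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
interface FastEthernet0/16
 authentication event fail action authorize vlan 111
 authentication event server dead action authorize vlan 111
 authentication event no-response action authorize vlan 111
 authentication event server alive action reinitialize
 authentication port-control auto
ip radius source-interface Loopback0
radius-server host 192.168.50.11 auth-port 1812 acct-port 1813 timeout 3
radius-server key secret
"""

def audit(config):
    """Summarise the AAA/RADIUS posture of an IOS running-config (hypothetical helper)."""
    report = {"aaa_new_model": False, "method_lists": {}, "servers": [],
              "source_interface": None, "cleartext_key": False, "fallback_vlans": {}}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):      # a global-level command closes any interface block
            iface = None
        if line == "aaa new-model":
            report["aaa_new_model"] = True
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", line):
            report["method_lists"][f"{m[1]} {m[2]} {m[3]}"] = m[4].replace("group ", "").split()
        elif m := re.match(r"radius-server host (\S+)", line):
            report["servers"].append(m[1])
        elif m := re.match(r"ip radius source-interface (\S+)", line):
            report["source_interface"] = m[1]
        elif re.match(r"radius-server key (?:0 )?(?![67] )\S+$", line):
            report["cleartext_key"] = True   # no type 6/7 prefix: key is readable in the config
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif iface and (m := re.match(r"authentication event (\S+(?: \S+)?) action authorize vlan (\d+)", line)):
            report["fallback_vlans"].setdefault(iface, {})[m[1]] = int(m[2])
    # Method lists that rely on RADIUS alone, with no 'local' method after it.
    report["no_local_fallback"] = sorted(k for k, v in report["method_lists"].items() if "local" not in v)
    return report
```

Run against the config in the post, it flags the cleartext shared key and shows that failed, unanswered and server-dead 802.1X events on FastEthernet0/16 all authorize VLAN 111.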
