New Member

TACACS+, Active Directory, and SmartCards (CAC)

Can someone tell me what is possible with Cisco SecureACS v4.2 and use of a SmartCard as far as logging in to a Cisco router/switch via SSH?

In our environment we log into our workstations with a CAC/SmartCard and do not have any form of username or password, just a PIN for the CAC. I know SecureACS can talk to AD, but what would happen if that was set up in this situation? I would open PuTTY and log into the device and it would still ask for a login/password, correct? Is there a 2-factor authentication solution that doesn't rely on RSA SecurID tokens?


Accepted Solutions
Cisco Employee

Re: TACACS+, Active Directory, and SmartCards (CAC)

Hi Kenneth,


Yes, ACS can talk to AD and authenticate a user on the basis of user credentials defined on the AD (external database) for wireless/VPN/administrative sessions. As far as I know, there is no way to use a CAC (smart card) to authenticate and authorize a user to the router/switch CLI (SSH/telnet/console).

CSACS + SecurID meets the letter of the law for two-factor authentication, so the only solution we can rely on here is RSA SecurID (which ACS does support).


ACS integration with RSA SecurID:


http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You may refer to the document listed below:

Understanding and Implementing Smart Card

http://www.tech-faq.com/implementing-smart-card-authentication.shtml

HTH

Regards,
JK

Plz rate helpful posts.

~BR Jatin Katyal **Do rate helpful posts**
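As an added illustration that is not part of this thread, the Cisco IOS configuration below shows what the reply describes: the router hands its SSH login prompt to ACS over TACACS+, and ACS checks the typed username and password against AD. The ACS address (192.0.2.10), the group name and the shared secrets are placeholders I chose for the example.

```text
! Added example, not from the thread. 192.0.2.10 and the secrets are placeholders.
aaa new-model
!
! ACS 4.2 reachable over TACACS+ (shared secret must match the AAA client entry in ACS)
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
!
! Login and exec authorization go to ACS first; local accounts are used only
! when ACS is unreachable, so a lost ACS link does not lock you out of the box.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Emergency local account for the fallback path above
username admin-backup privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
```

With this in place the device still prompts for a username and password over SSH; the CAC and its PIN are only involved in the workstation logon and never reach the router. Any second factor has to be added on the ACS side (for example the RSA SecurID integration linked above), and the accounting lines give you a per-command record on ACS to review when investigating administrative access.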
2 REPLIES
New Member

Re: TACACS+, Active Directory, and SmartCards (CAC)

Thanks, JK!

I was afraid that was the only solution. I will give those documents a read. Your help is much appreciated!

-Ken
