Configure X.509 V3 Authentication

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable X.509 V3 authentication:

    ssh x509v3-auth enable

  3. Configure X.509 V3 revocation:

    ssh x509v3-auth revocation-check-method {none | ocsp}

  4. Configure X.509 V3 username:

    ssh x509v3-auth username {overwrite | strip-domain | use-domain WORD<1-254>}

Variable Definitions

The following table defines parameters for the ssh x509v3-auth command.

Variable Value

<none|ocsp>

Specifies the X.509 V3 authentication revocation check method. The default is OCSP.

  • none - Specifies no revocation check method.

  • ocsp - Specifies Online Certificate Status Protocol (OCSP) as the revocation check method.

x509v3-auth is available for demonstration purposes on some products. For more information, see VOSS Feature Support Matrix.

overwrite|strip-domain|use-domain WORD<1-254>

Specifies the X.509 V3 username configuration. The default is disabled.

  • overwrite - Specifies the switch to send the principal name and domain name from the certificate to the RADIUS server for authorization.

  • strip-domain - Specifies the switch to send the principal name from the certificate without the domain name to the RADIUS server for authorization.

  • use-domain WORD<1-254> - Specifies the switch to send the principal name from the certificate, with the domain name you entered, to the RADIUS server for authorization.
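The following added example is not part of the original documentation and is not vendor code. It audits a saved text copy of a configuration for the ssh x509v3-auth settings described above, applies the documented defaults, and flags a disabled revocation check. It assumes the saved file lists the commands exactly as typed in the procedure; the function name audit_x509v3 and the sample domain are hypothetical.

```python
# Constructed sample: the commands from the procedure, as they might appear
# in a saved text copy of the configuration (the file layout is an assumption).
SAMPLE_CONFIG = """\
ssh x509v3-auth enable
ssh x509v3-auth revocation-check-method none
ssh x509v3-auth username use-domain example.com
"""

PREFIX = "ssh x509v3-auth "


def audit_x509v3(config_text):
    """Return (settings, findings) for the ssh x509v3-auth lines in config_text."""
    # Defaults as documented on this page: OCSP revocation, username disabled.
    settings = {"enabled": False, "revocation": "ocsp", "username": None}
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split(" ")
        if args == ["enable"]:
            settings["enabled"] = True
        elif args[0] == "revocation-check-method" and len(args) == 2:
            if args[1] in ("none", "ocsp"):
                settings["revocation"] = args[1]
            else:
                findings.append(f"unknown revocation method: {args[1]}")
        elif args[0] == "username" and len(args) >= 2:
            mode = args[1]
            if mode in ("overwrite", "strip-domain") and len(args) == 2:
                settings["username"] = mode
            elif mode == "use-domain" and len(args) == 3 and 1 <= len(args[2]) <= 254:
                settings["username"] = f"use-domain {args[2]}"
            else:
                findings.append(f"invalid username option: {' '.join(args[1:])}")
        else:
            findings.append(f"unrecognised line: {line}")
    # Evaluate after the whole file is read so command order does not matter.
    if settings["enabled"] and settings["revocation"] == "none":
        findings.append(
            "revocation-check-method is none: certificate revocation status is not checked"
        )
    return settings, findings
```
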