Two-Factor Authentication for SSH

Table 1. Two-Factor Authentication for SSH product support

Feature

Product

Release introduced

Two-Factor Authentication for SSH

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

VSP 4450 Series

VOSS 8.0

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 8.0

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VOSS 8.0

VSP 8400 Series

VOSS 8.0

VSP 8600 Series

VSP 8600 8.0 demo feature

XA1400 Series

VOSS 8.0.50

Note

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see Fabric Engine and VOSS Feature Support Matrix.

Use the following information to understand the Two-Factor Authentication feature.

Two-Factor Authentication uses smart card technology for remote device management. Two-Factor Authentication requires enhanced secure mode with Secure Shell (SSH) and X.509 V3 authorization enabled on the switch. You must provide the digital certificates to enable the identity management for the SSH client and SSH server. Two-Factor Authentication requires the following items:

You can also use a Windows Server 2008, or newer, configured with a Remote Access Dial-In User Services (RADIUS) server and Active Directory.

Digital certificates in the X.509 V3 format provide identity management. A chain of signatures by a trusted certificate authority (CA) and its intermediate certificate CAs binds a given public signing key to a given digital identity. For user authentication, the SSH client sends the user certificate stored on the CAC or PIV card to the SSH server for verification. The SSH server validates the incoming user certificate using Public Key Infrastructure (PKI) trust-store.

After the switch validates the SSH certificate, the system parses for a username to forward to the RADIUS server for authorization. The switch prompts you to enter a password for the username. If the RADIUS server is unreachable or not configured, the authorization occurs locally on the switch for the username and password.

Two-Factor Authentication on the switch uses SSH and the X.509 V3 certificates stored on the smart card. X.509 V3 digital certificates are documented in RFC5280.

Smart Card Authentication Process

The process for PIV or CAC card authentication is as follows:

  1. The PIV Authentication or the Card Authentication certificate is read from the PIV Card Application.

  2. The relying system validates the PIV Authentication certificate from the PIV Card Application using standards-compliant PKI path validation to ensure that the certificate is valid and from a trusted source.

  3. The cardholder is prompted to submit a PIN to activate the card.

  4. The relying system issues a challenge string to the card and requests an asymmetric operation in response.

  5. The card responds to the previously issued challenge by signing using the PIV Authentication private key.

  6. The relying system verifies that the response from the card is expected for the issued challenge.

  7. A unique identifier from the PIV Authentication certificate is extracted and passed as input to the access control decision.