SSH X.509v3 Authentication Using RADIUSNEW!
Version 32.2 introduces support for SSH X.509v3 Authentication Using RADIUS. When enabled, the SSH server requests a password from the client during X.509v3 key-certificate authentication. The user name and password received is then sent to Authentication, Authorization, and Accounting (AAA) for authentication. AAA sends these credentials to the RADIUS server for authentication. If the RADIUS server is not configured or is not rechable, then AAA will validate the user name and password through local authentication. You can use the following command to enable or disable the RADIUS password authentication feature:
configure ssh2 x509v3 radius-password-auth [on | off]
For authentication, you can use Principal Name as the user name in the client's certificate. The ‘principalName‘ (OID: 18.104.22.168.2.4.318) is displayed below the ‘otherName‘ identifier in the ‘SubjectAltName‘ (SAN) extension of the X509v3 key-certificate.
The following is an example of openssl.cnf to generate X509v3 certificate with SAN extension having ‘prinicipalName‘:
[ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE #nsCertType = client, email #nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection authorityInfoAccess = OCSP;URI:http://ocspserver.extremenetworks.com:2561 subjectAltName = otherName:22.214.171.124.2.4.318;UTF8:firstname.lastname@example.org
The configure ssh2 x509v3 username overwrite [on | off] command is used to enable or disable using Principal Name as the username for authentication. If 'principalName' is not found, then Common Name in the certificate will be used as the username. This command can only be used if radius-password-auth is enabled.
The configure ssh2 x509v3 username strip-domain [on | off] command is used to specify using the 'principalName' without its domain name. This command can only be used if radius-password-auth and overwrite are enabled.
The configure ssh2 x509v3 username use-domain [domain_name | none] command is used to add a domain name to the username for authentication. This command can only be used if radius-password-auth, overwrite, and strip-domain are enabled.