SSH X.509v3 Authentication Using RADIUS

Version 32.2 introduces support for SSH X.509v3 Authentication Using RADIUS. When enabled, the SSH server requests a password from the client during X.509v3 key-certificate authentication. The user name and password received are then sent to Authentication, Authorization, and Accounting (AAA) for authentication. AAA sends these credentials to the RADIUS server for authentication. If the RADIUS server is not configured or is not reachable, then AAA will validate the user name and password through local authentication.

For authentication, you can use Principal Name as the user name in the client's certificate. The ‘principalName‘ (OID: 1.3.18.0.2.4.318) is displayed below the ‘otherName‘ identifier in the ‘SubjectAltName‘ (SAN) extension of the X509v3 key-certificate.

The following is an example of openssl.cnf to generate X509v3 certificate with SAN extension having ‘prinicipalName‘:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
#nsCertType = client, email
#nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
authorityInfoAccess = OCSP;URI:http://ocspserver.extremenetworks.com:2561
subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:exos-admin@sustaining.com

Supported Platforms

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.

New CLI Commands

The following new commands support the RADIUS password authentication feature:

configure ssh2 x509v3 radius-password-auth [on | off]

configure ssh2 x509v3 username overwrite [on | off]

configure ssh2 x509v3 username strip-domain [on | off]

configure ssh2 x509v3 username use-domain [domain_name | none]