SSH X.509v3 Authentication Using RADIUS

Version 32.2 introduces support for SSH X.509v3 Authentication Using RADIUS. When enabled, the SSH server requests a password from the client during X.509v3 key-certificate authentication. The user name and password received are then sent to Authentication, Authorization, and Accounting (AAA) for authentication. AAA sends these credentials to the RADIUS server for authentication. If the RADIUS server is not configured or is not reachable, then AAA will validate the user name and password through local authentication.

For authentication, you can use the Principal Name in the client's certificate as the user name. The 'principalName' (OID: 1.3.18.0.2.4.318) is displayed below the 'otherName' identifier in the 'SubjectAltName' (SAN) extension of the X.509v3 key-certificate.

The following is an example of an openssl.cnf section that generates an X.509v3 certificate with a SAN extension containing 'principalName':

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
#nsCertType = client, email
#nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
authorityInfoAccess = OCSP;URI:http://ocspserver.extremenetworks.com:2561
subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:exos-admin@sustaining.com
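
To confirm that an issued certificate carries the principalName where the text above says it does, the following added example (not ExtremeXOS or Extreme Networks code) walks the DER bytes of a SubjectAltName extension value and returns every otherName whose type is OID 1.3.18.0.2.4.318. The function names and the sample bytes are constructed for illustration; the sample mirrors the subjectAltName line in the openssl.cnf above.

```python
PRINCIPAL_NAME_OID = "1.3.18.0.2.4.318"  # OID given on this page

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def principal_names(san_der):
    """Return each principalName carried as an otherName in a SAN value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # only [0] otherName; skip dNSName, rfc822Name, ...
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        val_tag, wrapped, _ = read_tlv(body, nxt)  # [0] EXPLICIT value
        str_tag, text, _ = read_tlv(wrapped, 0)
        if ((oid_tag, val_tag, str_tag) == (0x06, 0xA0, 0x0C)
                and decode_oid(oid) == PRINCIPAL_NAME_OID):
            found.append(text.decode("utf-8"))
    return found

def tlv(tag, body):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: a dNSName plus the otherName from the openssl.cnf above.
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"switch.example.test") + tlv(0xA0,
    tlv(0x06, bytes.fromhex("2b12000204823e")) +
    tlv(0xA0, tlv(0x0C, b"exos-admin@sustaining.com"))))
```

A certificate whose SAN has no otherName entry, or an otherName with a different type OID, yields an empty list, which is the case to catch before enabling principalName as the user name.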

Supported Platforms

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.

New CLI Commands

The following new commands support the RADIUS password authentication feature:

configure ssh2 x509v3 radius-password-auth [on | off]

configure ssh2 x509v3 username overwrite [on | off]

configure ssh2 x509v3 username strip-domain [on | off]

configure ssh2 x509v3 username use-domain [domain_name | none]