multi factor authentication exos MFA for SSH


Hello Hub

I have a customer asking me about using MFA (Multi Factor Authentication) to secure SSH logins to their EXOS switches (X440-g2s, x450-g2s and x460-g2s) 22.4 code

(The customer wants the sequence of events to look like this:
user SSHs to switch, valid user/pass kicks off a text message to the user's cell phone, the user has to respond to the text or input a code; email could also be an option.)

The customer is using RSA today for other security 'stuff', and from what I was reading, the RSA can handle the MFA...

If the RSA handles the MFA, would XMC just need to act as a proxy for the radius request from the EXOS switch?

Has anyone tried to do something like this (MFA for SSH to an EXOS switch)?

thanks

Jake

Hi Jake,

You would need to add the TACACS+/Radius configuration to the switch to send the request to the RSA device. RSA would then handle the MFA process. Only after the RSA blesses the user will the RSA send the notification to the switch to allow the login.

Regards,
Brad
Userlevel 7
In addition to Brad's suggestion, I've also heard of solutions where the 6 digit MFA code is added to the end of the user's password. The token is handled by the auth server once it gets sent over. I don't recall any of the names or specifics right now though... sorry.

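An added sketch (not from the thread and not RSA's own code) of how an auth server can handle the scheme in the last reply, where the 6 digit code arrives appended to the password in the single password field the switch forwards. It assumes standard RFC 6238 TOTP as a stand-in for the vendor's token algorithm; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_passcode(combined: str, digits: int = 6):
    """Split 'password' + 'NNNNNN' as received in the forwarded password field."""
    if len(combined) <= digits:
        return None  # nothing left over to be the password
    password, code = combined[:-digits], combined[-digits:]
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code

def verify_login(combined, pw_salt, pw_hash, secret,
                 now=None, window=1, last_step=-1):
    """Return the accepted time step (persist it as last_step) or None."""
    now = time.time() if now is None else now
    parts = split_passcode(combined)
    if parts is None:
        return None
    password, code = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, pw_hash)
    accepted = None
    # Allow +/- `window` steps of clock drift; refuse steps already used (replay).
    for drift in range(-window, window + 1):
        step = int(now) // 30 + drift
        if step > last_step and hmac.compare_digest(totp(secret, step * 30), code):
            accepted = step
    # Evaluate both factors before answering so failures look alike.
    return accepted if pw_ok and accepted is not None else None
```

Because the switch only relays one opaque password string, both factors are checked on the auth server, and the server must remember the last accepted time step per user to reject a replayed code.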