multi factor authentication exos MFA for SSH
‎11-06-2018 04:25 PM
Hello Hub
I have a customer asking me about using MFA (Multi Factor Authentication) to secure SSH logins to their EXOS switches (X440-g2s, x450-g2s and x460-g2s) 22.4 code
(customer wants the sequence of events to look like this:
user SSHs to switch, valid user/pass kicks off a text message to the user's cell phone, the user has to respond to text or input a code, email could also be an option)
The customer is using RSA today for other security 'stuff' and from what I was reading the RSA can handle the MFA...
If the RSA handles the MFA, would XMC just need to act as a proxy for the RADIUS request from the EXOS switch?
Has anyone tried to do something like this (MFA for SSH to EXOS switch)?
Thanks
Jake
2 REPLIES
‎11-06-2018 06:17 PM
In addition to Brad's suggestion, I've also heard of solutions where the 6 digit MFA code is added to the end of the user's password. The token is handled by the auth server once it gets sent over. I don't recall any of the names or specifics right now though... sorry.
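The "code appended to the password" scheme mentioned in the reply above, sketched from the auth server's side as an added example (not code from this thread, from RSA or from Extreme). It assumes a 6-digit RFC 6238 TOTP as a stand-in for the token algorithm, and the function names, account and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password store the auth server uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_passcode(passcode: str, digits: int = 6):
    """Split what the user typed at the SSH prompt into (password, code)."""
    if len(passcode) <= digits:
        return None  # nothing left over to be the password
    password, code = passcode[:-digits], passcode[-digits:]
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code

def verify(users, last_counter, user, passcode, now, window=1, step=30):
    """True only if password AND token code are valid and the code is unused."""
    rec, parts = users.get(user), split_passcode(passcode)
    if rec is None or parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    matched = None
    for drift in range(-window, window + 1):  # tolerate small clock skew
        t = now + drift * step
        if t >= 0 and hmac.compare_digest(totp(rec["secret"], t, step), code):
            matched = t // step
    # Reject replays: a time step at or before the last accepted one is refused.
    if not pw_ok or matched is None or matched <= last_counter.get(user, -1):
        return False
    last_counter[user] = matched
    return True

# Constructed sample account (RFC 6238 test secret), not real credentials.
SALT = b"constructed-salt"
USERS = {"netadmin": {"salt": SALT, "pw_hash": hash_password("S3cret!pw", SALT),
                      "secret": b"12345678901234567890"}}
```

Because the switch only forwards one opaque password string over RADIUS or TACACS+, nothing on the switch changes for this scheme; the split, the replay check and the clock-skew window all live on the auth server.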
‎11-06-2018 04:31 PM
Hi Jake,
You would need to add the TACACS+/RADIUS configuration to the switch to send the request to the RSA device. RSA would then handle the MFA process. Only after the RSA blesses the user will the RSA send the notification to the switch to allow the login.
Regards,
Brad
