TOTPRadius : MFA for SSH access to Cisco switches
Cisco switches do not natively support two-factor authentication, a third-party solution is required for this configuration. As a third-party solution we use TOTPRadius. This guide will document how to configure 2-factor authentication on a Cisco Catalyst 3750 Switch, using Microsoft Active Directory as the first factor and TOTPRadius Server as the second. This guide may be suitable for other Cisco Catalyst switch models as well.
The guide is based on the following components:
• Active Directory deployed on Windows Server 2016 ( ip: 192.168.99.10)
• Token2 TOTPRadius v0.2.6 with built-in free 5 users license( ip: 192.168.99.11)
• Classic or a programmable Token2 TOTP hardware token used as the second factor. TOTP compliant mobile apps can be used as well
• Cisco Catalyst 3750 series switch (management interface ip :126.96.36.199)
Once the TOTPRadius appliance has been installed and initialized, configure the following settings on the General settings page:
► Set or generate a new Radius secret
► Set 'Allow initial login' value to zero
► [optional] In the Endpoint IP and subnet fields specify the parameters of your Cisco Catalyst 3750 Switch (192.168.99.77)
► Set LDAP as enabled
► Specify the LDAP server IP/FQDN (192.168.99.10) and the format of the username
(%firstname.lastname@example.org or DOMAIN\%username% format, where "DOMAIN" or "domain.local" need to be replaced with the domain name or removed if needed )
► If you decide to allow self-enrollment, make sure "Allow ldap enrollment" parameter is enabled. In the same section, you can also allow re-enrollment and modify the intro text of the LDAP web enrollment page.
Cisco Catalyst 3750 series switch
Once the TOTPRadius appliance has been configured , the following steps outline how to configure Catalyst 3750 series switch
to use TOTPRadius as Radius server. Cisco switches have poor functionality in web interface , that’s why we use command shell to give settings:
• aaa new-model This command just activates aaa on your router and nothing more.
• aaa authentication login default group radius Exec Access using Radius.
• radius-server host 192.168.99.11 auth-port 1812 key Qwerty123321Aa
You can use command do show running-config to be sure that new settings are added to configuration.
The following settings are needed to activate ssh . You can skip if you already have them.
• hostname cisco3750
• ip domain-name token2.local
• crypto key generate rsa modulus 1024
• ip ssh version 2
• line vty 0 15
- transport input ssh
- login authentication default
Generate or set the second factor for the user on the TOTPRadius applianceSecond factor for the user can be added in two ways:
1) By self-enrollment. Users can enroll their hardware tokens themselves using link http://(totpradius server_ip)/ldap-enroll :
Self Enrollment is possible using any TOTP app (such as Google Authenticator or Microsoft Authenticator). If you wish to use our programmable hardware, you can burn the secret onto the hardware token by scanning the QR code using one of the NFC Burner apps.
2) By TOTPRadius admin. Login to TOTPRadius admin interface, and click on New User:
You should now be ready to log in
After all 3 steps above are completed successfully and without errors, the user can login to Cisco Switch
using AD password and the 6 digit OTP generated by the hardware token using PuTTY or other ssh client app:
login as: tstark
[email protected]'s password: Pa$$w0rd123456
- Installation and initial configuration
- Network configuration
- Migrating from older versions
- LDAP Configuration
- Azure AD Configuration
- Self-service enrollment portal
- Web and LDAPS Certificates
- Syslog configuration
- Single-factor authentication exceptions
- Slave appliance mode
- Dynamic RADIUS Attributes
Manage and use TOTP/HOTP codes via Python CLI script using a PC/SC device (USB NFC) or directly via USB. A cross-platform solution that works under Windows, macOS and Linux platforms.
Python-based tools are essential not only for their cross-platform compatibility, but also because their source-available nature allows experts/developers to examine the source code, ensuring transparency and minimizing the risk of hidden vulnerabilities or malicious elements. A GUI wrapper for the script is also available.
Token2 is excited to announce the upcoming mass production of their revolutionary PIN+ series, a line of FIDO2 Security keys. These security keys feature advanced PIN complexity rules that set a new standard for security. The firmware development for the PIN+ series is now complete, and the company is currently making preparations for mass production.
In a significant development for iOS users, Microsoft Azure Active Directory (AD) has expanded its support for FIDO2 security keys on the Safari browser. This advancement is a crucial step towards enhancing security and usability on Apple's mobile devices, ensuring seamless authentication experiences for Azure AD users. With FIDO2 security keys, users can now enjoy passwordless access to their Azure AD accounts, boosting convenience and significantly reducing the risk of password-related attacks. Let's dive deeper into this exciting development and explore the benefits it brings to iOS users.