How can you set up SSH 2FA for switches and routers?

SWtw

New Around Here
Helping on a project that has a simple requirement — to lock down our switches and routers to have 2FA for administrator access. But, we’re out of our element on implementing this – and could use advice.
We do not have any sort of directory right now … at all … but will shortly have everyone in the Office 365 Admin with assorted different 365 licenses. So, to an extent, Azure/AD is available if we wanted. But, there’s no on-premise directory, and we’d prefer not to have another item to manage.
We were thinking to use something simple like JumpCloud’s RADIUS in the Cloud service, but we’re open to other ideas. Was hoping to avoid a full Duo, etc… implementation as it’s only for about 50 switches/routers, and only for admins, not users in any way.
We’ve been able to create an instance of a RADIUS server in the cloud on JumpCloud, and we see the name, secret key, and believe that we have the right IPs, but when messing around in the Cisco console, to see if we can make anything stick, we’re just not getting anywhere. We don’t see the device show up in the JumpCloud dashboard, and not sure if we’re doing the aaa setup right either (or what is necessary from it).
It just seems this shouldn’t be so hard. We seem to be missing the fundamental piece of understanding of what’s necessary to set up simple 2FA for these devices, even using a service like JumpCloud’s RADIUS.
Any ideas? Suggestions as to alternatives? Just looking for something inexpensive and not a pain in the butt for basic 2FA.
Things to note:
  • Automated/scripted access doesn’t need 2FA.
  • Network monitoring doesn’t have to be 2FA.
  • We can have an admin user without 2FA if we lock it to physical access (e.g., console port).
  • Can assume everything is Cisco.
  • Most of the routers are actually ASAs.
  • Most models of switches are Cisco Catalyst (3650 and 4500).
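Added editor's example, not from any post in this thread: the minimal IOS/IOS-XE AAA configuration that points SSH logins at an external RADIUS service while keeping the console on local accounts, which matches the "physical access" exception in the list above. The device itself only needs to be a working RADIUS client; the second factor is enforced by the RADIUS service's policy, so nothing MFA-specific goes on the switch. RADIUS_IP, SHARED_SECRET, Vlan1 as the source interface and the break-glass account are placeholders, and the ASA uses different syntax (aaa-server), so this applies to the Catalyst side only.

```text
! Enable the AAA model; without this, line-level "login" ignores RADIUS entirely.
aaa new-model
!
! The cloud RADIUS endpoint. Raise the timeout if the MFA step is a phone push,
! because the device will otherwise fall through to local before the user approves.
radius server CLOUD-RADIUS
 address ipv4 RADIUS_IP auth-port 1812 acct-port 1813
 key SHARED_SECRET
 timeout 10
!
! Group the server and pin the source interface: a cloud RADIUS service identifies
! the client by the public IP the request arrives from, so the NAT/egress address
! for this interface must be the one registered with the service.
aaa group server radius CLOUD
 server name CLOUD-RADIUS
 ip radius source-interface Vlan1
!
! VTY (SSH) logins try RADIUS first and use the local database only when no
! RADIUS server answers; the console stays local-only.
aaa authentication login VTY-2FA group CLOUD local
aaa authentication login CONSOLE local
aaa authorization exec default group CLOUD local if-authenticated
!
! Local break-glass account used when the RADIUS path is down or on the console.
username break-glass privilege 15 secret PLACEHOLDER_STRONG_PASSWORD
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication VTY-2FA
 transport input ssh
!
! Before relying on it, check reachability and the shared secret from the device:
!   test aaa group CLOUD testuser testpass new-code
! A reject means the server answered (secret and IP are right); a timeout means
! the request never got there or the source IP is not registered.
```

Keep a console session open while applying the line changes so a wrong server address or secret cannot lock you out of your own device.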
 
Welcome to the forums @SWtw.

Are you paying the licensing fees for these Cisco products still? Wonder why Cisco isn't helping here?

Also, this would probably best be answered on a Cisco board?
 
I have used Cisco's AAA security many years ago. I ran RADIUS on a Windows server with RAID5 with hot swap. It was used across private leased lines, so I would think it would run across VPNs. Cloud computing did not exist back then. We had around 500 Cisco devices.
If you lose communication, central security access goes down, but console access still worked as I remember. Our leased lines almost never were down.

In the enterprise networking world, there is little help with networking that you don't pay for.
 
JumpCloud’s RADIUS in the Cloud

I always get a chuckle out of things like this...

"here, put all the important security stuff into this cloud service..." and pray that it's not taken down by an insecure web server...

Again, VPN companies do the same thing - can't trust your internet provider, but surely you can trust us...
 
We’ve been able to create an instance of a RADIUS server in the cloud on JumpCloud, and we see the name, secret key, and believe that we have the right Ips, but when messing around in the Cisco console, to see if we can make anything stick, we’re just not getting anywhere.

When dealing with $ecurity $olutions with Ci$co equipment, be$t to disu$$ thi$ with your local $ervice Rep.

They can a$$iSt you with a proper implementation - it's ea$y, just add money...
 