The network device authenticates you and ISE authorizes you. Just enter your PIN, and you’re in.
Note: You can load multiple root certificates if you’d like!
Configure IOS (15.2(4)E9)
Make sure your time is good:
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone PST -8 0
clock summer-time PDT recurring
ntp authentication-key 1 md5 0505121F32444F1B1C011C17125D 7
ntp authentication-key 2 md5 11070D15041A0A1E012E20213161 7
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp server 4.4.4.4 key 1
ntp server 192.168.1.129 key 2
Set up TACACS and SSH (skip this if you already have it running):
crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
line vty 0 15
 transport input ssh
 authorization exec LAB_AUTHZ_LIST
 login authentication LAB_AUTH_LIST
tacacs server LAB_ISE_1
 address ipv4 10.2.1.124
 key Cisco123
 timeout 2
tacacs server LAB_ISE_2
 address ipv4 10.2.1.125
 key Cisco123
 timeout 2
aaa group server tacacs+ TACACS_GROUP_1
 server name LAB_ISE_1
 server name LAB_ISE_2
aaa authentication login LAB_AUTH_LIST group tacacs+ local
aaa authorization exec LAB_AUTHZ_LIST group tacacs+ local
aaa authorization network LAB_NET_AUTHZ_LIST group tacacs+
View your certificate’s properties to find your applicable root cert:

Prep to load your root cert:
crypto pki trustpoint CA3
 enrollment terminal
 revocation-check none
 authorization list LAB_NET_AUTHZ_LIST
 authorization username subjectname commonname
Load your root cert (base64 format):
crypto pki authenticate CA3
-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIBATANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJVUzEY
<...>
fOs/QbP1b0s6Xq5vk3aY0vGZnUXEjnI=
-----END CERTIFICATE-----
quit
Configure x.509 (keyboard auth still an option):
ip ssh server certificate profile
 user
  trustpoint verify CA3
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey keyboard
ip ssh server algorithm publickey x509v3-ssh-rsa
Configure ISE (2.6)
Ensure Device Admin Service is enabled (Administration > System > Deployment):

Add your network devices (Work Centers > Device Administration > Network Resources):

Enter the IP and TACACS key used in your IOS device:

Create a profile (Work Centers > Device Administration > Policy Elements > Results):

Set the privilege level to 15 and add a custom attribute named “cert-application” with a value of “all”:

Add an identity group (Work Centers > Device Administration > User Identity Groups):

Just name it and save:

Create users (Work Centers > Device Administration > Identities):

*** IMPORTANT ***
The username MUST be the “Common Name” or “CN” from the certificate. Run “Manage User Certificates” in the Start Menu to view the details of your cert. (This is also a good time to double check you loaded the correct root cert under the “Certification Path” tab):

Ensure the Name matches the CN in the certificate exactly. The password is not used during CAC authentication, but can still be used with traditional keyboard authentication:
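As an added example (not part of the original post, and not Cisco or ISE tooling), the stdlib-only Python script below pulls the two fields the steps above depend on straight out of a card certificate: the issuer CN, which tells you which CA to load into the trustpoint, and the subject CN, which is the exact username ISE needs because the trustpoint uses `authorization username subjectname commonname`. The embedded certificate, CA name and CN are constructed placeholders, not a real card.

```python
"""Stdlib-only reader for the two cert fields this setup hinges on: issuer CN and subject CN."""
import base64
import re

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _name_cn(name):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))
            if oid == CN_OID:
                return value.decode("utf-8")
    return None

def cert_names(cert):
    """Return (issuer_cn, subject_cn) from PEM (as pasted into IOS) or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert
    _, body, _ = _tlv(der, 0)     # Certificate ::= SEQUENCE {tbsCertificate, alg, sig}
    _, tbs, _ = _tlv(body, 0)     # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:      # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    return _name_cn(fields[2][1]), _name_cn(fields[4][1])  # issuer, subject

def _enc(tag, payload):  # DER encoder for the constructed sample (short-form lengths only)
    return bytes([tag, len(payload)]) + payload
def _name(cn):  # X.501 Name holding a single CN attribute as UTF8String
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))
# Constructed sample, not a real card certificate: version, serial, issuer and subject
# are filled in; signature algorithm, validity and signature are empty placeholders.
_TBS = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
        + _name("EXAMPLE ROOT CA 3") + _enc(0x30, b"") + _name("DOE.JANE.Q.0000000000"))
SAMPLE_DER = _enc(0x30, _enc(0x30, _TBS) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Point `cert_names` at the bytes of an exported card certificate (PEM or DER) and compare the returned subject CN character for character with the ISE user name; the issuer CN is the CA whose certificate belongs in the trustpoint.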

Go to the default Policy Set for TACACS (Work Centers > Device Administration > Device Admin Sets):

Add a new rule:

Enter your rule name, set a condition to match your group, and apply the shell profile you created:

Configure SecureCRT (8.7 Beta)
Enter Global Options (Options > Global Options):

Under SSH2, select your cert, get the username from the common name, do not use raw key, and do not add keys to agent (optionally consider more settings HERE):

Test!
Moment of truth (ensure PublicKey is checked):

Accept & Save the key if prompted:

Enter your PIN:

We’re in.
