Cisco ISE Device Administration – Two Factor Authentication (2FA) with Common Access Card (CAC) using SecureCRT

The network device authenticates you and ISE authorizes you. Just enter your PIN, and you’re in.

Note: You can load multiple root certificates if you’d like!

Configure IOS (15.2(4)E9)

Make sure your time is good:

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone PST -8 0
clock summer-time PDT recurring
ntp authentication-key 1 md5 0505121F32444F1B1C011C17125D 7
ntp authentication-key 2 md5 11070D15041A0A1E012E20213161 7
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp server key 1
ntp server key 2

Setup TACACS and SSH (skip this if you already have it running):

crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
line vty 0 15
 transport input ssh
 authorization exec LAB_AUTHZ_LIST
 login authentication LAB_AUTH_LIST
tacacs server LAB_ISE_1
 address ipv4
 key Cisco123
 timeout 2
tacacs server LAB_ISE_2
 address ipv4
 key Cisco123
 timeout 2
aaa group server tacacs+ TACACS_GROUP_1
 server name LAB_ISE_1
 server name LAB_ISE_2
aaa authentication login LAB_AUTH_LIST group tacacs+ local
aaa authorization exec LAB_AUTHZ_LIST group tacacs+ local 
aaa authorization network LAB_NET_AUTHZ_LIST group tacacs+

View your certificate’s properties to find your applicable root cert:

Prep to load your root cert:

crypto pki trustpoint CA3
 enrollment terminal
 revocation-check none
 authorization list LAB_NET_AUTHZ_LIST
 authorization username subjectname commonname   

Load your root cert (base64 format):

crypto pki authenticate CA3

Configure x.509 (keyboard auth still an option):

ip ssh server certificate profile
 trustpoint verify CA3 
ip ssh server algorithm hostkey ssh-rsa 
ip ssh server algorithm authentication publickey keyboard 
ip ssh server algorithm publickey x509v3-ssh-rsa

Configure ISE (2.6)

Ensure Device Admin Service is enabled (Administration > System > Deployment):

Add your network devices (Work Centers > Device Administration > Network Resources):

Enter the IP and TACACS key used in your IOS device:

Create a profile (Work Centers > Device Administration > Policy Elements > Results):

Set the privilege level to 15 and add a custom attribute named “cert-application” with a value of “all“:

Add an identity group (Work Centers > Device Administration > User Identity Groups):

Just name it and save:

Create users (Work Centers > Device Administration > Identities):

The username MUST be the “Common Name” or “CN” from the certificate. Run “Manage User Certificates” in the Start Menu to view the details of your cert. (This is also a good time to double check you loaded the correct root cert under the “Certification Path” tab):

Ensure the Name matches the CN in the certificate exactly. The password is not used during CAC authentication, but can still be used with traditional keyboard authentication:

Go to the default Policy Set for TACACS (Work Centers > Device Administration > Device Admin Sets):

Add a new rule:

Enter your rule name, set a condition to match your group, and apply the shell profile you created:

Configure SecureCRT (8.7 Beta)

Enter Global Options (Options > Global Options):

Under SSH2, select your cert, get the username from the common name, do not use raw key, and do not add keys to agent (optionally consider more settings HERE):


Moment of truth (ensure PublicKey is checked):

Accept & Save the key if prompted:

Enter your PIN:

We’re in.

Leave a Reply

Your email address will not be published. Required fields are marked *