Users Guide
● Enable RADIUS or TACACS+ authentication.
radius-server host {hostname | ip-address} key {0 authentication-key | 9
authentication-key | authentication-key} [auth-port port-number]
aaa authentication login default group radius local
● Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
● If all SSH login attempts require an X.509v3 certificate, disable the plain password authentication and SSH public key
authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
Configure local user authentication with a password
To support local user authentication by smart card and password, configure the following:
● Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
● If all SSH login attempts present an X.509v3 certificate, disable the plain password authentication and SSH public key
authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
● If you enable the key-usage-check in the security profile but the user certificates uses a different name syntax than the user
login names, configure the user certificate details to allow the SSH server to match the user certificate to the account.
username username certificate subject “x509v3-subject-string”
or
username username certificate principal-name user-principal-name-string
or
username username certificate fingerprint fingerprint-value
Configure local user authentication without a password
To support password-less local user authentication using a smart card and password, configure the following:
● Enable password-less X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name password-less
● Leave plain password authentication enabled for users that do not have a configured certificate.
ip ssh server password-authentication
● Leave plain public key authentication enabled if it is required that users can alternatively use SSH public key password-less
authentication.
ip ssh server pubkey-authentication
● Configure the user X.509v3 certificate details to allow the SSH server to match the user certificate to the account.
username username certificate subject “x509v3-subject-string”
or
username username certificate principal-name user-principal-name-string
or
username username certificate fingerprint fingerprint-value
Security
1395