Users Guide
OS10(config)# crypto security-profile secure-cluster
OS10(config-sec-profile)# certificate s4048-001
OS10(config-sec-profile)# exit
4. Configure the cluster security profile.
OS10(config)# cluster security-profile secure-cluster
OS10(config)# exit
SSH Smart Card Authentication
OS10 allows you to use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards for authenticating
users when connecting with Secure Shell (SSH). CAC and PIV smart cards contain Public Key Infrastructure (PKI) X.509v3
certificates that are issued by certificate authorities. This feature allows the OS10 software to verify user authentication and
email signing and encryption. To use smart card authentication, use an SSH client that supports X.509v3 authentication.
The OS10 SSH server supports X.509v3 smart card authentication in two forms - with or without a password. When you use
X.509v3 authentication with passwords, you can use X.509v3 authentication along with remote authentication using RADIUS or
TACACS+ authentication.
Remote user authentication with a password
When you configure the switch for X.509v3 SSH authentication and remote authentication of users using RADIUS or TACACS+,
and when connecting using SSH, the following sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a
connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the
OS10 switch X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6. The SSH client application sends an authentication request with your X.509v3 certificate.
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If
any of the fields are invalid, the authentication fails.
8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not
revoked. Verification is done by checking either the appropriate CRL or by sending an OCSP request to the appropriate
OCSP responder.
9. If the certificate is revoked, the authentication fails.
10. If peer-name-checking is enabled in the security profile, the OS10 SSH server matches the common name or principal name
fields from the user certificate against the username. The authentication fails if there is no match.
11. The OS10 SSH server prompts you for a password.
12. The OS10 SSH server performs standard RADIUS or TACACS+ user authentication using the username and returned
password.
13. On successful authentication, the SSH session continues.
Local user authentication with a password
When you configure the OS10 SSH server for X.509v3 SSH local authentication and when you connect using SSH, the following
sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a
connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the
X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6. The SSH client application sends an authentication request with the X.509v3 certificate.
Security
1393