What does your config look like? These are the options I see on mine.
(config)# aaa authentication ssh login
local Use local switch user/password database.
tacacs Use TACACS+ server.
radius Use RADIUS server.
peap-mschapv2 Use RADIUS server with PEAP-MSChapv2.
public-key Use local switch public key authentication database.
certificate Use the X.509 certificate.
------------------------------
Steve
------------------------------
Original Message:
Sent: Sep 14, 2021 09:16 AM
From: David King
Subject: radius authentication methods for SSH on AOS-S switches
My AOS-S (and AOS-CX) switches are using PAP for RADIUS auth. If you need to do CHAP or MSCHAPv2, I'm guessing you could get that working with EAP-TTLS, but it wouldn't be straightforward.
------------------------------
David King
Original Message:
Sent: Sep 13, 2021 05:17 PM
From: Steve Cromie
Subject: radius authentication methods for SSH on AOS-S switches
Hi All,
I posted before about using Okta service for "2FA". Clearpass is not part of the solution right now, and it was decided to use the Okta radius proxy agent. However, it looks like the following are the only authentication protocols it supports.
The Okta RADIUS Server agent:
- Is a lightweight program that runs as a system service.
- Tunnels communication between on-premises services and Okta's cloud service.
- Delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA).
- Supports the Password Authentication Protocol (PAP).
- Supports EAP Generic Token Card (EAP-GTC). Currently only supported by NetMotion mobility.
- Supports EAP Tunneled Transport Layer Security (EAP-TTLS). Currently the Cisco Meraki and Cisco ASA RADIUS apps support configuration for EAP-TTLS.
- Supports UDP, defaulting to port 1812, using multiple ports simultaneously.
I believe the switches only support CHAP and MSCHAPv2. Is there anything on the AOS-S switches that can support one of these other methods?
Thanks,
Steve
------------------------------
Steve
------------------------------