Cisco switches do not natively support two-factor authentication, so a third-party solution is required. This guide uses TOTPRadius as that solution and documents how to configure two-factor authentication on a Cisco Catalyst 3750 switch, with Microsoft Active Directory as the first factor and the TOTPRadius server as the second. The steps should also suit other Cisco Catalyst switch models.
► Set the 'Allow initial login' value to zero
► [optional] In the Endpoint IP and subnet fields, specify the address of your Cisco Catalyst 3750 switch (192.168.99.77 in this guide)
► Set LDAP to enabled
► Specify the LDAP server IP/FQDN (192.168.99.10) and the username format
(%username%@domain.local or DOMAIN\%username%, where "domain.local" or "DOMAIN" is replaced with your domain name, or removed if your directory does not need it)
► If you decide to allow self-enrollment, make sure the "Allow ldap enrollment" parameter is enabled. In the same section you can also allow re-enrollment and edit the intro text of the LDAP web enrollment page.
Cisco Catalyst 3750 series switch
Once the TOTPRadius appliance has been configured, the following steps configure the Catalyst 3750 series switch
to use TOTPRadius as its RADIUS server. The web interface on Cisco switches exposes little of this functionality, so the settings are entered from the command line in configuration mode:
• aaa new-model — enables the AAA access-control model on the switch. By itself it defines no servers; it only makes the lines use the "default" login method list configured below.
• aaa authentication login default group radius — exec (login) access is authenticated through RADIUS. With "group radius" as the only method, an unreachable RADIUS server locks you out of the switch; "aaa authentication login default group radius local" falls back to the local user database only when no RADIUS server answers (never on an Access-Reject). Because that fallback account is not protected by the second factor, give it a strong secret and keep a console session open while testing.
• radius-server host 192.168.99.11 auth-port 1812 key Qwerty123321Aa — defines the TOTPRadius server and the RADIUS shared secret. The secret must match the one configured on TOTPRadius; it is what hides the User-Password attribute on the wire, so use a long random value rather than the example shown. Note that the secret is stored in clear text in the running configuration unless "service password-encryption" is enabled, and even then type 7 encoding is only obfuscation, not encryption. Define the server before the authentication method list so there is no moment at which logins point at a server that does not exist yet.
Use "do show running-config" from configuration mode to confirm that the new settings are present in the configuration.
The following settings are needed to enable SSH. Skip them if SSH is already configured.
• hostname cisco3750
• ip domain-name token2.local — the hostname and domain name must both be set before the RSA key can be generated.
• crypto key generate rsa modulus 1024 — 1024-bit RSA is considered weak today; use a 2048-bit modulus if your IOS image supports it.
• ip ssh version 2
• line vty 0 15 — applies to all 16 virtual terminal lines:
- transport input ssh — accepts SSH only; Telnet, which would carry the password and OTP in clear text, is refused.
- login authentication default — binds the lines to the "default" login method list defined above.
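The complete switch-side procedure as one console session, written here as an added example rather than taken from the original guide or from TOTPRadius documentation. It orders the commands so that the RADIUS server exists before any method list refers to it, adds a local fallback account and a verification step, and uses a 2048-bit key. The interface name Vlan99 (assumed to hold 192.168.99.77, the Endpoint IP entered in TOTPRadius), the "admin" fallback account, the "alice" test user and the REPLACE-WITH placeholders are assumptions; the server address, secret, hostname and domain are the guide's own values.

```cisco
! Added example, not the original guide's listing. Keep a console session open
! while applying it so a mistake in the AAA lines cannot lock you out.
enable
configure terminal
 hostname cisco3750
 ip domain-name token2.local
 !
 ! Local fallback account (assumed name): used only when no RADIUS server
 ! answers, never on an Access-Reject. It bypasses the second factor, so it
 ! needs a strong secret.
 username admin privilege 15 secret REPLACE-WITH-STRONG-LOCAL-SECRET
 !
 ! TOTPRadius server first. The shared secret must match the one on TOTPRadius
 ! and hides User-Password on the wire; replace the guide's example value with
 ! a long random one. service password-encryption only obfuscates it (type 7).
 service password-encryption
 radius-server host 192.168.99.11 auth-port 1812 key Qwerty123321Aa
 radius-server timeout 5
 radius-server retransmit 3
 ! Source RADIUS packets from the address configured as Endpoint IP in
 ! TOTPRadius (assumption: that address lives on Vlan99).
 ip radius source-interface Vlan99
 !
 ! Now the method list: RADIUS, then local only if RADIUS is unreachable.
 aaa new-model
 aaa authentication login default group radius local
 !
 ! SSH. hostname and ip domain-name above are prerequisites for the key.
 crypto key generate rsa modulus 2048
 ip ssh version 2
 line vty 0 15
  transport input ssh
  login authentication default
  exec-timeout 10 0
 end
!
! Verification from exec mode. "test aaa" sends a real Access-Request to
! TOTPRadius; supply the password exactly as TOTPRadius expects it for that
! user (see the TOTPRadius documentation for the password/OTP format).
show running-config | include aaa|radius-server|ip ssh
test aaa group radius alice REPLACE-WITH-AD-PASSWORD-AND-OTP new-code
show ssh
! Only after a successful test and a successful SSH login from a second session:
write memory
```

The "test aaa ... new-code" step and a fresh SSH login from a second session are the checks that matter: a reply from TOTPRadius proves the shared secret and endpoint settings agree on both ends, and the second session proves the vty method list works before the console session is closed and the configuration is saved.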