We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008 R2 server with the network protection role. This works great for logging into the switch via SSH when configuring the devices.
We are now in the beginning stages of deploying smart cards for logins. Does anyone know of a way to login to a Cisco switch using a smart card instead of a domain username and password?
The SSH client we are using is PuTTY. Workstations are Windows 7. RADIUS is running on Windows 2008 R2. We are running our own certificate authority on Windows 2008; the network is not connected to the Internet.
We prefer to not have to purchase additional proprietary devices for this functionality.
Configure the Cisco network devices to point to your Certificate Authority and enable authentication using PKI.
On the client side you need to replace PuTTY's pageant.exe with a version which will accept a smart card as the authentication type, found here: Secure Shell with Smart Card Authentication
For more information you should look at: Cisco IOS Security Configuration Guide
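The answer above leaves out the concrete device-side step: the smart card's RSA key pair is used as an ordinary SSH key, so the switch only needs the card's public key installed under `ip ssh pubkey-chain`. The script below is an added example, not code from the answer, from Cisco, or from the linked pageant replacement. It assumes an IOS release that supports public-key SSH authentication via `ip ssh pubkey-chain` (check the release notes for the asker's switches), an OpenSSH-format `ssh-rsa` line exported from the card's certificate or public key (for example with puttygen or the PKCS#11 tooling), and a hypothetical username `jdoe`. The sample key is constructed in the script and is not a real RSA key.

```python
#!/usr/bin/env python3
"""Render an IOS 'ip ssh pubkey-chain' stanza from an OpenSSH ssh-rsa line.

Added example (not from the original thread).  Assumes the switch runs an IOS
release that supports public-key SSH authentication via 'ip ssh pubkey-chain'.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251 section 5)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:          # keep the sign bit clear
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_line(exponent: int, modulus: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa AAAA... [comment]' line from an RSA public key."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return ("ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment).rstrip()


def parse_ssh_rsa_line(line: str):
    """Return (exponent, modulus, raw_blob) from an OpenSSH ssh-rsa line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(fields[1])
    pos, parts = 0, []
    for _ in range(3):                 # key type, public exponent, modulus
        if pos + 4 > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        parts.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob) or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big"), blob


def ios_key_hash(blob: bytes) -> str:
    """MD5 of the raw key blob: the value IOS displays as 'key-hash ssh-rsa <hex>'."""
    return hashlib.md5(blob).hexdigest()


def ios_pubkey_chain(username: str, line: str, min_bits: int = 2048, width: int = 72) -> str:
    """Render the configuration that installs this public key for one SSH user."""
    exponent, modulus, blob = parse_ssh_rsa_line(line)
    if exponent % 2 == 0 or modulus.bit_length() < min_bits:
        raise ValueError(f"refusing key: e={exponent}, modulus {modulus.bit_length()} bits")
    b64 = base64.b64encode(blob).decode("ascii")
    out = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    # IOS takes the base64 key as several lines of at most 254 characters each.
    out += ["   " + b64[i:i + width] for i in range(0, len(b64), width)]
    out += ["   exit", "  exit", " exit"]
    return "\n".join(out)


# Constructed placeholder key: a 2048-bit odd number, NOT a real RSA modulus.
SAMPLE_MODULUS = (int.from_bytes(hashlib.sha256(b"smart card example").digest() * 8, "big")
                  | (1 << 2047) | 1)
SAMPLE_LINE = build_ssh_rsa_line(65537, SAMPLE_MODULUS, "jdoe@example")  # hypothetical user

if __name__ == "__main__":
    print(ios_pubkey_chain("jdoe", SAMPLE_LINE))
    _, _, sample_blob = parse_ssh_rsa_line(SAMPLE_LINE)
    print("! expected key-hash ssh-rsa", ios_key_hash(sample_blob))
```

After pasting the stanza, `show running-config | section pubkey-chain` displays the key as `key-hash ssh-rsa <md5>`; that value should match the hash the script prints, which is the check that the key survived the copy intact. Note that the switch then only verifies possession of the card's private key: it does not consult the CA or a CRL, so revoking a card also means removing its stanza, and authorization (privilege level, command sets) should still come from RADIUS.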
You can use the Cisco Secure Services Client. It works well but can be very difficult to set up. Here is Cisco's datasheet for the product. The client works with both Cisco Secure ACS and Microsoft IAS RADIUS services.