Mad Maxx
I've been trying to read up on this. Can't decide if it's something I should do. Thoughts?
Yubico USB-C key ordered!
2FA is good and more secure, sure.
Talking about Google accounts, I wouldn't have moved to 2FA there a few months ago (yeah, using the Google Authenticator app as the primary code generator) if there weren't the ten backup codes. Two reasons:
1. Even when I wasn't using 2FA, when trying to use my account on other computers, Google was asking me to approve my access through my phone (just because I'm signed in on my phone) via a system notification (and not some Authenticator).
2. Without backup codes I could lose my phone AND lose access to my home computer (or be somewhere abroad or far from it); then I wouldn't have access to my account forever (probably). Unacceptable!
#1 wasn't acceptable anymore. It was almost the same as #2.
#2 is just as unacceptable for if/when I lose my phone AND lose access to the computer that I checked to log in without entering a 2FA code.
With backup codes stored securely in a password manager whose DB file is backed up to many places, I can sleep soundly knowing I won't lose access to my account. But pure 2FA where I need the phone/second device to log in and this device could be lost... no thanks!
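For readers wondering what the code generator and the backup codes above actually do on the server side, here is an added example (not code from the poster or from Google): an RFC 4226/6238 HOTP/TOTP implementation with a clock-drift window, plus single-use backup codes kept only as salted hashes. The backup-code format and the in-memory store are assumptions for illustration; the test secret is the one published in the RFCs.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) verifier with a clock-drift window, plus
single-use backup codes stored only as salted hashes.

Added example for this thread; not code from the poster or from Google.
Stdlib only.  The backup-code format and store are assumptions for illustration."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what an
    authenticator app displays; the server derives the same value from the shared seed."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and up to `window` steps either side
    (phone clock drift), comparing each candidate in constant time."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


class BackupCodes:
    """Ten single-use recovery codes. Plaintext is handed out once via issue();
    only salted SHA-256 digests stay in the store, and a digest is deleted when redeemed."""

    def __init__(self, count: int = 10):
        self._salt = secrets.token_bytes(16)
        # Constructed format, e.g. 'a3f1-09bc'; real services choose their own.
        self._plain = [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(count)]
        self._hashes = [self._digest(c) for c in self._plain]

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def issue(self) -> list:
        """Return the plaintext codes exactly once (to print or put in a password manager)."""
        plain, self._plain = self._plain, []
        return plain

    def redeem(self, code: str) -> bool:
        d = self._digest(code)
        for i, h in enumerate(self._hashes):
            if hmac.compare_digest(h, d):
                del self._hashes[i]      # single use: the same code never works twice
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

The window of one step either side is the usual trade-off: it tolerates a phone clock up to 30 seconds off while keeping the number of accepted codes at three per attempt. Backup codes bypass the seed entirely, which is why they are only useful if the store deletes each one on first use.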
So I am reading up on these Yubico devices, and I am trying to see if they could be used for TACACS on Cisco, Juniper, etc. So far I can't seem to find anything on their site about it or from searching either. Has anyone done this with them yet and can provide a little insight?
Most current implementations for accessing Cisco and Juniper boxes typically involve authentication to a jump box and then logging into the network devices from there. There is some information on using 2FA with Cisco ISE. In the case of the Yubikey, you would most likely set it up to act as a smart card or OTP. You can get information on how to do that from Yubikey; how you then integrate it with Cisco would be on you and Cisco. Unless of course you hire Yubikey to consult and/or do the integration for you. They provide that service as well.
What is the purpose of your implementation? Is this for a company?
Just looking at two-factor authentication for TACACS in a mixed environment. I have read the Cisco items and they seem straightforward enough but can't find much on Juniper. I would like to keep it as vendor neutral as possible so that it could be used regardless of the gear installed. Yubikey seems to have lots of instructions on how to set up their stuff with a variety of vendors but nothing that I could see about using TACACS.
You made me think a little more: if this was going to be used like a smart card, then shouldn't they expire at some point like a certificate, or are they perpetually valid?
So just to give a clue on how this generally works in mixed Cisco/Juniper environments I have been in, we use AD for accounts matched with a RADIUS server that manages tokens. The users log in through a portal where they have to provide 2FA, and from there they can SSH into the network appliances using their AD account credentials.
EDIT: Forgot about the second part of your question. As for the smart cards, that really depends on how you want to implement it, but yes, part of certificate management is expiration. That is generally why people use AD with a CA.
Remember the Yubikey is mainly just hardware; what they are doing is providing that hardware with a lot of different tools and options for how it can be used. I was developing an interesting workflow with Yubico where the Yubikey provided not only smart card credentials but also housed configuration information and encryption. The point being that in order to operate special devices and get them connected on a network, they would need the Yubikey to get the correct configuration, but in order to unlock the configuration, the user would need to authenticate using their credentials, and then after the configuration was done, it would use the Yubikey as part of its encryption method to encrypt communications from the device.
EDIT 2: Also, I just want to say there are other key types out there. I suggest the Yubikey because I have worked with them and know they can do a lot of different things. But most of these require you to create the implementation for how you want to use them. There are other, easier turnkey solutions out there you can use if that would speed up the process for you or be better for your situation.
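To make the "RADIUS server that manages tokens" part concrete, here is an added example (not code from any poster, nor from Cisco, Juniper or Yubico) of what a network device sends to that server: an RFC 2865 Access-Request carrying a PAP User-Password, protected by an RFC 2869 Message-Authenticator, and the server-side decode that splits a one-time code appended to the static password (the common "password+token" convention when the device itself cannot prompt for a second factor). The shared secret, user, NAS address and OTP are constructed sample values.

```python
"""RADIUS Access-Request with a PAP User-Password (RFC 2865) and a
Message-Authenticator (RFC 2869), as a NAS sends it to the token server.

Added example for this thread; not code from any poster, Cisco, Juniper or Yubico.
Stdlib only.  Shared secret, user, NAS address and OTP are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the packet, keyed with the shared secret


def encrypt_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block); the 'previous block' for the first one is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def decrypt_password(secret: bytes, req_auth: bytes, blob: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    if not blob or len(blob) % 16:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One TLV: type, total length (header included), value; values are at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", kind, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: str, password: str,
                         nas_ip: str, req_auth: bytes = None) -> bytes:
    """NAS side: 20-byte header + attributes, Message-Authenticator last."""
    req_auth = req_auth or os.urandom(16)            # fresh 16 random bytes per request
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encrypt_password(secret, req_auth, password.encode()))
    attrs += attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zero placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()          # HMAC computed with MA zeroed
    return pkt[:-16] + mac                                     # MA value is the last 16 bytes


def parse_packet(pkt: bytes):
    """Return (code, ident, request_authenticator, {type: value}, offset of MA value or None)."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    attrs, ma_off, pos = {}, None, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        if kind == ATTR_MESSAGE_AUTHENTICATOR:
            ma_off = pos + 2
        pos += alen
    return code, ident, pkt[4:20], attrs, ma_off


def server_decode(secret: bytes, pkt: bytes, otp_digits: int = 6):
    """Token-server view: None if the Message-Authenticator is missing or wrong, else
    (username, static_password, otp) with the OTP split off the end of the PAP password."""
    code, _, req_auth, attrs, ma_off = parse_packet(pkt)
    if code != ACCESS_REQUEST or ma_off is None or ATTR_USER_PASSWORD not in attrs:
        return None
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[ATTR_MESSAGE_AUTHENTICATOR]):
        return None
    pw = decrypt_password(secret, req_auth, attrs[ATTR_USER_PASSWORD]).decode()
    return attrs[ATTR_USER_NAME].decode(), pw[:-otp_digits], pw[-otp_digits:]
```

Two practical points fall out of this: the User-Password obfuscation is only MD5 keyed with the shared secret, so the secret's strength and the network path (a management VLAN, or RADIUS over TLS where the gear supports it) carry the confidentiality; and without the Message-Authenticator, nothing in an Access-Request is integrity-protected, so require it on the server for any 2FA deployment.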
First, thank you for the detailed response. So really using RADIUS versus TACACS, I can see that working. Never used RADIUS for that, just dot1x items. I will have to look a little more into it. Again, thank you for the response. Also, I guess I never really answered your question, but my purpose would be to move away from username/passwords for this access at my employment. With Cisco they seem to have lots of documentation and forum posts about this; other vendors not nearly as much that I can find yet. I am still researching all options and it will probably be a while until I recommend solutions and start planning it, but I kind of like the idea of the Yubikey.