Pragma 2-factor SSH for Cisco & Federal Agencies

In collaboration with Cisco, Pragma introduced its 2-factor, RFC 6187-compliant SSH clients and servers for Cisco routers and switches on June 8, 2015. 2-factor RFC 6187 SSH is a key requirement for US DoD and Federal Government departments to prevent hacking and unauthorized access by foreign countries and intruders. Pragma Fortress SSH clients and servers fully support RFC 6187 2-factor authentication and have been validated by Cisco to work in its secure environment (Cisco IOS 15.2(2) supports 2-factor RFC 6187). The solutions are available now. Pragma 2-factor SSH can be ordered today from our website or by contacting our sales department.

Pragma Systems Fortress SSH Server, SFTP (secure file transfer) and SCP (secure copy) hold a full Certificate of Networthiness (CoN 201621769) from the U.S. Army Network Enterprise Technology Command (NETCOM). The CoN is a requirement for all enterprise software products in the Army Enterprise Infrastructure Network. The CoN certification signifies that Pragma’s Windows secure shell product, Fortress SSH Server, is in full compliance with the Army Enterprise Infrastructure’s strict standards for security, supportability, sustainability, and compatibility. In addition to the U.S. Army, the certification applies to all National Guard, Army Reserve, and Department of Defense organizations that use the Army Enterprise Infrastructure Network.

Using FortressCL X.509 authentication with Cisco RADIUS

Here’s the Cisco reference:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-cfg-auth-rev-cert.html

Specifically:

If the RADIUS protocol is used, the password that is configured for the username in the AAA server should be set to “cisco,” which is acceptable because the certificate validation provides authentication and the AAA database is only being used for authorization. When the TACACS protocol is used, the password that is configured for the username in the AAA server is irrelevant because TACACS supports authorization without requiring authentication (the password is used for authentication).

The problem is that although RADIUS is only being used for authentication and not authorization for Cisco network devices, many users use the same backend for both authentication and authorization for other devices. A common example is Active Directory with NPS. In this scenario, Active Directory is used to authenticate and authorize all Windows computers on the network. Organizations wishing to add Cisco devices supporting 2FA have to create additional users that have hard-coded passwords. It CAN be done safely, but you have to be exceedingly careful to limit these accounts to the Cisco devices. This also means that the same accounts cannot be used for both Windows authentication and Cisco authentication. Government organizations often have their employees' CAC cards set up to map to an Active Directory account and wish to authenticate using their CAC card. The Cisco limitation makes this problematic, since the user's password needs to be hard-coded to a known value.
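One way to check that the fixed-password accounts stay confined to the Cisco devices, as an added example that is not Pragma's or Cisco's code. The CSV layout, account names, subnet and events are all constructed for illustration; a real deployment would feed in its own RADIUS server logs and account inventory.

```python
import csv
import io
import ipaddress

# Constructed sample events in a simplified CSV layout (not a real NPS log format).
SAMPLE_EVENTS = """\
timestamp,user,nas_ip,result
2024-05-01T10:00:00,rtr-admin1,10.10.0.5,Access-Accept
2024-05-01T10:02:00,rtr-admin1,10.20.3.7,Access-Accept
2024-05-01T10:03:00,jsmith,10.20.3.7,Access-Accept
2024-05-01T10:04:00,rtr-admin2,10.20.3.9,Access-Reject
2024-05-01T10:05:00,jsmith,10.10.0.6,Access-Accept
"""

# Hypothetical inventory: accounts that carry the fixed RADIUS password,
# accounts used for Windows logon, and the subnet where Cisco devices live.
FIXED_PASSWORD_ACCOUNTS = {"rtr-admin1", "rtr-admin2"}
WINDOWS_LOGON_ACCOUNTS = {"jsmith", "rtr-admin2"}
CISCO_NAS_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


def is_cisco_nas(ip):
    """True when the RADIUS client (NAS) address is in a Cisco device subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CISCO_NAS_NETWORKS)


def audit_events(log_text):
    """Return uses of fixed-password accounts from RADIUS clients that are not Cisco devices."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] not in FIXED_PASSWORD_ACCOUNTS or is_cisco_nas(row["nas_ip"]):
            continue
        outcome = "accepted" if row["result"] == "Access-Accept" else "attempted"
        findings.append((row["timestamp"], row["user"], row["nas_ip"], outcome))
    return findings


def shared_accounts():
    """Fixed-password accounts that are also used for Windows logon."""
    return sorted(FIXED_PASSWORD_ACCOUNTS & WINDOWS_LOGON_ACCOUNTS)


if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        print("fixed-password account used outside Cisco devices:", finding)
    print("accounts shared with Windows logon:", shared_accounts())
```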
