LAN managers who need switch access will connect to the GlobalProtect VPN as normal and use an SSH Gateway to access their switches. Network Operations currently has two dedicated SSH bastion hosts deployed within the WVU ITS ‘Greenfield’ environment. These servers exist solely to make network devices on a ‘private’ network reachable from the general campus client and VPN subnets, which removes the need to grant access directly from those remote subnets. All traffic is proxied through the bastion host, which improves security and auditing and reduces the management of the ACLs controlling access to the ‘private’ subnets to a single enforcement point.
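The client side of this design is an ssh_config fragment in which the bastion is the only host the campus or VPN client dials directly, and every switch stanza carries a ProxyJump through it. The script below is an added example, not part of this page or of Network Operations' tooling: it writes such a fragment and then checks that no switch stanza bypasses the bastion, which is the property that keeps the ACLs at a single enforcement point. The hostnames (netops-bastion, netops-bastion.example.edu), the username jdoe and the 10.200.x.x management addresses are assumptions, not the real deployment values.

```shell
#!/bin/sh
# Added example (not WVU ITS documentation): a client ssh_config that reaches
# switches on a 'private' subnet only through an SSH bastion host.
# All hostnames, usernames and addresses below are assumed placeholders.

# Write the ssh_config fragment to the path given as $1.
write_bastion_config() {
    cat > "$1" <<'EOF'
# The bastion is the only host reached directly from the campus/VPN client.
Host netops-bastion
    HostName netops-bastion.example.edu
    User jdoe
    # Duo push is a second factor on top of the AD credential.
    PreferredAuthentications publickey,keyboard-interactive

# Switches on the private management subnet are never dialed directly;
# ProxyJump makes ssh open the connection from the bastion instead.
Host switch-* 10.200.*
    User jdoe
    ProxyJump netops-bastion
EOF
}

# Return 0 if every non-bastion Host stanza in file $1 carries a
# "ProxyJump netops-bastion" line, 1 otherwise. A stanza without it would
# let the client bypass the single enforcement point.
check_config_uses_bastion() {
    awk '
        BEGIN { bad = 0; host = ""; jump = 0 }
        /^Host / {
            if (host != "" && host != "netops-bastion" && !jump) bad = 1
            host = $2; jump = 0; next
        }
        /^[ \t]*ProxyJump[ \t]+netops-bastion/ { jump = 1 }
        END {
            if (host != "" && host != "netops-bastion" && !jump) bad = 1
            exit bad
        }
    ' "$1"
}

# Usage: sh bastion_config.sh ~/.ssh/config.d/netops
if [ -n "${1:-}" ]; then
    write_bastion_config "$1"
    check_config_uses_bastion "$1" && echo "all switch stanzas go via the bastion"
fi
```

With the fragment in place, `ssh switch-core1` opens the session from the bastion automatically; the one-off equivalent without a config entry is `ssh -J netops-bastion switch-core1`. The checker is deliberately strict: any new `Host` stanza for a device that lacks the ProxyJump line makes it fail, so it can run as a pre-commit hook on a shared config.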

Requirements

...

The following are requirements for secure access to the Network Operations SSH Gateways:

  • Traffic must originate from a campus wired/wireless or VPN network.

  • An Active Directory account, with proper justification for access provided, is a member of the required Active Directory group.

  • The Active Directory account has appropriate permissions within the Network Operations TACACS+ (Cisco Identity Services Engine) service.

  • The Active Directory account is Duo multi-factor enabled and has been enrolled for ‘Push’ notifications.

Detailed operations

...

Once access has been granted to the SSH Gateway Service and the user is connected to an access network listed above, follow these steps to connect:

...