Access Switch Using SSH Gateway
LAN managers who need switch access connect to the GlobalProtect VPN as normal and use an SSH Gateway to reach their switches. Network Operations currently has two dedicated SSH bastion hosts deployed within the WVU ITS ‘Greenfield’ environment. These servers exist solely to make network devices on a ‘private’ network reachable from the general campus client and VPN subnets, which removes the need to grant access directly from those remote subnets. All traffic is proxied through the bastion host, which improves security and auditing and reduces the management of the ACLs controlling access to the ‘private’ subnets to a single enforcement point.
Requirements
The following are requirements for secure access to the Network Operations SSH Gateways:
Traffic must originate from a campus wired/wireless or VPN network.
An Active Directory account, with proper justification for access, has been granted membership in the required Active Directory group.
The Active Directory account has appropriate permissions within the Network Operations TACACS+ (Cisco Identity Services Engine) service.
The Active Directory account is DUO multi-factor enabled and has been enrolled for ‘Push’ notifications.
Detailed operations
Once access has been granted to the SSH Gateway Service and the user is connected to an access network listed above, follow these steps to connect:
Using PuTTY or a similar SSH client, connect to one of the following servers:
When prompted, enter your AD username.
Enter ‘1’ for DUO Push and approve the prompt on your registered device.
Once authenticated, SSH directly to the network device by hostname or IP address.
Multiple connections to the SSH gateway are allowed. If access to more than one device at a time is needed, additional sessions can be established.
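An OpenSSH client configuration that performs the two hops above automatically, added here as an example (it is not part of the original page or of the Network Operations documentation). The gateway and switch hostnames and the username are placeholders; the DUO prompt (‘1’ for Push) is delivered through keyboard-interactive authentication on the gateway, so that method is left enabled.

```sshconfig
# ~/.ssh/config  (added example; hostnames and username below are placeholders,
# not real WVU ITS values)

# The Network Operations SSH gateway (bastion host). Login is the AD username
# followed by the DUO keyboard-interactive prompt, so keyboard-interactive stays on.
Host netops-gw
    HostName BASTION_HOSTNAME_PLACEHOLDER
    User AD_USERNAME_PLACEHOLDER
    KbdInteractiveAuthentication yes
    # Record the gateway's host key on first use and refuse to connect if it ever
    # changes: the bastion is the single enforcement point, so a swapped key is
    # something to report, not click through. Verify the fingerprint out of band.
    StrictHostKeyChecking accept-new
    # Keep the session alive while working on a switch console.
    ServerAliveInterval 60
    # Reuse the first authenticated gateway connection for additional sessions
    # (the page allows multiple connections), so each new switch does not need a
    # fresh DUO push. The control socket is a local credential; it expires after 10m.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# Any switch on the ‘private’ management network (naming pattern assumed):
# tunnel through the gateway instead of connecting directly, since direct access
# from client and VPN subnets is not granted.
Host sw-*
    ProxyJump netops-gw
    # Switch logins are authorised by TACACS+ (ISE) against the same AD account.
    User AD_USERNAME_PLACEHOLDER
```

With this in place, `ssh sw-example` (name assumed) opens the gateway connection, prompts for the DUO push once, and then lands on the switch; a second `ssh sw-other` within ten minutes reuses the authenticated gateway session.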