Symptom
This is a feature request to port to NXOS functionality that is currently available on IOS/IOS-XE. The particular use case (integration with a TACACS+ server) is described in the following IOS/IOS-XE tech note.
Configuring SSH with x509 authentication on IOS devices
https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html
The use case of interest combines the following aspects:
1. A remote SSH user relies on x509v3 certificate identity-based SSH authentication, in accordance with RFC6187 - X.509v3 Certificates for Secure Shell Authentication.
2. Authentication and authorization of users is performed via an external AAA/TACACS+ server, which relies on an external Active Directory (AD).
3. The username has to be fetched by the switch from the x509v3 certificate for accounting and authorization purposes. A configuration knob on the switch designates the particular username that should be sent to AAA/TACACS+. There are several configuration options, including but not limited to:
authorization username alt-subjectname userprinciplename
Conditions
The user relies on an x509v3 certificate, in accordance with RFC6187 - X.509v3 Certificates for Secure Shell Authentication.
Integration with an AAA/TACACS+ server.