Description
Hello,
We are looking to improve security in our current network (focus is on network devices). The goal is to SSH to our network devices via bastion only, but I don't want to deploy SSH keys yet (overhead). Currently, all our switches have RADIUS authentication. I would like to allow network engineers to log in to the network devices using their credentials from AD (then authentication will be performed on the RADIUS). Then on the switches, I will set up that SSH access is only allowed from the bastion IP.
Is this concept making sense and does it match the purpose of the bastion?
Can the bastion handle each engineer using their own RADIUS username when connecting to switches (but at the same time use groups)? I found `accountAddPersonalAccess` with `--user` or with `user USER|PATTERN|*`, and `PasswordAuthentication yes` / `KbdInteractiveAuthentication yes` - is this the right approach?
Are there any additional tips available?
Our team is used to using PuTTY - can the bastion act as a kind of proxy in the above scenario?
Could you please advise? Thank you
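The question above rests on two controls that are worth verifying after rollout: the switches should accept SSH only from the bastion's address, and every engineer should still arrive at the switch under their own RADIUS username rather than a shared account. The following audit script is an added example, not code from the issue or from The Bastion project. It assumes a generic syslog-style "Accepted/Failed <method> for <user> from <ip>" login line (real switch log formats vary), a bastion egress address of 10.0.0.5, and a handful of constructed sample lines; the device names and usernames are made up for the example.

```python
import ipaddress
import re

# Constructed sample switch log lines (not taken from the issue). The line shape
# is an assumed generic SSH login format; adapt LOGIN_RE to your vendor's syslog.
SAMPLE_LOG = """\
Jan 10 09:01:02 sw-core-01 sshd: Accepted keyboard-interactive for alice from 10.0.0.5 port 51022
Jan 10 09:03:17 sw-core-01 sshd: Accepted keyboard-interactive for bob from 10.0.0.5 port 51030
Jan 10 09:10:44 sw-edge-07 sshd: Accepted password for carol from 192.168.44.12 port 40112
Jan 10 09:12:01 sw-edge-07 sshd: Accepted publickey for svc-backup from 10.0.0.9 port 40200
Jan 10 09:15:20 sw-core-02 sshd: Failed password for dave from 172.16.3.3 port 40333
"""

# Assumed bastion source address(es): the IP(s) the bastion uses when it opens
# the onward SSH session to a switch. Replace with your bastion's egress IP(s).
BASTION_SOURCES = [ipaddress.ip_network("10.0.0.5/32")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<device>\S+)\s+sshd:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<src>[\d.]+)\s+port\s+(?P<port>\d+)$"
)


def parse_login_events(text):
    """Return one dict per recognised login line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_from_bastion(src, bastion_sources=BASTION_SOURCES):
    """True if the source address falls inside one of the bastion networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in bastion_sources)


def audit_bastion_only_access(events, bastion_sources=BASTION_SOURCES):
    """Split login events into what the 'SSH only from bastion' rule cares about.

    accepted_outside_bastion: successful logins that bypassed the bastion; the
        switch-side source restriction is missing or has a gap on that device.
    attempts_outside_bastion: any attempt (failed included) from a non-bastion
        source; even a failure shows the switch is still reachable from there.
    """
    accepted, attempts = [], []
    for ev in events:
        if is_from_bastion(ev["src"], bastion_sources):
            continue
        attempts.append((ev["device"], ev["user"], ev["src"], ev["result"]))
        if ev["result"] == "Accepted":
            accepted.append((ev["device"], ev["user"], ev["src"], ev["method"]))
    return {"accepted_outside_bastion": accepted, "attempts_outside_bastion": attempts}


def users_via_bastion(events, bastion_sources=BASTION_SOURCES):
    """Distinct usernames seen on successful logins that came through the bastion.

    With per-engineer RADIUS usernames this should match the engineers who
    connected; a single shared name here means the bastion is collapsing
    identities and the switch-side accounting cannot attribute sessions.
    """
    return sorted({
        ev["user"] for ev in events
        if ev["result"] == "Accepted" and is_from_bastion(ev["src"], bastion_sources)
    })


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    report = audit_bastion_only_access(evs)
    for device, user, src, method in report["accepted_outside_bastion"]:
        print(f"BYPASS  {device}: {user} from {src} via {method}")
    for device, user, src, result in report["attempts_outside_bastion"]:
        print(f"REACHABLE {device}: {result} attempt by {user} from {src}")
    print("users seen through bastion:", ", ".join(users_via_bastion(evs)))
```

Run it against the switch syslog feed (or a collector export) once the bastion-only ACLs are in place: an empty `accepted_outside_bastion` list confirms no one is bypassing the bastion, an empty `attempts_outside_bastion` list confirms the switch no longer answers SSH from other sources at all, and `users_via_bastion` confirms that individual RADIUS usernames survive the hop through the bastion.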