topic Re: SSH and ASDM Two Factor Authentication in Network Security

SSH and ASDM Two Factor Authentication

thomas.talley — Fri, 21 Feb 2020 15:37:35 GMT

We have a requirement to establish Two Factor Authentication (2FA) to manage all network devices. Seeking guidance/advice on connecting to a device via SSH and ASDM. VPN is not implemented. Our current environment includes a router, switch and ASA firewall. We currently are using Active Directory and Windows NPS to support RADIUS. The network devices are not allowed to have local user accounts, only a single emergency account. All users are sourced from Active Directory.

Any advice on the way forward to cost effective implementation of 2FA would be appreciated.

Re: SSH and ASDM Two Factor Authentication

Marvin Rhoads — Fri, 13 Apr 2018 11:08:18 GMT

If the device (ASA or otherwise) is setup to use the Microsoft NPS server as its RADIUS server, all of the 2FA work happens on the NPS side.

There's nothing special you need to do with the ASA beyond telling it to authenticate and authorize the users via the RADIUS server.

Re: SSH and ASDM Two Factor Authentication

Robert Molina — Mon, 15 Oct 2018 23:21:47 GMT

What about if user accounts are on a TACACS (ISE) server for authentication?

Re: SSH and ASDM Two Factor Authentication

Marvin Rhoads — Tue, 16 Oct 2018 03:24:12 GMT

In that case I don't believe it's currently supported.

Since Cisco recently acquired Duo, we may see additional 2FA features as those products get blended into the Cisco offerings but that's all future work.

Re: SSH and ASDM Two Factor Authentication

Robert Molina — Tue, 16 Oct 2018 17:04:10 GMT

Thanks Marvin. Yes I saw that Cisco acquired Duo and I hope that solutions come quicker given Duo's expertise in MFA. DoD mandated that it be MFA be completed last December, but you know how that goes. Must do, but no guidance in how to do on a closed network that doesn't see the cloud.

Thanks and much appreciated.

Re: SSH and ASDM Two Factor Authentication

thomas.talley — Tue, 16 Oct 2018 17:19:06 GMT

In a press release on the Duo purchase it states: "Duo is the leading provider of unified access security and multi-factor authentication delivered through the cloud". It would not seem to be an option for a closed network.

My initial question is in support of DoD environment with an expectation that the 2FA leverage CAC/Token/Smartcard. The only solution I have been able to obtain from DoD is RSA SecureID. But the cost of that solution would be almost the same as the cost of the three devices being managed. Does not seem to be a cost effective solution for our situation.

Re: SSH and ASDM Two Factor Authentication

Robert Molina — Tue, 16 Oct 2018 17:37:36 GMT

Thomas,

You're right that Duo uses the cloud for 2FA, however, Cisco has a need to provide 2FA (CAC/Smartcard) support to the DoD as a whole who have network devices not only on Classified (closed) networks but on the Unclassified network. A question would be to ask in terms of the Unclassified network, is does DoD want to have 2FA account information in the cloud? RSA SecureID would not necessarily work in our small environment since I believe that to use an RSA SecureID we would require the purchase of an RSA server and token. Too much cost just for one or two users in our unique program. Therefore, I am looking at vendors that can provide a standalone solution that either uses an account on a TACACS server or AD regardless of the ios that is currently on the network devices. ASDM UI for the ASA is just one of those things that doesn't take 2FA into account.

Re: SSH and ASDM Two Factor Authentication

oeortiz01 — Mon, 02 Mar 2020 16:22:48 GMT

Hello!!

I implemented NPS as a Radius Identity Server (external Identity Store) on Cisco ACS 5.8. I think that this is possible in ISE v 2 too.

Regards

Re: SSH and ASDM Two Factor Authentication

Mike.Cifelli — Mon, 02 Mar 2020 17:30:09 GMT

FYSA Here is another nice-to-know 2factor solution involving ISE: https://www.pragmasys.com/products/support/cisco-2-factor
Older doc, but works with 9k devices too. HTH!

Re: SSH and ASDM Two Factor Authentication

Kombi — Thu, 01 Sep 2022 23:13:15 GMT

If you place ACL on the switches and limit Ip to /32 on the firewall. Could you implement MFA on the the station to get in compliance till Cisco catches up to what regulation are requesting?

Re: SSH and ASDM Two Factor Authentication

Luca Berlinghieri — Mon, 18 Dec 2023 14:00:55 GMT

RADIUS configuration seems not enough, this configuration work fine for SSH but with ASDM there are some problem, a lot of continuosly push were prompted from DUO on the DUO APP ... so doesn't work

Re: SSH and ASDM Two Factor Authentication

Marvin Rhoads — Mon, 18 Dec 2023 14:12:09 GMT

When the external identity source used by RADIUS is setup with MFA, we typically adjust the timeout to something like 1-2 minutes so that the end user has time to confirm their login using the configured MFA solution.