Current access to APIC, Leaves or Spines using TACACS works without any issues. We need to tighten security for ACI and many critical devices in our network by changing from normal TACACS to TACACS with MFA. I have no issue converting all Cisco IOS devices, only ACI.
Because MFA needs more time to authenticate, a successful conversion to MFA requires extending the authentication timeout from the default 10 seconds to 30 seconds or more. 60 seconds is the maximum allowed timeout in Cisco IOS and also in ACI.
We deployed DUO for MFA, where users must register and download the DUO app to their phones to receive a “push” and respond to it. I changed the ACI timeout to 60 seconds (Figure 1,2), but the timeout tripped at 14 seconds (Figure 3). When a user accesses the device, it takes somewhere between 8 to 10 seconds for DUO MFA to send out a push, so with a 14-second timeout the user has only 4 seconds to react, which is not enough time, and authentication fails. This timeout shortfall is observed in both the GUI and the console.
ACI Version 2.3(1o)
Thanks,