2FA + Static Login with IP Restriction

eshaq786
Level 1

Hi

We have setup 2FA on our switches using Duo auth proxy. This is working fine.

However, we would like to be able to add a static account with no 2FA so that our security scanning tool can log in to the device to retrieve config details etc. This login would come from a single IP address, therefore we would like to restrict this login to that IP address.

This would need to work alongside our existing 2FA logins. Has anyone done this and can show us what we would need to do?

Below is our current login config:

aaa authentication login default group DUO


8 Replies

@eshaq786 you could configure a specific VTY line with a different authentication method list, which uses a different authentication server. Use the rotary command under the VTY line and configure SSH on a specific port that references the rotary number for that specific VTY line. You can also configure a specific ACL on that VTY line.

Example:

line vty 15
 access-class 102 in
 rotary 16
 transport input ssh
 login authentication METHOD-LIST
!
ip ssh port 2016 rotary 16

You connect to the device using SSH on port 2016.

Can I use this method but use a static username stored locally on the device? Furthermore, can I then restrict this so that only a specified IP address can log in using this method, as it would be deemed insecure since it has no 2FA?

@eshaq786 yes, you just reference a method list that uses local authentication. Yes, you can apply an ACL just to that VTY line.

This is my existing VTY config

line con 0
 password 7 xxxxx
 logging synchronous
 login authentication No-Radius-Login
line vty 0 4
 password 7 xxxxxx
 transport input ssh
line vty 5 15
 password 7 xxxxxx
 transport input ssh

If I issue just a line vty 15, will that change the existing line vty 5 15 to vty 5 14?

access-list 1 permit 192.168.1.10
line vty 15
 access-class 1 in
 rotary 16
 transport input ssh
 login authentication No-Radius-Login
!
ip ssh port 2016 rotary 16

Does the ACL look right? Or do I need to add a deny in there as well?

@eshaq786 if you configure line 15, then lines 5 - 14 will remain the same.

Configuration looks ok.
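Pulling the pieces of this thread into one complete configuration, as an added example that nobody in the thread posted: the method list name LOCAL-SCANNER, the username scanner-svc, the placeholder secret and the explicit deny-with-log line are assumptions; 192.168.1.10, rotary 16 and TCP port 2016 are the values used above, and the existing default method list (group DUO) is left untouched for vty 0-14.

```cisco
! Added example, not from the thread. Assumed names: LOCAL-SCANNER,
! scanner-svc, <SECRET-PLACEHOLDER>. Requires "aaa new-model" (already
! implied by the existing "aaa authentication login default group DUO").
!
! 1. Local account used only by the scanning tool. Privilege 15 is needed
!    only if the tool must run "show running-config"; lower it otherwise.
username scanner-svc privilege 15 secret <SECRET-PLACEHOLDER>
!
! 2. Second method list: local database only, no DUO/RADIUS in the chain.
!    The default list is unchanged and keeps serving vty 0-14.
aaa authentication login LOCAL-SCANNER local
!
! 3. Source restriction. The implicit deny already blocks other hosts;
!    "deny any log" (assumed addition) makes blocked attempts show up in syslog.
access-list 1 permit host 192.168.1.10
access-list 1 deny   any log
!
! 4. Dedicated VTY line, reachable only on the rotary port.
!    Configuring "line vty 15" splits the existing "line vty 5 15" into
!    5-14 (still default list) and 15 (this block).
line vty 15
 access-class 1 in
 rotary 16
 transport input ssh
 login authentication LOCAL-SCANNER
 exec-timeout 5 0
!
! 5. Bind rotary group 16 to an SSH listener on TCP 2016; port 22 keeps
!    serving vty 0-14 with 2FA.
ip ssh port 2016 rotary 16
!
! Verification after the scanner logs in (ssh -p 2016 scanner-svc@<switch>):
!   show users                 -> session should sit on vty 15
!   show line vty 15           -> confirms rotary 16 and the access-class
!   show access-lists 1        -> hit counter on the permit line rises;
!                                 hits on the deny line mean someone else tried
```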

PradeepSingh
Level 1

Hi. 

If you have a static source IP for the scanning tool, you can easily define a rule above the main rule in the authentication section of the ISE policy with the source IP as the condition (TACACS.Remote-Address Equals <scanning tool server ip>) and choose the ID store "local" or whatever ID store is applicable. This way you avoid modifying the config on all devices.

Hi

Should have specified that I am not using TACACS to manage the switches.

Walker
Level 1

Within the Device Admin policy, add the IP in the authentication condition and set the Identity store to internal users. Configure the security scanning tool username/pw in the local identity store.