223 Views, 0 Helpful, 1 Replies

Caching MFA session for ISE with Duo 3.3+

We want to implement a solution that allows a user to access multiple network devices via SSH without having to enter the second factor each time. I would like to know if this would be possible with the rise of Cisco ISE 3.3+ with native Duo integration. In particular, I noticed that there are MFA policies here, so you can probably integrate this solution. If this is not possible through Duo, is there any solution (even third-party) that can be integrated with Cisco ISE?

Accepted Solution

Arne Bier (VIP)

How would you envisage this to work in practice? In other words, at (or after) what point in time would the user be challenged to enter an MFA token?

I can't speak to Duo or any other MFA, but have you considered public key or cert authentication instead?

SSH public keys and certs. It means that the user must have their public key on every device (or have a cert that is trusted by every device) and you can still use AAA for authorization. It's not as hard as it sounds, and it can make authentication a lot more secure than relying on passwords. 

It's a pity that Cisco IOS doesn't support GSSAPI. I have experienced this on Linux hosts and the user never enters their password because that is asserted via the protocol, assuming that the same user has been authenticated on the host from which they are issuing the SSH.
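The public-key-plus-AAA pattern described in the answer above, as an added Cisco IOS configuration example that is not from the original post and not Cisco's or Duo's own material. The hostname, TACACS+ server address, shared secret, username and key material are placeholders; the key is pasted in base64 chunks under `key-string` (IOS stores and displays it as a `key-hash` afterwards), and the AAA method lists assume ISE is reachable as a TACACS+ server with a local account kept only as an out-of-band fallback.

```cisco
! Added example (not from the post): SSH public-key login on Cisco IOS with
! authorization still enforced by AAA (ISE acting as the TACACS+ server).
! All names, addresses, secrets and key material below are placeholders.

aaa new-model
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ ISE
 server name ISE-PSN1

! Login: a matching public key proves identity, so the user sees no
! password (and no per-hop MFA) prompt. Password logins still go to ISE.
aaa authentication login default group ISE local
! Authorization of the exec shell and privileged commands stays with ISE,
! so the device-admin policy (privilege level, command sets) still applies.
aaa authorization exec default group ISE local
aaa authorization commands 15 default group ISE local if-authenticated
aaa accounting commands 15 default start-stop group ISE

ip ssh version 2
! Bind the user's public key to the account. Paste the base64 body in
! lines of at most 254 characters, then exit the key-string sub-mode.
ip ssh pubkey-chain
 username alice
  key-string
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-KEY-PART-1
   PLACEHOLDER-KEY-PART-2
  exit
 exit

! Verify (exec mode):  show running-config | section ip ssh pubkey-chain
! The stored key-hash fingerprint should match the user's own key:
! on the client, compare with:  ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
```

The second factor does not disappear; it moves. The private key is the possession factor, and the MFA challenge is then enforced once, at the jump host or workstation where the key (unlocked in an agent with a passphrase) lives, rather than at every device hop. The trade-off the answer hints at is key lifecycle: each device holds its own copy of the user's public key, so revoking or rotating a key means touching every device (or driving it through ISE or your configuration automation), whereas password or Duo authentication is revoked centrally.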
