10-02-2024 12:51 AM
We want to implement a solution that allows a user to access multiple network devices via SSH without having to enter the second factor each time. I would like to know if this would be possible with the rise of Cisco ISE 3.3+ with native Duo integration. In particular, I noticed that there are MFA policies here that you could probably use to integrate this solution. If this is not possible through Duo, is there any solution (even third-party) that can be integrated with Cisco ISE?
10-02-2024 03:45 PM
How would you envisage this to work in practice? In other words, at (or after) what point in time would the user be challenged to enter an MFA token?
I can't speak to Duo or any other MFA, but have you considered public key or cert authentication instead?
SSH public keys and certs. It means that the user must have their public key on every device (or have a cert that is trusted by every device) and you can still use AAA for authorization. It's not as hard as it sounds, and it can make authentication a lot more secure than relying on passwords.
It's a pity that Cisco IOS doesn't support GSSAPI. I have experienced this on Linux hosts, and the user never enters their password because that is asserted via the protocol, assuming that the same user has been authenticated on the host from which they are issuing the SSH.
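As an added illustration of the public-key approach described in the answer above (this is example code, not from the original thread or from Cisco), the script below takes an OpenSSH-style public key line, checks that it is well formed, and renders the Cisco IOS `ip ssh pubkey-chain` stanza that binds that key to a username. IOS identifies a key in this stanza by the MD5 digest of the decoded key blob (the `key-hash` form), which is what the script computes; the sample key, the username `alice`, and the comment are constructed for the example and are not a usable key. With this stanza on a device, SSH authentication for `alice` completes against the key and never touches the AAA server, while `aaa authorization exec` can still be applied to that session as the answer notes.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint; the extra byte keeps a high-bit value positive."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble an OpenSSH 'ssh-rsa <base64> <comment>' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key: a made-up modulus, far too small to be a real RSA key.
# It only exists so the example runs offline; use a key from ssh-keygen in practice.
SAMPLE_PUBKEY = build_rsa_pubkey_line(65537, 0xD3ADBEEFCAFEF00D12345678, "alice@jump-host")


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Validate an OpenSSH public key line and return (key type, decoded blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    # The first wire-format field inside the blob must repeat the key type.
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type inside blob does not match the prefix")
    return keytype, blob


def ios_key_hash(line: str) -> tuple[str, str]:
    """Return (key type, MD5 hex digest of the blob) as used by IOS 'key-hash'."""
    keytype, blob = parse_pubkey_line(line)
    # MD5 here is only a fingerprint to match a known public key, not a secret.
    return keytype, hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_chain(entries: dict[str, str]) -> str:
    """Render the IOS 'ip ssh pubkey-chain' configuration for user -> pubkey line."""
    lines = ["ip ssh pubkey-chain"]
    for user, pubkey in entries.items():
        keytype, digest = ios_key_hash(pubkey)
        lines += [f" username {user}", f"  key-hash {keytype} {digest}", " exit"]
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_pubkey_chain({"alice": SAMPLE_PUBKEY}))
```

The rendered stanza is what would be pasted into each device's configuration, which is exactly the per-device distribution the answer describes; `key-string` followed by the base64 itself is the alternative IOS form if you prefer not to precompute the hash. The username under `pubkey-chain` must match the account that AAA authorization (for example a TACACS+ shell profile on ISE) knows about, otherwise the session authenticates but receives no privilege.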