Cisco IOS with 2FA

Hello, does Cisco IOS Router/Switch support 2FA without ISE / ACS / AD?

 

Thanks,

Juan Carlos Arias

 

Accepted Solutions

I believe your option should be with certificate authentication, but then you need to have at least an internal CA issuing them.


Thanks Giovanni for your comments. I was expecting something like that, and wanted to be sure that there was no RADIUS option for secondary authentication.

 

Regards,

Hi,

I guess it depends on what 2FA solution you want to use. For example, if you use Cisco DUO, it uses a RADIUS proxy, so then, yes, you could configure the IOS device to use 2FA.

 

HTH

That's right Rob, I'm using DUO and already have Duo Security Authentication Proxy, but it's working only in a single authentication mode; it means that I'm using only the 6-digit Duo code and not the user's password to authenticate.

 

I was looking for a RADIUS line configuration on Cisco IOS switch / router to specify a secondary authentication mode, but this line doesn't exist.

 

Regards,

You can configure the DUO radius proxy to authenticate to AD to prompt for username and password, in addition to the DUO passcode.

 

There is no additional IOS command (that I am aware of) to specify a second authentication server, only for failover if the primary method is unavailable.
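
The proxy-side setup described in the reply above, as an added example that is not part of the original thread: a Duo Authentication Proxy `authproxy.cfg` in which the RADIUS listener checks the password against AD before applying the Duo factor, with the Duo-only variant that matches the single-factor behaviour reported earlier shown commented out. All addresses, keys, secrets and DNs are placeholders, and the IOS device is assumed to already send its RADIUS requests to this proxy.

```ini
; authproxy.cfg (constructed example; every value below is a placeholder)

; --- Single factor: the proxy performs no primary authentication ---
; With this client the proxy never checks a password, so a login
; succeeds on the Duo factor alone.
;[duo_only_client]
;
;[radius_server_auto]
;client=duo_only_client

; --- Two factors: AD password first, then Duo ---
[ad_client]
host=192.0.2.10
service_account_username=duoproxy-svc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
; IOS router/switch that sends RADIUS Access-Requests to the proxy
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_ME
; Primary authentication is delegated to the [ad_client] section above
client=ad_client
; failmode=secure rejects logins when Duo's service is unreachable;
; failmode=safe would let them through on the password alone
failmode=secure
port=1812
```

On the IOS side the proxy remains a single RADIUS server in the login method list; both factors are enforced inside the proxy.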

Hello Rob, in my understanding, the 2FA mode has to be configured on devices somehow, the secondary authentication, just like in ASA where there is the option of "secondary-authentication-server-group", but not on a Switch / Router.

The first authentication password is using the device authentication process defined, and the second goes to DUO Proxy. In this case (Router / Switch) the first authentication process is missed, because there is no secondary-authentication option to enable.

You're right, there is no option for secondary-authentication; there is only an option for failover when the first server is not reachable.

 

Regards,
