09-28-2021 07:02 AM
How do you set up 2FA on Cisco IOS devices (Cat 9300) using DUO? Are there any setup guides available with step-by-step instructions?
09-28-2021 08:34 AM
You can't do it directly. Instead, use a TACACS+ or RADIUS AAA server that in turn uses MFA/2FA. For instance, Cisco ISE or Microsoft NPS. (I've done it with both of these - ISE with Duo Security and NPS with the Azure AD plug-in and Microsoft Authenticator.)
Once your AAA server is set up with MFA (both my examples have some how-to guides - see below), the IOS or other network device that uses that AAA server will get the MFA automatically (assuming its policies are properly set up).
ISE + Duo guide: https://community.cisco.com/t5/security-documents/duo-mfa-integration-with-ise-for-tacacs-device-administration/tac-p/3951156#M6538
NPS + Azure AD/Microsoft Authenticator guide: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
09-28-2021 09:57 AM
Thank you so much for the reply!
So, to confirm, I do NOT need to set up ISE? But to use DUO, ISE is a requirement?
If we do not have ISE, then my ONLY option is to set up "NPS with the Azure AD plug-in and Microsoft Authenticator"?
09-28-2021 10:35 AM
You're welcome.
Cisco ISE (with Cisco Duo - two separate products) or NPS (with Azure AD and Microsoft Authenticator - again separate products) are just the two most common examples I see being used.
You could probably come up with numerous other integrations to make it work, but you would be more on your own there.
For instance, FreeRADIUS and YubiKey seem to be a possibility, but the guide I found leaves a lot to be desired:
https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_1FA_via_PAM.html
09-28-2021 11:28 AM
Is there a document on how to configure a Cisco switch to authenticate using NPS?
What is the correct terminology for this implementation?
09-28-2021 12:05 PM
NPS is, generically speaking, a RADIUS server.
Here are a couple of step-by-step articles that supplement the one I provided earlier that was specific to MFA:
https://www.ciscozine.com/access-network-devices-radius/
https://www.ciscozine.com/manage-cisco-with-nps-radius/
09-29-2021 03:23 PM
When using the NPS extension, which authentication methods should I have enabled?
I keep getting access denied when trying to authenticate.
10-04-2021 08:53 PM
I got it working with Duo Auth Proxy and NPS. Thanks for your help.
What do I do with my local accounts on the switch? Can they be used for backup purposes? I tried logging in with a local account, but it seems to be trying to hit the RADIUS server and it just times out. It would be nice to have the local admin login as a backup option! How would I implement that feature?
10-04-2021 09:56 PM
Once you have a working RADIUS (or TACACS+) server first in your AAA method list, that option will always be tried first. As long as the server(s) are responding, the device will use it, even if the response is to deny access. Only when the defined server(s) do not respond at all will the device fall back to the local method (assuming you have it configured).
Otherwise one could completely circumvent the security afforded by RADIUS/TACACS+ with a central identity store (and MFA) by just using a local account. If that account is compromised then your entire security for device administration is also compromised.
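The method-list behaviour described in the answer above, shown as an IOS-XE configuration. This is an added example, not configuration posted by anyone in the thread or taken from the linked guides; the server address 192.0.2.10, the group and server names, the account name admin-backup, and the angle-bracket secrets are placeholders to replace with your own values.

```cisco
! Added example: RADIUS (NPS / Duo Auth Proxy) first, local fallback only on server timeout.
! Placeholders: 192.0.2.10, <shared-secret>, <strong-local-password>, NPS-RADIUS, MFA-SERVERS, admin-backup.
aaa new-model
!
! The RADIUS server the switch talks to (NPS, or the Duo Authentication Proxy in front of it).
! timeout/retransmit decide how long the switch waits before declaring the server unresponsive;
! keep the total short enough that an MFA push can still complete on the NPS side.
radius server NPS-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 timeout 5
 retransmit 2
!
aaa group server radius MFA-SERVERS
 server name NPS-RADIUS
!
! Method list: the RADIUS group is always tried first. "local" is consulted only when
! every server in the group fails to answer; an Access-Reject from RADIUS is final.
aaa authentication login default group MFA-SERVERS local
aaa authorization exec default group MFA-SERVERS local if-authenticated
!
! Break-glass local account. With the method list above it only works while RADIUS is unreachable,
! which is what keeps it from bypassing MFA.
username admin-backup privilege 15 secret <strong-local-password>
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! Optional design choice: give the physical console its own method list that uses local only,
! so out-of-band recovery does not depend on the network path to RADIUS.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! Checks from exec mode:
!   show aaa servers                                  (server state, timeouts, reject counters)
!   test aaa group MFA-SERVERS <user> <password> new-code   (end-to-end RADIUS test from the switch)
```

To confirm the fallback really is limited to outages, test three cases: a valid RADIUS user with MFA completes normally; a bad password or a rejected push yields a deny and the local account is not consulted; with the server unreachable (or the switch's route to it removed), the local account logs in after the RADIUS timeout expires. If the local account works while RADIUS is answering, the method list has `local` before the server group, which is the bypass the answer above warns about.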