DUO and IOS 2FA

nflnetwork · ‎09-28-2021

How do you setup 2FA on Cisco IOS devices (Cat 9300) using DUO? Is there any setup guides available with step-by-step instructions ?

Marvin Rhoads · ‎09-28-2021

You can't do it directly. Instead, use a TACACS+ or RADIUS AAA server that in turn uses MFA/2FA. For instance, Cisco ISE or Microsoft NPS. (I've done it with both of these - ISE with Duo Security and NPS with the Azure AD plug-in and Microsoft Authenticator.)

Once your AAA server is setup with MFA (both my examples have some how to guides - see below), the IOS or other network device that uses that AAA server will get the MFA automatically (assuming its policies are properly setup).

ISE + Duo guide: https://community.cisco.com/t5/security-documents/duo-mfa-integration-with-ise-for-tacacs-device-administration/tac-p/3951156#M6538

NPS + Azure AD/Microsoft Authenticator guide: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

nflnetwork · ‎09-28-2021

@Marvin Rhoads

Thank you so much for the reply!

So to confirm I do NOT require to setup ISE? But to use DUO ISE is a requirement?

If we do not have ISE then my ONLY option is to setup "NPS with the Azure AD plug-in and Microsoft Authenticator"?

Marvin Rhoads · ‎09-28-2021

You're welcome.

Cisco ISE (with Cisco Duo - two separate products) or NPS (with Azure AD and Microsoft Authenticator - again separate products) are just two most common examples I see being used.

You could probably come up with numerous other integrations to make it work but would be more on your own there.

For instance Free RADIUS and yubikey seems to be a possibility but the guide I found leaves a lot to be desired:

https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_1FA_via_PAM.html

nflnetwork · ‎09-28-2021

@Marvin Rhoads

Is there a document on how to configure a Cisco switch to authenticate using NPS?

What is the correct terminology for this implementation?

Marvin Rhoads · ‎09-28-2021

NPS is, generically speaking, a RADIUS server.

Here are a couple of step-by-step articles that supplement the one I provided earlier that was specific to MFA:

https://www.ciscozine.com/access-network-devices-radius/

https://www.ciscozine.com/manage-cisco-with-nps-radius/

nflnetwork · ‎09-29-2021

when using the NPS extension which authentication methods should i have enabled .

I keep getting access denied when trying to authenticate .

nflnetwork · ‎10-04-2021

i got it working with duo auth proxy and NPS . thanks for your help.

What do i do with my local accounts on the switch Can they be used for backup purpose? i tried logging in with a local account but it seems to be trying to hit the RADIUS server and it just times out . I t would be nice to have the local admin login as a backup option! how would i implement that feature?

Marvin Rhoads · ‎10-04-2021

Once you have a working RADIUS (or TACACS+) server first in your aaa method list, that option will always be tried first. As long as the server(s) is responding, the device will use it, even if the response is to deny access. Only when the defined server(s) do not respond at all will the device fall back to the local method (assuming you have it configured).

Otherwise one could completely circumvent the security afforded by RADIUS/TACACS+ with a central identity store (and MFA) by just using a local account. If that account is compromised then your entire security for device administration is also compromised.