nflnetwork
Beginner

Logging into switch with RADIUS and Duo MFA

Hello, I have set up my Cisco Catalyst switch for RADIUS login (Cat 93k). This is working fine. However, I am now trying to get Duo 2FA to work. I have installed the Duo Authentication Proxy on my RADIUS server, but I'm not getting any 2FA prompts from Duo.

Is it OK to have the Duo proxy and the RADIUS on the same Windows VM?

Does anyone know why I might not be getting Duo 2FA prompts but RADIUS is working?

Thanks,

 

1 ACCEPTED SOLUTION

Chakshu Piplani
Cisco Employee

Your switch will send a RADIUS request to the Duo Auth Proxy. If both (proxy and RADIUS server) are installed on the same machine, either of them might get the request first, which can create a problem. I would suggest installing the Duo proxy on a separate machine/VM.

The flow should be like this: Switch --> Radius --> Auth Proxy --> Radius --> Radius Server --> Auth success response to Auth Proxy --> Auth Proxy to Duo Cloud service --> Push to your phone

Make sure you have the right config in authproxy.cfg for the Duo Authentication Proxy.

[radius_client]
; IP address of the RADIUS server
host=10.197.223.23
; Password on the RADIUS server to register the network device
secret=cisco123

The IP address of the Switch must be configured along with the RADIUS secret key.

[radius_server_auto]
ikey=xxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxxxx
api_host=api-xxxxxxxx.duosecurity.com
; IP address of the switch
radius_ip_1=10.197.223.76
; RADIUS secret key used on the switch
radius_secret_1=cisco123
failmode=safe
client=radius_client
port=1812
api_timeout=

 

Regards,

Chakshu

 

Do rate helpful posts!
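
An added example, not part of the original answer and not Duo's own tooling: a small Python lint for the authproxy.cfg layout discussed in this thread. It flags explanatory text left after a value on an address line, a client= reference with no matching section, and the co-located case where the proxy listens on the same port as a RADIUS server on the same machine. The function name, the proxy_ips and backend_port parameters, the IPv4-only address check, and the sample text are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: a config with notes typed after the values.
SAMPLE = """\
[radius_client]
host=10.197.223.23 IP Address of the Radius server
secret=cisco123

[radius_server_auto]
ikey=xxxxxxxxxxxxxxx
radius_ip_1=10.197.223.76 IP Switch
radius_secret_1=cisco123
client=radius_client
port=1812
"""

IP_KEY = re.compile(r"^(host(_\d+)?|radius_ip_\d+)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")  # address or CIDR

def lint_authproxy(text, proxy_ips=(), backend_port=1812):
    """Return a list of findings for an authproxy.cfg passed as a string.

    proxy_ips: addresses of the machine running the proxy (assumed input).
    backend_port: UDP port the RADIUS server listens on (assumed 1812).
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            # Text after the address is parsed as part of the value.
            if IP_KEY.match(key) and not IPV4.match(value.strip()):
                findings.append(f"[{section}] {key}: not a bare IP: {value!r}")
    for section in cfg.sections():
        if not section.startswith("radius_server"):
            continue
        client = cfg.get(section, "client", fallback="")
        if client not in cfg:
            findings.append(f"[{section}] client={client!r} has no matching section")
            continue
        host = cfg.get(client, "host", fallback="").split(" ")[0]
        port = cfg.get(section, "port", fallback="1812").strip()
        # Same machine and same UDP port: either service may get the request.
        if host in proxy_ips and port == str(backend_port):
            findings.append(f"[{section}] port {port} collides with RADIUS server on {host}")
    return findings
```
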
