cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6221
Views
0
Helpful
4
Replies

logging into switch with radius and duo mfa

nflnetwork
Level 1
Level 1

hello i have setup my cisco catalyst switch for radius login. (cat 93k)  this is working fine. however i am trying to get duo 2fa now to work.  i have installed duo authentication proxy on my radius server but I'm not getting any 2fa prompts from duo .

 

is it ok to have the duo proxy and the radius on the same windows VM?

 

Does anyone know why I might not be getting a duo 2fa prompts but radius is working . ?

 

 

thanks, 

 

1 Accepted Solution

Accepted Solutions

Chakshu Piplani
Cisco Employee
Cisco Employee

Your switch will send a Radius request to duo auth proxy, if both (proxy and radius server) are installed on the same machine either of them might get the request first, which can create a problem, I would suggest installing duo proxy on a separate machine/VM.

 

The flow should be like this Switch--> Radius--> Auth Proxy --> Radius ---> Radius Server --> Auth success response to Auth Proxy-->Auth proxy to Duo Cloud service--> Push to your phone

 

Make sure you have the right config on authproxy.cfg for duo authentication proxy.

[radius_client]
host=10.197.223.23 IP Address of the Radius server
secret=cisco123 Password on the Radius server to register the network device

The IP address of the Switch must be configured along with the RADIUS secret key.

[radius_server_auto]
ikey=xxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxxxx
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.197.223.76 IP Switch
radius_secret_1=cisco123 Radius secret key used on the Switch
failmode=safe
client=radius_client
port=1812
api_timeout=

 

Regards,

Chakshu

 

Do rate helpful posts!

View solution in original post

4 Replies 4

Chakshu Piplani
Cisco Employee
Cisco Employee

Your switch will send a Radius request to duo auth proxy, if both (proxy and radius server) are installed on the same machine either of them might get the request first, which can create a problem, I would suggest installing duo proxy on a separate machine/VM.

 

The flow should be like this Switch--> Radius--> Auth Proxy --> Radius ---> Radius Server --> Auth success response to Auth Proxy-->Auth proxy to Duo Cloud service--> Push to your phone

 

Make sure you have the right config on authproxy.cfg for duo authentication proxy.

[radius_client]
host=10.197.223.23 IP Address of the Radius server
secret=cisco123 Password on the Radius server to register the network device

The IP address of the Switch must be configured along with the RADIUS secret key.

[radius_server_auto]
ikey=xxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxxxx
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.197.223.76 IP Switch
radius_secret_1=cisco123 Radius secret key used on the Switch
failmode=safe
client=radius_client
port=1812
api_timeout=

 

Regards,

Chakshu

 

Do rate helpful posts!

Ember Norman
Level 1
Level 1

I understand this has been solved but wanted to add a few details of my experience for whomever might follow me in finding this thread.  My environment involves Cisco 2960s and 2960x switches 2fa using RADIUS proxy to Duo.  The pain points for me were properly configuring the Duo proxy and specifying the right port.  Below is my Duo proxy config note the user group "IT_Cisco_Admin" can only have users not groups (per Duo docs):

 

;[main]
;debug=true

; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

[cloud]
ikey=XXXXXXXXX
skey=XXXXXXXXX
api_host=XXXXXX.duosecurity.com
service_account_username=duomfa
service_account_password_protected=XXXXXXXX
search_dn=DC=ad,DC=company,DC=local


[ad_client]
host=1.2.3.4
host_2=2.3.4.5
service_account_username=duomfa
service_account_password_protected=XXXXXX
search_dn=DC=ad,DC=company,DC=local
security_group_dn=CN=IT_Cisco_Admin,DC=ad,DC=company,DC=local

[radius_server_auto]
ikey=XXXXXXXXX
skey=XXXXXXXXX
api_host=XXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/8
radius_secret_1=XXXXXXXX
client=ad_client
port=1645
failmode=safe

manvik
Level 3
Level 3

My question is where to enter passcode, if you do not have DUO push option. No smart phone.

I haven't tired it but you can usually enter <password>,<passcode> at the password prompt order to provide Duo the passcode via the authentication process.

This is known as append mode:

https://guide.duo.com/append-mode

Review Cisco Networking for a $25 gift card