10-03-2021 08:31 AM
Hello, I have set up my Cisco Catalyst switch for RADIUS login (Cat 93k). This is working fine. However, I am now trying to get Duo 2FA to work. I have installed the Duo Authentication Proxy on my RADIUS server, but I'm not getting any 2FA prompts from Duo.
Is it OK to have the Duo proxy and the RADIUS server on the same Windows VM?
Does anyone know why I might not be getting Duo 2FA prompts while RADIUS is working?
Thanks,
10-03-2021 08:56 AM - edited 10-03-2021 09:01 AM
Your switch will send a RADIUS request to the Duo Auth Proxy. If both (proxy and RADIUS server) are installed on the same machine, either of them might get the request first, which can create a problem, so I would suggest installing the Duo proxy on a separate machine/VM.
The flow should be like this: Switch --> RADIUS --> Auth Proxy --> RADIUS --> RADIUS Server --> Auth success response to Auth Proxy --> Auth Proxy to Duo Cloud service --> Push to your phone
Make sure you have the right config in authproxy.cfg for the Duo Authentication Proxy.
[radius_client]
; IP address of the RADIUS server
host=10.197.223.23
; password on the RADIUS server used to register the network device
secret=cisco123
The IP address of the switch must be configured along with the RADIUS secret key:
[radius_server_auto]
ikey=xxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxxxx
api_host=api-xxxxxxxx.duosecurity.com
; IP address of the switch
radius_ip_1=10.197.223.76
; RADIUS secret key used on the switch
radius_secret_1=cisco123
failmode=safe
client=radius_client
port=1812
api_timeout=
Regards,
Chakshu
Do rate helpful posts!
12-10-2021 06:41 AM
I understand this has been solved, but I wanted to add a few details of my experience for whoever might follow me in finding this thread. My environment involves Cisco 2960S and 2960X switches doing 2FA using the RADIUS proxy to Duo. The pain points for me were properly configuring the Duo proxy and specifying the right port. Below is my Duo proxy config; note the user group "IT_Cisco_Admin" can only have users, not groups (per Duo docs):
;[main]
;debug=true
; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])
[cloud]
ikey=XXXXXXXXX
skey=XXXXXXXXX
api_host=XXXXXX.duosecurity.com
service_account_username=duomfa
service_account_password_protected=XXXXXXXX
search_dn=DC=ad,DC=company,DC=local
[ad_client]
host=1.2.3.4
host_2=2.3.4.5
service_account_username=duomfa
service_account_password_protected=XXXXXX
search_dn=DC=ad,DC=company,DC=local
security_group_dn=CN=IT_Cisco_Admin,DC=ad,DC=company,DC=local
[radius_server_auto]
ikey=XXXXXXXXX
skey=XXXXXXXXX
api_host=XXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/8
radius_secret_1=XXXXXXXX
client=ad_client
port=1645
failmode=safe
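The two configs posted in this thread (the accepted answer's radius_client layout and the ad_client layout above) share the same failure modes: a redacted placeholder left in place, a radius_ip_N without its radius_secret_N, a client= that names a section that does not exist, and, for the original poster's setup, an upstream RADIUS server that is the proxy host itself on the proxy's own listen port. The following checker is an added example, not code from the thread or from Duo; the section and key names come from the posts, the default of 1812 for both the proxy listen port and the radius_client upstream port is an assumption from the Duo documentation, and the sample configs are constructed with made-up values.

```python
"""Sanity-check a Duo Authentication Proxy authproxy.cfg before deploying it.

Added example, not code from the thread or from Duo. Section and key names
follow the configs posted in the thread; the 1812 default for both ports is
an assumption taken from Duo's documentation.
"""
import configparser
import ipaddress
import re


def _is_placeholder(value):
    """True for empty values and for the thread's redaction style (xxxx / XXXX)."""
    v = value.strip()
    return v == "" or re.fullmatch(r"[xX]+", v) is not None


def check_authproxy_cfg(text, proxy_addresses=("127.0.0.1", "localhost")):
    """Return a list of findings; an empty list means nothing was flagged.

    proxy_addresses: addresses under which the proxy host itself is reachable,
    used to spot the same-VM port collision described in the accepted answer.
    """
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []

    if "radius_server_auto" not in cp:
        return ["missing [radius_server_auto] section"]
    srv = cp["radius_server_auto"]

    # Duo API credentials must be filled in, not left as redacted placeholders.
    for key in ("ikey", "skey", "api_host"):
        if _is_placeholder(srv.get(key, "")):
            findings.append(f"radius_server_auto: {key} is missing or still a placeholder")

    # Each radius_ip_N (address or CIDR of a NAS) needs a matching radius_secret_N.
    for key in sorted(k for k in srv if k.startswith("radius_ip_")):
        n = key[len("radius_ip_"):]
        try:
            ipaddress.ip_network(srv[key], strict=False)
        except ValueError:
            findings.append(f"radius_server_auto: {key}={srv[key]} is not a valid IP address or CIDR")
        if _is_placeholder(srv.get(f"radius_secret_{n}", "")):
            findings.append(f"radius_server_auto: radius_secret_{n} missing for {key}")

    # client= must point at a configured client section.
    client = srv.get("client", "")
    if client not in cp:
        findings.append(f"radius_server_auto: client={client!r} does not name a configured section")
    elif client.startswith("radius_client"):
        rc = cp[client]
        for key in ("host", "secret"):
            if _is_placeholder(rc.get(key, "")):
                findings.append(f"{client}: {key} is missing or still a placeholder")
        # Same-host collision: the proxy listens on `port` and forwards to host:port
        # of the upstream RADIUS server; if those are the same socket, one of them loses.
        listen = srv.get("port", "1812")      # assumed default
        upstream = rc.get("port", "1812")     # assumed default
        if rc.get("host", "") in proxy_addresses and listen == upstream:
            findings.append(
                f"{client}: upstream RADIUS server {rc['host']}:{upstream} is the proxy host "
                f"on the proxy's own listen port {listen}; move one of them to another host or port"
            )
    return findings


# Constructed configs modelled on the two posted in the thread (all values are made up).
SAME_HOST_CFG = """\
[radius_client]
host=10.197.223.23
secret=cisco123

[radius_server_auto]
ikey=DIEXAMPLEEXAMPLEEXAM
skey=exampleexampleexampleexampleexampleexam
api_host=api-example.duosecurity.com
radius_ip_1=10.197.223.76
radius_secret_1=cisco123
failmode=safe
client=radius_client
port=1812
api_timeout=
"""

AD_CFG = """\
[ad_client]
host=1.2.3.4
host_2=2.3.4.5
service_account_username=duomfa
service_account_password_protected=XXXXXX
search_dn=DC=ad,DC=company,DC=local
security_group_dn=CN=IT_Cisco_Admin,DC=ad,DC=company,DC=local

[radius_server_auto]
ikey=DIEXAMPLEEXAMPLEEXAM
skey=exampleexampleexampleexampleexampleexam
api_host=api-example.duosecurity.com
radius_ip_1=10.0.0.0/8
radius_secret_1=XXXXXXXX
client=ad_clent
port=1645
failmode=safe
"""

if __name__ == "__main__":
    # Proxy and RADIUS server on the same VM, as in the original question.
    for line in check_authproxy_cfg(SAME_HOST_CFG, proxy_addresses=("10.197.223.23",)):
        print("same-host:", line)
    for line in check_authproxy_cfg(AD_CFG):
        print("ad:", line)
```

Run it against a copy of authproxy.cfg and pass the proxy VM's own addresses in proxy_addresses; a clean run prints nothing, and each finding names the section and key to fix.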
04-29-2022 06:50 AM
My question is where to enter the passcode if you do not have the Duo Push option (no smartphone).
04-29-2022 09:07 AM - edited 04-29-2022 09:08 AM
I haven't tried it, but you can usually enter <password>,<passcode> at the password prompt in order to provide Duo the passcode via the authentication process.
This is known as append mode: