04-12-2018 09:49 AM - edited 02-21-2020 07:37 AM
We have a requirement to establish Two Factor Authentication (2FA) to manage all network devices. Seeking guidance/advice on connecting to a device via SSH and ASDM. VPN is not implemented. Our current environment includes a router, switch and ASA firewall. We currently are using Active Directory and Windows NPS to support RADIUS. The network devices are not allowed to have local user accounts, only a single emergency account. All users are sourced from Active Directory.
Any advice on the way forward to cost effective implementation of 2FA would be appreciated.
04-13-2018 04:08 AM
If the device (ASA or otherwise) is setup to use the Microsoft NPS server as its RADIUS server, all of the 2FA work happens on the NPS side.
There's nothing special you need to do with the ASA beyond telling it to authenticate and authorize the users via the RADIUS server.
10-15-2018 04:21 PM
What about if user accounts are on a TACACS (ISE) server for authentication?
10-15-2018 08:24 PM
In that case I don't believe it's currently supported.
Since Cisco recently acquired Duo, we may see additional 2FA features as those products get blended into the Cisco offerings but that's all future work.
10-16-2018 10:04 AM
Thanks Marvin. Yes I saw that Cisco acquired Duo and I hope that solutions come quicker given Duo's expertise in MFA. DoD mandated that MFA be completed last December, but you know how that goes. Must do, but no guidance on how to do it on a closed network that doesn't see the cloud.
Thanks and much appreciated.
10-16-2018 10:12 AM - edited 10-16-2018 10:19 AM
In a press release on the Duo purchase it states: "Duo is the leading provider of unified access security and multi-factor authentication delivered through the cloud". It would not seem to be an option for a closed network.
My initial question is in support of a DoD environment with an expectation that the 2FA leverage CAC/Token/Smartcard. The only solution I have been able to obtain from DoD is RSA SecurID. But the cost of that solution would be almost the same as the cost of the three devices being managed. It does not seem to be a cost effective solution for our situation.
10-16-2018 10:37 AM
Thomas,
You're right that Duo uses the cloud for 2FA; however, Cisco has a need to provide 2FA (CAC/Smartcard) support to the DoD as a whole, who have network devices not only on Classified (closed) networks but on the Unclassified network. A question to ask, in terms of the Unclassified network, is: does DoD want to have 2FA account information in the cloud? RSA SecurID would not necessarily work in our small environment since I believe that to use RSA SecurID we would require the purchase of an RSA server and token. Too much cost just for one or two users in our unique program. Therefore, I am looking at vendors that can provide a standalone solution that either uses an account on a TACACS server or AD regardless of the IOS that is currently on the network devices. The ASDM UI for the ASA is just one of those things that doesn't take 2FA into account.
12-18-2023 06:00 AM
RADIUS configuration seems not enough. This configuration works fine for SSH, but with ASDM there are some problems: a lot of continuous pushes were prompted from Duo on the Duo app ... so it doesn't work.
12-18-2023 06:12 AM
When the external identity source used by RADIUS is setup with MFA, we typically adjust the timeout to something like 1-2 minutes so that the end user has time to confirm their login using the configured MFA solution.
03-02-2020 08:22 AM
Hello!!
I implemented NPS as a RADIUS Identity Server (external Identity Store) on Cisco ACS 5.8. I think that this is possible in ISE v2 too.
Regards
03-02-2020 09:30 AM
09-01-2022 04:13 PM
If you place an ACL on the switches and limit the IP to a /32 on the firewall, could you implement MFA on the station to get in compliance till Cisco catches up to what regulations are requesting?
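To tie the advice in this thread together (device points its AAA at the NPS RADIUS server, RADIUS timeout raised to roughly a minute so the MFA approval can complete, a single local emergency account, and management access restricted to one admin station), here is a constructed ASA configuration fragment. It is an added example, not configuration posted by anyone in this thread or taken from Cisco or Duo documentation; the server name NPS-RADIUS, the addresses 10.0.0.5 (NPS) and 10.0.0.10 (admin station), the interface name inside, the account name break-glass and the placeholder secrets are all assumptions to be replaced.

```cisco
! Constructed example (not from any post in this thread): ASA management AAA
! against Windows NPS as the RADIUS server. Names, addresses and secrets are
! placeholders.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 ! Default is 10 seconds; raise it so the user has time to approve the MFA
 ! prompt before the ASA gives up on the RADIUS request (1-2 minutes per the
 ! reply above).
 timeout 60
!
! SSH, ASDM (HTTPS) and enable logins go to NPS; LOCAL is consulted only when
! the RADIUS server is unreachable, so the emergency account cannot bypass MFA
! while NPS is up.
aaa authentication ssh console NPS-RADIUS LOCAL
aaa authentication http console NPS-RADIUS LOCAL
aaa authentication enable console NPS-RADIUS LOCAL
aaa authorization exec authentication-server
!
! The single emergency local account the original question allows for.
username break-glass password REPLACE-WITH-STRONG-PASSWORD privilege 15
!
! Restrict management sessions to one admin station (/32), matching the
! hardened-workstation suggestion in the last reply.
http server enable
http 10.0.0.10 255.255.255.255 inside
ssh 10.0.0.10 255.255.255.255 inside
```

The `timeout` value lives under the RADIUS host entry, not the protocol group, and applies per request; the MFA approval window on the NPS side must also be at least that long, otherwise the ASA will still time out and retry, which is one way to end up with the repeated push prompts described above.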