SSH and ASDM Two Factor Authentication

thomas.talley
Level 1

We have a requirement to establish Two Factor Authentication (2FA) to manage all network devices. Seeking guidance/advice on connecting to a device via SSH and ASDM. VPN is not implemented. Our current environment includes a router, switch and ASA firewall. We currently are using Active Directory and Windows NPS to support RADIUS. The network devices are not allowed to have local user accounts, only a single emergency account. All users are sourced from Active Directory.

Any advice on the way forward to cost effective implementation of 2FA would be appreciated.

11 Replies

Marvin Rhoads
Hall of Fame

If the device (ASA or otherwise) is set up to use the Microsoft NPS server as its RADIUS server, all of the 2FA work happens on the NPS side.

There's nothing special you need to do with the ASA beyond telling it to authenticate and authorize the users via the RADIUS server.

What about if user accounts are on a TACACS (ISE) server for authentication?

In that case I don't believe it's currently supported.

Since Cisco recently acquired Duo, we may see additional 2FA features as those products get blended into the Cisco offerings, but that's all future work.

Thanks Marvin. Yes, I saw that Cisco acquired Duo and I hope that solutions come quicker given Duo's expertise in MFA. DoD mandated that MFA be completed last December, but you know how that goes. Must do, but no guidance on how to do it on a closed network that doesn't see the cloud.

Thanks and much appreciated.

In a press release on the Duo purchase it states: "Duo is the leading provider of unified access security and multi-factor authentication delivered through the cloud". It would not seem to be an option for a closed network.

My initial question is in support of a DoD environment with an expectation that the 2FA leverage CAC/Token/Smartcard. The only solution I have been able to obtain from DoD is RSA SecurID. But the cost of that solution would be almost the same as the cost of the three devices being managed. It does not seem to be a cost-effective solution for our situation.

Thomas,

You're right that Duo uses the cloud for 2FA; however, Cisco has a need to provide 2FA (CAC/Smartcard) support to the DoD as a whole, which has network devices not only on Classified (closed) networks but on the Unclassified network. A question to ask in terms of the Unclassified network is: does DoD want to have 2FA account information in the cloud? RSA SecurID would not necessarily work in our small environment since I believe that to use RSA SecurID we would require the purchase of an RSA server and token. Too much cost just for one or two users in our unique program. Therefore, I am looking at vendors that can provide a standalone solution that either uses an account on a TACACS server or AD regardless of the IOS that is currently on the network devices. The ASDM UI for the ASA is just one of those things that doesn't take 2FA into account.

RADIUS configuration seems not to be enough; this configuration works fine for SSH, but with ASDM there are some problems: a lot of pushes were continuously prompted from Duo on the Duo app ... so it doesn't work.

When the external identity source used by RADIUS is set up with MFA, we typically adjust the timeout to something like 1-2 minutes so that the end user has time to confirm their login using the configured MFA solution.
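Putting the two points above together (the ASA only has to send SSH and ASDM logins to the RADIUS server, and the RADIUS timeout must be long enough for the MFA approval), here is an added example of the ASA-side configuration. It is not from this thread or from Cisco's documentation; the server group name, addresses, interface name and shared secret are placeholders, and the exact command set should be checked against the ASA release in use.

```cisco
! Added example (not from the thread): ASA sending SSH and ASDM logins to an
! NPS RADIUS server that performs the MFA step. Names, addresses and the key
! are placeholders; confirm each command against your ASA release.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 ! Default is 10 seconds. If the ASA gives up and re-sends the request before
 ! the user has approved the MFA prompt, every retransmission reaches NPS as a
 ! new Access-Request and can generate another prompt. Raise it to the 1-2
 ! minutes suggested above.
 timeout 60
!
! Send SSH and ASDM (HTTPS) logins to RADIUS. LOCAL is only consulted when the
! RADIUS server is unreachable, so the single emergency account keeps working
! without becoming a bypass for a failed MFA login.
aaa authentication ssh console NPS-RADIUS LOCAL
aaa authentication http console NPS-RADIUS LOCAL
aaa authentication enable console NPS-RADIUS LOCAL
! Take the privilege level from the RADIUS reply rather than local config.
aaa authorization exec authentication-server
!
! Restrict where management sessions may originate from (a single /32 here),
! so the MFA-protected login is only reachable from the management station.
ssh 10.0.0.10 255.255.255.255 inside
http server enable
http 10.0.0.10 255.255.255.255 inside
```

The NPS side (the RADIUS client entry for the ASA and the policy that invokes the MFA provider) is assumed to be in place and is not shown here.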

oeortiz01
Level 1

Hello!!

I implemented NPS as a RADIUS Identity Server (external Identity Store) on Cisco ACS 5.8. I think that this is possible in ISE v2 too.

Regards

FYSA, here is another nice-to-know 2-factor solution involving ISE: https://www.pragmasys.com/products/support/cisco-2-factor
Older doc, but works with 9k devices too. HTH!

Kombi
Level 1

If you place an ACL on the switches and limit the IP to /32 on the firewall, could you implement MFA on the station to get in compliance till Cisco catches up to what the regulations are requesting?
