
SSH to Cisco switch/router (with IOS <= 12.2) with Azure MFA

chad patterson
Level 1

I am interested in getting all of my Cisco routers and switches (with IOS <= 12.2) to use Azure MFA for SSH login. I do not want to use ASA or ISE or anything else like that. I would like to just authenticate them against a RADIUS or TACACS+ server, which will in turn authenticate against AD, for which I have enabled MFA via Azure AD. I expect to receive MFA prompts on my phone, then successfully log in to the switch.

  • Does it require any extra configuration on the Cisco switch, other than authenticating against RADIUS/TACACS+?
  • Do you have to configure NPS as a RADIUS proxy?
  • Is this possible without ISE?

I would be grateful if anybody could share the details of their experiences with MFA on SSH to Cisco routers/switches. Thanks

 

*I know I can use Google Authenticator and Azure MFA for Linux SSH, but it requires a client module. 

1 Reply

Francesco Molino
VIP Alumni
Hi
For MFA you can use different solutions like the one you said or Duo Security.

I'm not very familiar with Azure MFA, but between Google auth and Duo, if you need push, Duo is the way to go.

For both solutions you can have different configurations. For example, with Google auth you will keep a standard RADIUS config on your router and your RADIUS will communicate behind the scenes (no need to have a specific config).
For Duo, for simplicity, you can use a Duo VM acting as a proxy which will validate credentials against your AD and then push a text or popup to your phone that you need to validate. In terms of Cisco config, it stays like a "normal" RADIUS config referring to this Duo machine.

The final answer is yes, you can do MFA and configure your device with a standard config. The "magic" occurs behind the scenes and you don't need to have ISE for this.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
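
A sketch of the "normal" RADIUS config the reply above refers to, as an added example that is not part of either post and is not Cisco's or any MFA vendor's own configuration. It assumes SSH is already enabled on the device and that the MFA-capable RADIUS server or proxy listens on the standard ports; the address, secrets, account name, list name and vty range are placeholders.

```cisco
! Added example. 192.0.2.10, <SHARED-SECRET>, <LOCAL-ADMIN>, <LOCAL-SECRET>
! and the list name VTY-MFA are placeholders chosen for illustration.

aaa new-model

! Local account for when the RADIUS server does not respond.
! It is not covered by MFA, so give it a strong, unique secret.
username <LOCAL-ADMIN> privilege 15 secret <LOCAL-SECRET>

! Point the device at the RADIUS server or proxy that performs the MFA step.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>

! IOS defaults are a 5-second timeout and 3 retransmits. A push prompt has to
! be approved on a phone before the Access-Accept comes back, so allow more
! time and fewer resends while the user is still responding.
radius-server timeout 60
radius-server retransmit 1

! Named method list: RADIUS first, local only if the server is unreachable.
! An Access-Reject from RADIUS does NOT fall through to the local account.
aaa authentication login VTY-MFA group radius local

! Apply the list to the vty lines only, and allow SSH only.
! Adjust the range (for example 0 15) to match the lines on the device.
line vty 0 4
 login authentication VTY-MFA
 transport input ssh
```

Keep an existing console or SSH session open while testing, and confirm both a successful MFA login and a rejected one before closing it.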