223 Views | 1 Helpful | 1 Reply

Cisco Switch login behavior with ISE, TACACS+ and DUO for MFA

mike.gusway
Level 1

Hello,

I'm working on getting our 3850 and 9000 series switches changed over to TACACS+ authentication using ISE 3.1 and DUO for MFA. I followed this article:

Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community

It's working, but when I SSH to a switch and put in my credentials, I only have a few seconds before the switch logon says

End of keyboard-interactive prompts from server
Access denied

If I have my mobile device in my hand and immediately click on the DUO push, it lets me in. If I take a couple of seconds to pick up my device, unlock the screen, and accept the DUO push, the logon has already timed out on the switch. ISE and DUO logs show the successful authentication and authorization, but the switch still sits at the Password: prompt. If I put my password in again and immediately accept the DUO push, I can get in.

How can we adjust this login timeout period to give us a more reasonable time frame, say 10-20 seconds instead of 5, to accept the DUO push?

Thanks,

-Mike

Accepted Solution

mike.gusway
Level 1

Answering my own question here in case someone else runs into the same issue.

If I ran 

test aaa group tacacs+ username password legacy

I would get the DUO push on my phone and the switch would say no response received from tacacs server if I waited 5 seconds. If I accepted the DUO push immediately, the test would successfully authenticate.

On the 3850 I was testing with, there was a default "tacacs-server timeout 5" that does not show up in running-config unless you show running-config all. I set that value to 30 and now it is behaving as expected.
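As an added example (not part of Mike's post and not a Cisco tool), here is a small Python checker that applies the point above to a batch of switch configurations: it parses the tacacs-server timeout line out of running-config text, treats its absence as the hidden default of 5 seconds the post describes, and flags switches whose wait is shorter than an assumed MFA push budget. The sample configs, hostnames and the 192.0.2.10 server address are constructed; the 20-second target is an assumption taken from the range asked for in the question, and the audit() and mfa_push_budget_ok() names are the example's own.

```python
import re

# Platform default applied when no "tacacs-server timeout" line is configured.
# Per the post above, it is only visible in "show running-config all".
DEFAULT_TACACS_TIMEOUT = 5

# Constructed sample: plain "show running-config" of a switch still on the default.
SAMPLE_DEFAULT_CONFIG = """\
hostname sw-lab-01
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key 7 00000000000000
line vty 0 4
 transport input ssh
"""

# Constructed sample: a second switch after applying the fix from the post.
SAMPLE_FIXED_CONFIG = """\
hostname sw-lab-02
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server timeout 30
tacacs-server key 7 00000000000000
line vty 0 4
 transport input ssh
"""

_HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)", re.MULTILINE)
_TIMEOUT_RE = re.compile(r"^tacacs-server timeout\s+(\d+)\s*$", re.MULTILINE)


def tacacs_timeout(config_text):
    """Return (timeout_seconds, explicit).

    explicit is False when no timeout line is present, in which case the
    switch is silently using DEFAULT_TACACS_TIMEOUT.
    """
    match = _TIMEOUT_RE.search(config_text)
    if match is None:
        return DEFAULT_TACACS_TIMEOUT, False
    return int(match.group(1)), True


def mfa_push_budget_ok(config_text, required_seconds=20):
    """True if the switch waits at least required_seconds for the TACACS+ reply.

    required_seconds is an assumed operational target: long enough for a user
    to pick up a phone, unlock it and approve a push before the switch gives up.
    """
    timeout, _ = tacacs_timeout(config_text)
    return timeout >= required_seconds


def audit(configs, required_seconds=20):
    """Return one finding string per switch that fails the check.

    configs is an iterable of running-config texts (one per device).
    """
    findings = []
    for text in configs:
        host_match = _HOSTNAME_RE.search(text)
        host = host_match.group(1) if host_match else "<unknown-host>"
        timeout, explicit = tacacs_timeout(text)
        if timeout < required_seconds:
            source = "configured" if explicit else "hidden default"
            findings.append(
                f"{host}: tacacs-server timeout {timeout}s ({source}) "
                f"< {required_seconds}s MFA push budget"
            )
    return findings


if __name__ == "__main__":
    for finding in audit([SAMPLE_DEFAULT_CONFIG, SAMPLE_FIXED_CONFIG]):
        print(finding)
```

Feed it the plain show running-config output you already collect for backups; because the default never appears there, config-diff or compliance tooling that only looks for changed lines will not notice that a switch is still on 5 seconds, which is exactly why the check treats a missing line as a finding rather than as "nothing configured".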
