
Does Duo MFA support other brand network management?

Does Duo MFA support integration with other brands' network management, such as FortiGate management, Juniper switch management, and Ruckus switch management? Is there a guide for that?

5 Replies

Yes

Anything that uses LDAP or RADIUS can ask the Duo Authentication Proxy to authenticate a user. The proxy can check against LDAP or another RADIUS server whether the password is good and then send the push verification.

It's all here:
https://duo.com/docs


But what if the network devices don't have RADIUS or a RADIUS server? We only use local accounts.

Also, what could be the guide and requirements needed if we are going to protect the SSH access of the network device management aside from the GUI? When it comes to GUI, is there a requirement for that?

Do you have AD?
Duo Auth Proxy can serve RADIUS for your hardware and use AD for the passwords.

On most hardware that would cover all logins, GUI and SSH.


We have on-prem AD, and we have already set up the auth proxy in my environment. 

If you think about how the authentication flow works, you'll come down to a few different options:

If you're logging into network equipment using local users on that equipment, then the equipment needs built-in support for an additional 2FA/MFA factor in order to attach any kind of MFA to the authentication process.
This is almost never the case; rare exceptions apply.

In order to involve an external MFA solution like Duo, you need to be able to ask an external source.

Technically speaking, you could get creative with local users and an external authorization flow, but the most common setup is to have a centralized identity store (for example, AD) and authenticate to it via RADIUS or LDAP(S).

For GUI authentication only, you could also use SAML and Duo SSO.

So typically you would use RADIUS or LDAP from the switch or firewall to the Duo auth proxy, authenticate against something (AD), and if that authentication succeeds, an additional factor (Duo Push) is applied.

One thing to keep in mind is to extend the authentication timeout to allow the end-user/admin to go through the MFA process.

So to answer your initial question, you can use Duo for practically anything and any vendor, as long as your authentication process involves RADIUS, LDAP, or SAML.


On a practical note, however, you could also base your design on a trusted bastion/jump host, with MFA towards that host but not from the host to the network equipment.
In the environments I've seen implementing MFA directly towards management on network equipment, it often ends up with multiple exceptions because of automation, script usage, or other use cases, creating a false sense of security around MFA usage on network management.
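The flow the replies above describe (network device speaks RADIUS to the Duo Authentication Proxy, the proxy verifies the password against on-prem AD, then sends a Duo Push) maps onto two sections of the proxy's authproxy.cfg. The configuration below is an added example written for this thread, not a file from Duo's documentation or from any poster; the hostnames, IP addresses, DN values and the `REPLACE_WITH_*` placeholders are assumptions to be substituted with your own, and the Duo integration key, secret key and API hostname come from the "Partner Auth API" (Authentication Proxy) application you create in the Duo Admin Panel.

```ini
; authproxy.cfg (added example; all values below are constructed placeholders)

; --- Primary authentication: check the password against on-prem AD ---
[ad_client]
host=dc1.example.internal
host_2=dc2.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; Limit which accounts may even attempt to log in through this proxy
; (assumed group name; only members of this AD group are accepted)
security_group_dn=CN=Network Admins,OU=Groups,DC=example,DC=internal

; --- RADIUS listener that the switches/firewalls point at ---
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; "client" names the section above that performs primary authentication
client=ad_client
; One radius_ip_N / radius_secret_N pair per network device (or per
; management subnet); each device must use the matching shared secret
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_WITH_SHARED_SECRET_FOR_FIREWALL
radius_ip_2=10.0.1.0/24
radius_secret_2=REPLACE_WITH_SHARED_SECRET_FOR_SWITCHES
; secure = deny logins if the Duo cloud service is unreachable;
; safe = allow password-only logins in that case
failmode=secure
port=1812
```

With `radius_server_auto`, the proxy automatically sends a push (or phone call) once AD accepts the password, which is why the device's RADIUS timeout matters: the Access-Request stays outstanding until the user approves the push, so the timeout on the switch or firewall must be long enough (tens of seconds rather than the common 5-second default) or the device will give up before the second factor completes. `failmode=secure` is the stricter choice for a management plane, but it also means a Duo outage locks out RADIUS logins, so keep a separately protected local break-glass account rather than falling back to password-only everywhere.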
