ACS TACACS 2 factor authentication

danhamil
Cisco Employee

Can we do 2 factor authentication for TACACS authentication using ACS?

 

If I have ACS integrated with Symantec VIP to do 2 factor auth for remote access vpn connections, can I enable same 2 factor authentication to authenticate my SSH sessions to ASAs, routers, switches, etc…

I have not been able to find any documentation on this so any info would be appreciated

1 Accepted Solution

kthiruve
Cisco Employee

Hi Dan,

Please see the two factor authentication community site for all the information related to 2FA.

ACS or ISE is transparent to what is sent and uses RSA Secure ID and Radius Token as the ID store for two factor.  2FA means what a user knows and what a user has and not authorization. If you want authorization then you can still use AD groups but that is not two factor.

I have documented what we have for ISE. Most of these are applicable for ACS except for the ones that use SAML such as Azure. ACS supports 2FA strictly using the above methods.

You can use any client as long as it supports one of the methods mentioned.

OTP caching is supported in ISE 2.2:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html

Thanks

Krishnan

11 Replies

kthiruve
Cisco Employee

Hi Dan,

Please see the solution for ISE on and off campus for two factor authentication (2FA).

The off-campus solution for VPN for ISE will work with ACS also.

Two Factor Authentication on ISE – 2FA on ISE

ACS supports RSA and Radius token for 2FA as does ISE. Integration should work similar.

Hope this helps.

Thanks

Krishnan

Hi Krishnan,

I understand 2FA works for VPN.  That is set up and working already.  I want to know if I can use ACS to do 2FA with TACACS to authenticate an SSH session to a router, switch, ASA, etc. for device administration.

Thanks

-Dan

Hi Dan,

In the link above there is a reference for 2FA for device administration in 'On campus' that works for ACS as well.

Here is the direct link for reference to that

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-7…

2FA behind VPN depends on what is supported via VPN. ACS is just a RADIUS server for VPN that processes a second factor.

ACS supports RSA Secure ID token and RADIUS ID server out of the box for two factor authentication.

User Guide for Cisco Secure Access Control System 5.3 - Managing Users and Identity Stores [Cisco Secure Access Control …

Thanks

Krishnan

Hey Krishnan,

Thanks for the clarification and direct pointer.  A couple of follow-on questions.

When reading that document, it looks like it requires a particular SSH client (Pragma Fortress CL SSH Client) and it is using certs for initial authentication pulling the username from the cert and then using DoD CAC or PIV card for 2nd factor. And it looks like the cert is for authentication and the 2FA is tied to authorization.

Would we need to use the Pragma Fortress CL SSH client for this to work or can any generic SSH client work for this? i.e. Putty? Linux client, etc....

Can this also be done using AD username/password credentials for first factor tacacs authentication and Symantec VIP for 2nd factor?

And would the 2nd factor really be for authorization and not authentication? i.e. First factor tacacs authentication using AD username/password and 2nd factor is Symantec VIP RSA command authorization where the PIN would be entered when issuing a command?  And if so, is the PIN cached or would they have to input the PIN every time they issue a command?

Thanks,

-Dan

Hi Krishnan,

Thanks for the information.  Do you have a copy of the PDF that you mention?  The link comes back as "Page cannot be found".

I am interested in this because we are using Duo for 2FA.  Today, we use ACS for TACACS authentication but we have a project budgeted to move to ISE this year.  Our security team wants us to continue to use TACACS but then would like us to have 2FA as well for device administration.

Hi Charlie,

Done, please see the updated link in the community site.

I have added a link to the dcloud training as well if you have access to it.

Thanks

Krishnan

Did you ever get this working?  I'm curious, as I am trying to do a similar setup with TACACS through ACS 5.6 already configured for AD primary authentication and need to enable 2FA with a Duo proxy server.  All the links here, and the Cisco documentation is cryptic at best on how to configure ACS to accomplish this, and the replies in the community here all seem to be geared towards Network Access as opposed to Device Administrative logins.

Thanks,

Matt

Hi Matthew,

See if this can help you

ISE 2.1 with Duo 2 Factor

Here are a couple of links to duo docs

https://community.duo.com/t/how-to-use-duo-with-cisco-tacacs/446

https://duo.com/docs/radius

Thanks

Krishnan

Unfortunately those docs do not help me...  I've already reviewed the docs from Duo themselves including both links you provided, but while the first link shows that you can have 2 different mechanisms for Duo 2FA with ACS, it does not cover HOW to implement either within ACS.  Specifically, I'm trying to accomplish the second version where ACS does direct AD authentication to its configured AD servers, then reaches out to the Duo Radius_only server for the 2FA portion.

Your link to ISE 2.1 with Duo 2FA doesn't help me either.  First, it's for ISE, not ACS, and second, that community thread only covers the auth setup where Duo is used for both LDAP/AD as well as 2FA.  Again, this does not cover the setup I am trying to deploy.

I know how to configure the Duo side of this, but I need to know how to set up ACS v5.6 to continue using my already configured AD servers for authentication, and just simply add the Duo Proxy radius_only_server for ONLY the 2FA portion of the config.  Please do not link to a document that refers to ISE... this is ACS, and while they are similar in function, they are different in how they are configured.

Thanks,

Matt

Hi Matthew,

I added the link for reference since ACS and ISE are very similar in function.  The procedure is the same. You still have to add an external ID store first, and instead of using it in the authentication policy, you need to use it in the Identity policy.

Here is the link how to configure external ID store for ACS 5.6.

User Guide for Cisco Secure Access Control System 5.6 - Managing Users and Identity Stores [Cisco Secure Access Control …

Here is the link to configure Identity policy

User Guide for Cisco Secure Access Control System 5.6 - Managing Access Policies [Cisco Secure Access Control System] - …

Here is the compatibility matrix for ACS 5.6

Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.6 - Cisco

Thanks

Krishnan
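For readers who want to see what actually crosses the wire in the setup discussed above, here is an added example (not code from this thread, from Cisco or from Duo) of the RADIUS exchange a RADIUS client such as ACS has with an external RADIUS token server such as the Duo proxy in RADIUS-only mode, built per RFC 2865: the User-Password attribute carrying the second-factor passcode is MD5-obfuscated with the shared secret, and the server's Response Authenticator is verified before the Access-Accept is trusted. The shared secret, username and passcode are constructed values.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2           # attribute types used here


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth              # first keystream block keys off the Request Authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev                        # next block keys off this ciphertext block (chaining)
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the token server performs it; trailing NUL padding is dropped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, passcode: str, secret: bytes, req_auth: bytes) -> bytes:
    """Access-Request the client sends for the second factor: User-Name plus the hidden passcode."""
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as the server computes it."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a holder of the shared secret for *this* request."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    code, ident = resp[0], resp[1]
    expected = response_authenticator(code, ident, resp[20:], req_auth, secret)
    return secrets.compare_digest(expected, resp[4:20])
```

A reply whose authenticator does not verify must be treated as a failed second factor, regardless of its code.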
