
Duo with TACACS+ for Cisco switch authentication

mike.gusway
Level 1

Hello,

We have successfully integrated Duo with TACACS+ (ISE) and authentication proxy for authentication to all of our Cisco switches and firewalls. Is it possible to set a period of time, say 10 or 15 minutes, where subsequent MFA requests will not be required after a successful login? 

For example, I may need to simultaneously interact with several switches. If I successfully approve the MFA request in my Duo mobile app for the first switch, can MFA be bypassed for the next several minutes? I swear I remember seeing this option discussed somewhere while going through the integration several months ago, but now I can't seem to find it.

Thanks,

-Mike

Accepted Solutions

DuoKristina
Cisco Employee

While Duo does have a remembered devices feature with an explicit option to remember the device for a defined period of time, and also is able to do some authentication dampening with risk-based remembered devices, neither of those features supports RADIUS authentication via the Duo Authentication Proxy (which I have assumed is the configuration you've deployed).

You can submit a feature request for remembered device support for RADIUS authentication by contacting your Duo Care or Cisco account rep, or Duo Support if you don't have a dedicated contact.

Duo, not DUO.
