Two-Factor Authentication (2FA) adds a second layer of security to your existing account before access is granted to corporate applications and services, as well as to Network Access Devices (NADs).
You most likely already have an account in a corporate directory such as Active Directory or LDAP. With 2FA you first verify that existing identity, then prove possession of a second factor, such as your phone or another mobile device, which supplies a passcode or a push approval.
This prevents an attacker from logging in even if your primary password is compromised, because the second factor is independent of your primary username and password. In this deployment the primary password is validated by the Duo Authentication Proxy you host, against your own Active Directory; the Duo cloud service never receives it.
Note: you may use either the passcode generated by the Duo Mobile application on your device, or have Duo send a push notification to your device asking you to Approve or Deny the login request.
The Duo Authentication Proxy can be installed on Windows or Linux, on either a physical or a virtual host.
Use the following document as guidance for deploying the proxy server: Install the Duo Authentication Proxy
Your configuration file (authproxy.cfg) should look something like this:
host=x.x.x.x (your domain controller)
radius_ip_1=x.x.x.x (your ISE RADIUS server)
The fields ikey, skey and api_host can be found in the Duo Admin Panel under the protected application you have chosen. The skey is a secret: restrict read access to authproxy.cfg to the account the proxy runs as, and never paste the file into tickets or chat.
Once the file is complete, start the proxy as described in Start the Proxy.
If you have any trouble starting the proxy, please refer to Troubleshooting; the proxy's own log (log/authproxy.log under the install directory) usually names the offending line of the configuration file.
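A complete authproxy.cfg for this ISE-to-Duo deployment, as an added example that is not from the original page or from Duo's documentation. The IP addresses, service account, base DN and keys are placeholders (assumptions) to be replaced with your own; the domain isedemo.net is the one used later on this page.

```ini
; Added example: authproxy.cfg for ISE (TACACS+ device admin) -> Duo.
; Every address, account name and key below is a placeholder (assumption).

[ad_client]
; Primary authentication: the proxy checks the user's password against AD.
; host is the domain controller (placeholder).
host=10.0.0.10
; Read-only bind account used for the user lookup (placeholder).
service_account_username=duo-svc
service_account_password=CHANGE_ME
; Base DN for the isedemo.net domain used on this page.
search_dn=DC=isedemo,DC=net
; Hardening: bind over LDAPS so credentials are not sent in the clear.
; Uncomment and point ssl_ca_certs_file at the CA that issued the DC certificate.
;transport=ldaps
;ssl_ca_certs_file=/opt/duoauthproxy/conf/ad_ca.pem

[radius_server_auto]
; Secondary authentication: ISE sends RADIUS to the proxy; the proxy then
; asks Duo for the second factor (push or passcode).
; ikey, skey and api_host come from the protected application in the Duo Admin Panel.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME_TO_THE_40_CHARACTER_SKEY
api_host=api-xxxxxxxx.duosecurity.com
; radius_ip_1 is the ISE node that will send RADIUS to this proxy (placeholder).
radius_ip_1=10.0.0.20
; radius_secret_1 must match the shared secret configured on the ISE RADIUS Token server.
radius_secret_1=CHANGE_ME
; Use the [ad_client] section above for primary authentication.
client=ad_client
port=1812
; failmode=safe lets a correct primary password through if the Duo cloud is
; unreachable. For device administration, failmode=secure fails closed instead.
failmode=safe
```

The two secrets matter most: radius_secret_1 is what lets ISE talk to the proxy, and skey is what lets the proxy talk to Duo. Choose failmode deliberately; safe favours availability of device management during a Duo outage, secure favours keeping the second factor mandatory.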
Duo provides several enrollment methods for adding users to the system.
In this example we use the "Manual Enrollment" method described in manual-enrollment.
Because this is a manual enrollment, make sure the Duo username matches the user's primary authentication username exactly (in this scenario, the Active Directory account name); otherwise the proxy will pass primary authentication but Duo will not find the user.
Make sure the Duo Mobile app is installed on the user's mobile device. This can be done from your dashboard or by downloading Duo Mobile from the app store. See the manual-enrollment process.
You have now completed the Duo portion of the setup.
Log in to ISE and enable the TACACS+ service: go to Administration > System > Deployment, select the node you wish to run Device Admin Services on, and tick the box next to "Enable Device Admin Service".
Next, add the Active Directory join point under Administration > Identity Management > External Identity Sources > Active Directory. Click "Add", fill in the following fields and click "Submit":
Join Point Name: AD1
Active Directory Domain: isedemo.net
See the following document on how to add Active Directory to ISE and retrieve groups: Getting Started With ISE.
In this example we import the AD group "West_Coast".
In this section we add the NAD to ISE for use with TACACS+ (Device Admin): under Administration > Network Resources > Network Devices, add the device with its IP address, enable the TACACS Authentication Settings and set a shared secret. The same secret must be configured on the device itself.
In this section we add the Duo proxy server set up in the previous steps to ISE as an external RADIUS Token server (Administration > Identity Management > External Identity Sources > RADIUS Token), so that the two can communicate. The shared secret entered here must match radius_secret_1 in authproxy.cfg, and the server timeout should be raised well above the default so a user has time to approve a push before ISE gives up on the request.
Before we set up a Policy Set with Authentication and Authorization Policies, we need to create the TACACS policy elements that provide TACACS Profiles and Command Sets.
Guidelines on how to configure these can be found at the following:
Device Admin has its own Policy Sets, Authentication Policies and Authorization Policies. Do not confuse these with the Policy Sets used for Network Access Control.
In the following example we have created a Policy Set called "Duo 2FA". The condition to be met is the IP address of the NAD, and the allowed protocols are left at "Default Device Admin".
Within the Policy Set we create the Authentication Policy and select the Duo proxy (the RADIUS Token server created in the previous steps) as the identity source, so that every login requires both the AD password and the Duo second factor.
Notice that the third condition matches the AD group we imported, "West_Coast"; only members of that group are authorized.
At this point we are ready to log in to our Network Access Device using Duo 2FA.
There are a couple of ways to authenticate with Duo: approving a push notification on the mobile device, or entering the passcode generated by Duo Mobile.
In the following diagram, authentication has succeeded using the Duo_AuthC policy configured previously.
Note that the user "hdwest" is a member of the AD group "West_Coast".