Two-Factor Authentication adds a second layer of security to your existing account before granting access to corporate applications and services as well as Network Access Devices (NADs).
You most likely already have an account in your company directory, such as Active Directory or LDAP. With 2FA you verify that existing identity using a second factor, such as your phone or another mobile device, which provides a secondary password.
This prevents just anyone from logging in even if your primary password is compromised. Your second factor is independent from your primary username and password, so Duo never sees your primary password.
Duo Proxy Server
ISE Device Admin with Duo MFA flow
Step 1: The user initiates an SSH session to the network device and is prompted for a username and password. The user provides the primary password (in this scenario an Active Directory password) together with a secondary password, which is the Duo passcode generated by the Duo application running on the user's mobile device.
Step 2: A TACACS+ authentication request is sent to ISE.
Step 3: ISE forwards the authentication request over RADIUS to the Duo Security Authentication Proxy Server.
Step 4: Primary authentication is performed against the Active Directory account password; only if it succeeds does the proxy server continue with secondary authentication.
Step 5: A secondary authentication request is sent to the Duo Security Service using the passcode generated by the Duo application on the user's mobile device. In this step the proxy server opens an outbound connection to the Duo Security Service over TCP port 443; keep this in mind if a firewall or any other filtering sits along the path.
Step 6: When authentication succeeds, the Authentication Proxy Server sends a RADIUS Access-Accept response to ISE.
Step 7: ISE grants access and authorization based on the Device Admin policy set.
Note: You may use either the passcode provided by the application on your mobile device, or have Duo send a push notification to your mobile device asking you to Approve or Deny the login request.
In Step 5 you will be asked to choose the service/system/appliance you wish to protect with Duo. From the Duo Admin Panel dashboard you logged onto in Step 4, go to "Applications > Protect an Application" (on the left-hand side), enter "Cisco RADIUS VPN" and click "Protect this Application".
The "Cisco RADIUS VPN" application page shows your Integration Key and Secret Key, which you will need in the next step when setting up your Duo Proxy Server.
At the bottom of the page provide a "Name"; Duo users will see this name in the push notifications sent to their mobile devices.
Create Duo Proxy Server
The Duo Proxy Server can be installed on Windows or Linux as well as a Virtual host.
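A minimal authproxy.cfg matching the flow above (an added example, not the page's own configuration file; every angle-bracket value is a placeholder you must replace, and the search_dn assumes the isedemo.net domain used later in this guide):

```ini
; authproxy.cfg for the Duo Authentication Proxy (added example, placeholders in <...>)

[ad_client]
; Primary authentication against Active Directory (Step 4 of the flow)
host=<IP or hostname of a domain controller for isedemo.net>
service_account_username=<AD service account used for the LDAP bind>
service_account_password=<password of that service account>
search_dn=DC=isedemo,DC=net

[radius_server_concat]
; ISE talks to this section as its RADIUS Token server. "concat" mode is what
; lets the user append ",<passcode>" or ",push" to the primary password.
ikey=<Integration Key shown on the "Cisco RADIUS VPN" application page>
skey=<Secret Key shown on the same page>
api_host=<API hostname shown on the same page, api-xxxxxxxx.duosecurity.com>
radius_ip_1=<IP address of the ISE node running Device Admin Service>
radius_secret_1=<Shared Secret you will also enter under RADIUS Token > Connection in ISE>
client=ad_client
port=1812
delimiter=,
; failmode=secure rejects logins if the Duo cloud service (TCP 443) is unreachable;
; the default, failmode=safe, would let primary-only authentication through instead.
failmode=secure
```

Restart the Duo Authentication Proxy service after editing the file so the new sections are loaded.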
Keep in mind that since this is a manual enrollment, the Duo username must match the user's primary authentication username (in this scenario the Active Directory account).
Make sure the Duo app is installed on your mobile device. This can be done either via your dashboard or by going to the Play Store and downloading the Duo app. See the manual-enrollment process.
You have completed the Duo portion of the setup.
ISE Device Admin Deployment
Log into ISE and enable the TACACS+ service by going to Administration > System > Deployment, choose the node you wish to run Device Admin Services on, and check the box next to "Enable Device Admin Service".
Add Active Directory to ISE and Import Domain Groups
Go to Administration > Identity Management > External Identity Sources > Active Directory
Click on "Add", fill in the following fields and click "Submit":
Join Point Name: AD1
Active Directory Domain: isedemo.net
In this example we will import the AD Group "West_Coast"
Add Network Access Device (NAD) to ISE
In this section we will add the NAD to ISE that we will use for TACACS+ (Device Admin).
Go to Administration > Network Resources > Network Devices and click on "Add".
Fill in the following fields:
Name: Your Device Name
IP: x.x.x.x
Check "TACACS Authentication Settings" and enter the "Shared Secret".
Click "Submit" at the bottom of the page.
Add Duo Proxy Server to ISE
In this section we will add the Duo proxy server we set up in the previous steps to ISE, in order to allow mutual communication between the two.
Go to Administration > Identity Management > External Identity Sources > RADIUS Token
Under the "General" tab, enter a name that makes sense to you.
Under the "Connection" tab, fill in the following fields:
Host IP: <IP address of your Proxy Server>
Shared Secret: <the same Shared Secret used in the Proxy Server's authproxy.cfg file>
Server Timeout: 60 (the default is 5; set it to 60 to avoid RADIUS timeouts)
Setting up TACACS Policy Elements
Before we set up a Policy Set with Authentication and Authorization Policies we need to create the TACACS policy elements, namely TACACS Profiles and command sets.
Guidelines on how to configure these can be found at the following: TACACS Profile
Create Device Admin Policy Set / Authentication / Authorization
Device Admin has its own Policy Set as well as its own Authentication and Authorization policies. Do not confuse these with the policy sets used for Network Access Control.
In the following example we have created a Policy Set called "Duo 2FA"; the condition to be met is the IP address of my NAD, leaving the "Default Device Admin" protocols.
Within the Policy Set we create the Authentication Policy and use the Duo Proxy we created in the previous steps for authentication.
Notice that the third condition matches the AD group we imported, "West_Coast".
Initiate Login Process
At this point we are ready to log in to our Network Access Device using Duo 2FA.
There are a couple of methods to authenticate with Duo:
When you SSH to the device and are prompted for a password, enter your primary password first, followed by a comma and then the passcode generated by the mobile app. The syntax should look like this: Password:mypassword,duopasscode
Another option is to have Duo send a push notification to your mobile device for approval. The syntax is your primary password followed by a comma and then the word "push". The syntax should look like this: Password:mypassword,push
TACACS Live Logs
In the following diagram we have achieved authentication using the Duo_AuthC policy we configured previously.
Note that the user "hdwest" is a member of the AD group "West_Coast".