Introduction

Two Factor Authentication adds a second layer of security to your existing account before granting access to corporate applications and services as well as Network Access Devices (NAD).

As you may already have an existing account in your company such as Active Directory, LDAP etc . With 2FA you verify your existing  identity using a second factor , like your phone or other mobile devices to provide a secondary password.

The prevents just anyone logging in even if your primary password is compromised , and your secondary factor of authentication is independent from your primary username and password , so Duo never sees your primary password.

Requirements

• ISE2.x
• Identity Store
• Duo Proxy Server
• Duo Account

ISE Device Admin with Duo MFA flow

1. User Initiates an SSH session to the Network Device and is prompt for a username and password , at this stage the end user will provide this Primary Password (In this scenario we are using Active Directory) along with a secondary password which is the Duo Passcode , this is obtained by the duo application that is running on the end users mobile device.
2. TACACS+  authentication request is sent to ISE
3. ISE sends the Authentication request over Radius to the Duo Security Authentication Proxy Server
4. The Primary Authentication is done using the Active Directory password account , and only if successful will the proxy server continue with Secondary Authentication.
5. A Secondary Authentication request is sent to the Duo Security Service using the passcode generated by the duo application running on the user ends mobile device.In this step the proxy server will create an outbound connection to the Duo Security Service over tcp port 443 ,  keep this in mind if you have a FW or any blocking of access along the path.
6. The Authentication is successful which at  step 6 the Authentication proxy server will send a radius response of Access-Accept to ISE.
7. ISE will provide Access and Authorization based on Device Admin policy set.

Note You may use either the passcode provided by the application on your mobile device or by Duo sending  a PUSH notification to your mobile device requesting to Approve or Deny the login request.

Duo Deployment

Sign up for Duo Account and Protect Application

1. Go to following link to request a free trial account and follow the first 5 steps only.https://duo.com/docs/getting-started
2. In Step 5 you will be requested to choose a service/system/appliance you wish to protect with Duo . This is done from your Duo Admin Panel Dashboard you you logged onto in Step 4 under "Applications" (on the left hand side)
3. Go to following link to request a free trial account and follow the first 5 steps only.https://duo.com/docs/getting-started
4. In Step 5 you will be requested to choose a service/system/appliance you wish to protect with Duo . This is done from your Duo Admin Panel Dashboard you you logged onto in Step 4 under "Applications > Protect an Application" (on the left hand side) enter "Cisco RADIUS VPN" and click on "Protect this Application"
   
5. The "Cisco RADIUS VPN" application will have your Integration Key/Secret Key information which is needed when setting in the next step when setting up your Duo Proxy Server.
6. At the bottom of the page provide a "Name" , Duo users will see this in their push notifications that are sent to their mobile devices.

Create Duo Proxy Server

The Duo Proxy Server can be installed on Windows or Linux  as well as a Virtual host.

Use the following document as guidance steps to deploy your proxy server: Install the Duo Authentication Proxy

Your configuration file (authproxy.cfg) should look something like this:

[ad_client]
host=x.x.x.x (your domain controller)
service_account_username=duouser
service_account_password=password
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXX
api_host=xxxxxxxxxxxxxxxx
radius_ip_1=x.x.x.x (your ISE RADIUS Server)
radius_secret_1=isesecret
failmode=safe
client=ad_client
port=1812

The following fields ikey/skey/api_host can be found in your Duo Dashboard under the protected application that you have chosen.

Once your file is completed start the Proxy as followed in Start the Proxy.

If your having any trouble starting your proxy please refer to Troubleshooting.

Enrolling Duo Users

Duo provides several enrollment methods to add users to the system.

In this example we will be using the "Manual Enrollment" method from manual-enrollment.

Keep in mind since this is a manual enrollment be sure that the Duo username matches the users primary authentication username (in this scenario it will be our Active Directory account).

Maker sure to Install Duo App on your mobile device. This can be done either via your dashboard or by going to Play Store and downloading Duo App. See manual-enrollment process.

You have completed the Duo portion of the setup.

ISE Device Admin Deployment

Enable TACACS+

Log into ISE and enable Tacacs+ Service by going to Administration > System > Deployment , choose the relevant node you with to run Device Admin Services on and check mark the box next to "Enable Device Admin Service"

Add Active Directory to ISE and Import Domain Groups

1. Go to Administration > Identity Management > External Identity Sources > Active Directory

2. Click on "Add" fill in the following fields and click "Submit"
   Joint Point Name: AD1
   Active Directory Domain: isedemo.net

See following Document on How To Add Active Directory to ISE and retrieve groups: Getting Started With ISE.

In this example we will import the AD Group  "West_Coast"

Add Network Access Device (NAD) to ISE

In this section we will add the NAD to ISE which we will use for Tacacs+ (Device Admin)

1. Go to Administration > Network Resources > Network Devices >  Click on "Add"
2. Fill in the following Fields
   Name: Your Device Name
   IP: x.x.x.x
3. Check mark "TACACS Authentication Settings" and enter "Shared Secret"
   
4. Click "Submit" at the bottom of the page.

Add Duo Proxy Server to ISE

In this section we will add the duo proxy server we setup in previous steps to ISE , in order to allow for mutual communication between the two.

1. Go to Administration > Identity Management > External Identity Sources > RADIUS Token
2. Click "Add"
3. Under Tab "General" enter a name that makes sense to you
4. Under Tab "Connection" fill in the following fields
   Host IP: <IP address of your Proxy Server>
   Shared Secret: <same Shared Secret  used when setting up the Proxy Server file authproxy.cfg>
   Server Timeout: 60 - note default time is 5 , make sure to modify to 60 to avoid radius timeouts
5. Click "Submit"

Setting up TACACS Policy Elements

Before we setup a Policy Set with Authentication and Authorization Policies we need to create Tacacs policy elements to provide TACACS Profiles and command sets.

Guide lines on how to configure these can be found at the following:
TACACS Profile

TACACS Command Sets

Create Device Admin Policy Set / Authentication / Authorization

Device Admin contains its own Policy Set as well as Authentication and Authorization policies.Do not confuse this with the policy sets that are used for Network Access Control.

In the following example we have created a Policy Set called "Duo 2FA" and the Condition to be met will be the IP Address of my NAD device , leaving "Default Device Admin" Protocols.

With in the Policy set we will create the Authentication Policy and use the Duo Proxy we created in previous steps for Authentication.

Authentication

Authorization

Notice the 3rd condition is to match the AD Group we imported "West_Coast"

Initiate Login Process

At this point we are ready to login to our Network Access Device using Duo 2FA

There are a couple of methods to Authenticate with Duo

• When you SSH to device and are prompt for password enter your Primary Password first followed by a comma and then passcode generated from the mobile app.They syntax should look like this:
  Password:mypassword,duopasscode
• Another option is to have Duo send a PUSH notification to your mobile for approval. The syntax to be used is your Primary Password follow by a comman and then the phrase "push". The syntax should look like this:
  Password:mypassword,push

TACACS Live Logs

In the following diagram we have achieved Authentication using the Duo_AuthC policy we configured previously.

Note the user "hdwest" is a part of the AD group "West_Coast"