cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
177
Views
0
Helpful
4
Replies

DUO MFA for ASA Admin/management

jeff76
Level 1
Level 1

We have an old Cisco ASA (5508) which has Duo configured for AnyConnect VPN, but using local accounts ONLY for Admin/Management. We are moving to a new FirePower device (in ASA mode) and want to enable some sort of SSO or MFA for Administrators using ASDM and SSH.

I've tried setting up Duo in a similar way as our previous Anyconnect (using Authentication Proxy Server), but while it authenticates domain users, I cannot find a way to only allow members of a specific AD group. I've been able to do this using full-scale RADIUS (Microsoft NPAS) but want to then pass this through Duo for MFA.

I've read an old post (c.2019) that says Duo's RADIUS implementation cannot determine group membership....is this still the case?

Can anyone recommend the best way to achieve the following:

Restrict admin/management of a Firepower FPR1140 device using ADSM & SSH, to a specific AD user group and require MFA.

4 Replies 4

In duo, create a new application with the appropriate limits rules etc

On the auth proxy create a new radius server on different port, pointed at the new application via its ikey/key

On new ASA create a new AAA server config, pointed at the new Duo server.

You could also do the auth proxy and ASA AAA config using LDAP

Thanks Ken,  I've been struggling with this for a while and have already tried various methods, first of which was AAA using LDAP as it sounded like it should work. However, I could not get it to work as expected. The way I'd configured it, it seemed to allow any valid domain member to authenticate, regardless of whether or not they were in my specified FWAdmins group in AD. Then I read somewhere that LDAP can only be used for VPN rather than local device management. Don't know whether this was an old page, or whether it's just bad info. 

You can use LDAP for AAA to the Firewall... I have my old 5525s pointed at LDAP right now.

The trick here is to put the limits in DUO in the Application configuration (only allow the FWAdmins group) .
You could also limit it via a second [ad_client] section and use an LDAP filter there so only the FWadmins group can auth via it.

[ad_client2]
host=1.2.3.4
host_2=1.2.3.5
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=FWADMINS,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem


[ldap_server_auto]
client=ad_client2
ikey=DIXXXXXXXXXXXXXXXXXX <= points at your fwadmin application in the Duo Admin center that has the group limitation on it.
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
exempt_primary_bind=false
exempt_ou_1=CN=ldaplookup,dc=acme,dc=org
ssl_key_path=ldap_server.key
ssl_cert_path=ldap_server.pem

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

DuoKristina
Cisco Employee
Cisco Employee

To get group memberships you either have to use ldap_server_auto with ad_client (as another poster suggested) or radius_server_whatever with radius_client. A mixed config of radius_server_whatever with ad_client cannot get the group memberships.

So, if you already have NPS then point radius_client in authproxy.cfg to your NPS server, and specify pass_through_all=true in both the radius_client and radius_server_whatever sections. That way additional RADIUS attributes returned by AD via NPS (like group memberships) get passed back through the Duo proxy to the NGFW. https://help.duo.com/s/article/4785

The advantage of radius+radius over ldap+ldap is that ldap doesn't report the authenticating client's IP address but radius does (assuming the radius access-request includes an IP value for calling_station_id). So, the RADIUS auths will have location information in the Duo admin panel or at least a private network IP, but LDAP auths have no location info (0.0.0.0 IP).

Duo, not DUO.
Quick Links