September 30, 2021
In 1960, the Massachusetts Institute of Technology (MIT) developed a computer called Compatible Time-Sharing System (CTSS) that all researchers had access to. However, they shared a common mainframe as well as a single disk file. So, to help keep individual files private, the concept of a password was developed so that users could only access their own specific files for their allotted time.
After many decades, there have been several improvements to protect the password at rest, in use, and in transit using sophisticated encryption and hashing techniques. However, the concept itself has not changed. If your password is leaked or compromised, we have the same problem that we did on day one.
In 2019, an anonymous creator released 2.2 billion usernames and passwords freely across attacker forums, known at that time to be the largest collection of breaches.
So, it’s quite obvious that a single password has not stood the test of time.
We need something more than a single password...
"By 2022, 60% of large and global enterprises and 90% of midsize enterprises (MSEs), will implement passwordless methods in more than 50% of use cases." -Gartner Research
One of the use cases we are going to talk about is protecting our network device login with Multi-Factor Authentication.
90% of customers that I encounter today still use their LOCAL, RADIUS- or TACACS-enabled username and password to protect their critical network infrastructure. What we’ll see in the remainder of this article is how easy it is to deploy MFA to your existing infrastructure to protect your network devices.
This is where Cisco Duo does a great job. The application is not limited to only protecting network device logins; however, this is one area that I am often concerned about. Compromising one network device can lead to compromising the entire network. Click here for a complete list of Duo capabilities.
So, if you’re interested in protecting your network device logins with MFA, then please continue reading!
Now that we understand the basic flow of events, we clearly see there are four key components involved here:
Our process will involve configuring these four components.
Start by creating a free Duo account, logging in, and selecting the application you want to protect. For TACACS login protection I will select RADIUS.
This will generate three keys:
Make note of these keys in a secure location because we will be using them soon. These credentials should never be stored or transmitted in unsecure systems such as email, internal documentation / wiki pages, source code repositories, etc. They should only exist on the system(s) being protected by Duo.
Now we can download and install the Duo Authentication Proxy, which is supported on a variety of platforms. In my case, I’m using Windows Server 2012 (a lot of old stuff in my home lab, but it does the job!). Click here for more details on supported platforms and how to install the Duo proxy.
Once the proxy is installed, configure it to be the bridge between your network and the Duo service by editing the AuthProxy configuration file (authproxy.cfg). This is where we will use those three keys we talked about.
Start the Duo Authentication Proxy Service and check logs to ensure connectivity.
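As an added example (not taken from the article or from Duo’s own documentation), here is an authproxy.cfg fragment that ties the three keys to ISE acting as a RADIUS client of the proxy; every key, IP address and secret below is a placeholder to be replaced with your own values:

```ini
; Added example authproxy.cfg fragment; all values are placeholders.
; Replace them with the three keys from the Duo application page and
; with the address and shared secret of your ISE node.

[duo_only_client]
; Duo supplies only the second factor here: ISE has already verified the
; primary (AD) credentials before it forwards the request to the proxy.

[radius_server_auto]
; The three keys generated when the RADIUS application was created in Duo
ikey=DI_PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
; ISE as the RADIUS client of the proxy (192.0.2.10 is a constructed address).
; This shared secret is the one entered on the ISE RADIUS token server
; and is NOT the Duo secret key (skey) above.
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_ISE_SHARED_SECRET
client=duo_only_client
port=1812
; Deny the login when the Duo service cannot be reached. The default, "safe",
; would let a user through on the primary password alone during an outage.
failmode=secure
```

After editing the file, restart the Duo Authentication Proxy service so the new settings take effect, and confirm in its log that the configuration loaded without errors before pointing ISE at it.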
Let’s now configure our TACACS server (ISE) to send requests to the Duo proxy server.
We will start by creating a new RADIUS token server named Duo (it can be any name) with the Duo proxy server IP and shared secret assigned (this shared secret is not the same as the Secret Key used between the Auth Proxy and the Duo application). If you prefer, you can configure multiple proxy servers as primary and backup.
Create an Identity Source Sequence
Integrate AD and Import Groups
Build a normal TACACS authentication and authorization policy pointing to the identity source sequence created above. You can get creative here; all I want is to give a user belonging to the IT group privilege level 15 if the user passes MFA.
I’m using a very basic TACACS configuration for AAA on the device, shown below; you can get as creative as you want:
In my case, I’m configuring a user manually on Duo. However, if you want to sync AD groups with Duo, you can follow the instructions here.
It’s a three-step process to activate a user:
Start Adding User Account and Phone Number
Send Activation Instructions to Phone
User Receives Instructions and Installs the Duo App
There are multiple ways to authenticate a user; we are using push notification.
Verify on the Duo Admin Portal that User is Onboarded
We are ready to access our device using MFA! As we do, we can verify the logs on ISE, Auth Proxy and Duo.
On ISE, under TACACS Live Logs, we see the authentication and authorization entries.
AuthProxy Logs Returning Access-Accept
On Duo ituser2 Granted Access
You saw in this article how to start protecting your critical infrastructure in a few simple steps. However, this is just the tip of the iceberg!
If you have any questions or would like help setting up MFA, please reach out to your DSI account manager or email email@example.com. They can put you in touch with me directly and we can discuss how to protect your applications/users and network infrastructure with Cisco Duo.
Thank you for reading and we look forward to discussing a new topic in the next newsletter!
Ambuj M. is a Cisco Certified Internetwork Expert (CCIE) and Certified Wireless Network Expert (CWNE) with 15 years of industry experience. He currently works as a Network Solutions Architect for DISYS Solutions Inc. (DSI).