29324 Views, 4 Helpful, 6 Replies

MFA for Cisco switches and routers

Richard Lucht (Level 1)

Hello,

We currently use ISE 2.2 and the RADIUS protocol to SSH into our network gear. We now have a requirement to make that access multi-factor authentication. We are also standing up an Azure multi-factor authentication server for Cisco AnyConnect. Is there a way I could use that Azure multi-factor server to get the desired results? Also, I have been messing around with the DUO auth proxy. Has anyone had success using this? I am getting some traffic to ISE and seeing some info in the log of the DUO authproxy. I am getting either a failed password or invalid key on ISE, and the log states [RadiusClient (UDP)] dropping packet from 10.200.1.30:1812 - response packet has invalid authenticator. DUO says the following.

It looks like the primary authentication to the RADIUS server is timing out because it's looking for a specific authenticator that is sending back "response packet has invalid authenticator", which means...

This usually occurs at the later stage when the EAP message is attached. The first RADIUS packet of the 802.1x session does not include the EAP message; there is no Message-Authenticator field and it is not possible to verify the request, but at that stage, the client is able to validate the response with the use of the Authenticator field.

I would check the RADIUS server settings to see if this might be enabled and looking for any kind of EAP or 802.1x information.
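The log line quoted above is the RADIUS client side (here the Duo auth proxy) rejecting a reply from ISE because the Response Authenticator did not verify. RFC 2865 defines that field as MD5(Code + ID + Length + RequestAuthenticator + Attributes + SharedSecret), so a shared-secret mismatch between the proxy and the ISE network-device entry, or a reply matched to the wrong outstanding request, fails the check even when the user's password was correct. The Message-Authenticator attribute that the Duo explanation mentions is a separate HMAC-MD5 check (RFC 2869 section 5.14). The following is an added example, not code from the thread, Duo, or Cisco: it builds an Access-Accept the way a server would and then verifies both fields the way a client would, with constructed secrets, identifier and username standing in for values the thread does not give.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Build a server reply (Access-Accept/Reject) to a request with the given
    Request Authenticator. Message-Authenticator (if present) is HMAC-MD5 over
    the packet with the Request Authenticator in the Authenticator field and the
    attribute value zeroed; the Response Authenticator is then computed over the
    finished packet (RFC 2869 s.5.14, RFC 2865 s.3)."""
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # placeholder is the value of the last attribute
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Client-side check of a reply. Returns (response_auth_ok, message_auth_ok)
    where message_auth_ok is None if the attribute is absent. A False first
    element is the condition behind 'response packet has invalid authenticator'."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, None
    header, body = packet[:4], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    ra_ok = hmac.compare_digest(packet[4:HEADER_LEN], expected)

    ma_ok = None
    off = 0
    while off + 2 <= len(body):
        attr_type, attr_len = body[off], body[off + 1]
        if attr_len < 2 or off + attr_len > len(body):
            return ra_ok, False  # malformed attribute: treat as integrity failure
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = body[: off + 2] + bytes(16) + body[off + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            ma_ok = hmac.compare_digest(body[off + 2: off + 18], mac)
        off += attr_len
    return ra_ok, ma_ok


def demo():
    """Constructed scenario: ISE replies with secret A; the proxy was configured
    with a near-miss secret B. Returns the verification results for both."""
    ise_secret = b"ise-shared-secret"        # constructed value
    proxy_secret = b"ise-shared-secrt"       # constructed: typo on the client side
    request_auth = bytes(range(16))          # constructed Request Authenticator
    reply = build_response(ACCESS_ACCEPT, 7, request_auth,
                           [(ATTR_USER_NAME, b"rlucht")], ise_secret)
    return verify_response(reply, request_auth, ise_secret), \
        verify_response(reply, request_auth, proxy_secret)


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret:", good)   # (True, True)
    print("mismatched secret:", bad)  # (False, False) -> client drops the packet
```

When troubleshooting this error on ISE, the useful point from the code is that both checks depend on the shared secret and on the Request Authenticator of the specific request the reply answers, so the two things to compare are the secret configured on the proxy's RADIUS client entry versus the ISE network-device entry for the proxy's source IP, and whether the reply arrives after the client has already timed out and retransmitted with a new authenticator.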

Accepted Solution

Charlie Moreton (Cisco Employee)

Here is a link detailing different MFA efforts for ISE

Two Factor Authentication on ISE – 2FA on ISE

For Device Administration, we do 2 factor through the use of CAC/PIV cards and the Pragma SSH Client

https://www.pragmasys.com/products/support/cisco-2-factor

6 Replies

I found my issue: I was not using DUO correctly. I set it up as a RADIUS Token server and then used it as an identity store in my authentication profile. I was not quite pleased with the process of the MFA with DUO, so I tried to use Microsoft Azure MFA the same way. The results were exactly what I was looking for. On Cisco devices that I tried to SSH into I would either get a prompt for my token or a push notification, depending on how I wanted my MFA to work. I even tried it with a phone call; the timeout for RADIUS will need to be longer for that. No extra configuration was needed for my network devices or AnyConnect VPN.

I am also interested in getting all of my Cisco routers and switches (with IOS <= 12.2) to use Azure MFA for SSH login. It seems that you have done this successfully.

  • Does it require any extra configuration on the Cisco switch, other than authenticating against RADIUS?
  • Do you have to configure NPS as a RADIUS proxy?
  • Is this possible without ISE?

I would be grateful if you could share the details of your experience here. Thanks

Chad did you get this working? I'm using ISE and Azure but never get a prompt for my PIN.

TIA

Steve

Hey, hi. Did you get any information on direct MFA with Cisco switches without ISE?


@chad patterson wrote:

I am also interested in getting all of my Cisco routers and switches (with IOS <= 12.2) to use Azure MFA for SSH login. It seems that you have done this successfully.

  • Does it require any extra configuration on the Cisco switch, other than authenticating against RADIUS?
  • Do you have to configure NPS as a RADIUS proxy?
  • Is this possible without ISE?

I would be grateful if you could share the details of your experience here. Thanks

There have been many requests to make Cisco MFA & Pragma Fortress CL work with Microsoft NPS RADIUS and Active Directory as the AAA without needing Cisco ISE, for sites that do not have ISE. The Pragma support team has just published a document describing the entire setup process at https://www.pragmasys.com/downloads/cisco_fortresscl_ms_npsradius.pdf. Thanks.
