In this article, we will take a look at how to secure Firepower Device Management (FDM) SSH sessions with Duo two-factor authentication (2FA) and where Cisco ISE is deployed as a RADIUS server.
- Firepower locally managed
- Cisco ISE
- Active Directory
- At least one Duo authentication proxy installed on an internal machine
In this article, the initial configurations for ISE, active directory and Firepower are already configured and beyond the scope of this article. Active Directory users are also synced with Duo.
- Access the Duo admin panel and login with an admin account
- Select Application > Protect Application and search for ‘RADIUS’. Select ‘RADIUS’ 2FA and click ‘Protect’
- In this demostration the default Global policy will be used. Feel free to change/add policies before scrolling to the bottom of the screen to save the configuration. Do not log out as the integration key, secret key and API hostname will be required for the authentication proxy later.
Firepower Device Management Configuration
- Access the GUI of the FDM
- Navigate to System Settings > Management Access and under the AAA Configuration tab, create a new Server Group
- Configure the RADIUS Server Group and add a Cisco ISE Policy Service Node (PSN) IP as your RADIUS server. If you have multiple PSN’s you can add them within the same group. Once configured, click ‘OK’ to save the configuration.
- Select the Server Group that you’ve just configured and click ‘SAVE’.
- Deploy the configuration changes to the Firepower device
- Access the GUI of ISE
- Navigate to Administration > Network Resources > Network Devices and add the FDM as a Network Device. Enter the device IP address and a RADIUS secret in the RADIUS authentication section. Note: The secret is the same secret that was configured for the RADIUS server/s on the FDM.
- Navigate to Administration > Identity Management > External Identity Sources > RADIUS Token. Note: This article assumes that your AD server is already joined to ISE and therefore, this configuration will not be covered in this article. Click ‘Add’ to add a new RADIUS Token Server and configure a name followed by the IP address and shared secret of the Duo proxy in the connections tab. Once configured, click ‘Save’ to complete the configuration.
Note: The secret key configured will need to match the secret key configured in the Duo authentication proxy.
- Navigate to Administration > Identity Management > Identity Source Sequences and add a new Identity Source Sequence to include the newly configured RADIUS Token Server and the Active Directory. In the ‘Advanced Search List Settings’, ensure that the ‘Treat as if the user was not found and proceed to the next store in the sequence’ radio button is selected. Also ensure that the RADIUS Token Server is selected first in the sequence list.
- Navigate to Policy > Policy Elements > Results and under the Authorization section, select ‘Authorization Profiles’ to create a new Authorization Profile to be used as part of this demo. There are two different types of attributes that can be configured and assigned to users accessing the FDM via SSH. These Cisco Role-Based Access Control (RBAC) Attribute Value Pairs are:
- Administrative (6) = Read-Write (RW) access
- NAS Prompt (7) = Read-Only (RO) access
In this lab, we will configure a user for RO access to the FDM via SSH.
- When complete, click ‘Submit’ to save the Authorization Profile.
- Navigate to Policy > Policy Sets and click the ‘+’ icon to create a new policy set. Our demo policy set might look different to yours but the following are main points to consider when building out your policy set.
- The policy set condition needs to be able to match on the FDM device. The screenshot below shows how we have configured the policy set
- Authentication policy uses the Idenity Store that was created previously and the options are configured as follows:
- Authorization policy needs to match the users that will be accessing the FDM via SSH and the Authorization Profile created previously needs to be selected
Configure the Authentication Proxy
- Access the device where the Duo Authentication Proxy is configured. This article assumes that the Authentication Proxy is already downloaded and installed and therefore, this demo will not cover that.
- Open the authproxy.cfg file and enter the configuration necessary to your environment for the following sections:
- [ad_client] section = contains your AD IP address, a service account username and password, followed by the base search DN for your domain.
- [radius_server_auto] section = contains your Duo RADIUS application Integration Key, Secret Key and API hostname followed by the IP address of the ISE PSN/S, the shared secret and the ad_client to perform the lookup for primary authentication. Addition settings can be added; please check out the link below for more information.
- For information on how to configure the authentication proxy, click here.
A screenshot of our omitted configuration can be seen below.
- Once configured, save the authproxy.cfg file and start or restart the Duo auth proxy with the following commands:
net stop duoauthproxy & net start duoauthproxy
Verification and Testing
With all the configuration in place, it’s time to test that our new setup works and users authenticating to the FDM using SSH are promoted for 2FA.
- On ISE, navigate to Operations > RADIUS > Live Logs
- On a device with an console terminal, connect to the FDM via SSH and log in with a valid username and password that is in AD and Duo with a 2FA device that has already been enrolled. Once the password has been entered, the user should be promoted via Duo Push for 2FA. Confirm and accepts the request from Duo and confirm that you have been logged into the device
- You can view the successful authentication on the RAIDUS live logs and within the Duo Admin panel under the reports section