In this article, I will demonstrate how Firepower devices can be configured for external two-factor authentication using Cisco ISE and Duo. The Firepower deployment in this demonstration is managed by the Firepower Management Center (FMC) and ISE is operating as a standalone deployment.
Assumptions
- Working knowledge and understanding of Firepower, Cisco ISE and Duo 2FA
- Understanding of RADIUS
- Your environment is connected in a way that allows connectivity between all devices in this demonstration
Equipment used in this demo
- Cisco Firepower 6.6.4
- Cisco ISE 2.6
- Microsoft Server 2019
- Duo Authentication Proxy
- Duo Admin Panel
Configure Firepower for External RADIUS Authentication
- With access to the Firepower Management Center, navigate to Settings > Users > External Authentication > Add External Authentication Object. Select RADIUS and enter the configuration related to your environement. In my example shown in the screenshot below, the Primary Server, the RADIUS-Specific parameter for the Admin role and the Shell Access Filter has been configured. Optionally you can test authentication against the RADIUS server if required before saving the configuration changes.
Navigate to Users and create an external user. Make sure that the authentication of the user is configured to ‘Use External Authentication Method’ as shown in the screenshot below. This user should be already configured within your Active Directory and Duo Admin Panel.
Configure Cisco Duo
With access to the Duo admin panel, navigate to Applications > Protect and Application and search for ‘RADIUS‘. Select this application and configure the policies as per your requirements. Make a note of the Integration Key, Secret Key and API hostname as this will be required for the authentication proxy.
Download the authentication proxy and install it within your environment. Ensure that the machine where the authentication proxy is installed has access to Duo cloud via TCP/443. You will also need to make sure that the authentication proxy can communicate with Cisco ISE. You can download the authentication proxy here.
Once the configuration proxy has been installed, configure the ‘authproxy.cfg’ file to include your AD configuration and application configuration. You can find more information on configuring the authentication proxy here.
Note: It is worth pointing out that the Duo Prompt is not available with this application. There are two main ways to configure this but the option used will be decided based on whether you’re using external authentication for console access to the Firepower devices too.
Option 1: Configure the authentication proxy with ‘radius_server_auto’. This will automatically send a push notification to your 2FA device for secondary authentication when accessing the FMC GUI or Firepower Console. Below is an example of the configuration template here:
[ad_client]
host=<IP Address Here of AD Server>
service_account_username=<Username Here>
service_account_password=<Password Here>
search_dn=DC=<DN Here>
[radius_server_auto]
ikey=<Integration Key Here>
skey=<Secret Key Here>
api_host=<API Hostname Here>
radius_ip_1=<IP Address of ISE Node>
radius_secret_1=<RADIUS Secret Key Here>
port=1812
client=ad_clientOption 2: If you are using external authentication to access the Firepower console then you may want to configure the authentication proxy with ‘radius_server_challenge’. When accessing the console, after primary authentication credentials have been entered you will be presented with a challenge for secondary authentication. If external authentication is used to access the FMC GUI too then this option will not work.
[ad_client]
host=<IP Address Here of AD Server>
service_account_username=<Username Here>
service_account_password=<Password Here>
search_dn=DC=<DN Here>
[radius_server_challenge]
ikey=<Integration Key Here>
skey=<Secret Key Here>
api_host=<API Hostname Here>
radius_ip_1=<IP Address of ISE Node>
radius_secret_1=<RADIUS Secret Key Here>
port=1812
client=ad_clientOnce you’ve configured the authentication proxy, save the .cfg file and start the authentication proxy service using the following command (providing you have installed it on a Windows machine). Providing that your configuration is correct, you shouldn’t encounter any issues.
net start duoauthproxyConfigure Cisco ISE
Ensure that your Firepower devices are configured on ISE under the Network Devices section and that your RADIUS secret keys match between both devices. Next, navigate to External Identity Sources > RADIUS Token and click Add. Here is where you will add the Duo authentication proxy as a RADIUS token server for 2FA. Under the Connection tab, ensure that the host IP address points to the auth proxy and that the shared secret matches too. If you have opted to use a different port then ensure that the port matches what is configured on the auth proxy too.
Once complete, navigate to Identity Source Sequences and configure the authentication source list to include the RADIUS Token Server first and then your Active Directory domain. Under the Advanced Search List Settings select ‘Treat as if the user was not found and proceed to the next store in the sequence’.
Once complete, navigate to Policy > Policy Sets and add a new policy set. The main aim here is to ensure that the authentication policy uses the source sequence list that you just configured in the last step.
You should now be able to test authentication to your Firepower devices. I would recommend checking your Duo authentication events and the ISE authentication log.
