Configuring Multi-Factor Authentication with Duo
Overview
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements.
When to Use
- When deploying or configuring configuring multi factor authentication with duo capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Configure Duo MFA for VPN, RDP, SSH, and web applications
- Implement adaptive access policies based on user, device, and network context
- Deploy phishing-resistant authentication (Duo Verified Push, WebAuthn)
- Configure device health policies (trusted endpoints, OS version enforcement)
- Set up Duo Admin Panel monitoring and reporting
- Implement MFA bypass and emergency access procedures
Key Concepts
Duo Authentication Methods (by security strength)
- Security Keys (WebAuthn/FIDO2): Phishing-resistant, AAL3 capable
- Duo Verified Push: Requires code entry, resistant to MFA fatigue attacks
- Duo Push: Push notification to Duo Mobile app
- TOTP (Duo Mobile Passcode): Time-based one-time password
- Hardware Tokens: OTP from physical token
- SMS/Phone Call: Least secure, use only as fallback
Duo Integration Architecture
- Duo Authentication Proxy: On-premises proxy for RADIUS/LDAP integration
- Duo Web SDK: Embed Duo MFA in web applications
- Duo OIDC/SAML: SSO integration for cloud applications
- Duo for RDP: Windows Logon MFA
- Duo Unix: PAM-based MFA for SSH
Adaptive Access Policies
- Trusted Networks: Reduce MFA friction for corporate networks
- Remembered Devices: Skip MFA for trusted devices (configurable duration)
- Device Health: Block or require MFA based on OS patch level, encryption, firewall
- Risk-Based Authentication: Step-up MFA for anomalous login patterns
Workflow
Step 1: Duo Authentication Proxy Setup
- Deploy Duo Authentication Proxy on Windows/Linux server
- Configure primary authentication (AD/LDAP or RADIUS)
- Configure Duo API credentials (Integration Key, Secret Key, API Hostname)
- Set failmode (safe=deny if Duo unreachable, secure=allow)
- Test proxy connectivity to Duo cloud and AD
Step 2: VPN MFA Integration
- Configure VPN concentrator for RADIUS authentication
- Point RADIUS to Duo Authentication Proxy
- Configure Duo proxy with [radius_server_auto] section
- Test VPN login with Duo Push
- Deploy to all VPN users with enrollment period
Step 3: RDP/Windows Logon MFA
- Install Duo Authentication for Windows Logon on target servers
- Configure Duo application in Admin Panel
- Set offline access options (allow N offline logins)
- Configure bypass for service accounts
- Test RDP login with Duo MFA
Step 4: Adaptive Policy Configuration
- Create user groups (Standard, Privileged, Contractors)
- Configure per-group authentication policies:
- Standard: Duo Push allowed, remembered device 7 days
- Privileged: Verified Push required, no remembered device
- Contractors: WebAuthn required, no remembered device
- Configure device health policies:
- Require encrypted disk
- Block outdated OS versions
- Require firewall enabled
- Set trusted network exceptions for corporate IPs
Step 5: Phishing-Resistant MFA Deployment
- Enable Verified Push (requires entering 3-digit code from login screen)
- Register WebAuthn/FIDO2 security keys for privileged users
- Disable SMS and phone call for high-risk groups
- Configure Duo Risk-Based Factor Selection
- Monitor for MFA fatigue attack patterns
Step 6: Monitoring and Response
- Configure Duo Admin Panel alerts
- Set up authentication log forwarding to SIEM
- Monitor for: MFA denial patterns, bypass usage, new device enrollments
- Create incident response playbook for MFA compromise
- Regular review of bypass and exception policies
Security Controls
| Control | NIST 800-53 | Description |
|---|---|---|
| MFA | IA-2(1) | Multi-factor authentication for network access |
| MFA for Privileged | IA-2(2) | MFA for privileged account access |
| Replay Resistance | IA-2(8) | Replay-resistant authentication |
| Device Identification | IA-3 | Device identity and trust |
| Authenticator Management | IA-5 | MFA enrollment and lifecycle |
Common Pitfalls
- Not deploying phishing-resistant MFA (Verified Push/FIDO2) for privileged accounts
- Setting failmode to "safe" (allow access when Duo is down) in production
- Not disabling SMS/phone call for users with app-capable devices
- Forgetting to configure offline access for laptops
- Not monitoring for MFA fatigue/prompt bombing attacks
Verification
- VPN login requires Duo MFA
- RDP to servers requires Duo MFA
- SSH access requires Duo MFA
- Verified Push enabled for privileged users
- Device health policy blocks non-compliant devices
- Authentication logs forwarded to SIEM
- Bypass/emergency access procedures tested
- MFA fatigue detection alerts configured