Configuring Multi-Factor Authentication with Duo

Overview

Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements.

When to Use

• When deploying or configuring configuring multi factor authentication with duo capabilities in your environment
• When establishing security controls aligned to compliance requirements
• When building or improving security architecture for this domain
• When conducting security assessments that require this implementation

Prerequisites

• Familiarity with identity access management concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Objectives

• Configure Duo MFA for VPN, RDP, SSH, and web applications
• Implement adaptive access policies based on user, device, and network context
• Deploy phishing-resistant authentication (Duo Verified Push, WebAuthn)
• Configure device health policies (trusted endpoints, OS version enforcement)
• Set up Duo Admin Panel monitoring and reporting
• Implement MFA bypass and emergency access procedures

Key Concepts

Duo Authentication Methods (by security strength)

1. Security Keys (WebAuthn/FIDO2): Phishing-resistant, AAL3 capable
2. Duo Verified Push: Requires code entry, resistant to MFA fatigue attacks
3. Duo Push: Push notification to Duo Mobile app
4. TOTP (Duo Mobile Passcode): Time-based one-time password
5. Hardware Tokens: OTP from physical token
6. SMS/Phone Call: Least secure, use only as fallback

Duo Integration Architecture

• Duo Authentication Proxy: On-premises proxy for RADIUS/LDAP integration
• Duo Web SDK: Embed Duo MFA in web applications
• Duo OIDC/SAML: SSO integration for cloud applications
• Duo for RDP: Windows Logon MFA
• Duo Unix: PAM-based MFA for SSH

Adaptive Access Policies

• Trusted Networks: Reduce MFA friction for corporate networks
• Remembered Devices: Skip MFA for trusted devices (configurable duration)
• Device Health: Block or require MFA based on OS patch level, encryption, firewall
• Risk-Based Authentication: Step-up MFA for anomalous login patterns

Workflow

Step 1: Duo Authentication Proxy Setup

1. Deploy Duo Authentication Proxy on Windows/Linux server
2. Configure primary authentication (AD/LDAP or RADIUS)
3. Configure Duo API credentials (Integration Key, Secret Key, API Hostname)
4. Set failmode (safe=deny if Duo unreachable, secure=allow)
5. Test proxy connectivity to Duo cloud and AD

Step 2: VPN MFA Integration

1. Configure VPN concentrator for RADIUS authentication
2. Point RADIUS to Duo Authentication Proxy
3. Configure Duo proxy with [radius_server_auto] section
4. Test VPN login with Duo Push
5. Deploy to all VPN users with enrollment period

Step 3: RDP/Windows Logon MFA

1. Install Duo Authentication for Windows Logon on target servers
2. Configure Duo application in Admin Panel
3. Set offline access options (allow N offline logins)
4. Configure bypass for service accounts
5. Test RDP login with Duo MFA

Step 4: Adaptive Policy Configuration

1. Create user groups (Standard, Privileged, Contractors)
2. Configure per-group authentication policies:
   • Standard: Duo Push allowed, remembered device 7 days
   • Privileged: Verified Push required, no remembered device
   • Contractors: WebAuthn required, no remembered device
3. Configure device health policies:
   • Require encrypted disk
   • Block outdated OS versions
   • Require firewall enabled
4. Set trusted network exceptions for corporate IPs

Step 5: Phishing-Resistant MFA Deployment

1. Enable Verified Push (requires entering 3-digit code from login screen)
2. Register WebAuthn/FIDO2 security keys for privileged users
3. Disable SMS and phone call for high-risk groups
4. Configure Duo Risk-Based Factor Selection
5. Monitor for MFA fatigue attack patterns

Step 6: Monitoring and Response

1. Configure Duo Admin Panel alerts
2. Set up authentication log forwarding to SIEM
3. Monitor for: MFA denial patterns, bypass usage, new device enrollments
4. Create incident response playbook for MFA compromise
5. Regular review of bypass and exception policies

Security Controls

Common Pitfalls

• Not deploying phishing-resistant MFA (Verified Push/FIDO2) for privileged accounts
• Setting failmode to "safe" (allow access when Duo is down) in production
• Not disabling SMS/phone call for users with app-capable devices
• Forgetting to configure offline access for laptops
• Not monitoring for MFA fatigue/prompt bombing attacks

Verification

• VPN login requires Duo MFA
• RDP to servers requires Duo MFA
• SSH access requires Duo MFA
• Verified Push enabled for privileged users
• Device health policy blocks non-compliant devices
• Authentication logs forwarded to SIEM
• Bypass/emergency access procedures tested
• MFA fatigue detection alerts configured