Occasional Contributor II
Posts: 11
Registered: ‎10-28-2015

CPPM - TACACS auth with AD credentials plus MFA (Duo)

Can CPPM do this type of auth?
Example: user John will log in to a router with his user name and a password which is made of his AD password and MFA token with a comma in between (adpwd,mfatoken).
CPPM will send adpwd via LDAP to AD and mfatoken to the Duo Security cloud.
MVP
Posts: 992
Registered: ‎04-13-2009

Re: CPPM - TACACS auth with AD credentials plus MFA (Duo)

No, well, I think it might be possible but not without a little help from a couple of Duo applications.

This guide will get you going: https://duo.com/docs/syncing_users_from_active_directory

You wouldn't need to add the mfatoken to the username.

The (very basic) flow would be:

1. User authenticates on switch/router
2. TACACS or RADIUS request is sent to CPPM
3. CPPM sends request to Duo Authentication Proxy
4. Duo Authentication Proxy sends request to Duo
5. Duo sends MFA request to user's MFA device (smartphone I assume)
6. User accepts MFA request & gains access to switch/router

Cheers
James

@whereisjrw | blog | ACCX #540 | ACMX #353 | ACDX #216 | Mobility First Expert #11

Occasional Contributor II
Posts: 11
Registered: ‎10-28-2015

Re: CPPM - TACACS auth with AD credentials plus MFA (Duo)

Thanks for the reply James, yeah I know that using the Duo proxy I can do it, even with the token, as the proxy will strip it and send one part to the AD and another to the cloud. What I wanted to know is if the CPPM could do the work of the proxy so we wouldn't need another machine in the solution (the Duo proxy). PS - I have seen some docs for using Duo directly from CPPM but only for Guest access...
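
The comma-appended format discussed in this thread (adpwd,mfatoken), shown as an added example that is not part of any post and is not Duo's or ClearPass's code: a sketch of how a proxy could split the combined secret at the last delimiter before sending one part to AD and the other to the MFA service. The function name, the passcode pattern and the sample credentials are assumptions made for illustration.

```python
import re

# Factor keywords accepted after the delimiter, optionally followed by a
# device index (push, push2, phone, sms, ...).
_FACTOR_NAME = re.compile(r"^(push|phone|sms)\d*$", re.IGNORECASE)
# Assumption for this example: a one-time passcode is 6 to 8 digits.
_PASSCODE = re.compile(r"^\d{6,8}$")


def split_appended_credential(secret, delimiter=","):
    """Split 'adpwd,mfatoken' into (primary_password, factor).

    The split happens at the LAST delimiter so that AD passwords which
    themselves contain the delimiter stay intact. If the trailing part does
    not look like a passcode or factor keyword, the whole string is treated
    as the primary password and factor is None.
    """
    head, sep, tail = secret.rpartition(delimiter)
    if not sep or not head:
        # No delimiter at all, or nothing in front of it.
        return secret, None
    if _PASSCODE.match(tail) or _FACTOR_NAME.match(tail):
        return head, tail.lower()
    # Delimiter belongs to the password itself (e.g. "a,b").
    return secret, None


def describe_routing(secret):
    """Show which half goes where, without ever echoing the secrets."""
    password, factor = split_appended_credential(secret)
    return {
        "ldap_bind_password_length": len(password),  # sent to AD over LDAP
        "mfa_factor_present": factor is not None,     # sent to the MFA service
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("adpwd,123456", "p,w,d,push", "no-token-here", "a,b"):
        print(describe_routing(sample))
```

A password that legitimately ends in a comma followed by 6 to 8 digits is indistinguishable from password plus passcode in this scheme, which is one reason to prefer the push flow described earlier in the thread.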
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: CPPM - TACACS auth with AD credentials plus MFA (Duo)

Yes, the native Duo hooks are for web based workflows.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480