Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - TACACS auth with AD credentials plus MFA (Duo)

  • 1.  CPPM - TACACS auth with AD credentials plus MFA (Duo)

    Posted Feb 23, 2017 07:26 AM
    Can CPPM do this type of auth?
    Example: user John will log in to a router with his user name and a password which is made of his AD password and MFA token with a comma in between (adpwd,mfatoken).
    CPPM will send adpwd via LDAP to AD and mfatoken to the Duo Security cloud.


  • 2.  RE: CPPM - TACACS auth with AD credentials plus MFA (Duo)

    Posted Feb 23, 2017 11:18 AM
    No, well, I think it might be possible but not without a little help from a couple of Duo applications.

    This guide will get you going: https://duo.com/docs/syncing_users_from_active_directory

    You wouldn't need to add the mfatoken to the username.

    The (very basic) flow would be:

    User authenticates on switch/router
    TACACS or RADIUS request is sent to CPPM
    CPPM sends request to Duo Authentication Proxy
    Duo Authentication Proxy sends request to Duo
    Duo sends MFA request to user's MFA device (smartphone I assume)
    User accepts MFA request & gains access to switch/router



  • 3.  RE: CPPM - TACACS auth with AD credentials plus MFA (Duo)

    Posted Feb 23, 2017 12:10 PM
    Thanks for the reply James, yeah I know that using the Duo proxy I can do it, even with the token, as the proxy will strip it and send one part to the AD and another to the cloud. What I wanted to know is if the CPPM could do the work of the proxy so we wouldn't need another machine in the solution (the Duo proxy). PS - I have seen some docs for using Duo directly from CPPM but only for Guest access...
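
The split the posts above describe (a single "adpwd,mfatoken" secret taken apart, with the AD part checked before the MFA part), as an added Python sketch that is not from the thread, from ClearPass or from Duo. The function names, the constructed user data and the choice to split on the last comma are assumptions of this example.

```python
import hmac
from typing import Callable, Optional, Tuple

Check = Callable[[str, str], bool]


def split_credential(secret: str, delimiter: str = ",") -> Tuple[str, Optional[str]]:
    """Split 'adpwd,mfatoken' into (AD password, MFA token or None).

    Assumption: split on the LAST delimiter, so an AD password that itself
    contains a comma stays intact.
    """
    if delimiter not in secret:
        return secret, None
    password, token = secret.rsplit(delimiter, 1)
    if not password or not token:
        raise ValueError("malformed credential")  # never echo the secret
    return password, token


def authenticate(user: str, secret: str, primary: Check, secondary: Check) -> str:
    """Return 'ACCEPT' or 'REJECT'; anything unexpected fails closed."""
    try:
        password, token = split_credential(secret)
    except ValueError:
        return "REJECT"
    if token is None:
        return "REJECT"  # this sketch requires a token, no push fallback
    # AD first: a wrong password must never reach the MFA service.
    if not primary(user, password):
        return "REJECT"
    return "ACCEPT" if secondary(user, token) else "REJECT"


# Constructed stand-ins for the LDAP bind and the Duo check (not real APIs).
_AD = {"john": "S3cret,with,commas"}
_TOKENS = {"john": "123456"}
secondary_calls = []  # records which users reached the second factor


def fake_ad(user: str, password: str) -> bool:
    return hmac.compare_digest(_AD.get(user, "").encode(), password.encode())


def fake_duo(user: str, token: str) -> bool:
    secondary_calls.append(user)
    return hmac.compare_digest(_TOKENS.get(user, "").encode(), token.encode())
```

Checking the AD password first keeps failed password guesses from generating any second-factor traffic, which is why `secondary_calls` stays empty on a wrong password.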


  • 4.  RE: CPPM - TACACS auth with AD credentials plus MFA (Duo)
    Best Answer

    EMPLOYEE
    Posted Feb 23, 2017 12:13 PM
    Yes, the native Duo hooks are for web-based workflows.

