
Cisco Duo

Description

Cisco Duo is a comprehensive Identity and Access Management (IAM) solution that enhances security by controlling and verifying user access. Within Duo, administrators can securely manage user identities, assign authentication tokens, and enforce policies that protect user accounts. Upon login, users receive a prompt on a separate trusted device, typically a smartphone with the Duo Mobile app, to confirm their identity. Duo supports all major platforms: Windows, macOS, iOS, Linux, and Android.

Authentication methods include:

  • Duo Push: Approve a login verification request sent to your smartphone with the Duo Mobile app
  • Passkey: Security keys and biometrics
  • Text Message: SMS message containing a one-time passcode that is valid for five minutes
  • Phone Call: Receive a phone call communicating a one-time passcode that is valid for five minutes
  • Duo Mobile passcode: Authenticate with a passcode generated in the Duo Mobile app
  • Hardware Token: Enter a passcode generated by a physical device issued by your organization
  • YubiKey passcode: Authenticate with a passcode generated by a YubiKey

User enrollment

There are three ways you can enroll users in your Duo environment: manual enrollment, self-enrollment, and automatic enrollment.

Manual enrollment

  1. Log in to the Duo Admin Panel, then click on Add New -> User.

  2. Enter the new user's information: username(s), email address, etc.

  3. Save the user, then send an enrollment email with a link for the user to complete setup, or generate an enrollment code to share manually.

Self-enrollment

  1. On the sidebar, click Applications -> Applications.

  2. Select the application you want to protect. In this example, I will use UNIX Application.

  3. Click on Edit Global Policy -> New User Policy. Ensure that Require enrollment is enabled.

Inline self-enrollment

This allows users who do not exist in Duo to be created dynamically when they first access the protected application. Once enrollment is complete, the user can then access the protected app.

Automatic enrollment

Setting up automatic enrollment involves preparing a user list as a CSV file and importing it into Duo. Whereas the Bulk Enroll Users tool accepts only usernames and email addresses, a CSV import can also include username aliases, full names, groups, notes, and multiple phones or mobile devices. Once imported, the users are created immediately and can be managed from the Duo Admin Panel.

[Image: a properly formatted CSV file]

Import your users:

  1. Navigate to Users -> Import Users in the left sidebar.

  2. Click Choose File, then select your CSV file, and click Upload.

  3. When the CSV is finished importing, you will see a message at the top of the screen showing the results.

Set up Duo MFA for Windows logon

Make sure you have enrolled your user from this machine and that they are ready to receive a code in the Duo Mobile app on their mobile device. The username (or alias) on Duo must match their Windows username.

  1. Navigate to Applications -> Application Catalog.

  2. Find Microsoft RDP in the catalog and click the Add button to create the application and get your integration key, secret key, and API hostname. Save these for later.

  3. Update the User access setting to grant access to this application to all users.

  4. Set the New User Policy for the Microsoft RDP application to Deny Access so that no unenrolled user can complete Duo enrollment via this application.

  5. Download and launch the Duo Authentication for Windows Logon installer package.

  6. Provide the integration key, secret key, and API hostname of your Microsoft RDP application.

  7. Finish the setup.

The Windows logon for this user is now protected with Duo MFA.
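As an added example that is not part of the original page, the following Python script ties together the CSV import section and the Windows logon requirement above: it builds a CSV in the shape the import section describes, validates it before upload, and reports Windows accounts that match neither a Duo username nor an alias (which a Deny Access new-user policy would lock out of RDP). The column names and the sample accounts are assumptions made for this example; check the headers against the import template in the Duo Admin Panel.

```python
import csv
import io
import re

# Column names are an assumption for this example; confirm them against the Duo Admin Panel's import template.
COLUMNS = ["username", "email", "fullname", "alias1", "groups", "notes", "phone1"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # structural check only, not full RFC validation

# Constructed sample data, not real accounts.
SAMPLE_USERS = [
    {"username": "jdoe", "email": "jdoe@example.com", "fullname": "Jane Doe", "alias1": "jane.doe"},
    {"username": "asmith", "email": "asmith@example.com", "groups": "IT Staff"},
]
SAMPLE_WINDOWS_ACCOUNTS = ["jdoe", "asmith", "bwayne"]

def build_import_csv(users):
    """Render a list of user dicts as CSV text under a fixed header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    for user in users:
        writer.writerow({col: user.get(col, "") for col in COLUMNS})
    return buf.getvalue()

def validate_import_csv(text):
    """List problems by CSV line: missing columns, blank/duplicate usernames, bad emails."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in ("username", "email") if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing required column(s): {', '.join(missing)}"]
    problems, seen = [], set()
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get("username") or "").strip()
        if not name:
            problems.append(f"line {n}: empty username")
            continue
        if name.lower() in seen:  # usernames are compared case-insensitively in this check
            problems.append(f"line {n}: duplicate username {name!r}")
        seen.add(name.lower())
        email = (row.get("email") or "").strip()
        if not EMAIL_RE.match(email):
            problems.append(f"line {n}: malformed email {email!r}")
    return problems

def windows_users_without_duo_match(text, windows_users):
    """Windows accounts matching no Duo username or alias1 (refused under a Deny Access new-user policy)."""
    known = set()
    for row in csv.DictReader(io.StringIO(text)):
        known.update(v for c in ("username", "alias1") if (v := (row.get(c) or "").strip().lower()))
    return sorted(u for u in windows_users if u.lower() not in known)
```

Run the mismatch check against the account list of each machine you plan to protect before setting the Microsoft RDP new-user policy to Deny Access.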