Summary: Implementation plan for enabling multi-factor authentication on a subset of Cisco IOS-XE devices using Cisco ISE and Cisco Duo, with Microsoft Authenticator as the TOTP client. Direct ISE-to-Duo Cloud integration was introduced in ISE 3.3 Patch 1 and is not available in ISE 3.2; an upgrade is a hard prerequisite. Devices in the MFA group are identified by ISE Network Device Group. VTY access uses TACACS with Duo MFA; console access is restricted to local login only.
MFA-Required NDG and assign target devices

ISE 3.3 Patch 1 introduced native direct integration with Duo Cloud as an identity source for TACACS+ device administration. ISE PSN nodes make HTTPS calls to the Duo API to trigger and validate the second factor. No Authentication Proxy is required, provided PSN nodes have outbound TCP 443 access to Duo Cloud. ISE can also sync users directly from Active Directory into Duo, simplifying enrolment.
Flow legend:
Console access is excluded from this flow by design. Line con 0 on MFA devices is bound to a separate AAA authentication list that uses local credentials only, ensuring console break-glass access is never dependent on Duo or internet availability.
⚠️ Microsoft Authenticator — TOTP Only
ISE 3.3 Patch 1 direct Duo integration supports Duo Push and phone call as described in the Cisco ISE 3.3 Patch 1 release notes. Microsoft Authenticator can be used as a TOTP passcode generator but does not support Duo Push — that requires the Duo Mobile app. If push notifications are preferred in future, users would need to re-enrol with Duo Mobile. Confirm the TOTP-only approach is acceptable before proceeding.
| Component | Current | Required | Notes |
|---|---|---|---|
| ISE Application | 3.2.0.401 | 3.3 Patch 1 minimum | Upgrade is a hard prerequisite — see Phase 0 |
| ISE Infrastructure | 3.2.0.542 | 3.3 Patch 1 minimum | Upgraded together with the application |
| ISE Licence Tier | Unconfirmed | Advantage or Premier | See ISE 3.3 Licensing Guide |
| Device Admin Licence | Unconfirmed | Active | TACACS Device Administration licence must be active |
⚠️ ISE Upgrade is a Hard Prerequisite
Direct Duo integration as an identity source for TACACS+ was introduced in ISE 3.3 Patch 1. It does not exist in ISE 3.2. The Duo Security identity source option will not appear in the ISE UI until the upgrade is complete. No Duo configuration should be attempted before the upgrade is validated.
| Component | Minimum | Notes |
|---|---|---|
| Duo Licence Tier | Essentials | Supports TOTP and third-party authenticator apps; Advantage adds Push and phone call — see Duo Edition Comparison |
| User Enrolment | Required before enforcement | AD sync creates accounts; users must still complete authenticator setup |
| Microsoft Authenticator | TOTP only | Users enrol via the Other TOTP app flow in Duo |
api-XXXXXXXX.duosecurity.com on TCP 443 (outbound HTTPS)

⚠️ Internet Dependency on PSN Nodes
With direct cloud integration, VTY authentication depends on ISE PSN nodes reaching Duo Cloud. If outbound internet access is lost at a site, SSH/Telnet to MFA devices at that site will fail. Console local login remains unaffected. Ensure network resilience and monitoring accounts for this dependency.
This phase is a blocking prerequisite. No Duo configuration is possible until ISE 3.3 Patch 1 or later is running at both sites.
1. Administration → System → Backup and Restore → Schedule Backup (on-demand)
— Include: Configuration, Operational (optional), Reports
— Store backup off-appliance (SFTP/FTP)
2. Take a VM snapshot of the Primary PAN (US) node
3. Take a VM snapshot of the Secondary PAN (UK) node
4. Take VM snapshots of any PSN-only nodes at either site
Upgrade in this order — upgrading the Primary PAN first ensures policy remains consistent during the process:
⚠️ Do Not Upgrade Nodes Simultaneously
Upgrading both PAN nodes at the same time will leave no active policy administration node during the process. Upgrade one node at a time and confirm it is healthy before starting the next.
Before proceeding to Duo configuration, confirm the existing environment is healthy on 3.3:
Before configuring ISE, establish the current state of the Duo environment:
admin.duosecurity.com
api-XXXXXXXX.duosecurity.com) — required for the ISE identity source

⚠️ Confirm No Existing Auth Proxy Dependency
If the Duo environment has an existing Authentication Proxy deployed for other integrations (e.g., VPN), do not decommission it as part of this project. The ISE TACACS integration uses direct cloud access independently.
Before configuring the identity source, confirm ISE PSN nodes can reach Duo Cloud:
```
ping api-XXXXXXXX.duosecurity.com
curl -I https://api-XXXXXXXX.duosecurity.com
```
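The two commands above only tell you "it works" or "it doesn't". The probe below, an added example that is not from the page's author, Cisco or Duo, separates the check into the three stages that usually fail independently: DNS resolution, the TCP 443 path through the outbound firewall/ACL, and a validated TLS handshake (a TLS-inspecting proxy or a stale CA bundle shows up here, not at the TCP stage). Run it from a host that shares the PSN nodes' egress path at each site. The hostname is the plan's placeholder; the `resolver` parameter is an assumption added so the probe can be exercised without network access.

```python
"""Stage-by-stage reachability probe for the Duo API hostname.
Added example: not the page's own code. The resolver parameter is an
assumption that lets the probe be tested offline."""
import socket
import ssl
from typing import Callable, Dict, List


def probe_duo_api(host: str, port: int = 443, timeout: float = 5.0,
                  resolver: Callable = socket.getaddrinfo) -> Dict[str, object]:
    """Return {'stage': 'dns'|'tcp'|'tls', 'ok': bool, 'detail': str}.

    The failing stage points at the owner: DNS, firewall/outbound ACL, or
    TLS interception / certificate trust.
    """
    try:
        addrs = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return {"stage": "dns", "ok": False, "detail": f"{host}: {exc}"}
    ip = addrs[0][4][0]

    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "ok": False, "detail": f"{ip}:{port}: {exc}"}

    # Default context validates the chain against the system CA store and
    # checks the hostname, the same checks ISE has to pass against Duo.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"stage": "tls", "ok": True,
                    "detail": f"{ip}:{port} certificate valid until {cert.get('notAfter')}"}
    except (ssl.SSLError, OSError) as exc:
        return {"stage": "tls", "ok": False, "detail": f"{ip}:{port}: {exc}"}
    finally:
        raw.close()


def probe_all(hosts: List[str]) -> Dict[str, Dict[str, object]]:
    """Probe every hostname once; keyed by host so a site-by-site report is easy."""
    return {h: probe_duo_api(h) for h in hosts}


if __name__ == "__main__":
    # Placeholder from the plan; substitute the tenant's real API hostname.
    for host, result in probe_all(["api-XXXXXXXX.duosecurity.com"]).items():
        status = "OK  " if result["ok"] else "FAIL"
        print(f"{status} {host} [{result['stage']}] {result['detail']}")
```

Run it on a schedule from a monitoring host at each site so the internet dependency called out in this plan is detected before an engineer discovers it at the SSH prompt.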
Duo-MFA
api-XXXXXXXX.duosecurity.com
Location or a custom Security-Tier)
MFA-Required
MFA-Required under the appropriate NDG field
MFA-Device-Admin
TACACS Device NDG EQUALS MFA-Required
MFA-Auth
Duo-MFA

⚠️ Policy Set Ordering
ISE evaluates Device Admin policy sets top-to-bottom and stops at the first match. Place MFA-Device-Admin above the general device admin policy set. If it falls below a catch-all, MFA devices will match the catch-all set and bypass Duo entirely.
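To make the ordering failure concrete, here is an added example (not the page's or Cisco's code) that models ISE's first-match evaluation over a list of policy sets and includes a small lint that flags any conditional set sitting below a catch-all. The set name MFA-Device-Admin, the NDG value MFA-Required and the identity source Duo-MFA are the plan's; the catch-all set's name (General-Device-Admin) and its identity source (AD) are assumptions.

```python
"""Model of ISE Device Admin policy-set evaluation: top to bottom, first
match wins. Added example, not the page's own code."""
from typing import List, Optional


class PolicySet:
    def __init__(self, name: str, ndg_equals: Optional[str], identity_source: str):
        self.name = name
        # Condition 'TACACS Device NDG EQUALS <value>'; None models a catch-all set
        self.ndg_equals = ndg_equals
        self.identity_source = identity_source


def first_match(policy_sets: List[PolicySet], device_ndg: str) -> Optional[PolicySet]:
    """Return the first policy set whose condition the device's NDG satisfies."""
    for ps in policy_sets:
        if ps.ndg_equals is None or ps.ndg_equals == device_ndg:
            return ps
    return None  # no set matched; ISE would reject the request


def identity_source_for(policy_sets: List[PolicySet], device_ndg: str) -> Optional[str]:
    """Identity source a TACACS+ login from a device in device_ndg would be checked against."""
    ps = first_match(policy_sets, device_ndg)
    return ps.identity_source if ps else None


def lint_ordering(policy_sets: List[PolicySet]) -> List[str]:
    """Names of conditional sets placed below a catch-all; they can never be reached."""
    shadowed, catch_all_seen = [], False
    for ps in policy_sets:
        if ps.ndg_equals is None:
            catch_all_seen = True
        elif catch_all_seen:
            shadowed.append(ps.name)
    return shadowed


MFA_SET = PolicySet("MFA-Device-Admin", "MFA-Required", "Duo-MFA")
# Assumed name and identity source for the existing general device admin set
GENERAL_SET = PolicySet("General-Device-Admin", None, "AD")

CORRECT_ORDER = [MFA_SET, GENERAL_SET]
WRONG_ORDER = [GENERAL_SET, MFA_SET]

if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        src = identity_source_for(order, "MFA-Required")
        print(f"{label:7s} MFA device -> {src:8s} shadowed: {lint_ordering(order)}")
```

In the wrong ordering an MFA device is authenticated against AD with no second factor, and nothing in the device configuration reveals it; the lint is the kind of check worth running against an export of the policy sets after every ISE change.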
Each device assigned to the MFA-Required NDG requires the following configuration. VTY lines use the TACACS authentication list, which triggers Duo via ISE. The console uses a separate local-only authentication list with no TACACS or MFA dependency.
```
! Required — must appear before all other AAA commands
aaa new-model
! TACACS server group pointing to ISE PSN nodes at both sites
! (remove the ip vrf forwarding line if TACACS is sourced from the global table)
aaa group server tacacs+ ISE-TACACS
 server-private <ISE_PSN_US_IP> key <tacacs_key>
 server-private <ISE_PSN_UK_IP> key <tacacs_key>
 ip vrf forwarding <VRF_NAME>
! VTY authentication — TACACS (triggers Duo MFA via ISE)
! No local fallback is intentional: if ISE is unreachable, SSH fails.
! Console break-glass (CON_LOCAL) is the recovery path.
aaa authentication login VTY_MFA group ISE-TACACS
! Console authentication — local only, no TACACS, no MFA dependency
aaa authentication login CON_LOCAL local
! Authorisation — named lists keep VTY and console fully independent.
! Using 'default' here would route console exec authorisation through TACACS,
! undermining break-glass independence.
aaa authorization exec VTY_MFA group ISE-TACACS local
aaa authorization commands 15 VTY_MFA group ISE-TACACS local
! Console exec is always permitted (no authorisation lookup)
aaa authorization exec CON_LOCAL none
! Accounting — scoped to VTY only; console sessions are excluded
aaa accounting exec VTY_MFA start-stop group ISE-TACACS
aaa accounting commands 15 VTY_MFA start-stop group ISE-TACACS
! Console — local login only, no TACACS authorisation dependency
line con 0
 login authentication CON_LOCAL
 authorization exec CON_LOCAL
 exec-timeout 10 0
! VTY 0–4 — TACACS with Duo MFA via ISE
! Named command-authorisation and accounting lists only take effect on a line
! when applied here; without these lines the lists defined above are never used.
line vty 0 4
 login authentication VTY_MFA
 authorization exec VTY_MFA
 authorization commands 15 VTY_MFA
 accounting exec VTY_MFA
 accounting commands 15 VTY_MFA
 transport input ssh
 exec-timeout 15 0
! VTY 5–15 — same
line vty 5 15
 login authentication VTY_MFA
 authorization exec VTY_MFA
 authorization commands 15 VTY_MFA
 accounting exec VTY_MFA
 accounting commands 15 VTY_MFA
 transport input ssh
 exec-timeout 15 0
```
Every MFA device must have a local account for console break-glass use. This account is accessible only via the console because CON_LOCAL is applied to line con 0 only.
```
! Use algorithm-type sha256 (minimum) or scrypt (preferred on IOS-XE 17.x+)
username breakglass privilege 15 algorithm-type scrypt secret <strong_password>
```
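The template above is only effective if every device in the MFA-Required NDG actually carries it, so the following added example (not the page's author's or Cisco's code) audits an exported IOS-XE running-config for the properties the plan depends on: the VTY lines bound to the TACACS list with no local fallback, command authorisation and accounting applied on the lines rather than only defined globally, SSH-only transport, the console bound to the local-only list, and a privilege-15 local user whose secret is stored as type 8 (PBKDF2-SHA256) or type 9 (scrypt), which is how `algorithm-type sha256`/`scrypt` appear in a running-config. The list names VTY_MFA and CON_LOCAL are the plan's; the sample config is constructed and deliberately incomplete.

```python
"""Compliance audit for the MFA-device AAA template. Added example, not the
page's own code. SAMPLE_CONFIG is constructed and intentionally has gaps."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS
 server-private 192.0.2.10 key 7 0822455D0A16
 server-private 192.0.2.20 key 7 0822455D0A16
aaa authentication login VTY_MFA group ISE-TACACS
aaa authentication login CON_LOCAL local
aaa authorization exec VTY_MFA group ISE-TACACS local
aaa authorization commands 15 VTY_MFA group ISE-TACACS local
aaa authorization exec CON_LOCAL none
aaa accounting exec VTY_MFA start-stop group ISE-TACACS
aaa accounting commands 15 VTY_MFA start-stop group ISE-TACACS
username breakglass privilege 15 secret 9 $9$constructedScryptHashXXXX
line con 0
 login authentication CON_LOCAL
 authorization exec CON_LOCAL
 exec-timeout 10 0
line vty 0 4
 login authentication VTY_MFA
 authorization exec VTY_MFA
 transport input ssh
 exec-timeout 15 0
line vty 5 15
 login authentication VTY_MFA
 authorization exec VTY_MFA
 transport input ssh telnet
 exec-timeout 15 0
"""


def parse_sections(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and per-block child lines.
    Indented lines belong to the preceding unindented header (e.g. 'line vty 0 4')."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        blocks[current] = []
    return top, blocks


def _methods(top: List[str], prefix: str) -> Optional[List[str]]:
    """Method list following a global AAA statement, or None if it is absent."""
    for line in top:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].split()
    return None


def audit_mfa_device(text: str, vty_list: str = "VTY_MFA", con_list: str = "CON_LOCAL") -> List[str]:
    """Return a list of findings; an empty list means the config matches the template."""
    top, blocks = parse_sections(text)
    findings: List[str] = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing; named method lists are inert without it")
    vty_auth = _methods(top, f"aaa authentication login {vty_list}")
    if vty_auth is None:
        findings.append(f"login list {vty_list} not defined")
    elif "local" in vty_auth:
        findings.append(f"login list {vty_list} has a local fallback (Duo bypass if ISE is down)")
    if _methods(top, f"aaa authentication login {con_list}") != ["local"]:
        findings.append(f"login list {con_list} must be 'local' only")
    for stmt in (f"aaa authorization exec {vty_list}", f"aaa authorization commands 15 {vty_list}",
                 f"aaa accounting exec {vty_list}", f"aaa accounting commands 15 {vty_list}"):
        if _methods(top, stmt) is None:
            findings.append(f"global statement missing: {stmt}")
    vty_blocks = [h for h in blocks if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no line vty blocks found")
    required = [f"login authentication {vty_list}", f"authorization exec {vty_list}",
                f"authorization commands 15 {vty_list}", f"accounting exec {vty_list}",
                f"accounting commands 15 {vty_list}"]
    for header in vty_blocks:
        children = blocks[header]
        for req in required:
            if req not in children:
                findings.append(f"{header}: missing '{req}'")
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: non-SSH transport permitted ({transports or 'default'})")
    con = blocks.get("line con 0")
    if con is None or f"login authentication {con_list}" not in con:
        findings.append(f"line con 0 not bound to {con_list}")
    # Running-config shows the secret type: 8 = PBKDF2-SHA256, 9 = scrypt; 5 (MD5) is weak
    users = []
    for line in top:
        m = re.match(r"^username (\S+) privilege 15 secret (\d) ", line)
        if m:
            users.append((m.group(1), m.group(2)))
    if not users:
        findings.append("no privilege-15 local user for console break-glass")
    for name, stype in users:
        if stype not in ("8", "9"):
            findings.append(f"user {name}: secret type {stype} is not sha256 (8) or scrypt (9)")
    return findings


if __name__ == "__main__":
    for f in audit_mfa_device(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the constructed sample the audit reports the command-authorisation and accounting lists missing from both VTY ranges and the Telnet transport left on `line vty 5 15`; feed it `show running-config` output collected from each device in the MFA-Required NDG and treat any finding as a blocker before enforcement.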
⚠️ Break-Glass Account Security
This account bypasses Duo entirely and grants full access via the physical console. The password must be complex, stored securely offline (sealed envelope or secrets vault), and physical console access should be controlled or restricted via a console server with its own access controls.
With AD sync configured in Phase 2.2, ISE will push AD users into Duo automatically. This creates Duo user accounts without requiring manual invitation steps. Users in the Duo Admin Panel under Users should populate from AD shortly after sync is enabled.
Users still need to complete their own authenticator enrolment — AD sync creates the account but does not set up their device.
When SSH-ing into an MFA-enabled device:
The experience on the console is unchanged — users enter their local username and password with no Duo prompt.
api-XXXXXXXX.duosecurity.com (both sites)

Assign a single test device to the MFA-Required NDG and validate:

MFA-Required NDG and confirm no Duo challenge is presented

If MFA needs to be removed from a device urgently:

MFA-Required NDG. The next authentication attempt falls through to the standard policy set. No device configuration change is required.
login authentication statement on VTY lines to the non-MFA method list. Requires console access using the local break-glass account.

If the ISE 3.3 upgrade itself causes problems:
| Component | Current | Required | Notes |
|---|---|---|---|
| ISE Application | 3.2.0.401 | 3.3 Patch 1 minimum | Upgrade required before any Duo config |
| ISE Infrastructure | 3.2.0.542 | 3.3 Patch 1 minimum | Upgraded with application |
| ISE Licence Tier | Unconfirmed | Advantage or Premier | Verify before upgrade |
| Duo Authentication Proxy | Not required | — | Direct PSN-to-cloud integration used |
| Duo Licence Tier | Unknown — audit first | Essentials minimum; Advantage for Push | |
| IOS-XE | Varies | No change needed | No specific version requirement for TACACS; 17.x recommended |
| Microsoft Authenticator | Existing deployment | No changes required | TOTP enrolment only |
| Firewall / outbound ACL | May require change | TCP 443 from all PSN nodes to Duo API FQDN | Required at both US and UK sites |
| Acronym | Definition |
|---|---|
| AAA | Authentication, Authorisation, and Accounting |
| ACL | Access Control List |
| AD | Active Directory |
| API | Application Programming Interface |
| CLI | Command Line Interface |
| FQDN | Fully Qualified Domain Name |
| FTP | File Transfer Protocol |
| HTTPS | Hypertext Transfer Protocol Secure |
| ISE | Identity Services Engine (Cisco) |
| MFA | Multi-Factor Authentication |
| NDG | Network Device Group |
| PAN | Policy Administration Node |
| PSN | Policy Service Node |
| RADIUS | Remote Authentication Dial-In User Service |
| SFTP | Secure File Transfer Protocol |
| SSH | Secure Shell |
| TACACS+ | Terminal Access Controller Access-Control System Plus |
| TCP | Transmission Control Protocol |
| TOTP | Time-based One-Time Password |
| UDP | User Datagram Protocol |
| VPN | Virtual Private Network |
| VRF | Virtual Routing and Forwarding |
| VTY | Virtual Teletype |