Configuring Multi-Factor Authentication with Duo
Overview
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This guide covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements.
Objectives
- Configure Duo MFA for VPN, RDP, SSH, and web applications
- Implement adaptive access policies based on user, device, and network context
- Deploy phishing-resistant authentication (Duo Verified Push, WebAuthn)
- Configure device health policies (trusted endpoints, OS version enforcement)
- Set up Duo Admin Panel monitoring and reporting
- Implement MFA bypass and emergency access procedures
Key Concepts
Duo Authentication Methods (by security strength)
- Security Keys (WebAuthn/FIDO2): Phishing-resistant, AAL3 capable
- Duo Verified Push: Requires code entry, resistant to MFA fatigue attacks
- Duo Push: Push notification to Duo Mobile app
- TOTP (Duo Mobile Passcode): Time-based one-time password
- Hardware Tokens: OTP from physical token
- SMS/Phone Call: Least secure, use only as fallback
Duo Integration Architecture
- Duo Authentication Proxy: On-premises proxy for RADIUS/LDAP integration
- Duo Web SDK: Embed Duo MFA in web applications
- Duo OIDC/SAML: SSO integration for cloud applications
- Duo for RDP: Windows Logon MFA
- Duo Unix: PAM-based MFA for SSH
Adaptive Access Policies
- Trusted Networks: Reduce MFA friction for corporate networks
- Remembered Devices: Skip MFA for trusted devices (configurable duration)
- Device Health: Block or require MFA based on OS patch level, encryption, firewall
- Risk-Based Authentication: Step-up MFA for anomalous login patterns
Implementation Steps
Step 1: Duo Authentication Proxy Setup
- Deploy Duo Authentication Proxy on Windows/Linux server
- Configure primary authentication (AD/LDAP or RADIUS)
- Configure Duo API credentials (Integration Key, Secret Key, API Hostname)
- Set failmode (safe=deny if Duo unreachable, secure=allow)
- Test proxy connectivity to Duo cloud and AD
Step 2: VPN MFA Integration
- Configure VPN concentrator for RADIUS authentication
- Point RADIUS to Duo Authentication Proxy
- Configure Duo proxy with [radius_server_auto] section
- Test VPN login with Duo Push
- Deploy to all VPN users with enrollment period
Step 3: RDP/Windows Logon MFA
- Install Duo Authentication for Windows Logon on target servers
- Configure Duo application in Admin Panel
- Set offline access options (allow N offline logins)
- Configure bypass for service accounts
- Test RDP login with Duo MFA
Step 4: Adaptive Policy Configuration
- Create user groups (Standard, Privileged, Contractors)
- Configure per-group authentication policies:
- Standard: Duo Push allowed, remembered device 7 days
- Privileged: Verified Push required, no remembered device
- Contractors: WebAuthn required, no remembered device
- Configure device health policies:
- Require encrypted disk
- Block outdated OS versions
- Require firewall enabled
- Set trusted network exceptions for corporate IPs
Step 5: Phishing-Resistant MFA Deployment
- Enable Verified Push (requires entering 3-digit code from login screen)
- Register WebAuthn/FIDO2 security keys for privileged users
- Disable SMS and phone call for high-risk groups
- Configure Duo Risk-Based Factor Selection
- Monitor for MFA fatigue attack patterns
Step 6: Monitoring and Response
- Configure Duo Admin Panel alerts
- Set up authentication log forwarding to SIEM
- Monitor for: MFA denial patterns, bypass usage, new device enrollments
- Create incident response playbook for MFA compromise
- Regular review of bypass and exception policies
Security Controls
| Control | NIST 800-53 | Description |
|---|---|---|
| MFA | IA-2(1) | Multi-factor authentication for network access |
| MFA for Privileged | IA-2(2) | MFA for privileged account access |
| Replay Resistance | IA-2(8) | Replay-resistant authentication |
| Device Identification | IA-3 | Device identity and trust |
| Authenticator Management | IA-5 | MFA enrollment and lifecycle |
Common Pitfalls
- Not deploying phishing-resistant MFA (Verified Push/FIDO2) for privileged accounts
- Setting failmode to "safe" (allow access when Duo is down) in production
- Not disabling SMS/phone call for users with app-capable devices
- Forgetting to configure offline access for laptops
- Not monitoring for MFA fatigue/prompt bombing attacks
Verification
- [ ] VPN login requires Duo MFA
- [ ] RDP to servers requires Duo MFA
- [ ] SSH access requires Duo MFA
- [ ] Verified Push enabled for privileged users
- [ ] Device health policy blocks non-compliant devices
- [ ] Authentication logs forwarded to SIEM
- [ ] Bypass/emergency access procedures tested
- [ ] MFA fatigue detection alerts configured
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC6.2 (Credentials), CC6.3 (Provisioning)
- ISO 27001: A.9.1 (Access Control), A.9.2 (User Access Management), A.9.4 (System Access Control)
- NIST 800-53: AC-2 (Account Management), IA-2 (Identification), AC-6 (Least Privilege)
- NIST CSF: PR.AC (Access Control)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add configuring-multi-factor-authentication-with-duo
# Or load dynamically via MCP
grc.load_skill("configuring-multi-factor-authentication-with-duo")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.