Configure Cisco Duo 2FA for SSH logins with ONTAP
Beginning with ONTAP 9.14.1, you can configure ONTAP to use Cisco Duo for two-factor authentication (2FA) during SSH logins. You configure Duo at the cluster level, and it applies to all user accounts by default. Alternatively, you can configure Duo at the level of the storage VM (previously referred to as vserver), in which case it applies only to users for that storage VM. If you enable and configure Duo, it serves as an additional authentication method, supplementing the existing methods for all users.
If you enable Duo authentication for SSH logins, users will need to enroll a device the next time they log in using SSH. For enrollment information, refer to the Cisco Duo enrollment documentation.
You can use the ONTAP command line interface to perform the following tasks with Cisco Duo:
Configure Cisco Duo
You can create a Cisco Duo configuration for either the entire cluster or for a specific storage VM (referred to as a vserver in the ONTAP CLI) using the security login duo create
command. When you do this, Cisco Duo is enabled for SSH logins for this cluster or storage VM. Learn more about the security login duo create
command in the ONTAP command reference.
-
Log in to the Cisco Duo Admin Panel.
-
Go to Applications > UNIX Application.
-
Record your integration key, secret key, and API hostname.
-
Log in to your ONTAP account using SSH.
-
Enable Cisco Duo authentication for this storage VM, substituting information from your environment for the values in brackets:
security login duo create \ -vserver <STORAGE_VM_NAME> \ -integration-key <INTEGRATION_KEY> \ -secret-key <SECRET_KEY> \ -apihost <API_HOSTNAME>
Learn more about the command in Worksheets for administrator authentication and RBAC configuration.
Change Cisco Duo configuration
You can change the way Cisco Duo authenticates users (for example, how many authentication prompts are given, or what HTTP proxy is used). If you need to change the Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI), you can use the security login duo modify
command. Learn more about the security login duo modify
command in the ONTAP command reference.
-
Log in to the Cisco Duo Admin Panel.
-
Go to Applications > UNIX Application.
-
Record your integration key, secret key, and API hostname.
-
Log in to your ONTAP account using SSH.
-
Change the Cisco Duo configuration for this storage VM, substituting updated information from your environment for the values in brackets:
security login duo modify \ -vserver <STORAGE_VM_NAME> \ -integration-key <INTEGRATION_KEY> \ -secret-key <SECRET_KEY> \ -apihost <API_HOSTNAME> \ -pushinfo true|false \ -http-proxy <HTTP_PROXY_URL> \ -autopush true|false \ -prompts 1|2|3 \ -max-unenrolled-logins <NUM_LOGINS> \ -is-enabled true|false \ -fail-mode safe|secure
Remove Cisco Duo configuration
You can remove the Cisco Duo configuration, which will remove the need for SSH users to authenticate using Duo upon login. To remove the Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI), you can use the security login duo delete
command. Learn more about the security login duo delete
command in the ONTAP command reference.
-
Log in to your ONTAP account using SSH.
-
Remove the Cisco Duo configuration for this storage VM, substituting your storage VM name for
<STORAGE_VM_NAME>
:security login duo delete -vserver <STORAGE_VM_NAME>
This permanently deletes the Cisco Duo configuration for this storage VM.
View Cisco Duo configuration
You can view the existing Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI) by using the security login duo show
command. Learn more about the security login duo show
command in the ONTAP command reference.
-
Log in to your ONTAP account using SSH.
-
Show the Cisco Duo configuration for this storage VM. Optionally, you can use the
vserver
parameter to specify a storage VM, substituting the storage VM name for<STORAGE_VM_NAME>
:security login duo show -vserver <STORAGE_VM_NAME>
You should see output similar to the following:
Vserver: testcluster Enabled: true Status: ok INTEGRATION-KEY: DI89811J9JWMJCCO7IOH SKEY SHA Fingerprint: b79ffa4b1c50b1c747fbacdb34g671d4814 API Host: api-host.duosecurity.com Autopush: true Push info: true Failmode: safe Http-proxy: 192.168.0.1:3128 Prompts: 1 Comments: -
Create a Duo group
You can instruct Cisco Duo to include only the users in a certain Active Directory, LDAP, or local user group in the Duo authentication process. If you create a Duo group, only the users in that group are prompted for Duo authentication. You can create a Duo group by using the security login duo group create
command. When you create a group, you can optionally exclude specific users in that group from the Duo authentication process. Learn more about the security login duo group create
command in the ONTAP command reference.
-
Log in to your ONTAP account using SSH.
-
Create the Duo group, substituting information from your environment for the values in brackets. If you omit the
-vserver
parameter, the group is created at the cluster level:security login duo group create -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME> -exclude-users <USER1, USER2>
The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the optional
-exclude-users
parameter will not be included in the Duo authentication process.
View Duo groups
You can view existing Cisco Duo group entries by using the security login duo group show
command. Learn more about the security login duo group show
command in the ONTAP command reference.
-
Log in to your ONTAP account using SSH.
-
Show the Duo group entries, substituting information from your environment for the values in brackets. If you omit the
-vserver
parameter, the group is shown at the cluster level:security login duo group show -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME> -exclude-users <USER1, USER2>
The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the optional
-exclude-users
parameter will not be displayed.
Remove a Duo group
You can remove a Duo group entry using the security login duo group delete
command. If you remove a group, the users in that group are no longer included in the Duo authentication process. Learn more about the security login duo group delete
command in the ONTAP command reference.
-
Log in to your ONTAP account using SSH.
-
Remove the Duo group entry, substituting information from your environment for the values in brackets. If you omit the
-vserver
parameter, the group is removed at the cluster level:security login duo group delete -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME>
The name of the Duo group must match an Active Directory, LDAP, or local group.
Bypass Duo authentication for users
You can exclude all users or specific users from the Duo SSH authentication process.
Exclude all Duo users
You can disable Cisco Duo SSH authentication for all users.
-
Log in to your ONTAP account using SSH.
-
Disable Cisco Duo authentication for SSH users, substituting the Vserver name for
<STORAGE_VM_NAME>
:security login duo -vserver <STORAGE_VM_NAME> -is-duo-enabled-false
Exclude Duo group users
You can exclude certain users that are part of a Duo group from the Duo SSH authentication process.
-
Log in to your ONTAP account using SSH.
-
Disable Cisco Duo authentication for specific users in a group. Substitute the group name and list of users to exclude for the values in brackets:
security login group modify -group-name <GROUP_NAME> -exclude-users <USER1, USER2>
The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the
-exclude-users
parameter will not be included in the Duo authentication process.
Exclude local Duo users
You can exclude specific local users from using Duo authentication by using the Cisco Duo Admin Panel. For instructions, refer to the Cisco Duo documentation.