Skip to main content

Configure Cisco Duo 2FA for SSH logins with ONTAP

Contributors netapp-mwallis netapp-aaron-holt netapp-dbagwell

Beginning with ONTAP 9.14.1, you can configure ONTAP to use Cisco Duo for two-factor authentication (2FA) during SSH logins. You configure Duo at the cluster level, and it applies to all user accounts by default. Alternatively, you can configure Duo at the level of the storage VM (previously referred to as vserver), in which case it applies only to users for that storage VM. If you enable and configure Duo, it serves as an additional authentication method, supplementing the existing methods for all users.

If you enable Duo authentication for SSH logins, users will need to enroll a device the next time they log in using SSH. For enrollment information, refer to the Cisco Duo enrollment documentation.

You can use the ONTAP command line interface to perform the following tasks with Cisco Duo:

Configure Cisco Duo

You can create a Cisco Duo configuration for either the entire cluster or for a specific storage VM (referred to as a vserver in the ONTAP CLI) using the security login duo create command. When you do this, Cisco Duo is enabled for SSH logins for this cluster or storage VM. Learn more about the security login duo create command in the ONTAP command reference.

Steps
  1. Log in to the Cisco Duo Admin Panel.

  2. Go to Applications > UNIX Application.

  3. Record your integration key, secret key, and API hostname.

  4. Log in to your ONTAP account using SSH.

  5. Enable Cisco Duo authentication for this storage VM, substituting information from your environment for the values in brackets:

    security login duo create \
    -vserver <STORAGE_VM_NAME> \
    -integration-key <INTEGRATION_KEY> \
    -secret-key <SECRET_KEY> \
    -apihost <API_HOSTNAME>

Change Cisco Duo configuration

You can change the way Cisco Duo authenticates users (for example, how many authentication prompts are given, or what HTTP proxy is used). If you need to change the Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI), you can use the security login duo modify command. Learn more about the security login duo modify command in the ONTAP command reference.

Steps
  1. Log in to the Cisco Duo Admin Panel.

  2. Go to Applications > UNIX Application.

  3. Record your integration key, secret key, and API hostname.

  4. Log in to your ONTAP account using SSH.

  5. Change the Cisco Duo configuration for this storage VM, substituting updated information from your environment for the values in brackets:

    security login duo modify \
    -vserver <STORAGE_VM_NAME> \
    -integration-key <INTEGRATION_KEY> \
    -secret-key <SECRET_KEY> \
    -apihost <API_HOSTNAME> \
    -pushinfo true|false \
    -http-proxy <HTTP_PROXY_URL> \
    -autopush true|false \
    -prompts 1|2|3 \
    -max-unenrolled-logins <NUM_LOGINS> \
    -is-enabled true|false \
    -fail-mode safe|secure

Remove Cisco Duo configuration

You can remove the Cisco Duo configuration, which will remove the need for SSH users to authenticate using Duo upon login. To remove the Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI), you can use the security login duo delete command. Learn more about the security login duo delete command in the ONTAP command reference.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Remove the Cisco Duo configuration for this storage VM, substituting your storage VM name for <STORAGE_VM_NAME>:

    security login duo delete  -vserver <STORAGE_VM_NAME>

    This permanently deletes the Cisco Duo configuration for this storage VM.

View Cisco Duo configuration

You can view the existing Cisco Duo configuration for a storage VM (referred to as a vserver in the ONTAP CLI) by using the security login duo show command. Learn more about the security login duo show command in the ONTAP command reference.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Show the Cisco Duo configuration for this storage VM. Optionally, you can use the vserver parameter to specify a storage VM, substituting the storage VM name for <STORAGE_VM_NAME>:

    security login duo show -vserver <STORAGE_VM_NAME>

    You should see output similar to the following:

    Vserver: testcluster
    Enabled: true
    
    Status: ok
    INTEGRATION-KEY: DI89811J9JWMJCCO7IOH
    SKEY SHA Fingerprint:
    b79ffa4b1c50b1c747fbacdb34g671d4814
    API Host: api-host.duosecurity.com
    Autopush: true
    Push info: true
    Failmode: safe
    Http-proxy: 192.168.0.1:3128
    Prompts: 1
    Comments: -

Create a Duo group

You can instruct Cisco Duo to include only the users in a certain Active Directory, LDAP, or local user group in the Duo authentication process. If you create a Duo group, only the users in that group are prompted for Duo authentication. You can create a Duo group by using the security login duo group create command. When you create a group, you can optionally exclude specific users in that group from the Duo authentication process. Learn more about the security login duo group create command in the ONTAP command reference.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Create the Duo group, substituting information from your environment for the values in brackets. If you omit the -vserver parameter, the group is created at the cluster level:

    security login duo group create -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME> -exclude-users <USER1, USER2>

    The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the optional -exclude-users parameter will not be included in the Duo authentication process.

View Duo groups

You can view existing Cisco Duo group entries by using the security login duo group show command. Learn more about the security login duo group show command in the ONTAP command reference.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Show the Duo group entries, substituting information from your environment for the values in brackets. If you omit the -vserver parameter, the group is shown at the cluster level:

    security login duo group show -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME> -exclude-users <USER1, USER2>

    The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the optional -exclude-users parameter will not be displayed.

Remove a Duo group

You can remove a Duo group entry using the security login duo group delete command. If you remove a group, the users in that group are no longer included in the Duo authentication process. Learn more about the security login duo group delete command in the ONTAP command reference.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Remove the Duo group entry, substituting information from your environment for the values in brackets. If you omit the -vserver parameter, the group is removed at the cluster level:

    security login duo group delete -vserver <STORAGE_VM_NAME> -group-name <GROUP_NAME>

    The name of the Duo group must match an Active Directory, LDAP, or local group.

Bypass Duo authentication for users

You can exclude all users or specific users from the Duo SSH authentication process.

Exclude all Duo users

You can disable Cisco Duo SSH authentication for all users.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Disable Cisco Duo authentication for SSH users, substituting the Vserver name for <STORAGE_VM_NAME>:

    security login duo -vserver <STORAGE_VM_NAME> -is-duo-enabled-false

Exclude Duo group users

You can exclude certain users that are part of a Duo group from the Duo SSH authentication process.

Steps
  1. Log in to your ONTAP account using SSH.

  2. Disable Cisco Duo authentication for specific users in a group. Substitute the group name and list of users to exclude for the values in brackets:

    security login group modify -group-name <GROUP_NAME> -exclude-users <USER1, USER2>

    The name of the Duo group must match an Active Directory, LDAP, or local group. Users you specify with the -exclude-users parameter will not be included in the Duo authentication process.

Exclude local Duo users

You can exclude specific local users from using Duo authentication by using the Cisco Duo Admin Panel. For instructions, refer to the Cisco Duo documentation.