Helping on a project that has a simple requirement — to lock down our switches and routers to have 2FA for administrator access. But, we’re out of our element on implementing this – and could use advice.
We do not have any sort of directory right now … at all … but will shortly have everyone in the Office 365 Admin with assorted different 365 licenses. So, to an extent, Azure/AD is available if we wanted. But, there’s no on-premise directory, and we’d prefer not to have another item to manage.
We were thinking to use something simple like JumpCloud’s RADIUS in the Cloud service, but we’re open to other ideas. Was hoping to avoid a full Duo, etc. implementation as it’s only for about 50 switches/routers, and only for admins, not users in any way.
We’ve been able to create an instance of a RADIUS server in the cloud on JumpCloud, and we see the name, secret key, and believe that we have the right IPs, but when messing around in the Cisco console, to see if we can make anything stick, we’re just not getting anywhere. We don’t see the device show up in the JumpCloud dashboard, and we're not sure if we’re doing the aaa setup right either (or what is necessary from it).
It just seems this shouldn’t be so hard. We seem to be missing the fundamental piece of understanding of what’s necessary to set up simple 2FA for these devices, even using a service like JumpCloud’s RADIUS.
Any ideas? Suggestions as to alternatives? Just looking for something inexpensive and not a pain in the butt for basic 2FA.
Things to note:
- Automated/scripted access doesn’t need 2FA.
- Network monitoring doesn’t have to be 2FA.
- We can have an admin user without 2FA if we lock it to physical access (e.g., console port).
- Can assume everything is Cisco.
- Most of the routers are actually ASAs.
- Most models of switches are Cisco Catalyst (3650 and 4500).
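For reference, here is the general shape of the AAA configuration the post is asking about: remote (SSH/VTY) admin logins go to an external RADIUS server, the console port falls back to a local account, and a test command confirms the device can reach the server before anything is enforced. This is an added illustration, not configuration from the original post or from JumpCloud; the server name, the address 203.0.113.10, the shared secret, the source interface and the local username are constructed placeholders to replace with your own values, and whether the second factor is enforced (appended OTP, push, etc.) is decided by the RADIUS service, not by the device, which only relays the credentials.

```cisco
! ---- Cisco IOS / Catalyst (3650, 4500) ----
aaa new-model
!
! Local admin used only as a fallback (console, or if RADIUS is unreachable)
username localadmin privilege 15 secret PLACEHOLDER_LOCAL_PASSWORD
!
! Define the cloud RADIUS server (constructed address and secret)
radius server JUMPCLOUD
 address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET
!
aaa group server radius JC-GROUP
 server name JUMPCLOUD
!
! Requests must leave from the IP the RADIUS service has whitelisted
ip radius source-interface Vlan1
!
! VTY (SSH) logins: RADIUS first, local account only if the server does not answer
aaa authentication login VTY-AUTH group JC-GROUP local
aaa authorization exec VTY-AUTH group JC-GROUP local
!
! Console: local account only (physical access, per the list above)
aaa authentication login CON-AUTH local
!
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 transport input ssh
line con 0
 login authentication CON-AUTH
!
! Check reachability/secret from exec mode before relying on it:
! test aaa group JC-GROUP someuser somepassword new-code
!
! ---- Cisco ASA equivalent ----
! aaa-server JC-GROUP protocol radius
! aaa-server JC-GROUP (outside) host 203.0.113.10
!  key PLACEHOLDER_SHARED_SECRET
!  authentication-port 1812
!  accounting-port 1813
! aaa authentication ssh console JC-GROUP LOCAL
! aaa authentication serial console LOCAL
! test aaa-server authentication JC-GROUP host 203.0.113.10 username someuser password somepassword
```

If the device never appears on the RADIUS service's side, the usual causes are the request leaving from a source address the service does not recognise, UDP 1812 being blocked on the path, or a shared-secret mismatch (which shows up as rejected rather than missing requests); the `test` commands surface all three without touching a live login.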