2 factor authentication and sso saml

fbiggizod
Just browsing

Hi,

Is it possible to run 2 factor authentication for the Meraki dashboard with Duo?

I found SAML SSO with Duo but was not sure if this will include 2 factor auth too...

 

Thank you 

BAllen
Here to help

Yes, for a 6 digit time based code. Just go to your profile and follow the instructions. However, the last time I tried, push notifications did not work like with AnyConnect.
mciecior
Here to help

Yes, this is possible.  You need to deploy the Duo Access Gateway (DAG), which is just a SAML IdP, and protect the built-in Meraki Dashboard application.

 

The Duo documentation is a little vague on this, but there are some fundamental assumptions the Duo DAG is making when passing the SAML response to the Meraki Dashboard.  The first is that you have an AD group in place for Meraki users, and that it's of a certain format.  You can then specify a prefix for all these Meraki-related groups in your AD and the DAG will search through all of those.

 

For example, if you have two groups, SAML-Meraki-Admin and SAML-Meraki-RO, users in either AD group will be able to authenticate, and the role attribute that's passed to the Dashboard is the exact same as the AD group name.  Thus, the role you define within all your organizations must match the AD group exactly.  There is no flexibility in this.
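
The exact-match requirement described in the reply above can be checked before rollout. The following is an added example, not part of the original post and not Duo or Meraki code: it compares a user's prefixed AD groups against the SAML roles defined in each Dashboard organization and flags case or whitespace near-misses. Group names, organization names and the case-sensitive prefix test are assumptions, and the sample data is constructed.

```python
# Added example: constructed data, hypothetical names throughout.

def candidate_roles(user_groups, prefix):
    """AD groups carrying the Meraki prefix; each is a possible role value.
    Assumption: the prefix test is a case-sensitive startswith()."""
    return sorted(g for g in user_groups if g.startswith(prefix))

def _fold(name):
    # Normalise only to *detect* near-misses; the real comparison is exact.
    return "".join(name.split()).casefold()

def check_role(role, org_roles):
    """Classify one role value against the SAML roles defined in one org."""
    if role in org_roles:
        return ("match", role)
    for defined in sorted(org_roles):
        if _fold(defined) == _fold(role):
            return ("near-miss", defined)  # differs only by case/whitespace
    return ("missing", None)

def preflight(user_groups, prefix, orgs):
    """Return {org: {role: (status, detail)}} for every prefixed group."""
    roles = candidate_roles(user_groups, prefix)
    return {org: {r: check_role(r, defined) for r in roles}
            for org, defined in orgs.items()}

# Constructed sample input: one user's AD groups and three organizations.
USER_GROUPS = ["Domain Users", "SAML-Meraki-Admin", "SAML-Meraki-RO"]
ORGS = {
    "Org-A": {"SAML-Meraki-Admin", "SAML-Meraki-RO"},
    "Org-B": {"saml-meraki-admin", "SAML-Meraki-RO "},  # case / trailing space
    "Org-C": {"SAML-Meraki-Admin"},                     # read-only role absent
}

if __name__ == "__main__":
    report = preflight(USER_GROUPS, "SAML-Meraki-", ORGS)
    for org, results in report.items():
        for role, (status, detail) in results.items():
            note = f" (defined as {detail!r})" if status == "near-miss" else ""
            print(f"{org}: {role!r} -> {status}{note}")
```

A "near-miss" or "missing" result means that organization has no role whose name is identical to the AD group name, so the role value sent for that group will not line up with any role defined there.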

fbiggizod
Just browsing

Here https://duo.com/docs/meraki#duo-access-gateway they mentioned ADFS for the SSO partnership between the AD FS service and the external cloud resource, in this case Meraki.

Does this mean Duo or ADFS, or Duo and ADFS, must be deployed?

 

Thank you 

mciecior
Here to help

There are only two required components:

1) a SAML service provider (SP) - in this case, the Meraki Dashboard

2) a SAML identity provider (IdP)

 

ADFS and the Duo DAG can both serve as SAML IdPs.  Provided you follow the AD group info I listed earlier, using the Duo DAG is pretty simple.  The flow is simple: the DAG sends you a push (via the Duo cloud), and then redirects you to the Dashboard after authentication.

 

If, however, you already have ADFS deployed, it might make more sense to use ADFS as the SAML IdP.  In that case, you would follow the guide to use ADFS as the SAML IdP with Meraki.  If you then want to tie in Duo, you'd have to follow the ADFS guide here as well.  The flow here is similar but not quite the same: ADFS would authenticate you via whatever policy you configure, then use the Duo cloud to send you a push, and then redirect you to the Dashboard.

 

In my mind, using only the DAG is simpler, but it's not as feature-rich of an IdP as ADFS or F5's APM.

fbiggizod
Just browsing

Hi, thank you.

 
