Lab Guide

Cisco dCloud

Duo Lab v1 – Beginner

Last Updated: 30-October-2020

About This Lab


For this preconfigured lab, the Beginner Guide walks through basic setup, including an overview of the Admin Panel. It
includes:

About This Lab
Requirements
About This Solution
Topology
Get Started
Scenario 1. Admin Panel Navigation
Scenario 2. Protecting Applications
Scenario 3. Application Options
Scenario 4. Removing Applications
Scenario 5. Protecting Users
Appendix A. Sign Up for a Duo Account
What’s Next?

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Required          Optional
Laptop            Laptop with Cisco AnyConnect®
Mobile Phone
Duo Mobile App

About This Solution


By deploying Duo, administrators are taking a big step toward safeguarding their organization and their employees from data
theft and account takeover.
This lab's Beginner Guide walks you through the basics of navigating the Admin Panel. Every aspect of Duo's two-factor
authentication system can be managed from the Admin Panel—including:
• Configuring and testing applications
• Importing users and groups from external user directories
• Enrolling and managing users
• Managing authentication methods
• Enforcing access policies for users and devices
• Monitoring dashboard and generating logs and reports
• Creating and managing Duo administrator accounts
• and more


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution.
Most components are fully configurable with predefined administrative user accounts. You can see the IP address and user
account credentials to use to access a component by clicking the component icon in the Topology menu of your active session
and in the scenario steps that require their use.

dCloud Topology


Get Started

Follow the steps to schedule a session of the content and configure your presentation environment.
1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client
on your laptop [Show Me How]
3. Click Jumphost, then click Remote Desktop.

4. Double-click the Demo Ready icon on the desktop.


5. On the Welcome to dCloud page, to the right of the Activation URL, click copy.

6. Open your browser, and then paste the Activation URL into the address bar.


7. On the Duo New Admin Setup page, click Get started.

8. Create your password (with a minimum of 12 characters), confirm your password, and then click Continue.

9. From the Duo Mobile Phone app, scan the QR code.



10. After a successful scan, you will see this screen. Click Continue.

11. Click Skip setting a phone number as a backup.


12. You have successfully set up your Duo admin account. From here, you can click the Launch button on the Welcome screen
(shown in Step 6), or you can click Continue to Duo Admin Panel Login.

13. Enter your email address, and then click Continue.


14. Enter the password you created in Step 9, and then click Log in.


15. At this point, you can either use Duo Push or enter the Passcode from the Duo app to confirm your identity.
a. Tap Duo Push
or
b. Enter the Passcode from the app

16. Tap Submit.


17. You will see the Duo Admin Dashboard, which you will learn to navigate in the first scenario.


Scenario 1. Admin Panel Navigation


Value Proposition: Manage or view different menu items by clicking the links on the left side of the Admin Panel. You may be
shown a subset of these links, depending on your assigned administrative role.

Steps

1. Familiarize yourself with each of the following options in the left navigation. Video Overview

• Dashboard: Return to the summary and authentication map. Dashboard Documentation


• Device Insight: Review information about clients and devices authenticating to Duo. This feature appears to Duo Beyond,
Duo Access, and Duo MFA plan customers. Device Insights Documentation
• Policies: Refine and assign access policies by user group and per application. This feature will be visible to customers with
Duo Beyond, Duo Access, and Duo MFA plans. Policy Documentation
• Applications: View, add, and modify applications. Protecting Applications Documentation
• Users: View, create, and modify users. Managing Duo Users Documentation
• Groups: Create and view user groups. Using Groups Documentation
• Endpoints: Review operating system, browser, and plugin security status information for end user devices accessing Duo.
This feature appears to Duo Beyond and Duo Access plan customers. Endpoints Documentation

Note: This feature is not available for Duo MFA plan customers.

• 2FA Devices: View, create, and assign phones, hardware tokens, and other authentication devices. Managing 2FA
Devices
• Administrators: Create, manage and delete Duo administrator accounts. Managing Duo Administrators
• Trusted Endpoints Configuration: Set up management integrations to support managed/unmanaged device detection
using Duo certificates. This feature appears to Duo Beyond plan customers. Trusted Endpoints Documentation

Note: This feature is not available for Duo MFA plan customers.

• Reports: View authentication events, administrator actions, and other valuable reports. All administrator roles except
Billing and Phishing Manager can view reports. Reports Documentation

• Settings: Change global settings for your Duo service. Using Admin Panel and Changing Settings Documentation
• Billing: Manage payment methods, change your Duo subscription, view and download your monthly billing history, and
purchase telephony credits or Duo hardware tokens.

2. You'll find Duo's support information on the left side of the Admin Panel as well.
3. Additionally, you'll find your Deployment ID on the left, under your Account ID. Clicking the Deployment ID takes you to
the Duo Service Status page, where you can see the current operational status of Duo's cloud systems.


Scenario 2. Protecting Applications


Value Proposition: Decide which service, system, or appliance you want to protect with Duo. The Applications page lists all
resources that are linked and protected by your Duo service.

Steps

1. Click Applications in the left sidebar, and then click Protect an Application. Alternatively, you can click the Add
New... button in the top right of the Dashboard page and then click Application.

Note: The Protect an Application page lists the different types of services you can protect with Duo.

2. You can scroll down the page to browse all available applications or start typing the name of your product in the space
provided to filter the applications list. For example, type ci to view Cisco and Citrix solutions.


3. Before adding the new application, click Read the documentation and review the requirements and configuration steps
for integrating Duo with that application.

Note: If you don't see a Read the documentation link, that means it's a partner application for which Duo doesn't host
configuration instructions.

4. When you've located the application you want to protect with Duo, click the Protect this Application link to the right of
the application's name. Your new application is added with a default name like Cisco SSL VPN.

5. You'll be taken directly to the new application's properties page after creation. Here you can update the application's name
and phone greeting or set policies for that application.


6. The Details section near the top of the page shows your Integration key (ikey), Secret key (skey), and API hostname.

Note: The integration key and secret key uniquely identify a specific application to Duo. The API hostname is unique
to your account but shared by all your applications. You'll need these keys and hostname when configuring your
system to work with Duo. You may also need them if you contact Duo Support.

IMPORTANT: Treat your secret key like a password.


The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any
sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

7. Click the Instructions link at the top of each application's properties page to configure your appliance, device, application,
service, or system to work with Duo.


Scenario 3. Application Options


Value Proposition: A few additional settings can be configured from an application’s properties page.

Steps

Policy

1. Policy settings are visible to Duo Beyond, Duo Access, and Duo MFA plan customers. Only Duo Beyond and Duo Access
customers can create and assign application and group policies that control device security, allowed authenticators, and
more.


2. Duo MFA customers may create a policy for an individual application that affects all users of that application or use the
Global Policy to manage settings for all applications.

Type and Name

1. The application Type shows what kind of application you’re protecting with Duo. This field is read-only.
2. Users see the application's Name each time they authenticate using Duo Push. To update, type in a new name and click
the Save Changes button at the bottom of the page when done.


Self-service Portal

Duo's self-service portal lets users add, update, and remove authentication devices. The self-service portal is an option for
web-based and some SSL VPN applications that feature inline enrollment and an authentication prompt.
1. To enable this feature, check the Let users manage their own devices box under Settings. This option will only be
available if the application supports the self-service portal feature.
2. Click Save Changes at the bottom of the page when done.

New User Policy

1. An application's new user policy can be one of the following:


• Require enrollment - Users who are not enrolled in Duo see the inline self-enrollment setup process after entering their
primary username and password. Users who are already enrolled in Duo are prompted to complete two-factor
authentication. This is the default policy for new applications.
• Allow access - Users who are already enrolled in Duo are prompted for two-factor authentication. Users not enrolled in
Duo are not prompted to complete enrollment and are granted access without two-factor authentication. Customers with
Duo Beyond and Duo Access plans see events for users that access an application without two-factor authentication as a
result of this setting in the Authentication Log.
• Deny access - Access is denied to users not enrolled in Duo. Users must be enrolled before attempting authentication, by
using one of the automatic enrollment options, bulk self-enrollment, or manual enrollment by a Duo administrator.

Note: The new user policy settings are especially important during a staged rollout or controlled deployment of Duo.
You can initially enroll just a subset of your user base and set the policy to allow access, which will require two-factor
authentication for just the enrolled testers while the rest of your users continue to log on normally.


2. To change the new user policy, click the radio button next to the desired setting.
3. Click the Save Changes button at the bottom of the page when done.

Remembered Devices

When the Remembered Devices option is set, users are not challenged for Duo two-factor for the specified number of days
after authenticating on that device.
1. To enable this feature, check the box next to Allow users to remember their device for _ days (or hours) and enter the
desired number of days or hours (365 days or less) in the space provided (the default is 30 days).
2. Click Save Changes.

Authorized Networks

When the Authorized Networks option is configured, users are only challenged for two-factor authentication when accessing
the application from outside the listed IP addresses, IP ranges, or CIDR networks. Refer to Configuring Authorized Networks
Documentation.
1. To configure this feature, check the Don't require two-factor authentication for logins from the following IPs: box and
enter your network information in the space provided.
2. You can choose whether unenrolled users accessing the application from an authorized network are required to complete
Duo enrollment by checking the box next to Enroll new users logging in from authorized networks.
3. Click Save Changes.


Username Normalization

The Username normalization option controls whether usernames entered for primary authentication should be altered before
trying to match them to a Duo user account.

With normalization off, the usernames jsmith, DOMAIN\jsmith, and jsmith@domain.com would be three separate users in
Duo.
When username normalization is enabled, any domain information is stripped from the username; so jsmith,
DOMAIN\jsmith, and jsmith@domain.com would all resolve to a single jsmith Duo user.
1. To turn on username normalization, click the radio button next to Simple.
2. Click Save Changes.
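
How the New User Policy, Authorized Networks and Username Normalization settings described above combine for a single login, as an added example (a simplified model written for this guide, not Duo's code). The AppSettings container, the outcome labels, the "first-last" range syntax and the order of the checks are assumptions; the sample users and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def normalize_simple(username):
    """'Simple' normalization: strip any DOMAIN\\ prefix or @domain suffix."""
    name = username.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def in_authorized_networks(client_ip, entries):
    """True if client_ip is inside any listed address, range, or CIDR network."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if "-" in entry:  # assumed range syntax: "first-last"
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first.version == ip.version and first <= ip <= last:
                return True
        elif ip in ipaddress.ip_network(entry.strip(), strict=False):
            return True
    return False


@dataclass
class AppSettings:  # hypothetical container for the options on the properties page
    new_user_policy: str = "require_enrollment"  # or "allow_access" / "deny_access"
    authorized_networks: list = field(default_factory=list)
    enroll_from_authorized: bool = False
    normalization: str = "none"  # or "simple"


def decide(settings, enrolled_users, username, client_ip):
    """Return 'challenge_2fa', 'enroll', 'allow_without_2fa' or 'deny'."""
    user = normalize_simple(username) if settings.normalization == "simple" else username
    enrolled = user in enrolled_users
    # Assumption: the authorized-network check is evaluated before the new user policy.
    if in_authorized_networks(client_ip, settings.authorized_networks):
        if not enrolled and settings.enroll_from_authorized:
            return "enroll"
        return "allow_without_2fa"
    if enrolled:
        return "challenge_2fa"
    return {"require_enrollment": "enroll",
            "allow_access": "allow_without_2fa",
            "deny_access": "deny"}[settings.new_user_policy]


def logins_without_2fa(settings, enrolled_users, logins):
    """List the (username, ip) pairs that this configuration lets in unchallenged."""
    return [(u, ip) for u, ip in logins
            if decide(settings, enrolled_users, u, ip) == "allow_without_2fa"]


# Constructed sample data: a staged rollout with one enrolled tester.
ENROLLED = {"jsmith"}
LOGINS = [("jsmith", "198.51.100.7"), ("DOMAIN\\jsmith", "198.51.100.7"),
          ("jsmith@domain.com", "10.20.30.40"), ("adoe", "198.51.100.7")]
ROLLOUT = AppSettings(new_user_policy="allow_access",
                      authorized_networks=["10.0.0.0/8", "192.0.2.10-192.0.2.20"])

if __name__ == "__main__":
    for mode in ("none", "simple"):
        ROLLOUT.normalization = mode
        print(mode, logins_without_2fa(ROLLOUT, ENROLLED, LOGINS))
```

With normalization off, the enrolled tester's DOMAIN\jsmith login is treated as an unenrolled user and is admitted without two-factor authentication under Allow access; turning on Simple normalization removes that entry from the list.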

Voice Greeting

1. The Voice greeting is read to users at the beginning of the verification phone call before the Duo authentication
instructions. You may customize the greeting as you wish.
2. Click Save Changes.


Applications Notes

1. Enter any additional information about your application in the Notes field. The notes are only visible to administrators.
2. Click Save Changes.

Permitted Groups

1. With Permitted Groups, Duo groups can be used to restrict active Duo user access to applications. To configure this
setting, check the Only allow authentication from users in certain groups box and then click in the Select groups field to
bring up a list of groups.
2. Click on a group name to select it. You may also narrow down the group search results by typing a group name in the box.

3. Click the Save Changes button at the bottom of the page when done. You can select up to 100 permitted groups.

Hostname Whitelisting

1. The optional Hostname Whitelisting setting ensures only approved application hostnames may show users the Duo
Prompt. This prevents displaying the Duo Prompt for this application on a web page you do not control, minimizing the
risk of having your users tricked into authenticating on fraudulent web sites.

2. Check the box next to Only allow access for approved application hostnames to enable this setting and specify
additional options.
3. In the Approved application hostnames entry field, enter the fully-qualified hostnames, IP addresses, or domain wildcard
entries that represent your services or systems that you'll use with this Duo application. These entries should be listed one
per line. You can append an informational comment on each line with a comma, followed by your descriptive text.
4. Under Hostname missing, determine what you want to happen if no HTTP referrer is sent by the user's browser or
application that matches the approved IP addresses or hostnames you entered above. Choose Deny access
(recommended) to prevent the user from completing Duo authentication to access the application or Allow the user to
authenticate to allow the user to access the application without a matching referrer value.
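
The approved-hostname list format and the Hostname missing choice from steps 3 and 4, modelled as an added example (not Duo's code). The "*." wildcard syntax, the label-boundary matching rule, the function names and the sample entries are assumptions made for illustration; the list itself is constructed.

```python
from urllib.parse import urlsplit


def parse_approved_hostnames(text):
    """One entry per line; anything after the first comma is a comment."""
    entries = []
    for line in text.splitlines():
        pattern, _, comment = line.partition(",")
        if pattern.strip():
            entries.append((pattern.strip().lower(), comment.strip()))
    return entries


def referrer_host(referrer):
    """Hostname from an HTTP referrer value, or None if absent or unparsable."""
    if not referrer:
        return None
    try:
        return urlsplit(referrer).hostname
    except ValueError:
        return None


def host_matches(host, pattern):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumed wildcard rule: match only on a label boundary, so
        # "*.portal.example.com" does not match "myportal.example.com".
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def prompt_allowed(referrer, entries, hostname_missing="deny"):
    """Return (allowed, reason) for one request to show the Duo Prompt."""
    host = referrer_host(referrer)
    if host is None:
        return hostname_missing == "allow", "no referrer: Hostname missing setting applied"
    for pattern, comment in entries:
        if host_matches(host, pattern):
            return True, f"matched {pattern}" + (f" ({comment})" if comment else "")
    return False, f"{host} is not an approved hostname"


# Constructed sample list in the one-entry-per-line, comma-comment format.
APPROVED = """\
vpn.example.com, production SSL VPN
*.portal.example.com, customer portals
192.0.2.10, lab appliance
"""

if __name__ == "__main__":
    entries = parse_approved_hostnames(APPROVED)
    for ref in ("https://vpn.example.com/login", "https://myportal.example.com/", None):
        print(ref, prompt_allowed(ref, entries))
```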


Scenario 4. Removing Applications


Value Proposition: Be sure to remove Duo authentication from your product's configuration before you remove the
corresponding application from the Duo Admin Panel.

WARNING: Removing an application may prevent user logins!

Steps

1. To remove an application from Duo, view the application's configuration page in the Duo Admin Panel and click Remove
Application.

2. Confirm that you want to remove the application.

3. The application is removed from Duo.


Scenario 5. Protecting Users


Value Proposition: Two-factor authentication protects against phishing, social engineering and password brute-force attacks
and secures user logins from attackers exploiting weak or stolen credentials.

Steps

1. To protect users with two-factor authentication, users need to be enrolled in Duo. To enroll users, click Users in the left
sidebar of the Duo Admin Panel.
2. Click the Bulk Enroll Users link at the top of the Users page.

3. On the Bulk Enroll Users page, enter the usernames and email addresses of the participating users. These users will receive
an email informing them that their administrator has requested they enroll in a two-factor authentication service. That
email includes an individualized link so the user can enroll immediately. You can edit the text of this email. When you're
ready to send the enrollment email, click the Send Enrollment Links button at the bottom of the page. See the Bulk
Self-Enrollment documentation for more detailed instructions.

4. Once these users click on the link in the email message and complete enrollment, they'll be enrolled in Duo's service.
These users will now be able to securely log in using Duo's two-factor authentication system.


5. Configure your system to use Duo two-factor authentication with the application created in Scenario 3 and the
documentation specific to your device or service.
6. Ask the newly enrolled proof-of-concept users to log in to the Duo protected service. They will now see the Duo prompt
and be asked to complete secondary authentication. Unenrolled users will not be prompted for secondary authentication.


Appendix A. Sign Up for a Duo Account


Value Proposition: Customers who are ready to start exploring Duo on their own must set up a Duo account and
download the Duo Mobile app. Duo Mobile is Duo Security’s mobile authenticator application.

Steps

1. If you do not have a personal Duo account, sign up for one at https://signup.duo.com/.
2. Fill in all your information, choose Just Me, and click Create My Account.


3. Go to your email account inbox, open the Welcome to Duo email, and click Verify Your Email.

4. To create a password, enter a minimum of twelve characters, reenter the same password, and click Continue.


5. On your mobile device, open the App Store or Play Store, search for the Duo Mobile app, click Install, and then click
Open.

6. Follow the steps shown below in your browser to activate the Duo Mobile app on your mobile phone.


7. Enter your phone number to set up a backup verification method and click Finish.

Note: If you are entering an international number, add your country code.


What’s Next?
Check out the related Duo Security Proposal to learn how you can deliver simple, secure access to all applications—
on premises or in the cloud. For any user. From any device. From anywhere.
The Duo Lab v1 Advanced Guide demonstrates how to set up Duo with AnyConnect.
