Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later


Duo Multi-factor authentication

Explains Duo Multi-factor authentication principles and provides instructions for configuring multi-factor authentication to enhance security for user login processes.



Duo Multi-factor authentication

Duo multi-factor authentication is a security feature that

  • integrates with Cisco SD-WAN Manager and controllers to enhance user login security

  • requires users to verify their identity using a second factor after entering their username and password, and

  • helps prevent unauthorized access by adding a second authentication factor aligned with zero-trust principles.


Configure Duo multifactor authentication

From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can configure Cisco SD-WAN Manager to require Duo multifactor authentication (MFA) to verify the identity of users before they can log in to SD-WAN Manager and other controllers.

Before you begin

Create local users in your Duo account before proceeding.

By default, Duo MFA does not apply to the admin user. To enable Duo MFA for the admin user, enable the DUO MFA Configuration option, and enter the admin-auth-order command in the CLI.

Once Duo authentication is set up, users are prompted to authenticate with their Duo credentials on their mobile devices and thereafter log in to SD-WAN Manager.

SD-WAN Manager does not display any message that an MFA request has been sent to the user's mobile device.

Follow these steps to set up Duo authentication.

Procedure

1. Log in to the Duo Admin Panel.

2. Create an Auth API application.

   This step gives you the Duo integration key, secret key, and API hostname information required to complete Duo MFA configuration. See Duo Auth API for more information.

3. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

4. Click DUO MFA Configuration.

   If you are using Cisco Catalyst SD-WAN Manager Release 20.12.x or earlier, click Edit.

5. Click Enabled.

6. Configure the following options:

     • Integration Key: Enter the integration key (Ikey) for your Duo account.

     • Secret Key: Enter the secret key (Skey) for your Duo account.

     • API Hostname: Enter the API hostname (api-hostname) for your Duo account.

     • Server proxy: (Read only) Displays the server proxy used to access the Duo server if SD-WAN Manager is behind a firewall. Set this server proxy with the system http proxy or the system https proxy command.

       Note: If SD-WAN Manager is deployed on a cloud that can be reached by an external network, a server proxy should not be set.

7. Click Save.

8. If a Cisco SD-WAN Validator or a Cisco SD-WAN Controller does not have internet access, enter the following commands in the CLI or the device template to provide access to the Duo MFA feature.

   These commands configure the device with proxy information about the device on which Duo MFA is enabled.

vm# config
vm(config)# system aaa
vm(config-aaa)# multi-factor-auth
vm(config-multi-factor-auth)# duo
vm(config-duo)# api-hostname name
vm(config-duo)# secret-key key
vm(config-duo)# integration-key key
vm(config-duo)# proxy proxy_url
vm(config-duo)# commit
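
The integration key, secret key and API hostname from step 2 can be checked before they are entered in SD-WAN Manager. The following is an added example, not Cisco or Duo code: it signs a request the way the Duo Auth API expects (HMAC-SHA1 over date, method, host, path and parameters, sent as HTTP Basic credentials) and calls the API's `/auth/v2/check` endpoint, optionally through a proxy. The function names and the sample key and hostname values are constructed for illustration.

```python
import base64, email.utils, hashlib, hmac, json
import urllib.error, urllib.parse, urllib.request

CHECK_PATH = "/auth/v2/check"  # Duo Auth API endpoint that validates ikey/skey


def canonical_request(date, method, host, path, params):
    """Build the newline-joined string that the Duo Auth API expects signed."""
    query = "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(v, '~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign_headers(ikey, skey, host, path, params=None, method="GET", date=None):
    """Return the Date and Authorization headers for one Auth API request."""
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params or {})
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def check_credentials(ikey, skey, host, proxy=None, timeout=10):
    """Send a signed GET /auth/v2/check (live network call); return (ok, detail)."""
    handlers = [urllib.request.ProxyHandler({"https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(
        f"https://{host}{CHECK_PATH}",
        headers=sign_headers(ikey, skey, host, CHECK_PATH),
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            ok = json.load(resp).get("stat") == "OK"
            return ok, "keys accepted" if ok else "unexpected response"
    except urllib.error.HTTPError as err:  # wrong key, bad signature, bad date
        return False, f"Duo rejected the request (HTTP {err.code})"
    except urllib.error.URLError as err:  # DNS, firewall or proxy problem
        return False, f"cannot reach {host}: {err.reason}"


if __name__ == "__main__":
    # Constructed placeholders; prints the signed headers without any network I/O.
    print(sign_headers("DIXXXXXXXXXXXXXXXXXX", "constructed-secret",
                       "api-XXXXXXXX.duosecurity.com", CHECK_PATH))
```

A rejection from Duo points at the keys or the system clock, while a connection error points at the firewall or proxy path that the Server proxy field and the `proxy` CLI option address.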