1. Home
  2. Authentication Systems
  3. Cisco Duo Reviews
  4. User Review of Cisco Duo
Duo offers a streamlined GUI, flexible policies, and all for a reasonable price
May 05, 2021

Duo offers a streamlined GUI, flexible policies, and all for a reasonable price

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Duo / Cisco Secure Access, by Duo

We use Duo primarily to provide multi-factor access (MFA) for our RADIUS-based devices, though we also use it for MFA with SSO. We are only using it for the IT team, since we use Microsoft MFA for most of the rest of the firm for remote access. We needed a tool with a straightforward interface to manage all of our IT admin MFA needs, such as fine-grained policies, per application.
  • Easy-to-use and streamlined GUI for administration/management.
  • Lots of MFA options such as code, push, SMS, etc.
  • Industry standard with backing by Cisco, positioning it for high adoption and growth.
  • Unable to set time-based MFA bypass based on username and source IP, making the solution unnecessarily administratively burdensome.
  • Hand-edited configuration file, which is prone to errors and difficult to manage.
  • Very positive ROI given it is inexpensive for a small group and helps us secure our most valuable IT assets.
  • Lack of extreme policy granularity results in higher administrative overhead, as there is no middle ground (i.e. MFA every time or not at all).
The initial administrative setup can be challenging, particularly when it comes to configuring RADIUS proxy and integrating with an on-prem RADIUS server. The configuration file is text-based, and while the documentation is decent, it is error-prone and one really needs to understand how RADIUS works and what parameters need to be passed through, copied, modified, etc. Cisco pre-sales did help us with standing up a PoC, which saved us some time and trouble, though it was still a significant effort.
The whole purpose of MFA is to make sure the user that is authenticating is who they say they are and are authorized to perform the action. Additionally, if credentials were compromised, an attempt to use them that would trigger a MFA request to the actual user. This is an added bonus, alerting that the credentials were compromised and investigation and remediation can take place. While we are fairly early on with our Duo implementation, I have no doubts that it will prevent intrusion and data breaches.
Most of my support has come from the pre-sales side, as I haven't done much with post-sales support. The engineer was helpful, though it would have been even better if he had more production experience. Hopefully the backing by Cisco will give Duo support the deep bench that one would expect out of Cisco.
We were trying to figure out what properties we needed to pass and update for RADIUS and the pre-sales engineer guided us to the proper documentation and helped us find a solution to our use cases. We certainly didn't make it easy on him, but we appreciated the responsiveness and support.
Each vendor we spoke with had different strengths and weaknesses, some very subtle, and for our use cases, they'd probably all have worked; however, we primarily needed a MFA solution for RADIUS and web that was inexpensive, simple to set up, easy to manage, and backed by a large company.
Great for organizations that need to deploy a solution that is used by a small group, given that Duo charges per account; however, be careful if you have a lot of service accounts that you want to set to bypass MFA, as you will have to pay for each one of them, as you would for any human user. Also good for small IT teams that need a solution that has a very straightforward and easy-to-use GUI. Finally, while it has a decent amount of features and functionality, don't expect it to be able to do every permutation of policy that you can think of, though Cisco is promising future updates and solutions (e.g. an adaptive product) that will address some very specific use-cases, such as MFA bypass based on user and IP.