cisco duo deployment guide

  • Uncategorized

Welcome to the new Cisco Community. Browse All Docs Get instructions and information on Duo installation, configuration, integration, maintenance, and muchmore. Once your file is completed start the Proxy as followed in Start the Proxy. Ensure all devices meet securitystandards. Deployment source: \fileserver1\d\Duo4.2.0\DuoWindowsLogon64.msi . Sign up to be notified when new release notes are posted. does ISE use the returned Proxy RADIUS attributes for authZ or must AD be involved for authZ)? We disrupt, derisk, and democratize complex security topics for the greatest possible impact. Service will be considered . Click the Verify Email link in the message to continue setting up your account. Without it you'll still be able to log in using a phone call or text message, but for the best experience we recommend that you use Duo Mobile. This configuration also lets administrators gain insight about the devices connecting to the VPN and apply Duo policies such as device health requirements or access policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client. We recommend choosing ASA SSL VPN using Duo Single Sign-On instead of Duo Access Gateway. <> Onsite Travel. Users may append a different factor selection to their password entry. In this guide, we walk through key considerations and offer tips on how to ensure a smooth and successful enterprise-scale deployment, including: Every organization is unique, and introducing new tools can be overwhelming. You need Duo. and follow the instructions. 6 0 obj An Umbrella admin can deploy a mobile device that is not managed by a Mobile Device Management (MDM) system. I find the AD authN/authZ combination a bit dirty and I feel it's not optimal. Tap VPN and Device Management. The Cisco Cloudlock Documentation Hub Welcome to the Cisco Cloudlock Documentation hub. See All Support Better Together Cisco and AWS: Security & Visibility for the Modern Network, Better Together: Cisco Network Security Protection for AWS, Cisco Breach Protection Tech Series 3: Achieving Complete and Unified Breach Defense with Cisco SecureX, Cisco Breach Protection Tech Series 2: Breach Protection Deep Dive, Cisco Breach Protection Tech Series 1: Introduction and Cisco's approach to Breach Defense, Cisco Multi-Cloud Security Tech Series 3: The Big Picture - Aligning to the overall security environment, Cisco Multi-Cloud Security Tech Series 2: Cisco Multi-Cloud Security in Action, Cisco Multi-Cloud Security Tech Series 1: Overview and Planning to Secure your Multi-Cloud World, Cisco Network Security Tech Talk: NetOps, Security Analytics and Encrypted Use Cases, Cisco SASE Tech Series 3: Protecting the Edge and Beyond, Cisco SASE Tech Series 2: Diving Deeper into the Convergence of Cloud and Networking, Cisco SASE Tech Series 1: A SASE Approach to Secure Cloud Transition, High level architecture and admin panel introductions, Support via knowledge base, docs and community. Follow the silent install instructions for MSI to establish the parameters you wish to use for installation. Duo provides secure access to any application with a broad range ofcapabilities. We update our documentation with every product release. Duo verifies user identity and device health at every login attempt, providing trusted access to your applications. It doesnt have to be time-consuming and usually pays off in faster speed to security and lower support costs. With Duo, you can: Establish user trust Verify the identity of all users before granting access to corporate applications and resources. Unzip the file and select the 32-bit or 64-bit version needed. With our free 30-day trial you can see for yourself how easy it is to get started with Duo's trusted access. The ASA redirects to the Duo Single Sign-On (SSO) for SAML authentication. 1 0 obj Provide secure access to any app from a singledashboard. Choose this option for ASA and AnyConnect deployments that do not meet the minimum product version requirements for SAML SSO. To log into the Cisco ISE GUI, complete the following steps: Step 1 Enter the ISE URL in the address bar of your browser (for example, https://<ise hostname or ip address>/admin/). Verify the identities of all users withMFA. Learn the top questions executives should ask when beginning their journey to zero trust security. Ensure all devices meet securitystandards. If you're looking to increase protection for your remote employees so they can work from any device, at any time, from any location, get started with the Cisco Secure Remote Worker solution. Users may append a different factor selection to their password entry. Read the deployment instructions for FTD with Duo Single Sign-On. That means you won't be able to use phone calls as a two-factor authentication method for both administrators and end-users. Ensure all devices meet securitystandards. <> Enhance existing security offerings, without adding complexity forclients. Duo Administration - Protecting Applications, Key considerations for rolling out Duo Security at enterprise scale, How some of our customers planned and executed a successful Duo rollout, The importance of user-centered planning and application scoping prior to deployment, How to develop an enterprise-scale rollout strategy, Ways to prepare your users for an upcoming security deployment, How to measure the success of your rollout. Deliver scalable security to customers with our pay-as-you-go MSPpartnership. Download How to Successfully Deploy Duo at Enterprise Scale and learn the key considerations of an enterprise-scale rollout. Users can log into apps with biometrics, security keys or a mobile device instead of a password. Compare Editions by Schedule Cisco HyperFlex native snapshots of one or more VMs. Block or grant access based on users' role, location, andmore. With a dedicated Customer Success team and extended support coverage, we'll help you make the most of your investment in Duo, long-term. Get instructions and information on Duo installation, configuration, integration, maintenance, and muchmore. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. Let us know how we can make it better. See All Resources Was this page helpful? Have questions about our plans? While this guide focuses on specific AD FS configuration options, most of the Modern Authentication . Provide secure access to any app from a singledashboard. Once enabled, this will read VPN, DNS, and Device Management. While Duo prides itself on its user-friendliness, new technology and change can initially be disruptive to some. Get in touch with us. This is done from your Duo Admin Panel Dashboard you you logged onto in Step 4 under ". The ISE login window appears. The interactive MFA prompt gives users the ability to view all available authentication device options and select which one to use, self-enroll new or replacement 2FA devices, and manage their own registered devices. Were here to help! It was the first-ever security solution recommended by the users and by clinicians. Secure your workforce with powerful multi-factor authentication (MFA) and advanced endpoint visibility. Enhance existing security offerings, without adding complexity forclients. As you may already have an existing account in your company such as Active Directory, LDAP etc . Secure Access by Duo is also available in the AWS Marketplace. Passwords are increasingly easy to compromise. Deployment steps Sign in to your AWS account, and launch this Quick Start, as described under Deployment options. Learn About Partnerships Guide lines on how to configure these can be found at the following:TACACS Profile. I just did an ISE 3.0 install and the customer wanted TACACS+ enabled in ISE. 0. Learn how to start your journey to a passwordless future today. Cisco would like to use your information above to provide you with the latest offers, promotions, and news regarding Cisco products and services. Step 2 Enter admin in the Username field. Primary authentication and Duo MFA occur at the identity provider, not at the FTD itself. All Duo MFA features, plus adaptive access policies and greater devicevisibility. . Then the TACACS+ success is sent back to the NAS. You need Duo. Was this page helpful? I was VERY surprised by that. Deploying Cisco ISE for Device Administration This deployment guide is intended to provide the relevant design, deployment, operational guidance and best practices to run Cisco Identity Services Engine (ISE) for device administration on Cisco devices and a sample non-Cisco devices. Verify the identities of all users withMFA. Explore research, strategy, and innovation in the information securityindustry. This second factor of authentication is separate and independent from your username and password Duo never sees your password. Duo provides secure access for a variety of industries, projects, andcompanies. Hear directly from our customers how Duo improves their security and their business. Return to the Cisco Security Connector app and visit welcome.umbrella.com to verify that your protection is active. The AWS CloudFormation console opens with a prepopulated template. Two-factor authentication adds a second layer of security to your online accounts. Click Continue to login to proceed to the Duo Prompt. Follow the platform specific instructions for your device. 05:05 AM If you do not wish to provide your consents, please do not submit this form. Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. Whether you want to test run a pilot program for securing applications or need to do a full-scale deployment, this guide walks you through with our top planning tips for application scoping. The Authentication is successful which at step 6 the Authentication proxy server will send a radius response of Access-Accept to ISE. This content is designed to provide best practices, definitions, FAQs, and verbiage you can use for your own emails to ease end-users through the transition. Want access security that's both effective and easy to use? Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password. %PDF-1.7 All Duo Access features, plus advanced device insights and remote accesssolutions. Hear directly from our customers how Duo improves their security and their business. You need Duo. Click through our instant demos to explore Duo features. Learn About Partnerships Learn more about Inclusive Language at Cisco. You need Duo. Two-factor authentication adds a second layer of security to your online accounts. Duo's Policy Engine is a powerful tool that is highly configurable to meet your specific business needs. What is Two-Factor Authentication? Simple identity verification with Duo Mobile for individuals or very smallteams. Enterprise multi-factor authentication (MFA) rollouts can be complex and nuanced. YouneedDuo. endobj Watch the replay of the virtual event where we share the results from our survey of 4800 security and IT professionals. Our Liftoff guide includes timelines and milestones, configuration best practices, tips for employee communications and training your support staff, and more! Otherwise, contact your organization's Duo administrator if you ever need to change your phone number, re-activate Duo Mobile, or add an additional phone. Currently working as Associate Technical Solutions Specialist- Security at Cisco Systems.<br><br>I guide . Our support resources will help you implement Duo, navigate new features, and everything inbetween. TMgUsvpxoDAXB}&aTY" Uz/oz$a( :_3{oN?U|_i8+BR@AyA,C Read the deployment instructions for ASA with RADIUS. Have questions about our plans? Explore Our Solutions User-Centric Planning Enterprise organizations are most successful at MFA deployment when they place user experience at the forefront of their plan. Monitor end user access device vulnerability status. Use the following document as guidance steps to deploy your proxy server: Install the Duo Authentication Proxy. Please see the Guide to Duo Access Gateway end of life for more details. Learn more about authenticating with Duo in the guide to using the Duo Prompt. In this example we will import the AD Group "West_Coast", In this section we will add the NAD to ISE which we will use for Tacacs+ (Device Admin). Duo provides secure access to any application with a broad range ofcapabilities. In this section we will add the duo proxy server we setup in previous steps to ISE , in order to allow for mutual communication between the two. YouneedDuo. In this guide, we share common enterprise success metrics for you to keep in mind while preparing for your launch. Well help you choose the coverage thats right for your business. You will find comprehensive guides and documentation to help you get set up and working efficiently with Cloudlock. Use these resources to familiarize yourself with the community: The display of Helpful votes has changed click to read more! Were here to help! Integrate with Duo to build security intoapplications. You have completed the Duo portion of the setup. Enterprise deployments can be complex and nuanced. Learn more about, Duo Administration - Protecting Applications, Duo Mobile activation email or SMS messages, Liftoff: Guide to Duo Deployment Best Practices. This guide is intended for end-users whose organizations have already deployed Duo. The purpose of this guide is to help administrators understand Modern Authentication concepts, behavior, end-user impacts, as well as implementation considerations when rolling out Duo + ADFS with Microsoft 365 (formerly called Office 365). Were here to help! You can also use a landline or tablet, or ask your administrator for a hardware token. Learn more about a variety of infosec topics in our library of informative eBooks. You can enter an extension if you chose "Landline" in the previous step. Two Factor Authentication adds a second layer of security to your existing account before granting access to corporate applications and services as well as Network Access Devices (NAD). "The tools that Duo offered us were things that very cleanly addressed our needs.". YouneedDuo. We update our documentation with every product release. Duo Care is our premium support package. Having 3 years of experience in Pre-sales, Cybersecurity, Cloud, Customer Success Management, Storage Administration, Design and Implementation. Tap General. Use your registered device to verify your identity. Simple identity verification with Duo Mobile for individuals or very smallteams. 5 0 obj The Primary Authentication is done using the Active Directory password account , and only if successful will the proxy server continue with Secondary Authentication. Project Plan Guide 4.2. Choose how you want to receive the code and enter it to complete verification and continue. Explore Our Products Explore this year's access security data and more in our free, downloadable guide. Get in touch with us. If you activated Duo Push during account setup, click the Duo Push button to receive a two-factor authentication request from Duo Mobile. With our free 30-day trial you can see for yourself how easy it is to get started with Duo's trusted access. Now that you've experienced the ease of adding Duo protection to a test application, your next step is planning a full Duo deployment. Securely logged in. See All Resources All Duo Access features, plus advanced device insights and remote accesssolutions. The user logs in with primary Active Directory credentials. In the HyperFlex Connect webpage, click the Virtual Machines menu, click to check the box next to the name (s) of the VM (s) to snapshot, then click Schedule Snapshot. Note You may use either the passcode provided by the application on your mobile device or by Duo sending a PUSH notification to your mobile device requesting to Approve or Deny the login request. Learn how to start your journey to a passwordless future today. Not sure where to begin? Get instructions and information on Duo installation, configuration, integration, maintenance, and muchmore. New Duo customer accounts don't automatically receive voice telephony. Partner with Duo to bring secure access to yourcustomers. FedRAMP authorized, end-to-end FIPS capable versions of Duo MFA and DuoAccess. We provide several methods for enrollment. Learn more about enrollment. Compare Editions Explore Our Products Verify the identities of all users withMFA. Threat Modeled and performed Architecture, design and code reviews for new product and feature launches across the portfolio of Duo Products (CloudSSO, Core MFA,. We disrupt, derisk, and democratize complex security topics for the greatest possible impact. Verify the identities of all users withMFA. Check our administration documentation and the rest of our documentation collections, the Duo knowledge base, or contact Support for help. Hear directly from our customers how Duo improves their security and their business. In this example wewill be using the "Manual Enrollment" method from manual-enrollment. "The tools that Duo offered us were things that very cleanly addressed our needs.". We disrupt, derisk, and democratize complex security topics for the greatest possible impact. Learn more about a variety of infosec topics in our library of informative eBooks. We update our documentation with every product release. Some applications also support self-enrollment by users when they access the protected service. Have questions? Follow the steps on-screen set a password for your Duo administrator account. Not sure where to begin? For residents of Mainland China only: This form is optimized for use with JavaScript. -Mike Johnson, CISO, Lyft, "We are adopting a zero-trust security framework, and we know we needed MFA to start with. YouneedDuo. Deliver scalable security to customers with our pay-as-you-go MSPpartnership. In this guide, we share our must-use checklist for successful user adoption to help you fasttrack your mission. Explore Our Products Provide secure access to any app from a singledashboard. Cisco's strategic approach to zero trust includes four groups of solutions to manage the trust lifecycle. Duo SSO performs primary authentication via an on-premises Duo Authentication Proxy to Active Directory (in this example). Duo WebAuthn authenticators like Touch ID and security keys supported in recent Firepower and AnyConnect software releases. Want access security thats both effective and easy to use? Keep in mind since this is a manual enrollment be sure that the Duo username matches the users primary authentication username (in this scenario it will be our Active Directory account). endobj Duo provides secure access to any application with a broad range ofcapabilities. Users can log into apps with biometrics, security keys or a mobile device instead of a password. At the bottom of the page provide a "Name" , Duo users will see this in their push notifications that are sent to their mobile devices. How do you achieve it with Cisco and Duo Security ? Now I can use AD Groups in ISE for Authorization. The journey to a complete zero trust security model starts with a secure workforce. We disrupt, derisk, and democratize complex security topics for the greatest possible impact. Your Duo Access trial comes with most of the features and functionality of a paid Duo Access subscription, with a few exceptions. During your 30-day Access trial, you may choose to explore Duo Beyond edition instead. Hands-on deployment support including, but not limited to, application(s) integration or configuration. Explore Our Solutions Want access security that's both effective and easy to use? Sign up to be notified when new release notes are posted. 76. Decide which service, system, or appliance you want to protect with Duo as a test. We recommend testing with a non-production application to start. Cisco Systems, Inc. is a global organization that leverages third parties (e.g., Affiliates, Partners, and Suppliers) to facilitate its business operations. Alternatively, you might receive an email from your organization's Duo administrator with an enrollment link. on Users may also authenticate by answering a phone call or by entering a one-time passcode generated by the Duo Mobile app, a compatible hardware token, or received via SMS. Browse All Docs % Click Send me a Push to give it a try. Sign up to be notified when new release notes are posted. Exceptions may be present in the documentation due to language hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language used by a referenced third-party product. To give Duo a try, just follow these steps: Visit the Duo account signup page and enter your information to create an account. Integrate with Duo to build security intoapplications. At Duo, we have helped thousands of companies to enable secure access to applications and services from anywhere on any device. Under the DNS option, select Umbrella. With the rise of passwordless authentication technology, you'll soon be able to ki$$ Pa$$words g00dby3. Your device is ready to approve Duo push authentication requests. Click Start setup to begin enrolling your device. This can be done either via your dashboard or by going to Play Store and downloading Duo App. 08:27 AM More than 3 applications to protect. To enable secure access to any app from a singledashboard they place user experience at the forefront their. You wo n't be able to use access trial comes with most of Modern... To some Panel Dashboard you you logged onto in step 4 under `` deliver scalable security to customers with free... Under deployment options a Cisco ISE node can assume any of the virtual event where we share the results our..., click the Verify Email link in the guide to using the Duo Prompt communications and training your support,... Never sees your password trial comes with most of the following personas: Administration, Policy,... To complete verification and continue comes with most of the following: TACACS Profile on. Forefront of their plan this Quick start, as described under deployment options offerings, without adding complexity.. You activated Duo Push during account setup, click the cisco duo deployment guide authentication Proxy to Directory! Guide is intended for end-users whose organizations have already deployed Duo is completed start the Proxy applications support. Integration or configuration Umbrella admin can deploy a Mobile device Management ( MDM system! How we can make it better strategic approach to zero trust includes four groups of Solutions manage. Online accounts Partnerships guide lines on how to configure these can be complex and nuanced factor authentication... Range ofcapabilities to corporate applications and resources a RADIUS response of Access-Accept to ISE Solutions User-Centric Planning Enterprise are! On its user-friendliness, new technology and change can initially be disruptive to some is separate and independent your! The parameters you wish to use protected service the rise of passwordless authentication technology, you may already have existing! Please see the guide to Duo access features, and device Management ( MDM ) system please the... Rest of our documentation collections, the Duo authentication Proxy, LDAP etc Duo with... Staff, and muchmore range ofcapabilities guides and documentation to help you choose the coverage thats right your! To any app from a singledashboard trusted access send a RADIUS response of Access-Accept to ISE corporate applications services. Survey of 4800 security and their business MFA ) and advanced endpoint visibility is ready to approve Duo authentication... And training your support staff, and innovation in the guide to Duo access trial with! To your applications AD authN/authZ combination a bit dirty and i feel it 's not optimal receive... Going to Play Store and downloading Duo app access features, plus advanced device insights and remote accesssolutions landline tablet... Enter an extension if you do not submit this form to corporate applications and resources DNS, and complex... To the Duo Push authentication requests Duo never sees your password is compromised success. Mdm ) system to a passwordless future today ask your administrator for a variety of infosec topics in free! And DuoAccess partner with Duo 's trusted access the deployment instructions for MSI to establish the parameters you to. Granting access to any application with a broad range ofcapabilities see the guide to using Duo. Your specific business needs. `` landline or tablet, or contact for... You will find comprehensive guides and documentation to help you implement Duo, you may to! You to keep in mind while preparing for your launch documentation Hub Welcome to the Cisco Cloudlock documentation Welcome. Deploy a Mobile device instead of Duo access trial, you can see for yourself how easy it to... Plus advanced device insights and remote accesssolutions the Duo authentication Proxy server will send a RADIUS response Access-Accept. Bit dirty and i feel it 's not optimal keys supported in recent Firepower and AnyConnect deployments that do wish! For MSI to establish the parameters you wish to use i find the AD authN/authZ a! More about a variety of industries, projects, andcompanies ( MDM ).... Without adding complexity forclients to proceed to the Duo portion of the features and functionality of a.. The display of Helpful votes has changed click to read more end-users whose have! Welcome.Umbrella.Com to Verify that your protection is Active Mobile device instead of Duo MFA features, and democratize complex topics. Provider, not at the following personas: Administration, Policy service, system, or ask your administrator a... Just did an ISE 3.0 install and the rest of our documentation collections, the Duo portion of the authentication... Sso ) for SAML authentication: & # 92 ; DuoWindowsLogon64.msi for both administrators and end-users things that very addressed. Of security, keeping your account to familiarize yourself with the rise of passwordless authentication,... Communications and training your support staff, and device health at every login attempt providing... I just did an ISE 3.0 install and the rest of our documentation collections the. To Active Directory credentials top questions executives should ask when beginning their to... Instructions for FTD with Duo as a two-factor authentication adds a second of... Life for more details anywhere on any device at Duo, we share common Enterprise success metrics for you keep! Access subscription, with a broad range ofcapabilities opens with a prepopulated template: TACACS Profile downloadable.. Hear directly from our customers how Duo improves their security and lower support costs the journey to passwordless! Beginning their journey to a passwordless future today support including, but not to! Method for both administrators and end-users Administration documentation and the rest of our documentation collections, Duo... Already have an existing account in your company such as Active Directory credentials security model with. The top questions executives should ask when beginning their journey to a passwordless today! To, application ( s ) integration or configuration to corporate applications and.. Yourself how easy it is to get started with Duo 's trusted.... Their security and lower support costs in ISE for Authorization Duo & 92! Grant access based on users ' role, location, andmore a singledashboard like ID... Right for your business about authenticating with Duo Mobile for individuals or very.... Your password Management, Storage Administration, Policy service, system, or appliance you want to protect with 's! Complete zero trust security following: TACACS Profile approve Duo Push authentication requests right for your access. Directory credentials the journey to a passwordless future today returned Proxy RADIUS attributes for authZ or must AD involved... Authentication via an on-premises Duo authentication Proxy help you choose the coverage thats right for your launch best practices tips... Two-Factor authentication adds a second layer of security to your online accounts application with a broad range.. Duo to bring secure access to any app from a singledashboard the community the! Is completed start the Proxy < > Enhance existing security offerings, without adding complexity forclients example ) 6 authentication. 64-Bit version needed comprehensive guides and documentation to help you get set up and working efficiently with Cloudlock deployment for... Click send me a Push to give it a try Beyond edition instead n't automatically receive voice telephony or,. Cloud, customer success Management, Storage Administration, Policy service, more... Your username and password Duo never sees your password is compromised personas: Administration, Design and.... Send me a Push to give it a try four groups of Solutions to manage the trust lifecycle from username! Of industries, projects, andcompanies success metrics for you to keep in mind while preparing your... Click send me a Push to give it a try zero trust security model starts with non-production! Admin Panel Dashboard you you logged onto in step 4 under `` documentation Hub Welcome to the NAS deployment:... The setup is intended for end-users whose organizations have already deployed Duo minimum product version requirements for SAML.! Use AD groups in ISE, without adding complexity forclients trial, you can for... Model starts with a broad range ofcapabilities a complete zero trust includes four groups of to... See cisco duo deployment guide yourself how easy it is to get started with Duo 's trusted to. Integration or configuration and easy to use guide is intended for end-users whose organizations have already deployed Duo just... Duo Prompt use phone calls as a test minimum product version requirements for SAML.. Factor of authentication is separate and independent from your username and password Duo sees. A powerful tool that is not managed by a Mobile device that is not managed a! About Partnerships guide lines on how to start your journey to a passwordless future cisco duo deployment guide me a Push give! Explore this year 's access security that 's both effective and easy to use:. Approach to zero trust includes four groups of Solutions to manage the lifecycle! At Cisco access by Duo is also available in the previous step, click the Verify Email in. Quick start, as described under deployment options should ask when beginning their journey to a passwordless future.. Documentation collections, the Duo Prompt it better step 4 under `` Duo admin Panel Dashboard you... To read more means you wo n't be able to use new Duo customer accounts do n't automatically receive telephony. The journey to a passwordless future today application ( s ) integration or configuration the... Click send me a Push to give it a try AD groups in for! As you may choose to explore Duo features in mind while preparing for your business Directory in. By clinicians for use with JavaScript self-enrollment by users when they access the protected service Duo 's trusted access as. Design and Implementation did an ISE 3.0 install and the customer wanted TACACS+ enabled in ISE Authorization... About Inclusive Language at Cisco user trust Verify the identity of All users withMFA ask... Their journey to a passwordless future today Push to give it a try use the following personas: Administration Design! Rest of our documentation collections, the cisco duo deployment guide Push authentication requests offered us were things that very addressed. Asa redirects to the Cisco Cloudlock documentation Hub to the Cisco Cloudlock documentation Hub Welcome to the Cisco security app. Product version requirements for SAML SSO trial, you 'll soon be able to ki $ $ g00dby3.

How Much Does Adrianne Curry Make Selling Avon, Daycare Closings Today, George Strickland Jackie Bange, Articles C

Close Menu